Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
NuGet.exe 6.8 NuGetAudit integration with ProGet
-
Using nuget.org and nuget.exe 6.8.0 (through VS), when I attempt to download a package that contains a security vulnerability, one of the Nuget warnings 1901,1902,1903,1904 are generated and reported in my build.
When I try to retrieve the same package from a ProGet free Nuget feed, the warnings are not generated.
I can see if I browse to the package in the ProGet GUI that the security vulnerabilities are recorded correctly already.
Why are these warnings not returned? Is this (a) because I need to purchase a paid version of ProGet to support it, or (b) because it hasn't been added yet, given that the NuGetAudit functionality was only released in November 2023?
Thanks v much for anyone who has an answer on this.
-
Hi @richard-allen_8963 ,
ProGet 2023 will return vulnerabilities when using the
audit
command and Visual Studio. Here is more information on our general approach:
https://blog.inedo.com/nuget/vulnerabilities/If you're not seeing them, make sure you're using the NuGet v3 API endpoint. That's the one that ends in
index.json
-- the v2 API does not support vulnerabilities.There is a restriction on vulnerability inforamtion in the Free Version, but they are returned in the API.
Thanks,
Alana
-
@atripp I have tried switching my package sources between nuget.org and our private ProGet NuGet feed (and we do use version 3 of the API), and it is definitely the case that the warnings appear for nuget.org and not for ProGet. So, my original question is unanswered; is it just the free version which doesn't support this feature in the NuGet client API?
-
Hi @richard-allen_8963 ,
In ProGet Free Edition, if vulnerabilities are enabled on the feed, a package will a vulnerability will always appear as critical, and the advisory URL will direct you to
/vulnerable-nuget-package-info
on your instance of ProGet.In paid editions, you will get more relevant information and you can assess these vulnerabilities to control them from being displayed as critical.
I'm not entirely sure how to suggest to debug, but in the API, you should see
advisoryUrl
listed on the
PackageDetails` resource, along with deprecation as well, so I would try looking at the API for a sample package, and making sure you can see both deprecation and advisory infoThanks,
Alana
-
@atripp I want to do everything through nuget.exe because this is ultimately what gets called for package resolution within VS and in our CI solution (Team City). It's clear that even though the ProGet API itself may support package vulnerability listing, it doesn't expose that through nuget.exe, at least in the free version, i.e. if I do 'dotnet list package --vulnerable' then no vulnerabilities are reported where nuget.config is set up to reference my ProGet feeds, but it does when referencing NuGet.org.
I have double checked in the feed configuration that vulnerability features are enabled.
-
Hi @richard-allen_8963 ,
I'm afraid I'm really not sure how different versions the NuGet client tools behave in different scenarios... just really how ProGet works in implementing the Vulnerabilities information on the NuGet API.
This API is used by Visual Studio, and in our testing, they show up as we expected -- so if you're not seeing the desired behavior, that's where you'd want to look. Using something like Fiddler, you can see what's being called.
I do know there is an older, NuGet.org-only API that the tools may be calling. But we only implement the one I mentioned above.
Best,
Alana