Hi @fabrice-mejean_5174,

Thanks for the suggestion; to help move this forward, we thought about this from a technical standpoint.

We're a little hesitant to call the command pgutil packages audit since there's already an audit command for builds and vulnerabilities. One idea is to deprecate pgutil vulnerabilities audit and call it pgutil packages audit instead.

In any case, this new command is a combination of pgutil builds audit and pgutil vulns audit.

The pgutil packages audit command would input a project, something like this:

```
pgutil packages audit --project=c:\projects\MyProject.csproj
```

Behind the scenes, pgutil would parse and POST a packageset:

```
POST /api/sca/audit-packages

[
  {
    "name": "myPackage",
    "version": "1.2.3",
    "type": "nuget"
  },
  {
    "name": "myPackage",
    "version": "1.2.3",
    "type": "nuget"
  }
]
```

The API would return an array I suppose (we don't have any samples for that, but it's a serialized BuildInfo.cs), and the end result would look like this:

```
$> pgutil packages audit --project=c:\projects\MyProject.csproj

Parsing MyProject.csproj... found X packages.

Azure.Core-1.35.0
  Compliance      : Compliant
  License         : MIT
  Vulnerabilities : None

Microsoft.Extensions.Configuration.EnvironmentVariables 8.0.0
  Compliance      : Noncompliant
  License         : MIT, Apache-2.0
  Vulnerabilities : PG-123456 (High) the vulnerability title of this vulnerability goes here
```

The API could obviously contain more info. It's documented via serialized .cs classes here: https://github.com/Inedo/pgutil/tree/thousand/Inedo.ProGet

Thanks,
Steve
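
The "parse and POST a packageset" step described in the post, as an added illustration that is not part of the post or of pgutil's code: it reads `PackageReference` items from a constructed `.csproj` and builds the JSON body in the proposed shape. The function names are hypothetical, the request is not sent, and the handling of versionless references is an assumption.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the original post).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Azure.Core" Version="1.35.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables">
      <Version>8.0.0</Version>
    </PackageReference>
    <PackageReference Include="azure.core" Version="1.35.0" />
    <PackageReference Include="Contoso.Unpinned" />
  </ItemGroup>
</Project>"""


def local_name(tag):
    # Drop any XML namespace so legacy (namespaced) csproj files also match.
    return tag.rsplit("}", 1)[-1]


def parse_package_references(csproj_xml):
    """Return (packages, unresolved) for the PackageReference items in a csproj.

    References with no version in the file (e.g. centrally managed versions)
    cannot be audited from it, so they are reported rather than dropped.
    """
    packages, unresolved, seen = [], [], set()
    for elem in ET.fromstring(csproj_xml).iter():
        name = elem.get("Include")
        if local_name(elem.tag) != "PackageReference" or not name:
            continue
        version = elem.get("Version")  # attribute form
        for child in elem:             # child-element form
            if local_name(child.tag) == "Version" and child.text:
                version = version or child.text.strip()
        if not version:
            unresolved.append(name)
        elif (name.lower(), version) not in seen:  # NuGet IDs are case-insensitive
            seen.add((name.lower(), version))
            packages.append({"name": name, "version": version, "type": "nuget"})
    return packages, unresolved


def build_audit_body(csproj_xml):
    """Serialize the packageset in the shape proposed in the post."""
    packages, unresolved = parse_package_references(csproj_xml)
    return json.dumps(packages, indent=2), unresolved
```

Surfacing the unresolved list matters for an audit command: a package that is silently skipped would otherwise look the same as one that passed.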