@atripp I want to do everything through nuget.exe because this is ultimately what gets called for package resolution within VS and in our CI solution (Team City). It's clear that even though the ProGet API itself may support package vulnerability listing, it doesn't expose that through nuget.exe, at least in the free version, i.e. if I do 'dotnet list package --vulnerable' then no vulnerabilities are reported where nuget.config is set up to reference my ProGet feeds, but it does when referencing NuGet.org.
I have double checked in the feed configuration that vulnerability features are enabled.
Posts made by richard.allen_8963
RE: NuGet.exe 6.8 NuGetAudit integration with ProGet
@atripp I have tried switching my package sources between nuget.org and our private ProGet NuGet feed (and we do use version 3 of the API), and it is definitely the case that the warnings appear for nuget.org and not for ProGet. So, my original question is unanswered; is it just the free version which doesn't support this feature in the NuGet client API?
NuGet.exe 6.8 NuGetAudit integration with ProGet
Using nuget.org and nuget.exe 6.8.0 (through VS), when I attempt to download a package that contains a security vulnerability, one of the NuGet warnings 1901, 1902, 1903, 1904 is generated and reported in my build.
When I try to retrieve the same package from a ProGet free NuGet feed, the warnings are not generated.
I can see if I browse to the package in the ProGet GUI that the security vulnerabilities are recorded correctly already.
Why are these warnings not returned? Is this (a) because I need to purchase a paid version of ProGet to support it, or (b) because it hasn't been added yet, given that the NuGetAudit functionality was only released in November 2023?
Thanks v much for anyone who has an answer on this.
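The question above hinges on where the NuGet client gets its vulnerability data from. Since NuGet 6.8, the client discovers audit data through a `VulnerabilityInfo/6.7.0` resource advertised in a feed's V3 service index (`index.json`); if a feed does not advertise that resource, the client has nothing to audit against and emits no NU1901-NU1904 warnings, whatever the server's own GUI shows. The script below is an added example, not code from the thread or from Inedo/ProGet: it reads a service index and reports whether the resource is present, then applies a vulnerability page to a package id and version and maps the severity to the warning code the client would report. The two service indexes, the vulnerability page and the advisory URL are constructed placeholders (the page format follows the NuGet vulnerability-info resource documentation; whether ProGet's feed advertises the resource is exactly what the thread leaves open), and version comparison is simplified to numeric parts, ignoring prerelease labels.

```python
import json

# Service-index resource type the NuGet 6.8+ client looks for when NuGetAudit is enabled.
VULN_RESOURCE_TYPE = "VulnerabilityInfo/6.7.0"

# Severity value in the vulnerability data -> warning code the client reports.
SEVERITY_TO_WARNING = {0: "NU1901", 1: "NU1902", 2: "NU1903", 3: "NU1904"}

# Constructed service indexes shaped like a NuGet V3 index.json (not any real feed's response).
SAMPLE_SERVICE_INDEX_WITH_AUDIT = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://feed.example/v3/registration/", "@type": "RegistrationsBaseUrl/3.6.0"},
        {"@id": "https://feed.example/v3/vulnerabilities/index.json", "@type": VULN_RESOURCE_TYPE},
    ],
})
SAMPLE_SERVICE_INDEX_WITHOUT_AUDIT = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://feed.example/v3/registration/", "@type": "RegistrationsBaseUrl/3.6.0"},
    ],
})

# Constructed vulnerability page: package id (lower-case) -> advisories with a NuGet version range.
# The advisory URL is a placeholder, not a real advisory.
SAMPLE_VULNERABILITY_PAGE = {
    "contoso.widgets": [
        {"severity": 2, "advisory_url": "https://advisory.example/PLACEHOLDER-ID", "versions": "[1.0.0, 1.4.2)"},
    ],
}


def vulnerability_info_url(service_index_json):
    """Return the VulnerabilityInfo resource URL, or None if the feed does not advertise one."""
    index = json.loads(service_index_json)
    for resource in index.get("resources", []):
        if resource.get("@type") == VULN_RESOURCE_TYPE:
            return resource.get("@id")
    return None


def parse_version(text):
    """Simplified NuGet version: numeric dotted parts only, prerelease/build metadata dropped."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def in_range(version, range_text):
    """Check a version against NuGet range notation: '[' / ']' inclusive, '(' / ')' exclusive,
    an empty bound meaning unbounded, and '[1.0.0]' meaning exactly that version."""
    lower_inclusive = range_text[0] == "["
    upper_inclusive = range_text[-1] == "]"
    bounds = [b.strip() for b in range_text[1:-1].split(",")]
    lo, hi = (bounds[0], bounds[0]) if len(bounds) == 1 else (bounds[0], bounds[1])
    v = parse_version(version)
    if lo:
        lv = parse_version(lo)
        if v < lv or (v == lv and not lower_inclusive):
            return False
    if hi:
        hv = parse_version(hi)
        if v > hv or (v == hv and not upper_inclusive):
            return False
    return True


def audit(package_id, version, vulnerability_page):
    """Return [(warning_code, advisory_url), ...] that the client would report for this package."""
    findings = []
    for entry in vulnerability_page.get(package_id.lower(), []):
        if in_range(version, entry["versions"]):
            findings.append((SEVERITY_TO_WARNING[entry["severity"]], entry["advisory_url"]))
    return findings


if __name__ == "__main__":
    for label, index_json in (("with audit", SAMPLE_SERVICE_INDEX_WITH_AUDIT),
                              ("without audit", SAMPLE_SERVICE_INDEX_WITHOUT_AUDIT)):
        print(f"feed {label}: VulnerabilityInfo resource = {vulnerability_info_url(index_json)}")
    for ver in ("1.3.0", "1.4.2"):
        print(f"Contoso.Widgets {ver}: {audit('Contoso.Widgets', ver, SAMPLE_VULNERABILITY_PAGE)}")
```

To run the first check against a real feed, fetch the feed's `index.json` URL (the one in `nuget.config`) with any HTTP client and pass the body to `vulnerability_info_url`; a `None` result explains missing audit warnings independently of whatever the server's web UI displays.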