RE: Mark private Nuget/Npm Packages as Vulnerable?

@stevedennis Thanks, Steve. I hear where you are coming from.

I suppose what we’re really looking for is something that eases the communication and tracking of security issues (whether low or high severity) across our teams. Right now, based on your suggestion, it sounds like the workflow would require us to manually identify which applications depend on a vulnerable library, notify each owning team, hope it fits within their priorities, and then track remediation through individual tickets.

Ideally, we were hoping our package management system — since it already governs distribution and security controls — could act as that “one stop shop” to track and visualize which applications still rely on a vulnerable version along side it's assigned severity rating. That kind of visibility would make coordination much more efficient in my opinion.

It sounds like that’s not something ProGet currently supports directly, but I appreciate the clarification if I'm wrong there as we are currently looking for something that would help that form of tracking.

And I'd like to once again thank you for all your responses today and if I don't hear from you again. I hope you have a great weekend.

@stevedennis Thank you for the quick reply.

Yeah the use case mainly comes from some of our other security tools identifying code patterns that represent security issues. In this case sonar cloud see's one of our custom libraries has logic that is not secure. We wouldn't particularly need it for open source libraries.

SCA would work for seeing the breakout like you said but it would require us marking the package vulnerable in some outside source and mapping it back to perform the analysis.

Would you still not see the potential value in marking private packages as vulnerable or is that just not possible given the way nuget is setup?

I can imagine the dotnet restore -vulnerable not working if it can only be tied to some registry of vulnerabilities that can't be changed.

Is it possible to mark private Nuget/Npm packages as vulnerable through ProGet?
I see I can mark the packages as deprecated and leave a note but I was wondering is it possible go further and actually more it as vulnerable along with the severity and have that showing up in dotnet restore -vulnerable commands along with npm -audit commands.

The use case being if we have some logically issue that is causing the package to be vulnerable we would like to be able to mark it as such and have that be able to be communicated to our users. The deprecation feature accomplishes some of that but we also have custom reporting on our side where we would like to be able to identify the severity of vulnerability through out our repos.