One line 'npm audit' for dotnet
npm audit is a nice tool for the npm ecosystem: it analyses your package references, warns you when a referenced version has a known vulnerability, and can even fix those references automatically.
In .NET land we have nothing so fancy, but at least we can achieve the same "throw error if vulnerabilities are detected" workflow easily:
dotnet restore /p:WarningsAsErrors=\"NU1902,NU1903,NU1904\"
The key here is the WarningsAsErrors build property: NuGet's package auditing (on by default since NuGet 6.8, which ships with the .NET 8 SDK; the NuGetAudit property switches it off) reports known vulnerabilities as NU19xx warnings during restore, and WarningsAsErrors promotes the listed codes to errors, so any of them makes the command fail with a non-zero exit code. This way you don't have to parse the command output for specific warnings. One caveat: check the NuGetAuditMode property as well, because with its "direct" setting only the packages you reference directly are audited; set it to "all" to have transitive packages reported too.
Which severities fail the build is controlled by which warning codes you list, since NuGet emits a separate code per severity:
- NU1901 - low
- NU1902 - moderate
- NU1903 - high
- NU1904 - critical
You could implement the same thing in your .csproj, or better yet, in a Directory.Build.props at the repository root so every project inherits it:
<PropertyGroup>
  <WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>
</PropertyGroup>
And of course it can be used in a CI pipeline, e.g. Azure Pipelines:
trigger: none
schedules:
  - cron: "0 0 * * 0"
    displayName: once a week on Sunday
    branches:
      include:
        - main
jobs:
  - job:
    displayName: Fail if vulnerable nuget packages found
    steps:
      - task: NuGetAuthenticate@1
        displayName: Authenticate to Azure Artifacts if using private feeds
      - script: dotnet restore solutionName.sln /p:WarningsAsErrors=\"NU1902,NU1903,NU1904\"
So while not nearly as fully featured as npm audit, this simple command provides a lot of bang for very little buck.
Note: there's also dotnet list package --vulnerable, but that does not provide an easy way to error out if vulnerabilities are found: it only reports, and even with its --format json output you have to parse and interpret the result yourself.
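If you do want to build the gate on dotnet list package instead (for instance to get a report of every affected package rather than a failed restore), the missing piece is a small script that turns the JSON report into an exit code. The following is an added example, not code from the original post or from the .NET SDK; it assumes the JSON layout that dotnet list package --vulnerable --include-transitive --format json produces (projects, frameworks, topLevelPackages/transitivePackages, each package carrying a list of vulnerabilities with a severity and an advisoryurl) and embeds a constructed sample report so it can be run offline. The severity ordering is the same one the NU1901..NU1904 codes encode, and transitive packages are included on purpose, since those are the ones a "direct" audit mode would miss.

```python
"""Fail a CI job when `dotnet list package --vulnerable --format json`
reports an advisory at or above a chosen severity.

Added example, not part of the original post or the .NET SDK. Assumes the
report layout projects -> frameworks -> topLevelPackages / transitivePackages
-> vulnerabilities, each vulnerability having "severity" and "advisoryurl".
"""
import json
import subprocess
import sys

# Same ordering as the NU1901..NU1904 warning codes: low < moderate < high < critical.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def findings_at_or_above(report: dict, min_severity: str) -> list[dict]:
    """Return one record per (project, package, advisory) whose severity is at
    least `min_severity`. An unknown or missing severity string is ranked as
    critical so that a new or misspelled level can never silently pass."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    hits = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        sev = str(vuln.get("severity", "")).lower()
                        if SEVERITY_RANK.get(sev, SEVERITY_RANK["critical"]) >= threshold:
                            hits.append({
                                "project": project.get("path"),
                                "framework": fw.get("framework"),
                                "package": pkg.get("id"),
                                "version": pkg.get("resolvedVersion"),
                                "transitive": kind == "transitivePackages",
                                "severity": sev,
                                "advisory": vuln.get("advisoryurl"),
                            })
    return hits


def run_dotnet_list(project_or_solution: str) -> dict:
    """Invoke the real CLI (requires the .NET SDK on PATH) and parse its JSON."""
    completed = subprocess.run(
        ["dotnet", "list", project_or_solution, "package",
         "--vulnerable", "--include-transitive", "--format", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


# Constructed sample report (not real CLI output) so the gate can be exercised
# offline: one High finding on a direct reference, one Low on a transitive one.
SAMPLE_REPORT = json.loads("""{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "projects": [{
    "path": "src/App/App.csproj",
    "frameworks": [{
      "framework": "net8.0",
      "topLevelPackages": [{
        "id": "Example.Direct", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/advisory/1"}]
      }],
      "transitivePackages": [{
        "id": "Example.Transitive", "resolvedVersion": "2.3.4",
        "vulnerabilities": [{"severity": "Low", "advisoryurl": "https://example.invalid/advisory/2"}]
      }]
    }]
  }]
}""")


def main(argv: list[str]) -> int:
    """Usage: gate.py [min-severity] [path-to-sln-or-csproj]
    Without a path the embedded sample report is used. Returns 1 (fail) if
    any finding meets the threshold, otherwise 0."""
    min_sev = argv[1] if len(argv) > 1 else "moderate"
    report = run_dotnet_list(argv[2]) if len(argv) > 2 else SAMPLE_REPORT
    hits = findings_at_or_above(report, min_sev)
    for h in hits:
        scope = "transitive" if h["transitive"] else "direct"
        print(f"{h['severity']:<8} {h['package']} {h['version']} ({scope}) {h['advisory']}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline you would call it as python3 gate.py high solutionName.sln right after the restore step; the non-zero return value fails the job the same way the WarningsAsErrors trick does, but you also get a line per affected package in the log.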
Thoughts, comments? Send me an email!