TomsToolbox.NugetAudit 1.0.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet tool install --global TomsToolbox.NugetAudit --version 1.0.0
This package contains a .NET tool you can call from the shell/command line. 
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local TomsToolbox.NugetAudit --version 1.0.0
This package contains a .NET tool you can call from the shell/command line. 
#tool dotnet:?package=TomsToolbox.NugetAudit&version=1.0.0
nuke :add-package TomsToolbox.NugetAudit --version 1.0.0

NugetAudit

A DotNet command line tool to create a vulnerability report from an applications *.deps.json file

Intention of this tool

This tool can be used to create a vulnerability report based on the binary deliveries, excluding all build time dependencies.

Unlike dotnet list package --vulnerable it only works on the build output, not on the sources, so it generates a reproducible result even when projects use e.g. floating package versions.

It's e.g. useful to create a snapshot of the know vulnerabilities at release time and then compare with the current state on a periodical base, so new vulnerabilities that come up later can be detected and customers can be informed to update the software if the vulnerability might affect the product.

Installation

dotnet tool install TomsToolbox.NugetAudit -g

Usage

nuget-audit [file or directory]

Arguments

  • no arguments: all *.deps.json in the current directory will be scanned
  • file: the specified file is scanned
  • directory: all *.deps.json in the specified directory will be scanned

Sample output:

{
  "reportVersion": 1,
  "packages": {
    "Microsoft.IdentityModel.JsonWebTokens.6.32.2.0": {
      "id": "Microsoft.IdentityModel.JsonWebTokens",
      "version": "6.32.2.0",
      "vulnerabilities": [
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-8g9c-28fc-mcx2"
        },
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-59j7-ghrg-fj52"
        }
      ]
    },
    "System.IdentityModel.Tokens.Jwt.6.32.2.0": {
      "id": "System.IdentityModel.Tokens.Jwt",
      "version": "6.32.2.0",
      "vulnerabilities": [
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-8g9c-28fc-mcx2"
        },
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-59j7-ghrg-fj52"
        }
      ]
    }
  }
}

Nuget configuration

To be able to retrieve vulnerabilities, a source repository that supports this endpoint is needed, see e.g. Where do CVE/GHSA come from?

This tool only uses the first end point provided in you nuget.config and has only been tested against https://api.nuget.org/v3/index.json; the NuGet configuration is read starting at the current working directory, see

However, if there isn't some very customized configuration, this should be the default.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last updated
1.1.0 554 3/10/2024
1.0.0 307 2/22/2024