<p>As developers, we often pull in third-party NuGet packages to speed up development, but with that trust comes risk. Any of these packages may carry <b>known security vulnerabilities</b>, and if they go unchecked they become an easy entry point into your application. This is why <b>vulnerability detection in .NET</b> projects matters.</p>

<p>Starting with .NET SDK 5.0.200, Microsoft introduced a built-in auditing command:</p>
<CodeSnippet Number="1" Language="Bash" Description="Command to check for vulnerable packages">
dotnet list package --vulnerable
</CodeSnippet>

<p>This command checks the project's NuGet dependencies against the vulnerability data published by the configured package sources (nuget.org serves advisories from the GitHub Advisory Database). By default it reports only top-level packages; add <code>--include-transitive</code> to cover the packages your dependencies pull in. Each finding lists the package, the resolved version, a severity from Low to Critical and an advisory URL to investigate further. The command needs a prior <code>dotnet restore</code>, and it is a listing command: it reports findings but does not fail a build on its own.</p>

<p>But detection is only step one.</p>

<p>Vulnerability checks should be automated into your build or deployment workflows. Failing the build when vulnerabilities are found keeps insecure code out of production. A short shell or PowerShell script that runs the command and checks its output is enough to enforce this in local or CI pipelines, without relying on GitHub or any external tool.</p>
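Here is an added example of the shell enforcement just described; it is not the article's own script. It parses the text output of <code>dotnet list package --vulnerable --include-transitive</code> and returns a non-zero exit status when any package at or above a chosen severity is reported, which is what a CI job needs in order to fail. The sample output is constructed for the article's two sample packages with placeholder advisory URLs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: fail a CI job when
# `dotnet list package --vulnerable` reports a package at or above a chosen
# severity. The exit status a CI job keys on comes from parsing the command's
# output. Function names are this example's choice.

# Numeric rank for a severity name so a threshold can be compared.
severity_rank() {
  case "$1" in
    low|Low)           echo 1 ;;
    moderate|Moderate) echo 2 ;;
    high|High)         echo 3 ;;
    critical|Critical) echo 4 ;;
    *)                 echo 0 ;;
  esac
}

# Read `dotnet list package --vulnerable [--include-transitive]` output on
# stdin. Print "package version severity url" for each finding at or above
# the severity in $1 (default Low) and exit 1 if there was any, else 0.
# Package rows begin with ">" and always end with the Severity and Advisory
# URL columns, so the last fields are used instead of fixed positions; that
# lets the top-level table (Requested + Resolved) and the transitive table
# (Resolved only) be parsed with the same rule.
find_vulnerable() {
  min_rank=$(severity_rank "${1:-Low}")
  awk -v min="$min_rank" '
    function rank(s) {
      return (s == "Low") ? 1 : (s == "Moderate") ? 2 : (s == "High") ? 3 : (s == "Critical") ? 4 : 0
    }
    $1 == ">" && NF >= 5 {
      sev = $(NF - 1)
      if (rank(sev) >= min) {
        hits++
        print $2, $(NF - 2), sev, $NF
      }
    }
    END { exit (hits > 0) ? 1 : 0 }
  '
}

# CI entry point: restore first (the list command reads the restore output),
# then scan direct and transitive packages. The pipeline's exit status is the
# parser's, so the job fails on findings.
scan_project() {
  dotnet restore "$1" >/dev/null &&
    dotnet list "$1" package --vulnerable --include-transitive |
    find_vulnerable "${2:-Low}"
}

# Constructed sample output for the article's sample repo (the advisory URLs
# are placeholders, not real advisory identifiers).
SAMPLE_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `SampleApp` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Refit                7.2.1       7.2.1      Critical   https://example.invalid/advisories/refit
   > Newtonsoft.Json      12.0.3      12.0.3     High       https://example.invalid/advisories/newtonsoft-json
'

# Constructed output for a project with no findings.
CLEAN_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `SampleApp` has no vulnerable packages given the current sources.
'

# Usage in CI:   scan_project src/SampleApp.csproj High || exit 1
# Offline check: printf "%s" "$SAMPLE_OUTPUT" | find_vulnerable High
```

On the constructed sample, <code>find_vulnerable High</code> prints both packages and exits 1, <code>find_vulnerable Critical</code> prints only Refit, and the clean output exits 0. Run it from CI with <code>scan_project</code> and a threshold that matches your guidelines.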
<p>Equally important is the role of the <code>.csproj</code> file: it is the source of truth for every package reference, and a single vulnerable package it brings in, directly or through a transitive dependency, can compromise the entire application.</p>

</Section>

<Section Heading="NugetAudit to the rescue!">
<p>
NuGet 6.8 (shipped with the .NET 8 SDK) introduced the <code>NuGetAudit</code> MSBuild property, which moves vulnerability detection into restore and build time. When it is <code>true</code> (the default from that version on), NuGet audits the project's package references during restore and emits a warning for every known vulnerability it finds, so security issues surface before the application is deployed.
</p>

<p>
We are using a sample repo here which references the following packages:
</p>
<ul>
<li><code>Refit</code> version <b><i>7.2.1</i></b>, which has a <b>Critical</b> vulnerability</li>
<li><code>Newtonsoft.Json</code> version <b><i>12.0.3</i></b>, which has a <b>High</b> vulnerability</li>
</ul>

<p>To enable <code>NuGetAudit</code> explicitly, we can add the following to our <code>.csproj</code> file:</p>
<CodeSnippet Number="2" Language="xml" Description="Example .csproj file with NuGetAudit enabled">
<p>
When <code>NuGetAudit</code> is enabled, restore and build generate a warning for each NuGet package with a known vulnerability. Each warning names the affected package and version, its severity and the advisory URL.
</p>

<p>
You can control which audit warnings are raised with the <code>NuGetAuditLevel</code> property. It accepts the following values:
</p>
<ul>
<li><code>None</code>: no audit warnings are displayed.</li>
<li><code>Low</code>: warnings for vulnerabilities of Low severity or higher. This is the <b>default</b>.</li>
<li><code>Moderate</code>: warnings for vulnerabilities of Moderate severity or higher.</li>
<li><code>High</code>: warnings for vulnerabilities of High or Critical severity.</li>
<li><code>Critical</code>: warnings for Critical vulnerabilities only.</li>
</ul>
</Section>

<Section Heading="Lets explore some more scenarios">
<Section Heading="Disabling the audit mode" Level="5">
<p>When we disable auditing by setting <code>NuGetAudit</code> to <b>false</b> and run a <code>build / restore</code>, no audit warnings are produced for the vulnerable packages.</p>

<CodeSnippet Number="3" Language="xml" Description="Example .csproj file with NuGetAudit disabled">
<BlogImage ImagePath="/images/blog/vulnerability/auditing/Build failed with audit enabled.png" Description="Build passed with warnings" Number="2"/>

<p>With auditing enabled, the build completes but warns about both the critical and the high severity packages.</p>
<p>Depending on your security guidelines, you may want to flag only certain severity levels.</p>
</Section>

<Section Heading="Setting the severity level" Level="5">
<p>Depending on the security guidelines for our project, we may want to flag only a certain severity level and above. For this article, let's assume we only want to warn about critical vulnerabilities and leave the rest.</p>

<p>Let's set the severity level for our audit by keeping <code>NuGetAudit</code> set to <b>true</b>, setting <code>NuGetAuditLevel</code> to <b>critical</b>, and trying a <code>build / restore</code>:</p>

<CodeSnippet Number="4" Language="xml" Description="Example .csproj file with NugetAuditLevel defined">
<BlogImage ImagePath="/images/blog/vulnerability/auditing/Build passed with audit enabled and severity level defined.png" Description="Build passed with critical severity level warnings" Number="3"/>

<p>As we can see, the build now warns only about the critical severity package(s); the high severity finding for <code>Newtonsoft.Json</code> is no longer reported.</p>

</Section>

<Section Heading="Enforcing build failure for vulnerabilities" Level="5">
<p>Now, warnings are useful, but they can be ignored or missed, allowing vulnerabilities to creep into production code. To prevent this, the MSBuild property <code>WarningsAsErrors</code> takes a semicolon-separated list of warning codes and treats them as errors, which fails the build; NuGet honors it for the NU codes it raises during restore. The audit warning codes are listed in the table below.</p>
<table class="table table-bordered">
<thead class="thead-dark">
<tr>
<th>Warning Code</th>
<th>Reason</th>
</tr>
</thead>
<tbody>
<tr>
<td>NU1900</td>
<td>Error communicating with the package source while getting vulnerability information.</td>
</tr>
<tr>
<td>NU1901</td>
<td>Package with a Low severity vulnerability detected.</td>
</tr>
<tr>
<td>NU1902</td>
<td>Package with a Moderate severity vulnerability detected.</td>
</tr>
<tr>
<td>NU1903</td>
<td>Package with a High severity vulnerability detected.</td>
</tr>
<tr>
<td>NU1904</td>
<td>Package with a Critical severity vulnerability detected.</td>
</tr>
<tr>
<td>NU1905</td>
<td>An audit source does not provide a vulnerability database.</td>
</tr>
</tbody>
</table>

<p>Let's turn the critical warning into an error by setting <code>WarningsAsErrors</code> to <b>NU1904</b> and trying a <code>build / restore</code>:</p>

<CodeSnippet Number="5" Language="xml" Description="Example .csproj file with WarningsAsErrors defined">
<BlogImage ImagePath="/images/blog/vulnerability/auditing/Build failure with critical vulnerability.png" Description="Build failure with critical vulnerability" Number="4"/>

<p>As we can see, the build now fails on the critical severity package instead of merely warning about it.</p>
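As an added example (not the article's own code), the following shell script generates a <code>Directory.Build.props</code> that captures the <code>NuGetAudit</code>, <code>NuGetAuditLevel</code> and <code>WarningsAsErrors</code> settings discussed in this section and in the earlier "NugetAudit to the rescue!" section, so the policy applies to every project in the repository rather than to one <code>.csproj</code>. The function names, the output file name, the explicit <code>NuGetAuditMode</code> setting and the choice to also treat NU1900 as an error are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: emit a Directory.Build.props
# that applies the NuGet audit policy to every project beneath it. MSBuild
# imports Directory.Build.props automatically, so no .csproj can opt out by
# omission. Function names and the output file name are this example's choice.

# Warning codes the audit emits per severity (see the table in the article):
#   NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical.
# Print the codes at or above the given severity as a semicolon-separated
# list ready for <WarningsAsErrors>; fail on an unknown severity name.
audit_error_codes() {
  case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in
    low)      echo "NU1901;NU1902;NU1903;NU1904" ;;
    moderate) echo "NU1902;NU1903;NU1904" ;;
    high)     echo "NU1903;NU1904" ;;
    critical) echo "NU1904" ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# write_audit_props <report-level> <fail-level> [path]
#   report-level: lowest severity NuGet should warn about (NuGetAuditLevel)
#   fail-level:   lowest severity that turns into a build error
# NU1900 (vulnerability data could not be fetched) is always made an error,
# otherwise an unreachable feed in CI would pass as "no findings".
write_audit_props() {
  report=$(echo "$1" | tr '[:upper:]' '[:lower:]')
  out="${3:-Directory.Build.props}"
  audit_error_codes "$report" >/dev/null || return 1
  fail_codes=$(audit_error_codes "$2") || return 1
  cat > "$out" <<EOF
<Project>
  <PropertyGroup>
    <!-- Audit packages during restore. On by default since NuGet 6.8, stated explicitly so the policy is visible. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- Audit transitive packages too, not only direct references (ignored by NuGet versions that predate this property). -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity to warn about. -->
    <NuGetAuditLevel>$report</NuGetAuditLevel>
    <!-- Fail the build on these codes; keep whatever WarningsAsErrors already held. -->
    <WarningsAsErrors>\$(WarningsAsErrors);NU1900;$fail_codes</WarningsAsErrors>
  </PropertyGroup>
</Project>
EOF
}

# Example: warn on everything, fail only on critical findings.
# write_audit_props low critical && dotnet build
```

Keeping the report level below the fail level means the high and moderate findings still show up in the build log for triage, while only the severities your guidelines forbid break the build. Prepending <code>$(WarningsAsErrors)</code> preserves codes a project already lists, so the policy composes with existing settings instead of replacing them.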

</Section>
</Section>

<Section Heading="Conclusion">
<p>Vulnerability detection in .NET projects is a critical part of modern software development. With the built-in <code>dotnet list package --vulnerable</code> command and the <code>NuGetAudit</code> MSBuild property, developers can identify and address vulnerable dependencies before they ship, protecting sensitive data and helping meet security standards and best practices.</p>

<p>Integrating these checks into your CI/CD pipelines, and failing the build on the severities your guidelines call for, ensures vulnerabilities are detected early and keeps insecure code out of production systems.</p>
</Section>

<hr/>
<p>That's about it for this article. Hope you liked it.</p>