TomsToolbox.NugetAudit 1.1.0

dotnet tool install --global TomsToolbox.NugetAudit --version 1.1.0                
This package contains a .NET tool you can call from the shell/command line.
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local TomsToolbox.NugetAudit --version 1.1.0                
This package contains a .NET tool you can call from the shell/command line.
#tool dotnet:?package=TomsToolbox.NugetAudit&version=1.1.0                
nuke :add-package TomsToolbox.NugetAudit --version 1.1.0                

NugetAudit

Build status NuGet Status

A DotNet command line tool to create a vulnerability report from an applications *.deps.json file

Intention of this tool

This tool can be used to create a vulnerability report based on the binary deliveries, excluding all build time dependencies.

Unlike dotnet list package --vulnerable it only works on the build output, not on the sources, so it generates a reproducible result even when projects use e.g. floating package versions.

It's e.g. useful to create a snapshot of the know vulnerabilities at release time and then compare with the current state on a periodical base, so new vulnerabilities that come up later can be detected and customers can be informed to update the software if the vulnerability might affect the product.

Installation

dotnet tool install TomsToolbox.NugetAudit -g

Usage

NugetAudit [--package-source <String>] [--use-config] [--config-name <String>] [--help] [--version] file-or-directory

NugetAudit

Arguments:
  0: file-or-directory    Path to a dependency file or a directory with files '*.deps.json' (Default: .)

Options:
  --package-source <String>    The package source used to get the vulnerability info (Default: https://api.nuget.org/v3/index.json)
  --use-config                 Ignore 'package-source' and read package source from nuget.config
  --config-name <String>       The name of the source, if 'use-config' is true
  -h, --help                   Show help message
  --version                    Show version

Sample output:

{
  "reportVersion": 1,
  "sourceRepository": "https://api.nuget.org/v3/index.json",
  "packages": {
    "Microsoft.IdentityModel.JsonWebTokens.6.32.2.0": {
      "id": "Microsoft.IdentityModel.JsonWebTokens",
      "version": "6.32.2.0",
      "vulnerabilities": [
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-8g9c-28fc-mcx2"
        },
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-59j7-ghrg-fj52"
        }
      ]
    },
    "System.IdentityModel.Tokens.Jwt.6.32.2.0": {
      "id": "System.IdentityModel.Tokens.Jwt",
      "version": "6.32.2.0",
      "vulnerabilities": [
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-8g9c-28fc-mcx2"
        },
        {
          "severity": 1,
          "advisoryUrl": "https://github.com/advisories/GHSA-59j7-ghrg-fj52"
        }
      ]
    }
  }
}

Nuget configuration

To be able to retrieve vulnerabilities, a source repository that supports the package metadata is needed, see e.g. Where do CVE/GHSA come from?.

This tool uses https://api.nuget.org/v3/index.json by default, which supports the package metadata endpoint for vulnerabilities.

An alternate repository can be specified in the command line or via nuget.config Config file locations and uses.

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

Version Downloads Last updated
1.1.0 967 3/10/2024
1.0.0 335 2/22/2024