-
Notifications
You must be signed in to change notification settings - Fork 483
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add security audit concept doc #3060
Merged
Merged
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
7f29a0c
Add security audit concept doc
JonDouglas ae4b9e5
Update docs/concepts/Auditing-Packages.md
JonDouglas 136eda6
Fix editing section
JonDouglas ab2b3f8
Update Auditing-Packages.md
JonDouglas 499b2d5
Add h1
JonDouglas cda04e1
Update Auditing-Packages.md
JonDouglas 9269104
Update docs/concepts/Auditing-Packages.md
JonDouglas 3abb595
Update Auditing-Packages.md
JonDouglas File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| --- | ||
| title: Auditing package dependencies for security vulnerabilities | ||
| description: How to audit package dependencies for security vulnerabilities and acting on security audit reports. | ||
| author: JonDouglas | ||
| ms.author: jodou | ||
| ms.date: 05/04/2023 | ||
| ms.topic: conceptual | ||
| --- | ||
|
|
||
| # Auditing package dependencies for security vulnerabilities | ||
|
|
||
| ## About security audits | ||
|
|
||
| A security audit for package managers like NuGet is a process that involves analyzing the security of the packages that are included in a software project. This involves identifying vulnerabilities, evaluating risks, and making recommendations for improving security. The audit can include a review of the packages themselves, as well as any dependencies and their associated risks. The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks. | ||
|
|
||
| > [!IMPORTANT] | ||
| > Security auditing at restore time is available in .NET 8 Preview 4+ and Visual Studio 17.7 Preview 2+. | ||
|
|
||
| ## Running a security audit with `restore` | ||
|
|
||
| The `restore` command automatically runs when you do a common package operation such as loading a project for the first time, adding a new package, updating a package version, or removing a package from your project in your favorite IDE. A description of your dependencies is checked against a report of known vulnerabilities on the [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget). | ||
|
|
||
| > [!IMPORTANT] | ||
| > For Audit to check packages, a package source that provides a vulnerability database must be used. | ||
| > NuGet.org's V3 URL is one such example (https://api.nuget.org/v3/index.json), but note that NuGet.org's V2 endpoint does not. | ||
|
|
||
| > [!NOTE] | ||
| > .NET 8 preview 5+ enables Audit by default, but Visual Studio 17.7 does not ship .NET 8. | ||
| > To opt-in to Audit explicitly, set `<NuGetAudit>true</NuGetAudit>` in your project file, or a *Directory.Build.props* file. | ||
|
|
||
JonDouglas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| 1. On the command line, navigate to your project or solution directory. | ||
| 2. Ensure your project or solution contains a `.csproj` file. | ||
| 3. Type `dotnet restore` or `restore` using your preferred tooling (i.e. MSBuild, NuGet.exe, etc). | ||
| 4. Review the audit report and address the known security vulnerabilities. | ||
|
|
||
| ## Reviewing and acting on the security audit report | ||
|
|
||
| Running `dotnet restore` will produce a report of security vulnerabilities with the affected package name, the severity of the vulnerability, and a link to the advisory for more details. | ||
|
|
||
| ### Security vulnerabilities found with updates | ||
|
|
||
| If security vulnerabilities are found and updates are available for the package, you can either: | ||
|
|
||
| - Edit the `.csproj` or other package version location (`Directory.Packages.props`) with a newer version containing a security fix. | ||
| - Use the NuGet package manager user interface in Visual Studio to update the individual package. | ||
| - Run the `dotnet add package` command with the respective package ID to update to the latest version. | ||
|
|
||
| ### Security vulnerabilities found with no updates | ||
|
|
||
| In the case that a known vulnerability exists in a package without a security fix, you can do the following. | ||
|
|
||
| - Check for any mitigating factors outlined in the advisory report. | ||
| - Use a suggested package if the package is marked deprecated or is abandoned. | ||
| - If the package is open source, consider contributing a fix. | ||
| - Open an issue in the package's issue tracker. | ||
|
|
||
| #### Check for mitigating factors | ||
|
|
||
| Review the security advisor for any mitigating factors that may allow you to continue using the package with the vulnerability. The vulnerability may only exist when the code is used on a specific framework, operating system, or a special function is called. | ||
JonDouglas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| #### Use a suggested package | ||
|
|
||
| In the case that a security advisory is reported for the package you're using and the package is marked deprecated or seems abandoned, consider using any suggested alternate package the package author has declared or a package comprising of similar functionality that is maintained. | ||
|
|
||
| #### Contribute a fix | ||
|
|
||
| If a fix does not exist for the security advisory, you may want to suggest changes that addresses the vulnerability in a pull request on package's open source repository or contact the author through the `Contact owners` section on the NuGet.org package detail page. | ||
|
|
||
| #### Open an issue | ||
|
|
||
| If you do not want to fix the vulnerability or are unable to update or replace the package, open an issue in the package's issue tracker or preferred contact method. On NuGet.org, you can navigate to the package details page and click `Report package` which will guide you to get in contact with the author. | ||
|
|
||
| ### No security vulnerabilities found | ||
|
|
||
| If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked. Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process. | ||
|
|
||
| ### Setting a security audit level | ||
JonDouglas marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| In cases where you only care about a certain threshold of a security advisory severity, you can set the `<NuGetAuditLevel>` MSBuild property to the desired level in which auditing will fail. Possible values are `low`, `moderate`, `high`, and `critical`. For example if you only want to see `moderate`, `high`, and `critical` advisories, you can set the following: | ||
|
|
||
| ```xml | ||
| <NuGetAuditLevel>moderate</NuGetAuditLevel> | ||
| ``` | ||
|
|
||
| ### Excluding advisories | ||
|
|
||
| There is no support for excluding individual advisories at this time. You can use `<NoWarn>` to suppress `NU1901`-`NU1904` warnings or use the `<NuGetAuditLevel>` functionality to ensure your audit reports are useful to your workflow. | ||
|
|
||
| ### Warning codes | ||
|
|
||
| | Warning Code | Severity | | ||
| |--------------|----------| | ||
| | NU1901 | low | | ||
| | NU1902 | moderate | | ||
| | NU1903 | high | | ||
| | NU1904 | critical | | ||
|
|
||
| ### Disabling security auditing | ||
|
|
||
| At any time you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the following MSBuild property in a `.csproj` or MSBuild file being evaluated as part of your project: | ||
|
|
||
| ```xml | ||
| <NuGetAudit>false</NuGetAudit> | ||
| ``` | ||
|
|
||
| ## Summary | ||
|
|
||
| Security auditing features are crucial for maintaining the security and integrity of software projects. These features provide you with an additional layer of protection against security vulnerabilities and ensures that you can use open source packages with confidence. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HTML ignores whitespace, and markdown converts any empty line into a new div or paragraph. So, I suggest starting every new sentence on a new line (without a line of whitespace, obviously), so that after the PR is merged, if someone edits a sentence in the paragraph, only 1 line in the diff will show changes, rather than the entire paragraph. This is particularly useful when git/github gets a bit confused and doesn't highlight what exactly changed in the line, which is more likely on very long lines.
Same for other multi-sentence paragraphs in this doc, please 😃