
Missing audit warnings from "nuget install" when nuget.org is not a package source #14096

Open
hickford opened this issue Feb 12, 2025 · 1 comment
Labels
Area:NuGetAudit Functionality:Install The install command in VS/nuget.exe Priority:2 Issues for the current backlog. Type:Bug

Comments


hickford commented Feb 12, 2025

NuGet Product Used

NuGet.exe

Product Version

NuGet Version: 6.12.2.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Read https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#audit-sources

audit sources can be used to use nuget.org (or any other source that provides vulnerability information) without also using it as a package source.

Edit nuget.config to include nuget.org as an audit source, but not a package source.

<configuration>
    <packageSources>
        <clear />
        <add key="hippo" value="https://artifactory.example.com/artifactory/api/nuget/v3/hippo/index.json" />
    </packageSources>
    <auditSources>
        <clear />
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    </auditSources>
</configuration>

Then run nuget install on a packages.config that includes vulnerable packages.

What I expected:

Audit warnings such as

WARNING: NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, GHSA-59j7-ghrg-fj52
WARNING: NU1902: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, GHSA-59j7-ghrg-fj52

What actually happens:

Packages installed without any audit warnings.

nuget install System.IdentityModel.Tokens.Jwt -Version 1.0.0
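As an added example, not code from the issue or from NuGet itself: an offline re-creation of the audit step that the report says `nuget install` skips, matching the packages in a packages.config against vulnerability data in the shape of an audit source's VulnerabilityInfo resource and printing NU190x lines like the ones expected above. The VulnerabilityInfo layout (lowercase package id mapping to entries with url, severity 0-3 and a NuGet version range) and the NU1901-NU1904 severity codes are assumed from NuGet's published format; the packages.config, the affected version range and the constants PACKAGES_CONFIG and VULN_DATA are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET
# NuGet audit severities 0-3 and the warning code each maps to (assumed mapping)
SEVERITY = {0: ("NU1901", "low"), 1: ("NU1902", "moderate"),
            2: ("NU1903", "high"), 3: ("NU1904", "critical")}

# Constructed packages.config: the two packages from the issue plus one clean package
PACKAGES_CONFIG = """<packages>
  <package id="Microsoft.IdentityModel.JsonWebTokens" version="5.6.0" />
  <package id="System.IdentityModel.Tokens.Jwt" version="5.6.0" />
  <package id="Newtonsoft.Json" version="13.0.3" />
</packages>"""

# Constructed data in the shape of an audit source's VulnerabilityInfo JSON
# (lowercase package id -> list of {url, severity, versions}); the range is made up
VULN_DATA = json.loads("""{
  "microsoft.identitymodel.jsonwebtokens": [{"url": "GHSA-59j7-ghrg-fj52", "severity": 1, "versions": "[5.1.0, 6.34.0)"}],
  "system.identitymodel.tokens.jwt": [{"url": "GHSA-59j7-ghrg-fj52", "severity": 1, "versions": "[5.1.0, 6.34.0)"}]
}""")

def parse_version(v):
    # Numeric components only; a prerelease suffix such as "-beta1" is ignored
    return tuple(int(p) for p in v.split("-")[0].split("."))

def in_range(version, spec):
    # NuGet bracket range syntax: "[5.1.0, 6.34.0)", "(, 6.34.0)", "[5.6.0]"
    lo_inc, hi_inc = spec[0] == "[", spec[-1] == "]"
    bounds = [b.strip() for b in spec[1:-1].split(",")]
    lo, hi = (bounds[0], bounds[0]) if len(bounds) == 1 else bounds
    v = parse_version(version)
    if lo and (v < parse_version(lo) or (v == parse_version(lo) and not lo_inc)):
        return False
    if hi and (v > parse_version(hi) or (v == parse_version(hi) and not hi_inc)):
        return False
    return True

def installed_packages(packages_config_xml):
    return [(p.get("id"), p.get("version"))
            for p in ET.fromstring(packages_config_xml).iter("package")]

def audit(packages, vuln_data):
    # One NU190x line per matching advisory, in the format nuget.exe prints
    warnings = []
    for pkg_id, version in packages:
        for adv in vuln_data.get(pkg_id.lower(), []):
            if in_range(version, adv["versions"]):
                code, label = SEVERITY[adv["severity"]]
                warnings.append(f"WARNING: {code}: Package '{pkg_id}' {version} has a known "
                                f"{label} severity vulnerability, {adv['url']}")
    return warnings
```

Running `audit(installed_packages(PACKAGES_CONFIG), VULN_DATA)` yields the two NU1902 warnings the report expects and nothing for the clean package.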

@hickford hickford changed the title Missing audit warnings Missing audit warnings from "nuget install" when nuget.org is not a package source Feb 12, 2025
@Nigusu-Allehu Nigusu-Allehu added Functionality:Install The install command in VS/nuget.exe Area:NuGetAudit and removed Triage:Untriaged labels Feb 15, 2025
@jeffkl jeffkl added the Priority:2 Issues for the current backlog. label Feb 20, 2025

jeffkl commented Feb 20, 2025

Team Triage: install should audit individual packages
