Scan nuget

[vbjay]

Report on nuget package usage that has a vulnerability.

• packages.config
• packagereference nodes in
  • *.*proj
  • *.props files

https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/

[vbjay]

Wow. Thanks. Need to take on a spin. If we can run as a build step in ci/cd pipeline this will rock. I love GitHub's dependabot but we have azure DevOps repos. So making this a build output updater and potentially a build failure cause would be awesome.

[carlin-q-scott]

@vbjay BetterScan uses osv-scanner and integrates with Azure DevOps. So as soon as this feature gets released, we can bug Marcinguy to pull in the update.

[carlin-q-scott]

@oliverchang When are we likely to see this get released?

[oliverchang]

@oliverchang When are we likely to see this get released?

@another-rex Let's cut a release this week!

[G-Rath]

fwiw ideally #124 should be addressed before a new release is cut

[G-Rath]

oh and #132 too 😅

[oliverchang]

This is now released! https://github.com/google/osv-scanner/releases/tag/v1.1.0

Note that this release only includes support for package.lock.json. I'm not familiar with NuGet as an ecosystem at all, but from the original issue it sounds like there might be more ways to specify dependencies ? (e.g. *.sln, *.props)

[piraces]

Hi! First of all thank you for the awesome work!
I want to say that I think this issue should not be closed, as @vbjay stated, it should review references in:

• packages.config
• packagereference nodes in
  • *.*proj
  • *.props files

With the latest version, using osv-scanner in dotnet projects does not detect vulnerable dependencies as the dotnet CLI does.
As a dotnet developer I can say also it's not so common to have package.lock.json in projects (unfortunately) 😢

[vbjay]

Hi! First of all thank you for the awesome work!
I want to say that I think this issue should not be closed, as @vbjay stated, it should review references in:

• packages.config
• packagereference nodes in
  • *.*proj
  • *.props files

With the latest version, using osv-scanner in dotnet projects does not detect vulnerable dependencies as the dotnet CLI does.
As a dotnet developer I can say also it's not so common to have package.lock.json in projects (unfortunately) 😢

Can you create a new issue linking to this one test demoing this discrepancy along with osv results vs dotnet list package --vulnerable and does the dotnet command handle all nuget ref types?

[vbjay]

Basically trying to determine if the scanner just needs to pull results from dotnet command run or if both have limitations.

[oliverchang]

types

+1, please open a new issue so we can track it :)

[piraces]

Opened in #298 , let me know if some things are not so well explained 👍
Thanks!