NuGet / Home

Repo for NuGet Client issues

NuGetAudit should check PackageDownload #13658

Open zivkan opened 4 months ago

zivkan commented 4 months ago

NuGet Product(s) Involved

NuGet.exe, Visual Studio Package Management UI, MSBuild.exe, dotnet.exe

The Elevator Pitch

NuGet has a feature intended for MSBuild SDKs to request NuGet to download a package on their behalf, but don't do any asset selection, package compatibility checks, or anything else. Just plain old download to a known location. The .NET SDK uses this to download platform specific runtime hosts, such as Microsoft.NETCore.App.Runtime.linux-x64.

These packages can have known security vulnerabilities. Therefore, Audit should warn customers about these.

Additional Context and Details

original feature spec, which might give some context for why it was added: https://github.com/NuGet/Home/wiki/%5BSpec%5D-PackageDownload-support
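As an added illustration (not code from the NuGet repo or the issue author), the following Python script shows the gap described above from the defender's side: it pulls the PackageDownload items out of a project file, checks that each is pinned to an exact `[x.y.z]` version as PackageDownload requires, and compares those versions against an advisory table. The sample project, the version numbers and the advisory entries are constructed for the example; a real check would consult the package source's vulnerability data instead.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file: a PackageDownload item of the kind the .NET SDK
# uses for runtime hosts. The version numbers are illustrative placeholders.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <NuGetAudit>true</NuGetAudit>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageDownload Include="Microsoft.NETCore.App.Runtime.linux-x64" Version="[8.0.0]" />
    <PackageDownload Include="Example.Host.win-x64" Version="[1.2.3]" />
  </ItemGroup>
</Project>"""

# Constructed advisory data (not real advisories): lower-cased package id -> (advisory id, first fixed version).
# Any PackageDownload pinned below the fixed version is reported.
SAMPLE_ADVISORIES = {
    "example.host.win-x64": ("EXAMPLE-ADVISORY-0001", "1.2.4"),
}

# PackageDownload only accepts an exact version written as a closed range, e.g. "[8.0.0]".
EXACT_RANGE = re.compile(r"^\[\s*([0-9][0-9A-Za-z.\-]*)\s*\]$")

def parse_version(text):
    """Turn '8.0.0' into a comparable tuple of ints; any prerelease label is ignored."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def package_downloads(csproj_xml):
    """Return (package id, exact version) pairs for every PackageDownload item in the project."""
    root = ET.fromstring(csproj_xml)
    items = []
    for el in root.iter("PackageDownload"):
        pkg_id = el.get("Include")
        version = el.get("Version") or (el.findtext("Version") or "")
        match = EXACT_RANGE.match(version.strip())
        if not pkg_id or not match:
            raise ValueError(f"PackageDownload {pkg_id!r} needs an exact [version], got {version!r}")
        items.append((pkg_id, match.group(1)))
    return items

def audit_package_downloads(csproj_xml, advisories=SAMPLE_ADVISORIES):
    """Report PackageDownload items whose pinned version is below the advisory's fixed version."""
    findings = []
    for pkg_id, version in package_downloads(csproj_xml):
        hit = advisories.get(pkg_id.lower())
        if hit and parse_version(version) < parse_version(hit[1]):
            findings.append((pkg_id, version, hit[0]))
    return findings

if __name__ == "__main__":
    for pkg_id, version, advisory in audit_package_downloads(SAMPLE_CSPROJ):
        print(f"{advisory}: {pkg_id} {version} is below the fixed version")
```

PackageReference items are deliberately skipped, since NuGetAudit already covers them; only the PackageDownload items that audit currently ignores are inspected.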

marcpopMSFT commented 1 month ago

For this item, we may want to coordinate because some of the solutions are for customers to upgrade their SDK. We probably want to ensure customers get a specific error message for that case rather than one about a vulnerable package.