Requests to support .NET Team Workflows

richlander commented 1 month ago

We've been using Audit. Here are some requests, categorized by need.

In general, we want Audit to be a great dev tool and not to be enabled in CI (in its current form). This duality-experience isn't well-supported today.

Dev-time

dotnet add package should fail for vulnerable packages. It's not obvious why success + warn is the best model, particularly for conservative organizations.
dotnet add package should have some form of --transitive-cpm as a CLI gesture for adding transitive CPM dependencies.
dotnet list package --include-transitive --vulnerable seems like a lot of ceremony to get a full list of vulnerable packages. There should be a low-ceremony way to get this information.

CI

A commit check (like how linters work) would be a great way to run Audit. This means that if a PR was green and a new relevant vulnerability was published, the PR would still be mergeable with no warnings. This is the same way linters work. If the source doesn't change, there are no new errors. This somewhat aligns with a "config as code" regime.
Post-merge, CI builds never fail due to Audit and Audit doesn't download the vulnerability data since it isn't being used.
We don't need to add nuget.org as an audit source. Every AzDo feed should expose the same information. It's just a feature of both nuget.org and Azdo.

Auxiliary testing

There is a good pattern to re-enable Audit for non-CI builds, like a rolling build.
There is a way to use Audit with additional (pre-disclosure) vulnerability information.
Audit also flags deprecated packages, which are assumed vulnerable. - https://github.com/NuGet/Home/issues/12244

Binary layouts

We also ship apps (primarily tools). These often get scanned in container images by third party scanners. We'd like to be able to scan apps using the same database (including an affordance for using pre-disclosure data). cargo audit supports this, for example.

Publisher tools

More streamlined model for deprecating packages.

microsoft-github-policy-service[bot] commented 1 month ago

@richlander Issue is missing Type label, remember to add a Type label

microsoft-github-policy-service[bot] commented 1 month ago

Issue is missing Type label, remember to add a Type label

nkolev92 commented 1 month ago

This probably becomes an epic of some sorts. Some of these asks are already tracked, so I'll edit in links where I know the issues.

NuGet / Home