digitalcoyote / NuGetDefense

An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.
MIT License

Support for Central Package Management #115

Open ac931274 opened 1 year ago

ac931274 commented 1 year ago

Microsoft is now encouraging the use of Central Package Management (https://devblogs.microsoft.com/nuget/introducing-central-package-management/); this is where the version numbers for the NuGet packages are stored centrally in a solution. When running NuGetDefense on a solution that uses CPM you get the message "Warning : Unable to find a version for this package. It will be ignored." Please can you add support for CPM.

digitalcoyote commented 1 year ago

Absolutely. I'll start looking into this.

digitalcoyote commented 1 year ago

I'm still planning on adding this, but I've been dealing with extra hours for my day job (new responsibilities, frameworks, etc.). I'm also prioritizing some existing bugs and documentation. That said, if anyone gets this in a PR before I get to it, I'll definitely consider merging it in.

digitalcoyote commented 1 year ago

OK, so my first draft of how to handle this:

  1. Check for a new option in the config file for NuGetDefense (ex. CentralPackageManagementFilePath) that is a path to the Directory.Packages.props file (absolute or relative to the config file).
  2. Check the directory containing the project file, NuGetDefense.json (config file), and the parent directory of both of those for the Directory.Packages.props file. If it doesn't exist, assume that Central Package Management is not in use.
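
A sketch of that lookup order in C#, added here as an example and not NuGetDefense's own code: the class and method names are assumed, the configured path corresponds to the proposed CentralPackageManagementFilePath option, and the directory walk goes beyond the two steps above by checking every ancestor of the project and config directories rather than only the immediate parent, which is how NuGet itself locates Directory.Packages.props.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

// Hypothetical helper (not NuGetDefense code): find Directory.Packages.props per the proposed lookup, then read its versions.
public static class CpmResolver
{
    // Step 1: an explicit path from NuGetDefense.json (absolute, or relative to the config
    // file). Step 2: the project directory, the config directory, and their ancestors.
    public static string FindPropsFile(string projectFile, string configFile, string configuredPath)
    {
        string configDir = Path.GetDirectoryName(Path.GetFullPath(configFile));
        if (!string.IsNullOrEmpty(configuredPath))
        {
            string explicitPath = Path.IsPathRooted(configuredPath)
                ? configuredPath
                : Path.Combine(configDir, configuredPath);
            // An explicit but missing path is a config error, so do not fall back silently.
            return File.Exists(explicitPath) ? Path.GetFullPath(explicitPath) : null;
        }
        string projectDir = Path.GetDirectoryName(Path.GetFullPath(projectFile));
        foreach (string start in new[] { projectDir, configDir })
        {
            // Walk upward: NuGet imports the nearest Directory.Packages.props above the project.
            for (string dir = start; dir != null; dir = Path.GetDirectoryName(dir))
            {
                string candidate = Path.Combine(dir, "Directory.Packages.props");
                if (File.Exists(candidate)) return candidate;
            }
        }
        return null; // no props file found: assume Central Package Management is not in use
    }

    // Maps package id -> version from <PackageVersion Include="..." Version="..." /> items.
    // Assumes the props file uses no XML namespace on <Project>, which is the CPM default.
    public static Dictionary<string, string> ReadVersions(string propsFile)
    {
        var versions = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (XElement item in XDocument.Load(propsFile).Descendants("PackageVersion"))
        {
            string id = (string)item.Attribute("Include");
            string version = (string)item.Attribute("Version");
            if (!string.IsNullOrEmpty(id) && !string.IsNullOrEmpty(version))
                versions[id] = version; // a duplicate id keeps the last entry
        }
        return versions;
    }
}
```

A null result from FindPropsFile means the existing "Unable to find a version" path still applies; otherwise the dictionary from ReadVersions supplies the version for any PackageReference that carries no Version attribute of its own.
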
digitalcoyote commented 9 months ago

I haven't gotten a chance to look at this in months. Anyone willing to look into it would be appreciated. Otherwise I'll try to get to it soon.