dotnet / source-build

A repository to track efforts to produce a source tarball of the .NET Core SDK and all its components
MIT License
265 stars 132 forks source link

Consider adding vulnerability detection to PR checks in SBRP #4577

Open ellahathaway opened 2 months ago

ellahathaway commented 2 months ago

In this PR comment, it was highlighted that we might accidentally introduce (or re-introduce) vulnerable packages into SBRP without being aware of potential vulnerabilities until we check for them internally.

Given the complexity of removing certain packages in SBRP (adding a new package, waiting for rebootstrap, removing the old package, updating self-reference), it's crucial to avoid adding vulnerable packages whenever possible. Implementing a validation check in PRs to detect vulnerable packages would be beneficial. We need a solution that is easy to use and does not require submitting reports to an internal system. According to this blog post, the dotnet CLI can detect vulnerabilities using the command dotnet list package --vulnerable in projects, so we might be able to leverage that.

The other thing to consider is whether we'd want to detect already-checked-in packages for vulnerabilities, or if we'd rather only check packages being introduced in the PR.

ellahathaway commented 2 months ago

See also https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

ellahathaway commented 2 months ago

See also https://github.com/dotnet/arcade/issues/15019

mthalman commented 2 months ago

Related to https://github.com/dotnet/source-build/issues/3559