In this PR comment, it was highlighted that we might accidentally introduce (or re-introduce) vulnerable packages into SBRP without being aware of potential vulnerabilities until we check for them internally.
Given the complexity of removing certain packages in SBRP (adding a new package, waiting for rebootstrap, removing the old package, updating self-reference), it's crucial to avoid adding vulnerable packages whenever possible. Implementing a validation check in PRs to detect vulnerable packages would be beneficial. We need a solution that is easy to use and does not require submitting reports to an internal system. According to this blog post, the dotnet CLI can detect vulnerabilities using the command dotnet list package --vulnerable in projects, so we might be able to leverage that.
The other thing to consider is whether we'd want to detect already-checked-in packages for vulnerabilities, or if we'd rather only check packages being introduced in the PR.
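One way such a PR gate could look, as an added example that is not part of this issue or the SBRP repo: a small Python script that runs `dotnet list <project> package --vulnerable --include-transitive` for each project touched by the PR, parses the CLI's text report, and fails the check when any finding meets a severity threshold. The report layout it parses (the "Project `X` has the following vulnerable packages" header, the "Top-level Package" / "Transitive Package" tables, rows prefixed with `>`) is assumed to match the SDK's current text output; the helper names, the `SAMPLE_REPORT` text and the GHSA advisory URLs in it are constructed for illustration. The `changed_projects` helper addresses the second question above by limiting the scan to `.csproj` files changed against the base branch; pass every project instead to scan already-checked-in packages too.

```python
"""PR gate around `dotnet list package --vulnerable` (example, not SBRP code).

Assumes projects have already been restored (`dotnet restore`), since the
CLI reads the restore output to resolve package versions.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

PROJECT_RE = re.compile(r"^Project `(?P<name>[^`]+)` has the following vulnerable packages")
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    project: str
    package: str
    resolved: str
    severity: str
    advisory: str
    transitive: bool


def parse_vulnerable_report(text: str) -> list[Finding]:
    """Parse the text report of `dotnet list package --vulnerable`.

    Top-level rows have 5 columns (name, requested, resolved, severity, url);
    transitive rows have 4 (name, resolved, severity, url). Rows start with '>'.
    """
    findings: list[Finding] = []
    project = None
    transitive = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PROJECT_RE.match(line)
        if m:
            project = m.group("name")
            transitive = False
            continue
        if line.startswith("Top-level Package"):
            transitive = False
            continue
        if line.startswith("Transitive Package"):
            transitive = True
            continue
        if project is None or not line.startswith(">"):
            continue
        cols = line[1:].split()
        if transitive and len(cols) >= 4:
            pkg, resolved, severity, advisory = cols[0], cols[1], cols[2], cols[3]
        elif not transitive and len(cols) >= 5:
            pkg, resolved, severity, advisory = cols[0], cols[2], cols[3], cols[4]
        else:
            continue  # malformed row; ignore rather than crash the gate
        findings.append(Finding(project, pkg, resolved, severity, advisory, transitive))
    return findings


def at_or_above(findings: list[Finding], threshold: str) -> list[Finding]:
    """Keep findings whose severity is at least `threshold` (unknown = fail closed)."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 99) >= floor]


def changed_projects(base_ref: str = "origin/main", run=subprocess.run) -> list[Path]:
    """Projects whose .csproj changed in this PR relative to `base_ref`."""
    out = run(["git", "diff", "--name-only", f"{base_ref}...HEAD"],
              capture_output=True, text=True, check=True).stdout
    return [Path(p) for p in out.splitlines() if p.endswith(".csproj")]


def scan_projects(projects, include_transitive: bool = True, run=subprocess.run) -> list[Finding]:
    """Run the dotnet CLI per project and collect parsed findings."""
    findings: list[Finding] = []
    for proj in projects:
        cmd = ["dotnet", "list", str(proj), "package", "--vulnerable"]
        if include_transitive:
            cmd.append("--include-transitive")
        result = run(cmd, capture_output=True, text=True, check=False)
        findings.extend(parse_vulnerable_report(result.stdout))
    return findings


# Constructed sample mimicking the CLI's text report; advisory URLs are placeholders.
SAMPLE_REPORT = """\
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Sample.Lib` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > System.Text.Json     8.0.0       8.0.0      High       https://github.com/advisories/GHSA-xxxx-xxxx-xxxx

   Transitive Package      Resolved   Severity   Advisory URL
   > Example.Transitive    1.2.3      Moderate   https://github.com/advisories/GHSA-yyyy-yyyy-yyyy

Project `Sample.Clean` has no vulnerable packages given the current sources.
"""

if __name__ == "__main__":
    threshold = sys.argv[1] if len(sys.argv) > 1 else "Low"
    hits = at_or_above(scan_projects(changed_projects()), threshold)
    for f in hits:
        kind = "transitive" if f.transitive else "top-level"
        print(f"{f.project}: {f.package} {f.resolved} [{f.severity}, {kind}] {f.advisory}")
    sys.exit(1 if hits else 0)
```

Run it from CI as `python check_vulnerable.py Moderate` after `dotnet restore`; the non-zero exit fails the PR check, and the printed lines give the reviewer the package, version and advisory without anyone filing a report elsewhere.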