Closed dealproc closed 5 years ago
Can you use a lock file instead to capture the full closure of your project's package dependencies? https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file
Alternatively, you can build your project and look at the project.assets.json file that's built under the obj directory. The libraries element will list the full closure of your project's dependencies.
Ok. I found something within nuget for dotnet core that gave me some of what I need... so the last step is going to be figuring out a way to have the cmd query "something" to see if there are security vulnerabilities. If you happen to have any ideas/suggestions, I'm going to ping the nuget team about this.
There's no way for you to query known security vulnerabilities today. We're working on this, for more information see: https://github.com/NuGet/Home/wiki/Deprecate-packages
So, as part of PA-DSS/PCI-DSS, I am tasked with preparing reports of what dlls (nuget packages) we use within each of our software solutions. I have to manually build this information at this point, but was wondering if you had an available API to utilize whereby we could, at a minimum, pull the nupkg dependency graph for all dependencies to ensure that we have all the nupkgs that are actually used by the project.
Bonus points if there is an availability to also get streams [somehow] of resources per-package for security packages, etc. I know that there is an OSS tool that can do some of the security bits, but not sure how comprehensive that is, and how we would subscribe to things that are not openly posted.