
dotnet list package vulnerable

Xavier Decoster edited this page Oct 28, 2019 · 6 revisions

Issue

Part of Feature Spec: Flag vulnerable packages

8716 - Support Package Vulnerability feature in clients (phase 1)

Problem Background

Developers take a dependency on a set of packages, directly or indirectly (through transitive dependencies), and have no way to know whether any of those dependencies bring in known vulnerabilities.

NuGet should be able to flag vulnerable packages used in projects/solutions. To support this capability from the command line, a new dotnet.exe CLI option will be introduced.

This CLI command provides a way to verify already installed (direct and indirect) dependencies against known vulnerabilities.

Who are the customers

All .NET Core customers.

Requirements

It must be possible to combine the --vulnerable command option with the following flags:

  • --include-transitive
  • --source
  • --config
  • --framework
  • --interactive
  • --help
  • --include-prerelease (currently requires --outdated or --deprecated option)
  • --highest-minor (currently requires --outdated or --deprecated option)
  • --highest-patch (currently requires --outdated or --deprecated option)

Combining the --vulnerable command option with the following flags will not be supported at this time:

  • --outdated
  • --deprecated

Solution

We'll introduce a new --vulnerable command option to the existing dotnet list package command.

DotNet CLI

The dotnet CLI repository must be updated to:

  • forward the --vulnerable command option for the dotnet list package command,
  • handle the invalid combinations of command options, such as --vulnerable --outdated and --vulnerable --deprecated.

NuGet xplat CLI

The nuget xplat CLI code must be updated to:

  • handle the new --vulnerable command option for the dotnet list package command,
  • handle the invalid combinations of command options, such as --vulnerable --outdated and --vulnerable --deprecated.
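The option-combination rules above (the three report options are mutually exclusive; several other options require one of them) are small enough to model and test directly. The following is an added example, not code from NuGet or the dotnet CLI: it checks a `dotnet list package` argument list against those rules. The two error messages for the --outdated/--vulnerable and --deprecated/--vulnerable pairs are the ones this spec shows; the message for an option that is missing its required report option is an assumption, since the spec states the requirement but not the wording.

```python
"""Option-combination checker for `dotnet list package` (added example, not NuGet's code)."""

# The three report modes; the spec says they cannot be combined with each other.
REPORT_OPTIONS = {"--outdated", "--deprecated", "--vulnerable"}

# Options whose --help text reads "Requires the '--outdated', '--deprecated', or '--vulnerable' option."
REQUIRES_REPORT_OPTION = {
    "--include-prerelease", "--highest-patch", "--highest-minor", "--config", "--source",
}

# Options that consume the next token as their value (so the value is not read as an option).
VALUE_OPTIONS = {"--framework", "--config", "--source"}


def parse_options(args):
    """Collect the option names in args; positional arguments (e.g. MyProject.csproj)
    and option values are skipped."""
    opts = set()
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            opts.add(tok)
            if tok in VALUE_OPTIONS:
                i += 1  # skip the value, e.g. netcoreapp3.0 after --framework
        i += 1
    return opts


def validate(args):
    """Return None when the combination is allowed, else the error message to print."""
    opts = parse_options(args)
    reports = sorted(opts & REPORT_OPTIONS)
    if len(reports) > 1:
        # Wording taken from the spec's examples; sorting yields the spec's order
        # ('--deprecated' before '--vulnerable', '--outdated' before '--vulnerable').
        return (f"Invalid command. Combining '{reports[0]}' and '{reports[1]}' "
                "options is not supported.")
    if not reports:
        for opt in sorted(opts & REQUIRES_REPORT_OPTION):
            # Assumed wording: the spec states the requirement but not the message text.
            return (f"Invalid command. The '{opt}' option requires the "
                    "'--outdated', '--deprecated', or '--vulnerable' option.")
    return None


if __name__ == "__main__":
    for cmd in (["MyProject.csproj", "--vulnerable"],
                ["--vulnerable", "--include-transitive", "--framework", "netcoreapp3.0"],
                ["--outdated", "--vulnerable"],
                ["--deprecated", "--vulnerable"],
                ["--highest-minor"]):
        print(" ".join(cmd), "->", validate(cmd) or "ok")
```

Both the dotnet CLI and the NuGet xplat CLI layers described above need the same check; keeping the rule tables in one place (as here) avoids the two layers drifting apart when an option is added.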

Command Output

Help

The --help output must be updated to include the new --vulnerable option. Other existing options should refer to the --vulnerable option as needed.

Usage: dotnet list <PROJECT | SOLUTION> package [options]

Arguments:
  <PROJECT | SOLUTION>   The project or solution file to operate on. If a file is not specified, the command will search the current directory for one.

Options:
  -h, --help                                Show command line help.
  --outdated                                Lists packages that have newer versions. Cannot be combined with '--deprecated' or '--vulnerable' options.
  --deprecated                              Lists packages that have been deprecated. Cannot be combined with '--outdated' or '--vulnerable' options.
  --vulnerable                              Lists packages that have known vulnerabilities. Cannot be combined with '--outdated' or '--deprecated' options.
  --framework <FRAMEWORK | FRAMEWORK\RID>   Chooses a framework to show its packages. Use the option multiple times for multiple frameworks.
  --include-transitive                      Lists transitive and top-level packages.
  --include-prerelease                      Consider packages with prerelease versions when searching for newer packages. Requires the '--outdated', '--deprecated', or '--vulnerable' option.
  --highest-patch                           Consider only the packages with matching major and minor version numbers when searching for newer packages. Requires the '--outdated', '--deprecated', or '--vulnerable' option.
  --highest-minor                           Consider only the packages with a matching major version number when searching for newer packages. Requires the '--outdated', '--deprecated', or '--vulnerable' option.
  --config <CONFIG_FILE>                    The path to the NuGet config file to use. Requires the '--outdated', '--deprecated', or '--vulnerable' option.
  --source <SOURCE>                         The NuGet sources to use when searching for newer packages. Requires the '--outdated', '--deprecated', or '--vulnerable' option.

Outdated

dotnet list package --outdated

Lists which installed packages have newer versions available.

If any of the outdated packages is vulnerable, a (V) marker is printed next to the version indicating the package version is known to be vulnerable.

Combining the --vulnerable option with the --outdated option is (currently) not supported. When doing so, the following error message will be presented:

> dotnet list package --outdated --vulnerable

Invalid command. Combining '--outdated' and '--vulnerable' options is not supported.

Important! Installed packages that are vulnerable but not outdated will not be part of this command's output.

A description is printed to the console explaining what the (V) marker means.

> dotnet list package --outdated

The following sources were used:
   nuget.org - https://api.nuget.org/v3/index.json
   Local - C:\NuGet\NuGetLocal

3 packages need your attention - 2 outdated, 1 deprecated.

Package                Current     Wanted      Latest
EntityFramework        6.1.2       6.1.2       6.2.0
NUnit                  2.4.0       2.6.4       3.8.1  
My.Sample.Pkg          2.1.3 (V)   4.1.0       4.1.0

(V): Vulnerable package(s). Use 'dotnet list package --vulnerable' for more info.

Deprecated

dotnet list package --deprecated

Lists which installed packages have been deprecated.

If any of the deprecated packages is vulnerable, a (V) marker is printed next to the version indicating the package version is known to be vulnerable.

Combining the --vulnerable option with the --deprecated option is (currently) not supported. When doing so, the following error message will be presented:

> dotnet list package --deprecated --vulnerable

Invalid command. Combining '--deprecated' and '--vulnerable' options is not supported.

Important! Installed packages that are vulnerable but not deprecated will not be part of this command's output.

A description is printed to the console explaining what the (V) marker means.

> dotnet list package --deprecated

The following sources were used:
   nuget.org - https://api.nuget.org/v3/index.json
   Local - C:\NuGet\NuGetLocal

Project `ClassLibrary1` uses the following deprecated packages
   [netcoreapp2.0]:
   Top-level Package              Resolved     Reason                 Alternative
   > My.Legacy.Package            2.0.0        Legacy                 My.Awesome.Package >= 3.0.0
   > My.Buggy.Package             1.1.0        Critical Bugs          My.NotBuggy.Package >= 2.0.0
   > My.Deprecated.Package        3.2.1        Other                  My.NotBuggy.Package >= 2.0.0
   > My.CompletelyBroken.Package  0.9.0  (V)   Legacy, Critical Bugs  My.Awesome.Package >= 1.0.0

> To see all packages including transitive packages, additional option `--include-transitive` can be used.
(V): Vulnerable package(s). Use 'dotnet list package --vulnerable' for more info.

Vulnerable

dotnet list package --vulnerable

Lists which installed packages have known vulnerabilities.

> dotnet list package --vulnerable

The following sources were used:
   nuget.org - https://api.nuget.org/v3/index.json
   Local - C:\NuGet\NuGetLocal

Project `ClassLibrary1` uses the following vulnerable packages
   [netcoreapp2.0]:
   Top-level Package              Resolved     Vulnerability          Fixed Version
   > My.Vulnerable.Package        2.0.0        CVE-0001               N/A
   > My.Fixed.Package             1.1.0        CVE-0002, CVE-0003     My.Fixed.Package >= 2.0.0

> To see all packages including transitive packages, additional option `--include-transitive` can be used.
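The console output above is what a build pipeline would consume until restore-time flagging exists (see the next section). The following is an added example, not NuGet's own code: it parses the --vulnerable table and the (V) markers that the Outdated and Deprecated sections add to their output, merges the results, and returns a non-zero exit code so a CI step can fail on a known-vulnerable package. The sample outputs embedded below are copied from this spec's examples; the column layout assumed here (fields separated by two or more spaces, rows prefixed with ">") follows those samples and is not a documented output contract.

```python
"""Parse `dotnet list package` output for vulnerable packages (added example, not NuGet's code)."""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^\d+(\.\d+)+")


@dataclass(frozen=True)
class VulnerablePackage:
    package: str
    version: str
    vulnerabilities: tuple = ()  # IDs from the Vulnerability column; empty for (V)-only rows
    fixed: str = ""              # Fixed Version column; empty when this output does not show it


def _fields(line):
    """Split a table row on runs of two or more spaces, dropping the leading '>'."""
    return re.split(r"\s{2,}", line.strip().lstrip(">").strip())


def parse_vulnerable_output(text):
    """Rows of the --vulnerable table: package, resolved version, IDs, fixed version."""
    found, in_table = [], False
    for line in text.splitlines():
        if "Vulnerability" in line and "Fixed Version" in line:
            in_table = True  # column header seen; rows follow
            continue
        if not in_table or not line.lstrip().startswith(">"):
            continue
        fields = _fields(line)
        if len(fields) < 4 or not VERSION_RE.match(fields[1]):
            continue  # e.g. the "> To see all packages ..." hint line
        package, version, vulns, fixed = fields[:4]
        ids = tuple(v.strip() for v in vulns.split(","))
        found.append(VulnerablePackage(package, version, ids, fixed))
    return found


def parse_marked_packages(text):
    """Rows carrying the (V) marker in --outdated or --deprecated output."""
    found = []
    for line in text.splitlines():
        if "(V)" not in line:
            continue
        fields = _fields(line)
        versions = [f for f in fields[1:] if VERSION_RE.match(f)]
        if not versions:
            continue  # the legend "(V): Vulnerable package(s)..." has no version column
        found.append(VulnerablePackage(fields[0], VERSION_RE.match(versions[0]).group(0)))
    return found


def find_vulnerable(vulnerable_output="", outdated_output="", deprecated_output=""):
    """Merge all three views, one entry per (package, version)."""
    seen, merged = set(), []
    for pkg in (parse_vulnerable_output(vulnerable_output)
                + parse_marked_packages(outdated_output)
                + parse_marked_packages(deprecated_output)):
        key = (pkg.package, pkg.version)
        if key not in seen:
            seen.add(key)
            merged.append(pkg)
    return merged


def exit_code(packages):
    """1 when anything vulnerable was found (fail the build), else 0."""
    return 1 if packages else 0


# Sample output copied from this spec's --vulnerable and --outdated examples.
VULNERABLE_SAMPLE = """\
Project `ClassLibrary1` uses the following vulnerable packages
   [netcoreapp2.0]:
   Top-level Package              Resolved     Vulnerability          Fixed Version
   > My.Vulnerable.Package        2.0.0        CVE-0001               N/A
   > My.Fixed.Package             1.1.0        CVE-0002, CVE-0003     My.Fixed.Package >= 2.0.0

> To see all packages including transitive packages, additional option `--include-transitive` can be used.
"""

OUTDATED_SAMPLE = """\
Package                Current     Wanted      Latest
EntityFramework        6.1.2       6.1.2       6.2.0
NUnit                  2.4.0       2.6.4       3.8.1
My.Sample.Pkg          2.1.3 (V)   4.1.0       4.1.0

(V): Vulnerable package(s). Use 'dotnet list package --vulnerable' for more info.
"""

if __name__ == "__main__":
    hits = find_vulnerable(VULNERABLE_SAMPLE, OUTDATED_SAMPLE)
    for pkg in hits:
        print(f"{pkg.package} {pkg.version} {', '.join(pkg.vulnerabilities) or '(V)'} fix: {pkg.fixed or '?'}")
    raise SystemExit(exit_code(hits))
```

Because --vulnerable cannot be combined with --outdated or --deprecated, a pipeline that wants all three views has to run the command three times and merge, which is what find_vulnerable does; the (V) marker alone carries no vulnerability ID or fixed version, so only the --vulnerable run is used to populate those fields.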

Flagged during/after restore

This is out of scope for the MVP of this feature, but is on the roadmap for a future iteration.

Examples

  • List vulnerable package references of a specific project (top-level dependencies only):

    dotnet list package MyProject.csproj --vulnerable
  • List vulnerable package references, including transitive dependencies:

    dotnet list package --vulnerable --include-transitive
  • List vulnerable package references for a specific target framework:

    dotnet list package --vulnerable --framework netcoreapp3.0
  • List vulnerable package references, including prerelease versions:

    dotnet list package --vulnerable --include-prerelease

Open Questions

  • We need a single command to show all updates, vulnerabilities and deprecations as well. How?

References
