Mirrors
/
NuGet.Home
mirror of https://github.com/NuGet/Home.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dev-nyenework-dlp-auditsources
dev-oliag-update-command
dev
dev-nyenework-audit-packagedownlaod
dev-martinrrm-origins-paths-in-pmui
end-of-life
albarry-bluecheck
dev-donnie-msft-recommenderService
dev-nyenework-pmui-packagesource
dev-nyenework-disableTLScertificateValidation
dev-nkolev92-tfmaliases
dev-donnie-msft-sourceMapperVS
sponsor-link
dev-nyenework-spec-for-nuget-search
dev-nkolev92-removeRedundantTemplateInfo
dev-kpms-dcr-feature-compliance-reminder-bot
vs-filters-sorts
dev-martinrrm-allow-version-property-in-projectreference
dev-eryondon-privateasset-vs-includeexclude-asset
dev-eryondon-ExcludedAssetsFlow
dev-zivkan-plain-text-apikey
dev-eryondon-privateasset-vs-includeexclude-asset2
package-status-indicators
fabricbot-configuration-migration
package-scoring-v1
dev-pragnya17-CPMDotnetCLISupport
zivkan-icebox-upvote-watcher
dotnet-update-package
transitive-list-expanded-by-default
dev-hengliu-sign-verbosity
dotnet-audit
dev-donnie-msft-pmuiArchRefactoringMd
chgill-proposal-login-auth-for-dotnet-nuget-push
donnie-msft-FloatingVersionsSpecFix
dev-donnie-msft-NuGetPMUIWindowAPI
dev-kartheekp-ms-uidelay8675-spec
3.2-RC-10488
2.8.7
3.1
3.1.1
3.2
3.3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fa972093c3'
${ noResults }
NuGet.Home/accepted/2020/PackageVulnerability/FlagVulnerablePackages.md

5.7 KiB
Raw Blame History

Flag vulnerable packages - Stage 1

Issue

Flag vulnerable packages #8087

Problem

Today developers take dependency on a set of packages directly or indirectly (through transitive dependencies) and have no way to understand if any of their dependencies bring in any known vulnerabilities.

Goals

This is a security feature aiming to fill a gap in the .NET package management ecosystem known as package vulnerability auditing.

NuGet should be able to flag vulnerable packages used in projects/solutions.

The ultimate goal is to reduce exposure to known vulnerabilities in NuGet packages, and increase adoption rate of fixes for those known vulnerabilities.

Non-Goals

  • At this point, NuGet.org won't have a way for users to input vulnerability data into the system. All vulnerability data will be sourced from external systems. (no self-reporting)
  • This feature is an enhancement to the NuGet v3 protocol. We won't surface this in earlier versions of the NuGet protocol.
  • NuGet.Server is out-of-scope for this feature at this point.

Scope

There are multiple scenarios for flagging and reporting vulnerabilities. This feature will be implemented in several stages which will enable a subset of those as discussed below.

Stage 1 - MVP

For the MVP of this feature, we'll focus on:

  • Enabling consumers to be informed about known vulnerabilities before installation of a package.
  • Enabling authors to be informed about known vulnerabilities in their packages.
  • Leveraging existing, curated, and publicly available known vulnerabilities affecting NuGet packages.

This should help prevent new installs of packages that are known to be vulnerable, and trigger authors into providing a fix through a new package version on nuget.org.

NuGet will not support self-reporting of vulnerabilities at this time and instead rely on an existing data provider of curated vulnerability information. For the MVP of this feature, all vulnerability data will be sourced from external systems. The initial focus is on leveraging GitHub's Security Workflow and integration with GitHub's GraphQL API. This allows us to build an initial end-to-end experience without having to deal with the complexities of curating vulnerability reports.

✔️ In scope (Stage 1)

  • For CLI:

    • A CLI command to list vulnerabilities in a project/solution project graph

  • For Visual Studio:

    • Display vulnerability information in the package graph on Installed tab of Package Manager Dialog (PMUI)
    • Display vulnerability information for transitive packages in PMUI (additional UX complexity) - note that this is dependent on transitive packages being displayed in general, which is to be specced separately

  • For nuget.org:

    • Automatically ingest and refresh NuGet package vulnerability data from GitHub
    • Surface package vulnerability information on-demand:
      • as part of package metadata in v3 registration blobs (JSON)
      • by showing vulnerability information on package details page and version history

Out of scope (Stage 1)

Some enhancements to this feature are out of scope for the initial implementation of this feature because there are several unknowns still to be clarified. See also the Open Questions section below.

  • Enable restore to Inform or Warn
  • Expose vulnerability metadata in nuget.org Search service (not required for MVP)

Solution (Stage 1)

Protocol

To be able to show vulnerability information for phase 1 in PMUI and CLI clients, we need to update the protocol.

To this end, the following changes will happen to the package registration JSON blobs (to each version-specific blob, not the index.json):

Name Type Required Description
vulnerabilities Array of Objects No Describes the vulnerabilities information associated with a package
vulnerabilities[x].severity String Yes "Low", "Moderate", "High", or "Critical"
vulnerabilities[x].advisoryUrl String Yes URL to discover additional information about the security advisory for this vulnerability

Forward Compatibility

Clients should just not display the severity if they don't understand the value that is returned. The severity element values can be treated case-insensitive.

List Vulnerabilities using a CLI command

See client spec for dotnet list package --vulnerable.

Display Vulnerabilities in Visual Studio PMUI

  • Installed tab shows a warning icon that leads to vulnerable package, when the package has High or Critical vulnerabilities

  • Installed tab also shows transitive packages as an accordion - collapsed, by default. It has a warning icon too when any of the transitive packages have vulnerabilities (High or Critical)

    image

    Showing vulnerability in transitive package: image

Note: Irrespective of the criticality of the vulnerability, the details pane will always show the vulnerability information - with warning icon for Critical/High vulnerabilities and info for others. Just that Installed tab won't warn in those cases.