digitalcoyote / nugetdefense


An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.

License: MIT License

C# 94.45% Batchfile 0.13% PowerShell 3.05% Shell 2.37%
nuget-packages vulnerability dotnet dotnet-cli nugetdefense scanning msbuild-task

nugetdefense's Introduction

NuGetDefense

Chat: https://gitter.im/NuGetDefense/community

An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.

Docs

View the full documentation for NuGetDefense at https://digitalcoyote.github.io/NuGetDefense/

The 4.x preview documentation can be viewed by running: dotnet /path/to/NuGetDefense.dll -?

Features

  • Uses multiple sources to check for known vulnerabilities in third-party libraries (NuGet packages)
  • Simple installation/configuration: the NuGet package is all you need.
  • dotnet global tool for those who want to run it manually or only in CI
  • Transitive dependency checking
    • SDK-style projects only (the older project format is not supported by the dotnet CLI)
    • Uses the versions resolved by the dotnet CLI at build time
  • Project reference scanning
    • Scan all projects in a hierarchy by installing NuGetDefense in the top-level project
  • Allow breaking the build based on the severity of a vulnerability.
  • Ignore specific vulnerabilities/packages.
  • Sensitive/internal package filtering
    • Don't send packages that are sensitive/internal to remote vulnerability sources
  • Caching to prevent excess calls and hitting rate limits on APIs
  • Blocklisting NuGet packages
  • Allowlisting NuGet packages
  • MIT licensed
    • Consumable NuGet packages for bundling NuGetDefense scanners into your own software

Requirements

  • NuGetDefense v3.x is built only in .Net 6.0 so you will need the runtime/SDK installed.
  • NuGetDefense v4.x is built only in .Net 8.0 so you will need the runtime/SDK installed.

Unsupported Versions

  • Official support follows support for the underlying framework.
  • Supporters can request support for unsupported versions (such as v2.x running on .Net 5) but are advised to use a supported runtime (for better overall security).
    • Older .Net projects can use 4.x as long as the .Net 8 runtime is installed.

How does it work?

NuGetDefense is a bundled dotnet tool that runs through an MSBuild Exec task after your project finishes building.

Love it? Support it

You can sponsor this project on Github and Patreon. The funds will be used to pay for software licenses and cloud/hardware costs that keep my projects running.

nugetdefense's People

Contributors

a-teece, christopherthiedevireq, dependabot[bot], digitalcoyote, gitter-badger, maexsp, rajbos, sharps, xtbmedia


nugetdefense's Issues

Null reference exception during a build process - no references on CVE suspected

Describe the bug
I got the following build error after I added NuGetDefense to my existing project:

1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : 7 vulnerabilities found for bootstrap @ 3.4.1
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : CVE-2019-8331: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1>  Description: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1>  CVE: CVE-2019-8331
1>  CWE: CWE-79
1>  CVSS Score: 6.1
1>  CVSS Vector: NETWORK
1>  References:
1>  Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
1>     at NuGetDefense.Core.VulnerabilityReports.ReportVulnerabilities(Dictionary`2 vulnerabilityDictionary, IEnumerable`1 pkgs, String nuGetFile, Boolean warnOnly, Double cvss3Threshold)
1>     at NuGetDefense.Program.Main(String[] args)
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\WiredBrain.CustomerPortal.AspNet.csproj " exited with code -1073741819.
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========

To Reproduce
Steps to reproduce the behavior:

  1. Add Bootstrap v 3.4.1 to a project as a NuGet package
  2. Build the project

Expected behavior
Build should complete without NuGet Defense throwing an exception.

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS 2019 16.5.1
  • OS: Win 10 current

Additional context
I strongly suspect the problem is right here in NuGetDefense.Core/VulnerabilityReports.cs:

foreach (var reference in vulnerabilities[cve].References) Console.WriteLine(reference);
Console.WriteLine("---------------------------");

The output above does not show the dashed line, and if References is null that would cause the problem.

On further review, though, checking the NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-8331) shows a lengthy list of references. Maybe something caused a problem parsing them? But I'd rather not throw that exception and be missing the references if the full resolution for this takes some time.

I can submit a PR for the simple change but to test it I may need some guidance / docs.

IgnoredPackages does not work

Describe the bug
The tool does not exclude the listed packages.

To Reproduce
Steps to reproduce the behavior:

    "IgnoredPackages": [
      {
        "Id": "NugetDefense",
        "Version": "1.0.8.0"
      },
      {
        "Id": "NLog",
        "Version": "4.7.5"
      }
    ],

or

    "IgnoredPackages": [
      {
        "Id": "NugetDefense",
        "Version": "1.0.8.0"
      },
      {
        "Id": "NLog"
      }
    ],

error : 1 vulnerabilities found for NLog @ 4.7.5

Expected behavior
The package should be ignored.

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS2019
  • OS: Windows 10 Update 2004

Additional context
The IgnoredPackages property is not used at all.

Requesting Vulnerability Source OWASP Dependency-Check

Source
OWASP Dependency-Check has a CLI tool that, if globally installed, will keep itself up-to-date with data from NVD.

Why should this source be considered?
Having an option other than our own implementation of NVD checking will provide a backup for NVD data checking.

Should this source be checked by default?
No, it cannot be guaranteed that the CLI tool will be accessible via PATH when the project is built.

Would this be better in an independent package?
Optionally, Yes. If a user only wanted to run this tool, and wanted it configured by default. Maybe "NugetDefense.OWASP.DependencyCheck"?

Solution level NuGetDefense.json

What is the Feature? Please describe.
When NugetDefense is installed on a project, a NuGetDefense.json is created. If you have a solution that contains multiple projects, a NuGetDefense.json is required for each project. It would be nice if NugetDefense behaved a bit like .nugetconfig, where, when the file is not found in the project folder, it checks the parent folders. This would allow a single NuGetDefense.json to set the defense configuration for an entire solution.

Use Case
When a project is part of a larger solution and all have NuGetDefense installed

Use .Net on Windows

Packing a .Net 4.8 version of the tool would remove the need for .Net Core 3.1 on Windows.

Authentication for OSS Index

What is the Feature? Please describe.
OSS Index has support for authentication that can be used to increase the rate limiting threshold.

Use Case
Users with many projects and/or frequent builds may hit rate limiting errors more often.

Describe alternatives you've considered
N/A, this is suggested by OSS Index

Additional context
https://ossindex.sonatype.org/doc/rest

CI Use fails on Warnings in latest prerelease

Describe the bug
Exit Code is not 0 when all vulnerabilities are warnings

Expected behavior

  • Exit code is the number of vulnerabilities that exceed the error threshold
  • WarnOnly should cause an exit code of 0 as well
  • Ignored CVEs should not raise the exit code

Tools (please complete the following information):

  • NuGetDefense.Tool

Warning that 0 vulnerabilities were found

Describe the bug
When my projects depend on the Nancy NuGet package I get a warning that 0 vulnerabilities were found for Nancy

To Reproduce
Steps to reproduce the behavior:

  1. Have a project depend on Nancy@2.0.0 (Reproduction repo)
  2. Enable the NVD Scanner
  3. Build produces one warning "0 vulnerabilities found for Nancy @ 2.0.0"

Expected behavior
I would not expect any warning

Screenshots

Tools (please complete the following information):

  • IDE: VS2019
  • OS: Windows 10 Update 2004

Additional context

Does Not Properly Fail Builds for .Net Core

I have been able to successfully run this tool in a .NET Framework 4.5.2 project and it detected a bad package that I tested with and failed the build.

I have tried running this in .NET Core 3.1 and while it does show in the output that there are bad packages with CVEs, the build process does not fail. I tested using:
<PackageReference Include="jQuery" Version="1.5.0" />

and I can see the vulnerability scan run in my output.

1>Target CheckForVulnerableNuGetPkgs:
1>  Using "Exec" task from assembly "Microsoft.Build.Tasks.Core, Version=15.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
1>  Task "Exec"
1>  dotnet "C:\Users\jwilliamson\.nuget\packages\nugetdefense\1.0.2\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj netcoreapp3.1
1>  *************************************
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : 7 vulnerabilities found for jQuery @ 1.5.0
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2015-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1>  Description: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1>  CVE: CVE-2015-9251
1>  CWE:
1>  CVSS Score: 6.099999904632568
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: 5143404a-0e8c-420a-aef1-dccfd1bb3ea4: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  CVE: OSS Index ID: 5143404a-0e8c-420a-aef1-dccfd1bb3ea4
1>  CWE: CWE-79
1>  CVSS Score: 6.099999904632568
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/5143404a-0e8c-420a-aef1-dccfd1bb3ea4
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: 52f593c8-7729-435c-b9df-a7bb9ded8589: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  CVE: OSS Index ID: 52f593c8-7729-435c-b9df-a7bb9ded8589
1>  CWE: CWE-79
1>  CVSS Score: 6.099999904632568
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/52f593c8-7729-435c-b9df-a7bb9ded8589
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1>  CVE: OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698
1>  CWE: CWE-79
1>  CVSS Score: 7.199999809265137
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/bb07990f-5984-4107-a7ee-27d0c09a1698
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2012-6708: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
1>  Description: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
1>  CVE: CVE-2012-6708
1>  CWE:
1>  CVSS Score: 6.099999904632568
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/b510dae9-a933-4169-b010-0325829abf42
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
1>  Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
1>  CVE: CVE-2019-11358
1>  CWE:
1>  CVSS Score: 6.099999904632568
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/11b6563a-ead6-4040-83e5-455f36519d1b
1>  ---------------------------
1>  C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2011-4969: Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
1>  Description: Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
1>  CVE: CVE-2011-4969
1>  CWE:
1>  CVSS Score: 4.300000190734863
1>  CVSS Vector: NETWORK
1>  References:
1>  https://ossindex.sonatype.org/vuln/fe8b44f2-8604-4d1a-95be-ffce5f6f8f97
1>  ---------------------------
1>  The command "dotnet "C:\Users\jwilliamson\.nuget\packages\nugetdefense\1.0.2\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj netcoreapp3.1" exited with code -1.
1>  Done executing task "Exec".
1>Done building target "CheckForVulnerableNuGetPkgs" in project "unreal-gateway.csproj".

{
  "WarnOnly": false,
  "ErrorSettings": {
    "ErrorSeverityThreshold": 5,
    "CVSS3Threshold": -1,
    "IgnoredPackages": [
      {
        "Id": "NugetDefense",
        "Version": null,
        "PackageUrl": "pkg:nuget/NugetDefense@"
      }
    ],
    "IgnoredCvEs": [],
    "WhiteListedPackages": [],
    "BlackListedPackages": []
  },
  "OssIndex": {
    "Enabled": true,
    "BreakIfCannotRun": false
  },
  "NVD": {
    "SelfUpdate": false,
    "Enabled": true,
    "BreakIfCannotRun": false
  }
}
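The script below is an added example written for this page; it is not NuGetDefense code. It parses the report format visible in the build logs above (the "N vulnerabilities found for <package> @ <version>" header, then CVE / CWE / CVSS Score / References lines and a dashed separator per finding) and applies the exit-code rule requested in the "CI Use fails on Warnings" issue: 0 under WarnOnly, otherwise the number of findings above the error threshold, with ignored CVEs never counted. Treating "exceeds the threshold" as strictly greater is an assumption. The sample log is constructed (descriptions shortened, identifiers and scores taken from the logs on this page), and its last block deliberately has no References section and no separator, the shape that produced the NullReferenceException in the first issue; the parser returns an empty reference list for it instead of failing.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the line format NuGetDefense writes to the build log:
# a package header, then one block per finding ending with a dashed separator.
# The last block intentionally lacks "References:" and the separator.
SAMPLE_LOG = """\
app.csproj(18,6): error : 3 vulnerabilities found for jQuery @ 1.5.0
app.csproj(18,6): error : CVE-2015-9251: jQuery before 3.0.0 is vulnerable to XSS.
  Description: jQuery before 3.0.0 is vulnerable to XSS.
  CVE: CVE-2015-9251
  CWE:
  CVSS Score: 6.099999904632568
  CVSS Vector: NETWORK
  References:
  https://ossindex.sonatype.org/vuln/3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
  ---------------------------
app.csproj(18,6): error : OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698: XSS
  Description: XSS
  CVE: OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698
  CWE: CWE-79
  CVSS Score: 7.199999809265137
  CVSS Vector: NETWORK
  References:
  https://ossindex.sonatype.org/vuln/bb07990f-5984-4107-a7ee-27d0c09a1698
  ---------------------------
app.csproj(18,6): error : CVE-2011-4969: XSS via location.hash
  Description: XSS via location.hash
  CVE: CVE-2011-4969
  CWE:
  CVSS Score: 4.300000190734863
  CVSS Vector: NETWORK
"""

HEADER_RE = re.compile(r"error : (\d+) vulnerabilities found for (\S+) @ (\S+)")
FIELD_RE = re.compile(r"^(CVE|CWE|CVSS Score|CVSS Vector):\s*(.*)$")
VS_PREFIX_RE = re.compile(r"^\d+>\s*")   # Visual Studio's "1>" project prefix


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str                      # CVE id, or "OSS Index ID: <guid>"
    cwe: str = ""
    cvss: Optional[float] = None
    references: List[str] = field(default_factory=list)


def parse_report(text: str) -> List[Finding]:
    """Turn report text into Finding records. A block without a References
    section or without the trailing separator yields a Finding with an empty
    reference list rather than an error."""
    findings: List[Finding] = []
    package = version = ""
    current: Optional[Finding] = None
    in_refs = False
    for raw in text.splitlines():
        line = VS_PREFIX_RE.sub("", raw).strip()
        header = HEADER_RE.search(line)
        if header:
            package, version = header.group(2), header.group(3)
            current, in_refs = None, False
            continue
        if line.startswith("---"):          # end of one finding block
            current, in_refs = None, False
            continue
        if line == "References:":
            in_refs = True
            continue
        fld = FIELD_RE.match(line)
        if fld:
            key, value = fld.group(1), fld.group(2).strip()
            in_refs = False
            if key == "CVE":                # first field of a block: new finding
                current = Finding(package, version, value)
                findings.append(current)
            elif current is not None and key == "CWE":
                current.cwe = value
            elif current is not None and key == "CVSS Score":
                current.cvss = float(value) if value else None
            continue
        if in_refs and current is not None and line:
            current.references.append(line)
    return findings


def exit_code(findings: List[Finding], error_threshold: float,
              warn_only: bool = False, ignored_ids=()) -> int:
    """Exit-code rule from the CI issue: 0 under WarnOnly, otherwise the count
    of findings whose CVSS score exceeds the error threshold, never counting
    ignored CVEs. Strict '>' for "exceeds" is an assumption of this example."""
    if warn_only:
        return 0
    ignored = {i.upper() for i in ignored_ids}
    return sum(1 for f in findings
               if f.vuln_id.upper() not in ignored
               and f.cvss is not None and f.cvss > error_threshold)


if __name__ == "__main__":
    found = parse_report(SAMPLE_LOG)
    for f in found:
        print(f"{f.package}@{f.version} {f.vuln_id} cvss={f.cvss} refs={len(f.references)}")
    print("exit code:", exit_code(found, error_threshold=5, ignored_ids=["CVE-2015-9251"]))
```

Feeding a real Visual Studio build log to parse_report works the same way: the "1>" project prefix is stripped before each line is matched, so the CI gate can be driven from the captured log rather than from the tool's own exit code while that code is still unreliable.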

Include dependencies from all referenced projects

What is the Feature? Please describe.
Include dependencies from all referenced projects in the scan.

Use Case
I just started evaluating NuGetDefense for use in the solutions within my organisation. Most of our solutions consist of multiple projects following a layered architecture (business logic, contract model, data layer ...). I would prefer that adding NuGetDefense to the top level project would scan all the referenced projects too (also nested references).

Describe alternatives you've considered
It seems quite redundant to be forced to add NuGetDefense to all of the projects.

Additional context
Tested with 2.0.2 and 1.0.15.1
We are using Net Core 3.1, Visual Studio 2019 16.8.2

Please Provide a Build Task Example

Please provide a build task example for MSBuild-style projects and SDK projects.
In documentation https://digitalcoyote.github.io/NuGetDefense/ it is mentioned that "NuGetDefense is a bundled dotnet tool that runs using an MSBuild ExecTask after your project finishes building."

But how do I configure this build task? What are the correct values? Please find below my example that is not working (MSBuild style, related to a .NET 4.6.2 full-framework project):

<Target Name="AfterBuild">
  <UsingTask TaskName="NuGetDefense.Tool" AssemblyFile="C:\Users\{user}\.dotnet\tools\.store\nugetdefense.tool\2.0.2\nugetdefense.tool\2.0.2\tools\net5.0\any\NugetDefense.dll" />
  <NuGetDefense.Tool />
</Target>
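The target below is an added example written for this page, not the nugetdefense.targets file that ships in the package. It reconstructs the shape implied by the README's "How does it work?" paragraph and by the build logs quoted in this thread: a target named CheckForVulnerableNuGetPkgs that runs dotnet with the NuGetDefense.dll, the project file and the target framework through an Exec task after Build. The package folder layout (tools\netcoreapp3.1 under a 1.0.x package) is copied from the logs; the NuGetDefenseVersion, NuGetDefenseDll and SkipNuGetDefense property names are invented here, while $(NuGetPackageRoot), $(MSBuildProjectFullPath) and $(TargetFramework) are standard MSBuild/NuGet properties. In a non-SDK (packages.config) project $(TargetFramework) expands to nothing, which matches the 1.0.4 log earlier on this page where no framework argument was passed.

```xml
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- Added example, not the package's own nugetdefense.targets. Target name,
       command shape and the tools\netcoreapp3.1 layout come from the build logs
       in this thread; NuGetDefenseVersion, NuGetDefenseDll and SkipNuGetDefense
       are names chosen for this example. -->
  <PropertyGroup>
    <!-- Assumption: the package is restored into the NuGet global packages folder
         (SDK-style projects). For a packages.config project point NuGetDefenseDll at
         $(SolutionDir)packages\NuGetDefense.<version>\tools\netcoreapp3.1\NuGetDefense.dll instead. -->
    <NuGetDefenseVersion Condition="'$(NuGetDefenseVersion)' == ''">1.0.2</NuGetDefenseVersion>
    <NuGetDefenseDll Condition="'$(NuGetDefenseDll)' == ''">$(NuGetPackageRoot)nugetdefense\$(NuGetDefenseVersion)\tools\netcoreapp3.1\NuGetDefense.dll</NuGetDefenseDll>
    <SkipNuGetDefense Condition="'$(SkipNuGetDefense)' == ''">false</SkipNuGetDefense>
  </PropertyGroup>

  <Target Name="CheckForVulnerableNuGetPkgs"
          AfterTargets="Build"
          Condition="'$(SkipNuGetDefense)' != 'true'">
    <!-- Fail loudly if the scanner is missing instead of silently skipping the scan. -->
    <Error Condition="!Exists('$(NuGetDefenseDll)')"
           Text="NuGetDefense.dll not found at $(NuGetDefenseDll); restore the NuGetDefense package or set NuGetDefenseDll." />

    <!-- Exec fails the build on a non-zero exit code as long as ContinueOnError and
         IgnoreExitCode stay false; that is what turns a finding above the error
         threshold into a failed build rather than a logged error. -->
    <Exec Command="dotnet &quot;$(NuGetDefenseDll)&quot; &quot;$(MSBuildProjectFullPath)&quot; $(TargetFramework)"
          ContinueOnError="false"
          IgnoreExitCode="false" />
  </Target>
</Project>
```

Import the file from the project, or place it as Directory.Build.targets next to the solution so every SDK-style project in the tree picks it up, then build; pass /p:SkipNuGetDefense=true for a one-off build that must not run the scan. If a build keeps succeeding although the tool reports "exited with code -1", check that nothing in the imported targets sets ContinueOnError or IgnoreExitCode to true on this Exec.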

1.0.6 seems to have broken a scan for me

Describe the bug
After updating from v.1.0.5 to 1.0.6 the scan errors out for me. If I downgrade back to 1.0.5 things work as before, and uninstalling the package removes all errors.

To Reproduce
Here are the contents of my packages.config file:

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Antlr" version="3.5.0.2" targetFramework="net472" />
  <package id="bootstrap" version="4.4.1" targetFramework="net472" />
  <package id="Effort.EF6" version="2.2.2" targetFramework="net472" />
  <package id="Elasticsearch.Net" version="7.0.0" targetFramework="net472" />
  <package id="EntityFramework" version="6.2.0" targetFramework="net472" />
  <package id="jQuery" version="3.3.1" targetFramework="net472" />
  <package id="jQuery.Validation" version="1.17.0" targetFramework="net472" />
  <package id="Microsoft.AspNet.Mvc" version="5.2.7" targetFramework="net472" />
  <package id="Microsoft.AspNet.Razor" version="3.2.7" targetFramework="net472" />
  <package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net472" />
  <package id="Microsoft.AspNet.WebPages" version="3.2.7" targetFramework="net472" />
  <package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.0" targetFramework="net472" />
  <package id="Microsoft.Data.Edm" version="5.8.4" targetFramework="net472" />
  <package id="Microsoft.Data.OData" version="5.8.4" targetFramework="net472" />
  <package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.11" targetFramework="net472" />
  <package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net472" />
  <package id="Modernizr" version="2.8.3" targetFramework="net472" />
  <package id="Newtonsoft.Json" version="11.0.1" targetFramework="net472" />
  <package id="NMemory" version="3.1.0" targetFramework="net472" />
  <package id="NuGetDefense" version="1.0.6" targetFramework="net472" />
  <package id="popper.js" version="1.16.0" targetFramework="net472" />
  <package id="SecurityCodeScan" version="3.5.0.0" targetFramework="net472" developmentDependency="true" />
  <package id="Serilog" version="2.9.0" targetFramework="net472" />
  <package id="Serilog.Enrichers.HttpContextData" version="0.1.3" targetFramework="net472" />
  <package id="Serilog.Formatting.Compact" version="1.0.0" targetFramework="net472" />
  <package id="Serilog.Formatting.Elasticsearch" version="8.0.0" targetFramework="net472" />
  <package id="Serilog.Sinks.Console" version="3.1.1" targetFramework="net472" />
  <package id="Serilog.Sinks.Elasticsearch" version="8.0.0" targetFramework="net472" />
  <package id="Serilog.Sinks.File" version="4.0.0" targetFramework="net472" />
  <package id="Serilog.Sinks.PeriodicBatching" version="2.1.1" targetFramework="net472" />
  <package id="SerilogWeb.Classic" version="5.0.52" targetFramework="net472" />
  <package id="System.Buffers" version="4.5.0" targetFramework="net472" />
  <package id="System.Diagnostics.DiagnosticSource" version="4.5.1" targetFramework="net472" />
  <package id="System.Spatial" version="5.8.4" targetFramework="net472" />
  <package id="WebGrease" version="1.6.0" targetFramework="net472" />
</packages>

Expected behavior
Was hoping to just have bootstrap not be a reported vulnerability any longer.

Screenshots
This is the build output I got (I first updated the package from 1.0.5 to 1.0.6 and then uninstalled package and installed 1.0.6):

1>------ Build started: Project: WiredBrain.CustomerPortal.AspNet, Configuration: Debug Any CPU ------
1>  WiredBrain.CustomerPortal.AspNet -> C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\bin\WiredBrain.CustomerPortal.AspNet.dll
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(3,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(5,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(6,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(7,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(8,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(9,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(10,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(11,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(12,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(13,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(14,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(15,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(16,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(17,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(18,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(19,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(20,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(21,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(22,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(23,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(24,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(25,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(26,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(27,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(28,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(29,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(30,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(31,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(32,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(33,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(34,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(35,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(36,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(37,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config : error : NuGetDefense : OSS Index scan failed with exception: System.AggregateException: One or more errors occurred. (The JSON value could not be converted to NuGetDefense.OSSIndex.ComponentReport[]. Path: $ | LineNumber: 0 | BytePositionInLine: 1.)
1>   ---> System.Text.Json.JsonException: The JSON value could not be converted to NuGetDefense.OSSIndex.ComponentReport[]. Path: $ | LineNumber: 0 | BytePositionInLine: 1.
1>     at System.Text.Json.ThrowHelper.ThrowJsonException_DeserializeUnableToConvertValue(Type propertyType)
1>     at System.Text.Json.JsonSerializer.HandleStartObject(JsonSerializerOptions options, ReadStack& state)
1>     at System.Text.Json.JsonSerializer.ReadCore(JsonSerializerOptions options, Utf8JsonReader& reader, ReadStack& readStack)
1>     at System.Text.Json.JsonSerializer.ReadCore(JsonReaderState& readerState, Boolean isFinalBlock, ReadOnlySpan`1 buffer, JsonSerializerOptions options, ReadStack& readStack)
1>     at System.Text.Json.JsonSerializer.ReadAsync[TValue](Stream utf8Json, Type returnType, JsonSerializerOptions options, CancellationToken cancellationToken)
1>     at NuGetDefense.OSSIndex.Scanner.GetReportsForPackagesAsync(NuGetPackage[] pkgs)
1>     --- End of inner exception stack trace ---
1>     at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
1>     at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
1>     at System.Threading.Tasks.Task`1.get_Result()
1>     at NuGetDefense.OSSIndex.Scanner.GetVulnerabilitiesForPackages(NuGetPackage[] pkgs, Dictionary`2 vulnDict)
1>C:\temp\wired-brain-aspnet\packages\NuGetDefense.1.0.6\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\temp\wired-brain-aspnet\packages\NuGetDefense.1.0.6\build\..\tools\netcoreapp3.1\NuGetDefense.dll" "C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\WiredBrain.CustomerPortal.AspNet.csproj" " exited with code -1.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

Tools (please complete the following information):

  • IDE: VS 2019
  • OS: Win 10 Pro

Additional context
Add any other context about the problem here.

Unhandled exception for ignored packages from nuget private feeds

Describe the bug
Packages from private feeds should be ignored. Therefore I excluded them from NuGetDefense.json. Nevertheless an unhandled exception is thrown after calling dotnet build.

To Reproduce
Steps to reproduce the behavior:

  1. Add packages from a private feed to your project
  2. dotnet add package nugetdefense
  3. dotnet build

Expected behavior
Ignored packages from private feeds should not be restored to avoid unhandled exceptions.

Additional context
A plain package restore works as expected (dotnet restore).

Provide a NuGet package to do the check programmatically

What is the Feature? Please describe.
I'm looking for a library where I can provide a list of package names and versions to a .NET method and get a list of the vulnerable packages. I think this should be easily doable by extracting the actual code into e.g. a NuGetDefense.Core package.

Use Case
I want to leverage this library in https://apimundo.com in the NuGet package index and .NET project index.

References in Build Log

What is the Feature? Please describe.
Log References for Vulnerabilities in the Build Log. These are usually links to pages that disclose more information about the vulnerability.

Use Case

  • Parsing log for references.
  • Developers needing more information about an issue but not knowing where to look up the issue
  • Providing more information for a vulnerability that has no CVE (after #13 is fixed)

Describe alternatives you've considered

  • Warning or Info with the reference (seems like it could Clutter the warnings/info UI)

Unit Tests for Each Package

What is the Feature? Please describe.
Unit Tests will ensure that CI is able to detect issues and prevent them from being released.

Projects to Unit Test

  • OSSIndex
  • NVD
  • Core

Scan returns cryptic error

Describe the bug
Running the build on a net fw project returns this error:
MyProject\packages.config : Warning : NuGetDefense : NVD scan failed with exception: System.ArgumentException: '1.2.9_beta' is not a valid version string.

The project includes both public nugets and private ones, but no direct reference to any package on version 1.2.9_beta is present in the package.config

To Reproduce
Steps to reproduce the behavior:

  1. I assume add a package with a non canonical format
  2. Compile

Expected behavior
Security vulnerabilities should be detected

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS2017
  • OS: Windows

Additional context
Warning : NuGetDefense : NVD scan failed with exception: System.ArgumentException: '1.2.9_beta' is not a valid version string.
at NuGet.Versioning.VersionRange.Parse(String value, Boolean allowFloating)
at NuGet.Versioning.VersionRange.Parse(String value)
at NuGetDefense.NVD.Scanner.<>c__DisplayClass8_0.b__1(String v)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at NuGetDefense.NVD.Scanner.<>c__DisplayClass8_1.b__0(String cve)
at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
at NuGetDefense.NVD.Scanner.GetVulnerabilitiesForPackages(NuGetPackage[] pkgs, Dictionary`2 vulnDict)

missing file VulnerabilityData.bin

Describe the bug
When I run nugetdefense app.csproj netcoreapp3.1 on a CI runner box

I get the error below:

app.csproj: Error : Encountered a fatal exception while checking for Dependencies in app.csproj. Exception: System.TimeoutException: Reading vulnerability data failed:'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'
 ---> System.IO.FileNotFoundException: Could not find file 'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'.
File name: 'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'
   at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
   at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at NuGetDefense.NVD.Scanner..ctor(String nugetFile, TimeSpan vulnDataReaTimeout, Boolean breakIfCannotRun, Boolean selfUpdate)
   --- End of inner exception stack trace ---
   at NuGetDefense.NVD.Scanner..ctor(String nugetFile, TimeSpan vulnDataReaTimeout, Boolean breakIfCannotRun, Boolean selfUpdate)
   at NuGetDefense.Program.Main(String[] args) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 85

I confirmed the file VulnerabilityData.bin is indeed missing. Do I need to run a vuln data load?

To Reproduce

See above

Expected behavior

I would expect the tool to run and give me results on dependency issues within the app.

Tools (please complete the following information):

  • OS:
PS > $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context
Add any other context about the problem here.

No proxy, well never had any issues with a proxy before.

OSS Index Package Limit

Describe the bug
OSS Index does not allow scanning more than 128 packages at a time

To Reproduce
Steps to reproduce the behavior:

  1. Have a project with more than 128 packages and NuGetDefense.
  2. Build

Expected behavior
Sends 128 packages at a time

Error Message
{"code":400,"message":"Request for more than 128 components"}

Tools (please complete the following information):

  • IDE: Azure Function CLI
  • OS: Win 10 Latest

Additional context
Was building an Azure Function and hit this problem.
First I've seen of this error.

Whitelist

Add ability to define a whitelist of allowed packages. Break build if an unlisted package is added to the project.

Provide a Marketplace task for use by Azure DevOps

What is the Feature? Please describe.
Provide a wrapper for the dotnet tool so it can be installed into an Azure DevOps organisation.

Use Case
Most people would not want to modify their projects, but adding a task to a build pipeline is much less intrusive

Describe alternatives you've considered
Dependabot, nukeeper etc.

nugetdefense.targets is not cross-platform.

Hi,
great work!

I ran into an issue on Windows, as having the NuGet package in the dependencies results in the following in the VS output:
1>'...nuget\packages\nugetdefense\0.0.2\build../tools/netcoreapp3.1/NuGetDefense' is not recognized as an internal or external command,

My q&d fix for Windows is to replace the line in nugetdefense.targets with the following:
<NuGetDefenseExe>dotnet.exe $(MSBuildThisFileDirectory)..\tools\netcoreapp3.1\NuGetDefense.dll</NuGetDefenseExe>

This way, it runs correctly - but still not cross platform.
Found related issue with no clear solution: dotnet/msbuild#1024

NuGetDefense : OSS Index scan failed

Hello, I'm getting this error when running unit tests inside a docker container:

"IdentityProvider.csproj : error : NuGetDefense : OSS Index scan failed with exception: System.AggregateException: One or more errors occurred. (The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true. Path: $ | LineNumber: 0 | BytePositionInLine: 0.)"

When I run on my machine it works, but when I run on my pipeline I get this error. I'm not sure if it's because of Docker.

NuGet Dependency Scanning

What is the Feature? Please describe.
NuGet Dependency Scanning [Optional]

Details
I originally removed this functionality because I did not have a way to check that the dependencies that came back were the correct ones for the current Framework. But I found this: dotnet list package --include-transitive. While it doesn't link the packages up to their resolved dependencies and versions, it has a framework flag and I can cross-reference this with the list of dependencies available for each package.

Self-Updating NVD Feed

What is the Feature? Please describe.
NVD Feed should be able to update itself.

Use Case
In the event that vulnerabilities are released between releases of NuGetDefense, the user could allow it to update and import the newer vulnerabilities.

Describe alternatives you've considered
CI will be setup soon to handle automatic updates when NVD feeds are updated.

Set a User-Agent when communicating with OSS Index

What is the Feature? Please describe.

Hello! As someone who works on or around OSS Index, basically we'd love it if you could set a User-Agent when communicating with the service.

If you can read Golang, this package has a bunch of tests and code where we generate one:

https://github.com/sonatype-nexus-community/nancy/tree/master/useragent

If TypeScript is more your thing:

https://github.com/sonatype-nexus-community/auditjs/blob/master/src/Services/RequestHelpers.ts#L20-L26

Use Case

Essentially this lets us see a bit better how much your tool is calling OSS Index, and is not used for any nefarious purposes; it just ultimately lets us know if we should maybe get more involved with helping on the tool, as well as how much effort we put into specific ecosystems related to the data.

Describe alternatives you've considered

Nothing really, this one is pretty cut and dried.

Additional context

Nothing, but we love that you made this tool, and appreciate you!

NuGetDefense.Tool throws an exception on a `Solution Items` project from the solution file

Describe the bug
NuGetDefense.Tool throws an exception on a Solution Items project from the solution file.

To Reproduce
Steps to reproduce the behavior:

  1. Have a project file with a Solution Items folder
  2. Install the tool: dotnet tool install NuGetDefense.Tool -g
  3. Run the tool: nugetdefense .\MySolution.sln Release
  4. Fails with exception message

Example project file part that causes this:

Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{DAC32E4B-F605-4584-A629-554E7523B1FD}"
	ProjectSection(SolutionItems) = preProject
		.editorconfig = .editorconfig
		.gitlab-ci.yml = .gitlab-ci.yml
		common\GenerateBuildInfo.sh = common\GenerateBuildInfo.sh
		README.md = README.md
	EndProjectSection
EndProject

Exception:

`dotnet list` Errors:

`dotnet list` Errors:

`dotnet list` Errors:

: Error : Encountered a fatal exception while checking for Dependencies in . Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\RobBos\source\repos\MyRepoName\Solution Items'.
File name: 'C:\Users\RobBos\source\repos\MyRepoName\Solution Items'
   at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
   at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
   at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy)
   at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
   at System.Xml.XmlTextReaderImpl.FinishInitUriString()
   at System.Xml.XmlTextReaderImpl..ctor(String uriStr, XmlReaderSettings settings, XmlParserContext context, XmlResolver uriResolver)
   at System.Xml.XmlReaderSettings.CreateReader(String inputUri, XmlParserContext inputContext)
   at System.Xml.XmlReader.Create(String inputUri, XmlReaderSettings settings)
   at System.Xml.Linq.XDocument.Load(String uri, LoadOptions options)
   at System.Xml.Linq.XDocument.Load(String uri)
   at ByteDev.DotNet.Project.DotNetProject.Load(String projFilePath)
   at NuGetDefense.Program.LoadMultipleProjects(String TopLevelProject, String[] projects, Boolean specificFramework, String targetFramework, Boolean solutionFile) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 193
   at NuGetDefense.Program.Main(String[] args) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 73

Expected behavior
Not fail :-). Perhaps detect the type of project and skip it.

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • dotnet global tools
  • Windows 10 19042

Additional context
Found the link to the source code here:

var proj = DotNetProject.Load(path);

Unfortunately you only push in the names of the projects to this method.
I see three options:

  1. Eat up the exception on Project load and log it
  2. Only load valid projects on solution file load
  3. Add option to skip certain projects during the analysis

False Positive Vulnerability Reports

Describe the bug
System.Net.Http@4.3.0 reported 3 vulnerabilities including CVE-2017-0249 that was fixed in 4.3.2

Expected behavior
4.3.0 and 4.3.2 should not report CVE-2017-0249

Additional context
This did not appear prior to updating to 2.1.0, so I suspect there are new issues brought about by correcting the parsing that prevented showing a vulnerability for log4net in earlier versions of the NVD Data.

Workaround
If you are using System.Net.Http, confirm it is not affected and add the CVE(s) to the ignore list for that project.

1.0.15 fails to build

Describe the bug
I tried upgrading my project to use NuGetDefense 1.0.15, however Visual Studio fails the build with the following error

MSB3073	The command "dotnet "C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll" "C:\test\test\test.csproj" netcoreapp3.1" exited with code 1.	test	C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\nugetdefense.targets	10	

1>------ Build started: Project: test, Configuration: Debug Any CPU ------
1>test -> C:\test\test\bin\Debug\netcoreapp3.1\test.dll
1>Could not execute because the specified command or file was not found.
1>Possible reasons for this include:
1>  * You misspelled a built-in dotnet command.
1>  * You intended to execute a .NET Core program, but dotnet-C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll does not exist.
1>  * You intended to run a global tool, but a dotnet-prefixed executable with this name could not be found on the PATH.
1>C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll" "C:\test\test\test.csproj" netcoreapp3.1" exited with code 1.
1>Done building project "test.csproj" -- FAILED.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new .NET Core 3.1 project
  2. Update project to use NuGetDefense 1.0.15
  3. Build solution

Expected behavior

  • The solution builds

Tools (please complete the following information):

  • .NET Version: netstandard2.0
  • IDE: Visual Studio Professional 2019 16.8.2
  • OS: Windows 10 OS Build 19042.630

Additional context

  • The previous NuGetDefense 1.0.14 builds successfully
  • I haven't installed the .NET 5 SDK

Incorrectly Reporting Vulnerabilities from NVD Source

Describe the bug
Vulnerabilities reported when I have updated version to be past the known vulnerabilities list.

To Reproduce
I just had bootstrap 3.4.1 in the project, saw vulnerabilities (good), and then updated from 3.4.1 to 4.4.1 -- the vulnerabilities persisted (bad -- I think).

Expected behavior
I would have expected the vulnerabilities on bootstrap to go away. The packages.config shows "bootstrap" (lower case b) and the vulnerabilities show Bootstrap, and I'm not sure if that makes a difference.

Let me know if I have misinterpreted results.

Tools (please complete the following information):

  • IDE: Vs 2019
  • OS: Win 10

Additional context
Add any other context about the problem here.

Request to output findings to text file

What is the Feature? Please describe.
Apologies in advance if I missed something, but I wanted to know if there is a way to output the results of a finding, positive or negative, to a text file. Perhaps just having a field in the NugetDefense.json like:
output: "myfile.txt"
As a way of keeping an audit trail of findings.

Use Case
The use would be for a way to look at previous builds in a CI/CD pipeline and see if there were any issues.

Describe alternatives you've considered
I had considered parsing the output of the failure, but I thought might ask to see if something like this already exists.

Additional context
Add any other context or screenshots about the feature request here.

OSS Index broken in 1.0.0

Describe the bug
The Vector returned by OSS Index is not an Access Vector, but a CVSS 3 Vector string.

Additional context
Parsing the string to get the access vector should be enough to fix it for now. It may be more considerate to pull in the whole string and try to find a CVSS Vector in NVD to import in place of the AccessVector.

Configuration to exclude packages being sent to OSS Index

What is the Feature? Please describe.
I would like a configuration option (maybe scoped to OssIndex would make sense) that allows me to list names of packages that should not be transmitted to a third party, and have that configuration acted upon. Essentially, if I provided a list of packages that we consider internal or sensitive, then NuGet Defense would not send them in the request to OSS Index.

Use Case
As a sec ops, I would like to be able to exclude certain packages being sent to OSS Index, so that commercially-sensitive package names are not sent to a third party.

We have internal packages used in the projects that we are scanning with NuGet Defense, but our legal department would like the names of those internal packages not to be sent to third party services (such as OSS Index), in case the names are commercially sensitive (e.g. "SecretNewFeaturePackage").

Describe alternatives you've considered
We have considered just disabling the call to OSS Index, and just using NVD, but we're concerned that will provide a less fulsome vulnerability scan.

We have also considered excluding the internal packages manually, by removing them from the project before scanning. However, we would like to integrate this into our CI/CD pipeline, so the security scan will run automatically on new commits.

Additional context
We very much appreciate your work on NuGet Defense. We were using SafeNuGet but had similar concerns to you about it being out of date. We were very excited to see you had created NuGet Defense!
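The request above (keep internal package names out of what goes to OSS Index) and the earlier 128-component limit report can be handled at the same point, where the request body is built. The following is an added example written for this page, not NuGetDefense's own code: the pkg:nuget/Name@Version coordinate form and the {"coordinates": [...]} body are taken from the public OSS Index v3 API, while the wildcard-suffix matching for sensitive ids and the sample package list are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added example (not NuGetDefense's own code): drop sensitive/internal package ids before
// anything leaves the build machine, then split the rest into batches of at most 128
// coordinates, the limit behind OSS Index's "Request for more than 128 components" error.
public sealed class OssIndexRequestBuilder
{
    public const int MaxComponentsPerRequest = 128;

    private readonly HashSet<string> _sensitive;

    public OssIndexRequestBuilder(IEnumerable<string> sensitivePackages)
    {
        // NuGet package ids are case-insensitive, so compare them that way.
        _sensitive = new HashSet<string>(sensitivePackages, StringComparer.OrdinalIgnoreCase);
    }

    // A package is excluded when it matches a listed id exactly or a listed prefix such as
    // "Contoso.*" (the wildcard form is an assumption of this example, not a NuGetDefense setting).
    public bool IsSensitive(string packageId)
    {
        if (_sensitive.Contains(packageId)) return true;
        foreach (var entry in _sensitive)
        {
            if (entry.EndsWith('*') &&
                packageId.StartsWith(entry.TrimEnd('*'), StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Package URL (purl) coordinate that OSS Index expects for NuGet packages.
    public static string ToCoordinate(string id, string version) => $"pkg:nuget/{id}@{version}";

    // Returns one JSON request body per batch; no batch exceeds the 128-component limit.
    public IReadOnlyList<string> BuildRequestBodies(IEnumerable<(string Id, string Version)> packages)
    {
        var coordinates = packages
            .Where(p => !IsSensitive(p.Id))
            .Select(p => ToCoordinate(p.Id, p.Version))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        var bodies = new List<string>();
        for (var i = 0; i < coordinates.Count; i += MaxComponentsPerRequest)
        {
            var batch = coordinates.Skip(i).Take(MaxComponentsPerRequest).ToArray();
            bodies.Add(JsonSerializer.Serialize(new { coordinates = batch }));
        }
        return bodies;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: 130 public packages plus two internal ones that must not be sent.
        var packages = Enumerable.Range(1, 130)
            .Select(i => (Id: $"Public.Package{i}", Version: "1.0.0"))
            .Append(("Contoso.SecretNewFeaturePackage", "3.1.4"))
            .Append(("Contoso.Internal.Billing", "2.0.0"))
            .ToList();

        var builder = new OssIndexRequestBuilder(new[] { "Contoso.*" });
        var bodies = builder.BuildRequestBodies(packages);

        // 130 coordinates survive the filter, so this yields 2 requests: 128 + 2.
        Console.WriteLine($"{bodies.Count} request(s)");
        foreach (var body in bodies)
            Console.WriteLine(body.Length > 120 ? body.Substring(0, 120) + "..." : body);
    }
}
```

Each body is then POSTed separately; the responses are merged before vulnerabilities are reported, so callers see one result set regardless of how many batches were needed.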

Configuration

Features

Ability to configure conditions to not break the build.

  • Severity
  • Ignore acceptable risks
  • Ignore in specific build configurations
  • Ignore sources

Create Default Configuration File on First Run

  • Include all sources so users don't have to seek documentation to configure
  • Include a Blank section for each Feature with a commented Example
  • Include warnings about usage

Allow Updating NVD Feed on Build

  • Require an installation of the NVD Feed Updater in the path (will probably be available on Chocolatey) This will not be released until after 1.0.0

Ignore Sources if Retrieving info Fails

  • Useful for avoiding build failures when offline

Whitelist NuGetPackages

  • A whitelist of packages (and versions) that can be used.

Blacklist Packages

  • Custom Error Message if the package/version is used.

Failure To Report Vulnerabilities Without a CVE

Describe the bug
v0.0.5 does not report Zlib.Portable.Signed vulnerabilities returned by OSS Index because they lack a CVE.

To Reproduce
Steps to reproduce the behavior:

  1. Install Zlib.Portable.Signed to a project
  2. Install NuGetDefense
  3. Build

Expected behavior
Report the CVE as Unknown

Additional context
A bad assumption in development that checked for duplicate vulnerabilities allowed this to slip through.

Misleading Description Found in NVD Data

Describe the bug
Log4Net CVE-2018-1285

To Reproduce
Install Log4Net v2.0.8 and build

Expected behavior
No Errors unless version is below 2.0.8

Additional context
The problem is unknown and we can assume there are other false positives until proven otherwise. Double Check any reports you receive for now

Converting to .Net 5.0

Describe the bug
Although this seems to be as easy as flipping the switch for Linux, NuGet.OSSIndex throws an Exception on Windows when Adding the UserAgent to the header.

To Reproduce
Steps to reproduce the behavior:

  1. Run with the now de-listed v2.0.0.1 (repackage of 2.0.0)

Expected behavior
Runs the same on Windows and Linux

Tools (please complete the following information):

  • IDE: Rider, VS2019, & dotnet cli
  • OS: Windows 10 (Latest Update)

Additional context
It looks like it may be expecting a simpler User Agent

Icon/Logo

An icon or logo helps to associate a "brand" and makes the project more identifiable on other platforms.

Not a priority, but I'm open to any contributions.

WarnOnly Property when set to false - still consider vulnerabilities as warning

Hi, I'm running a dotnetcore 3.1 project on Visual Studio Professional 2019 Version 16.7.7

my NugetDefense.json file contains the property "WarnOnly": false
but it still shows vulnerabilities as warnings after the build phase

I also have the ErrorSettings property with:

"ErrorSeverityThreshold": "any",
"Cvss3Threshold": -1

Steps to reproduce the behavior:

  1. run a dotnetcore 3.1 project on Visual studio Professional 2019 Version 16.7.7
  2. add jQuery package 1.9.0 (had 5 vulnerabilities)
  3. build solution (NugetDefense will generate new file NugetDefense.json with "WarnOnly": false attribute)

Expected behavior:
I expect that the build phase will fail with jQuery vulnerability errors (I got 5)

Tools (please complete the following information):

  • IDE: VS2019 Professional 2019 Version 16.7.7
  • OS: Windows Server 2019 Datacenter

System.ArgumentOutOfRangeException in fresh solution

First things first: Great seeing you put work into this package, thanks a lot for that.

Describe the bug
When building my solution I encounter a System.ArgumentOutOfRangeException: Length cannot be less than zero.

To Reproduce
Steps to reproduce the behavior:

  1. create empty solution
  2. add .NET Core 3.1 Console Application
  3. add NugetDefense and some other package (in my case Newtonsoft JSON)
  4. rebuild project
  5. NugetDefense.json is generated:
    {
      "WarnOnly": false,
      "Log": null,
      "VulnerabilityReports": {},
      "Logs": null,
      "CheckTransitiveDependencies": true,
      "ErrorSettings": {
        "ErrorSeverityThreshold": 5,
        "Cvss3Threshold": -1,
        "IgnoredPackages": [ { "Id": "NugetDefense", "Version": "1.0.8.0" } ],
        "IgnoredCvEs": [],
        "AllowedPackages": [],
        "WhiteListedPackages": null,
        "BlockedPackages": [],
        "BlacklistedPackages": null
      },
      "OssIndex": { "Enabled": true, "BreakIfCannotRun": true },
      "NVD": { "SelfUpdate": false, "TimeoutInSeconds": 15, "Enabled": true, "BreakIfCannotRun": true }
    }
  6. build failed with:
    error : Encountered a fatal exception while checking for Dependencies in C:\Users\***\source\repos\NugetDefenseTest\ConsoleApp1\ConsoleApp1.csproj. Exception: System.ArgumentOutOfRangeException: Length cannot be less than zero. (Parameter 'length')
    1>   at System.String.Substring(Int32 startIndex, Int32 length)
    1>   at NuGetDefense.Core.NuGetFile.<>c__DisplayClass7_0.<ParseListPackages>b__2(String l)
    1>   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
    1>   at System.Linq.Enumerable.ToDictionary[TSource,TKey](IEnumerable`1 source, Func`2 keySelector, IEqualityComparer`1 comparer)
    1>   at NuGetDefense.Core.NuGetFile.ParseListPackages(String dotnetListOutput)
    1>   at NuGetDefense.Core.NuGetFile.dotnetListPackages(String projectFile, String targetFramework)
    1>   at NuGetDefense.Core.NuGetFile.LoadPackages(String targetFramework, Boolean checkTransitiveDependencies)
    1>   at NuGetDefense.Program.Main(String[] args)

Expected behavior
I expected a successful build with positive / negative NugetDefense messages.

Screenshots

Tools (please complete the following information):

  • IDE: VS2019 16.7.3
  • OS: Windows 10 pro 64 bit Build 19041.508

Additional context

Concurrent Builds Can Cause System.IO.IOException

Describe the bug
Building multiple projects concurrently can cause a System.IO.IOException when the NVD Source is enabled because the first instance of NuGetDefense has a lock on the file (writing to it to update it).

To Reproduce
Steps to reproduce the behavior:

  1. "Build Solution" in a solution that allows building multiple projects with NuGetDefense installed concurrently (not dependent on each other).

Expected behavior
Builds without error and only updates the file once per Solution Build

Error Example

Unhandled exception. System.IO.IOException: The process cannot access the file
'/home/codingcoyote/.nuget/packages/nugetdefense/1.0.3/tools/netcoreapp3.1/VulnerabilityData.bin' because it is being used by another process. (TaskId:64)
at System.IO.FileStream.Init(FileMode mode, FileShare share, String originalPath) (TaskId:64)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options) (TaskId:64)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) (TaskId:64)
at System.IO.File.Open(String path, FileMode mode, FileAccess access) (TaskId:64)
at NuGetDefense.NVD.Scanner..ctor(String nugetFile, Boolean breakIfCannotRun, Boolean selfUpdate) (TaskId:64)
at NuGetDefense.Program.Main(String[] args) (TaskId:64)

Tools (please complete the following information):

  • IDE: N/A
  • OS: N/A

Additional context
Found building the new Test Solution
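One way to keep concurrently building projects from colliding on VulnerabilityData.bin, as an added example that is not NuGetDefense's own code: a named mutex lets only the first instance rewrite the file, the others wait and then find it already fresh, and readers open it with FileShare.Read so they do not block each other. The mutex name, the freshness window, the update callback and the rule that every instance calls UpdateOnce before OpenForRead are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Threading;

// Added example (not NuGetDefense's own code): serialise the NVD data update across
// concurrently running NuGetDefense instances so the second one no longer hits
// "The process cannot access the file ... because it is being used by another process".
public static class VulnerabilityDataAccess
{
    // Name is an assumption for this example. With the Global\ prefix the mutex is shared by
    // every process of the same user, which covers one solution build spawning many instances.
    private const string MutexName = @"Global\NuGetDefense.VulnerabilityData";

    // Runs `update` at most once per concurrent build: the first instance to take the mutex
    // rewrites the file; the others wait, then skip the update because the file is now fresh.
    // Returns true when this call performed the update.
    public static bool UpdateOnce(string path, TimeSpan maxAge, TimeSpan waitTimeout, Action<string> update)
    {
        using var mutex = new Mutex(initiallyOwned: false, MutexName);
        var acquired = false;
        try
        {
            try { acquired = mutex.WaitOne(waitTimeout); }
            catch (AbandonedMutexException) { acquired = true; } // previous holder crashed; we own it now
            if (!acquired)
                throw new TimeoutException($"Timed out waiting for another NuGetDefense instance to update '{path}'.");

            // Another instance refreshed the file while we waited: nothing to do.
            if (File.Exists(path) && DateTime.UtcNow - File.GetLastWriteTimeUtc(path) < maxAge)
                return false;

            // Write to a temp file and swap it in, so no reader ever sees a half-written file.
            var tmp = path + ".tmp";
            update(tmp);
            File.Move(tmp, path, overwrite: true);
            return true;
        }
        finally
        {
            if (acquired) mutex.ReleaseMutex();
        }
    }

    // Readers share the file: FileShare.Read lets several builds read it at the same time.
    // Call UpdateOnce first so that no reader is open while the single writer replaces the file.
    public static FileStream OpenForRead(string path) =>
        new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
}
```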

OSS Index scan failed on updating NugetDefense package to any version higher than 1.0.7.2

Describe the bug
Below error is thrown on compiling the project after updating the NugetDefense package to any version higher than 1.0.7.2

error : NuGetDefense : OSS Index scan failed with exception: System.NullReferenceException: Object reference not set to an instance of an object.
at NuGetDefense.OSSIndex.ComponentReportVulnerability.ToVulnerability()

Expected behavior
No error should be thrown on compiling.

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS2019
  • OS: Windows 10 pro

Additional context
Add any other context about the problem here.

Having a space in path returns code 532462766

Describe the bug
Using a directory with a whitespace in the path makes VS return code 532462766.

To Reproduce
Steps to reproduce the behavior:

  1. Add a whitespace in the project path
  2. Compile the project
  3. Copy the command from the error window
  4. Run the command from the console
  5. The error will show as "Unhandled exception. System.IO.FileNotFoundException: Could not find file 'FILENAME_BEFORE_WHITESPACE'."

Expected behavior
The build should complete even with the whitespace

Screenshots
If applicable, add screenshots to help explain your problem.

Tools (please complete the following information):

  • IDE: VS2017
  • OS: Windows
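A targets fragment that addresses both this space-in-path failure and the earlier Windows-only dotnet.exe invocation, as an added sketch rather than the package's actual nugetdefense.targets; the target name, its trigger and the argument list are assumptions.

```xml
<Project>
  <PropertyGroup>
    <!-- "dotnet" with no .exe suffix resolves on Windows, Linux and macOS; "dotnet.exe" only on Windows. -->
    <!-- Forward slashes are accepted by dotnet on every platform, and the quotes keep the command
         intact when the NuGet package cache path contains a space. -->
    <NuGetDefenseExe>dotnet "$(MSBuildThisFileDirectory)../tools/netcoreapp3.1/NuGetDefense.dll"</NuGetDefenseExe>
  </PropertyGroup>

  <!-- Target name and trigger are assumptions for this example. -->
  <Target Name="NuGetDefenseScan" AfterTargets="Build">
    <!-- Quote the project path as well so "C:\My Projects\App.csproj" arrives as one argument
         instead of being cut at the first space. -->
    <Exec Command='$(NuGetDefenseExe) "$(MSBuildProjectFullPath)" $(TargetFramework)' />
  </Target>
</Project>
```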
