Comments (9)
Btw, just so you know as a maintainer. Microsoft is working on a spec for dependency auditing as part of the dotnet SDK. It's been stale for a year or so, but eventually they'll incorporate that into the SDK.
https://github.com/NuGet/Home/wiki/Flag-vulnerable-packages
from nugetdefense.
How about using the dotnet tool capability to distribute your tool? It would be also nice because it make it easy to use in in CI pipelines.
from nugetdefense.
I've have a working dotnet tool (minimal changes to support it without adding to the existing code (a couple lines to give usage details if it's run without arguments).
I'm not going to publish it til I get 1.0.9 released and I get it into the ci.
Chocolatey will be as simple as creating a powershell script that installs it as a dotnet tool. I have a repo that keeps my chocolatey packages up to date, so after writing that, it should update itself.
WinGet will apparently require an installer be built. This also adds complexity to the maintenance process. Because of this, I'll revisit WinGet at a later date.
from nugetdefense.
Hi! Just stumbled across this. Great work!
Re CLI: That's what I did with dotnet-retire. I actually began the project as a CLI tool, then after a while thought about also making a MSBuild task like done here in NuGet Defense - which absolutely makes sense.
from nugetdefense.
I'm going to circle back on this after I automate the maintenance (automatically updates the embedded NVD source) deploy process. I intend to make a dotnet tool that can be installed, and write a chocolatey package to allow installation/updating through that package manager on Windows.
from nugetdefense.
I'm going to circle back on this after I automate the maintenance (automatically updates the embedded NVD source) deploy process. I intend to make a dotnet tool that can be installed, and write a chocolatey package to allow installation/updating through that package manager on Windows.
Do you plan to provide it also via winget? (Official windows package manager https://github.com/microsoft/winget-cli)
from nugetdefense.
I've not pushed anything to winget, and I don't use it. But I see no reason to exclude it. I'll look into it after I get the chocolatey package together.
from nugetdefense.
https://www.nuget.org/packages/NuGetDefense.Tool dotnet tool has been published. I'm going to work on a chocolatey script next.
from nugetdefense.
Closing this since it's available as a dotnet tool and chocolatey has an installer to wrap this for manageability. WinGet's msi requirement will be looked at again later. I've got some higher priority features/issues and some automation for releases that needs to be accomplished before I can look at WinGet. If anyone explicitly needs winget support, let me know in a separate issue and I'll try to work it into my schedule a little sooner.
from nugetdefense.
Related Issues (20)
- does not support csproj with multiple target frameworks that target different versions of same package HOT 4
- System.ServiceModel.Primitives @ 4.10.0 wrongly reported as vulnerable HOT 1
- Support for Central Package Management HOT 4
- sonatype-2019-0115 reported for jQuery @ 3.6.3, but not on ossindex.sonatype.org HOT 1
- Question: Where is the default cache location? HOT 5
- Global NVD Vulnerability Data HOT 1
- Scanner crashes when encountering a SSIS project in a solution HOT 2
- Tool crashes with a fatal exception HOT 2
- .nugetdefense folder location on different Operating Systems
- Upgrade to new NVD API HOT 6
- SqlLiteVulnerabilityCache TODO: Debug this query to make sure Vulnerable versions are input correctly HOT 2
- Question: how does this differ from dotnet list HOT 3
- Does not create settings file HOT 2
- NuGetDefence.lib: scanning twice does not report the vulnerabilities on secound scan HOT 1
- NuGetDefence.lib: json report file not showing the list fo vulnarable packages
- Fatal Exception - System.ArgumentException: An item with the same key has already been added. HOT 3
- Missing ConfigFile leads to ExitCode > 0 HOT 3
- NVD Source not reporting vulnerability in Microsoft.ChakraCore 1.11.23
- packages without vulnerablities are in Report HOT 3
- Build fails with dotnet publish after upgrading from NuGetDefense 2.1 to 3.0.7 HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nugetdefense.