Comments (4)
zivkan
commented on September 29, 2024
1
@gautam-singh2 the feature was not implemented early enough to make it into the .NET 8 SDK (not even 8.0.400). But you can use the .NET 9 SDK to build projects targeting .NET 8, and therefore benefit from the stability of .NET 8's LTS status for your apps, while still using the latest build tools
I always recommend looking at our official docs before looking at github issues, or design specs that are written before the feature is implemented. I can't control where search engines will point you to, but hopefully over time the official docs will get better search rankings than github issues.
- audit sources docs
- nuget.config reference
- Looks like I forgot to mention which version of NuGet auditSources are available in, so I created a pull request: NuGet/docs.microsoft.com-nuget#3334
from home.
gautam-singh2
commented on September 29, 2024
On further digging, I realized that the comment I was referring to was #12698 (comment), was more than an year old and later a new spec was created https://github.com/NuGet/Home/blob/dev/accepted/2023/NuGetAudit-without-nuget.org-as-packageSource.md where <auditSources> was chosen over vulnerabilityDataSource. The spec has already been implemented NuGet/NuGet.Client#5708 and should be available in .NET SDK 8.0.400? Can someone please confirm?
from home.
gautam-singh2
commented on September 29, 2024
I modified C:\MyTest\NuGet.config used in Step 5) to have these contents (used auditSources instead of vulnerabilityDataSource):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageRestore>
<add key="enabled" value="True" />
<add key="automatic" value="True" />
</packageRestore>
<packageSources>
<add key="RETRACTED 1" value="A VALID V2 URL" />
<add key="RETRACTED 2" value="ANOTHER V2 URL" />
</packageSources>
<auditSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
</auditSources>
<disabledPackageSources>
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
<add key="Microsoft Azure Service Fabric" value="true" />
<add key="Microsoft and .NET" value="true" />
</disabledPackageSources>
<activePackageSource>
<add key="RETRACTED 1" value="A VALID V2 URL" />
<add key="RETRACTED 2" value="ANOTHER V2 URL" />
</activePackageSource>
</configuration>
Tried with .NET SDK 8.0.400 and .NET SDK 9.0.100-preview.7.24407.12, it still didnt show the warning about security flaw unless I removed nuget.org from the disabled package sources list.
from home.
gautam-singh2
commented on September 29, 2024
I finally got it to work when I changed the key name in auditSources to be different from the key name in disabledPackageSources. It didnt work with .NET SDK 8.0.400 though, only with .NET SDK 9.0.100-preview.7.24407.12. This might be expected though since the change NuGet/NuGet.Client#5708 might not be released as part of .NET SDK 8.0.400?
from home.
Related Issues (20)
- [Bug Bash] The package versions are inconsistent in the “Project” node and the “Packages” node of the Solution Explorer window after updating the parent project package HOT 2
- [Build][Source-Build] Multiple code style rule violations prevent successfull build of this repo and dotnet/dotnet repo
- Error reports of invalid or missing transitive NuGet dependencies are unusable
- dotnet build/restore/run is not working HOT 13
- dotnet nuget why should check RID specific packages
- Version in GlobalPackageReference is resolved incorrectly for legacy-style csproj projects HOT 4
- NuGetAuditSuppress is ignored by dotnet list package HOT 3
- Tests PushCommand_PushToServer_GetCredentialFromPlugin and NuGet.CommandLine.Test.NuGetPushCommandTest.PushCommand_PushToServerBasicAuth are flaky HOT 1
- LINQ exception (Value cannot be null. Parameter name: source) thrown in VS when NuGet Restore is disabled
- Set NuGetLockFilePath defaults in the targets to allow it to be used SDK for exclusion
- Visual Studio Package Manager UI should show RID specific packages
- Show RID specific dependencies in VS Solution Explorer's Dependency Node
- switching between nuget and project references
- Directoy.packages.props not being loaded when building on Linux HOT 2
- .NET SDK 8.0.401: random "multiple attempts to download the nupkg have failed" HOT 7
- VS Package Manager adds version to legacy project files using CPM HOT 1
- [Epic] "Trusted Publishers" (name tbd)
- Package extraction on Linux when nupkg central directory uses back slashes
- [Bug Bash] Expected error disappear and restore will be successful after the TLS certificate validation is re-enabled HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from home.