Blog by Ben Clark-Robinson


Twitter LinkedIn GitHub Download FreqPress

14 Sep 2017
Scanning NuGet packages for vulnerabilities

During an internal development discussion we identified the trust we put into external NuGet packages this lead to implementing automated NuGet scanning using the OWASP SafeNuGet package1.

This option allows developers to be advised early of issues or at build time in the build server (in our case VSTS).

Here’s how to set it up:

1. Add SafeNuGet package

From Visual Studio click the Tools > NuGet Package Manager > Package Manager Console menu item.

Install-Package SafeNuGet

Or if you have multiple projects:

Get-Project -All | Install-Package SafeNuGet

2. Analysis of Packages

By default the build will fail if an issue was found otherwise you can can find the following in the Build Output pane of Visual Studio:

Using cached list of unsafe packages
No vulnerable packages found

3. Options

If you’d prefer to not break the build you can configure the tool by editing the ./packages/SafeNuGet.<version>/build/SafeNuGet.targets file and set the DontBreakBuild option to true.

1 Update 14/Sep/2017 After testing this process further I’m not 100% happy with it as it is not triggering on known vulnerable NuGet packages (such as older JQuery packages). In my next post I investigate DevAudit and AuditJs.

Til next time,
Ben at 10:23


Twitter LinkedIn GitHub Download FreqPress