14 Sep 2017
Scanning NuGet packages for vulnerabilities
During an internal development discussion we identified how much trust we put into external NuGet packages; this led to implementing automated NuGet scanning using the OWASP SafeNuGet package [1].
This gives developers early warning of issues, either locally or at build time on the build server (in our case VSTS).
Here’s how to set it up:
1. Add SafeNuGet package
From Visual Studio click the Tools > NuGet Package Manager > Package Manager Console menu item.
Or if you have multiple projects:
Get-Project -All | Install-Package SafeNuGet
2. Analysis of Packages
By default the build will fail if an issue is found; otherwise you can find the following in the Build Output pane of Visual Studio:
Using cached list of unsafe packages
No vulnerable packages found
If you’d prefer not to break the build, you can configure the tool by editing the ./packages/SafeNuGet.<version>/build/SafeNuGet.targets file and setting the DontBreakBuild option to
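The kind of check SafeNuGet performs, as an added Python example that is not SafeNuGet's own code: it parses a constructed packages.config, compares each package reference against a constructed advisory list (the package names, version ranges and notes are placeholders, not real advisories), and mirrors the DontBreakBuild switch in the result. It also orders a pre-release such as 2.0.0-beta1 before the fixed 2.0.0, one way a naive version compare can miss a vulnerable package.

```python
import xml.etree.ElementTree as ET

# Constructed advisory data for the demo (NOT SafeNuGet's real unsafe-package list).
# Keys are lower-cased because NuGet package ids are case-insensitive.
# Each entry: (first affected version inclusive, first fixed version exclusive, note).
UNSAFE_PACKAGES = {
    "jquery": [("1.0.0", "1.12.0", "constructed entry: flags jQuery before 1.12.0")],
    "contoso.widgets": [("0.0.0", "2.0.0", "constructed entry: fixed in 2.0.0")],
}

# Constructed packages.config, the per-project file a NuGet scanner inspects.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="jQuery" version="1.10.2" targetFramework="net45" />
  <package id="jQuery" version="3.2.1" targetFramework="net45" />
  <package id="Contoso.Widgets" version="2.0.0-beta1" targetFramework="net45" />
</packages>"""

def parse_version(v):
    """Order versions SemVer-style so that 2.0.0-beta1 sorts before 2.0.0."""
    core, _, prerelease = v.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (4 - len(parts))
    # A release ranks above every pre-release of the same number.
    return tuple(parts) + ((0, prerelease) if prerelease else (1, ""))

def is_unsafe(package_id, version, advisories=UNSAFE_PACKAGES):
    """Return the advisory note if (id, version) falls in an affected range."""
    v = parse_version(version)
    for lo, hi, note in advisories.get(package_id.lower(), []):
        if parse_version(lo) <= v < parse_version(hi):
            return note
    return None

def scan_packages_config(xml_text, advisories=UNSAFE_PACKAGES):
    """List (id, version, note) for every vulnerable package reference."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pid, ver = pkg.get("id"), pkg.get("version")
        note = is_unsafe(pid, ver, advisories)
        if note:
            findings.append((pid, ver, note))
    return findings

def build_result(findings, dont_break_build=False):
    """Mirror the DontBreakBuild switch: returns (build_ok, message)."""
    if not findings:
        return True, "No vulnerable packages found"
    report = "\n".join(f"{pid} {ver}: {note}" for pid, ver, note in findings)
    return dont_break_build, "Vulnerable packages found:\n" + report
```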
[1] Update 14/Sep/2017: After testing this process further I’m not 100% happy with it as it is not triggering on known vulnerable NuGet packages (such as older jQuery packages). In my next post I investigate DevAudit and AuditJs.
Til next time,
Ben at 10:23