Theme: Trustworthy and Secure (.NET 9 / 2024)

[JonDouglas]

Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much.

One of our ongoing themes of .NET is to secure the software supply chain. To achieve a secure supply chain with NuGet, we are focusing on three major areas such as knowing, preventing, and fixing known security vulnerabilities, support SBOMs, and making tooling more secure by default.

In .NET 9 we have a few areas that will help us make progress on that goal.

Know, Prevent, and Fix Known Security Vulnerabilities 🔒

To combat known vulnerabilities and active supply chain attacks, developers need to know that the package written by unknown individuals they are downloading from the internet can be secure and trusted enough to run on their trusted devices where they keep their most important data.

• [Epic] NuGet Package Vulnerability Auditing #8087
• Notify package owners of new vulnerabilities NuGetGallery#8592
• Don't hit registration to gather deprecation/vulnerability metadata #10865

Support SBOMs for NuGet packages 📋

A SBOM is a nested inventory; a list of ingredients that make up software components. This transparency is essential for security, compliance, and management purposes. It allows users and developers to quickly identify and address security vulnerabilities, comply with licensing requirements, and efficiently manage updates and patches.

• [Epic] Support SBOMs for NuGet packages #12497

Secure by Default ✅

When a package manager prioritizes security in its default settings, it automatically reduces the risk of vulnerabilities and attacks, such as dependency confusion or malicious code injections.

• [Epic] Package Quality/Trust #12504
• NuGet cannot restore from HTTPS sources that have SSL certificate problems #4387
• Show extra validation information during pack to allow for more effective means of communicating best practices such as README #12070
• Implement staged/transactional bulk uploads NuGetGallery#3931

IMPORTANT
This theme is not a commitment; it will evolve as we continue to learn throughout the release. Some things that are not currently planned for NuGet may get pulled in. Some things currently planned may even be pushed out.

Please 👍 or 👎 this issue to help us with the direction of this theme & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.

[ghost]

@JonDouglas Issue is missing Type label, remember to add a Type label

[ghost]

@JonDouglas Issue is missing Type label, remember to add a Type label