`dotnet add package` should fail vulnerable packages (#13840)
Comments
I see that I missed the Stating the obvious, the audit output should be uniform across commands.

I'm working on a draft for guidelines about how the
Title changed from "`dotnet add package` does not report vulnerabilities" to "`dotnet add package` does not report vulnerabilities (that my eyes can see)".
Closing in lieu of dotnet/sdk#43938.
Title changed from "`dotnet add package` does not report vulnerabilities (that my eyes can see)" to "`dotnet add package` should fail vulnerable packages".
@aortiz-msft I changed the title to make it more specific.

Our approach is to warn by default and fail when explicitly configured. This could be implemented through a configurable option like a "strict mode" that enforces stricter security policies. The tool's role is to inform, not to act on its own. Decisions remain in the hands of the user, and no actions are taken without their explicit consent.
I understand that policy; however, it feels incompatible with "secure by default". It also doesn't help that the warning is effectively hidden. This is the lack of taking an action. It feels different to me.
I'm installing this package: https://www.nuget.org/packages/System.Formats.Asn1/8.0.0. My expectation is that (A) the vulnerability should be reported with this command, and (B) the addition should be failed by default (should require `--force` to actually add). `dotnet add package` clearly has access to vulnerability data but doesn't act on it. It seems like we would "shift left" with the report on having just added a vulnerable dependency. Is there a reason why not?