Releases: digitalcoyote/NuGetDefense
Bug Fixes and Feature Updates
First: this may end up being one of the final builds for .Net Core 3.1, as .Net 5.0 is generally available and .Net 6 is an upcoming LTS release.
Exit Codes Corrected for CI Builds - WIP: there are still some scenarios that I believe could prevent a CI run from failing if you are using NuGetDefense.Tool
Project Reference Scanning - Consider this a pre-release feature. It seems to be working, but I have not had the ability to test it in this branch, so I'm depending on users who use this feature to let me know of any issues in the 1.x versions.
Solution Scanning - Solution parsing added to NuGetDefense.Tool with the help of ByteDev.DotNet.
NVD data is more reliable/accurate and can rebuild itself instead of failing if VulnerabilityData.bin is not found.
WIP: Project Reference Scanning
Known issues in this one:
- It does scan the project references, but it reports them incorrectly as originating in the top-level project
- Vulnerabilities for referenced projects that have the same id (but a different version) as a package in the top-level project are reported regardless of vulnerable status
Solution Level Configuration + Bonus Bug Fix for .Net 5.0
New Feature This Release
- As requested in #44, NuGetDefense now checks the parent directory for a NuGetDefense.json in addition to the project file's directory.
- Blocked Packages no longer need a version string specified. If it is left out, all versions are assumed to be blocked.
Fixed This Release
- Blocked Packages did not work as intended
- Error message logic was inverted
- Error logging level was too low
- Extra logging that was meaningless
- Small performance fixes (mainly addressing ReSharper "Multiple Enumeration" warnings)
Solution Level Configuration + Bonus Bug Fix for .Net Core 3.1
New Feature This Release
- As requested in #44, NuGetDefense now checks the parent directory for a NuGetDefense.json in addition to the project file's directory.
- Blocked Packages no longer need a version string specified. If it is left out, all versions are assumed to be blocked.
Fixed This Release
- Blocked Packages did not work as intended
- Error message logic was inverted
- Error logging level was too low
- Extra logging that was meaningless
- Small performance fixes (mainly addressing ReSharper "Multiple Enumeration" warnings)
BugFix Release
Fixed In This Release
- NVD Source Not Updating
  - The pattern used for the links sometimes changes. The regex was modified to find both forms
- #42 IgnoredPackages was ignored
  - There were no references to this setting
  - Added a function (and a unit test) to ignore packages
- #41 WARNING: "0 vulnerabilities found for x @ x.x.x"
  - Fixed an issue that emitted warnings even when no vulnerabilities were found
- #40 Vulnerabilities could Warn instead of Error despite configuration
  - Vulnerabilities with no CVSS score would always Warn instead of Error
Possible Null References
Fixed This Release
- Possible Null References on CVE and Attack Vector for OSS Index
- Fixes #39
OSS Index Package Limit
Fixed This Release
- OSSIndex package limit error #37
Reporting Fix
Fixed This Release
#36 was brought to my attention and has been corrected. Be aware that the paths in the JSON and XML reports are relative to the current working directory. NuGetDefense does not change its working directory.
Preview Features Changed this release
- SensitivePackages now accepts an asterisk (*) as a wildcard when looking for packages to remove from the list. Comment on #35 to give feedback on this feature.
Feature Update
New This Release
- OSSIndex Authentication
  - Register to add a Username and ApiToken that increase the rate limit on OSSIndex scans
- NVD Regex for updating Vulnerability Data has been updated
  - Also updated the embedded NVD Source
- [Prerelease] Sensitive Packages
  - Allows defining a list of package IDs that will not be sent to remote endpoints during scans.
Bug Fix Update
Fixed in this release
- Non-English Culture Support
- NVD had a possible Argument Exception
- Settings for Logs couldn't deserialize some settings using the name of the enum