NuGet/Home

[Feature]: Allow excluding vulnerabilities from output of `dotnet list package --vulnerable`

Open

#11.926 geöffnet am 29. Juni 2022

Auf GitHub ansehen
 (13 Kommentare) (29 Reaktionen) (1 zugewiesene Person)HTML (292 Forks)batch import
Functionality:ListPackagePriority:2Product:dotnet.exeTriage:NeedsDesignSpecType:Featurehelp wanted

Repository-Metriken

Stars
 (1.459 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 464T 23h) (1 gemergte PR in 30 T)

Beschreibung

NuGet Product(s) Involved

dotnet.exe

The Elevator Pitch

Allow excluding vulnerabilities from the output of dotnet list package --vulnerable [--include-transitive] using another command line flag or config file.

Additional Context and Details

We scan for NuGet packages with vulnerabilities regularly on our build server by running dotnet list package --vulnerable --include-transitive. Sometimes it's not practical to upgrade a package version to properly fix the vulnerability, but we don't want to be notified of it anymore (because we have either determined that it doesn't apply to us, made a code change to mitigate it or accepted the risk). It would be great to be able to exclude specific vulnerabilities, e.g. by the advisory URL or perhaps just the ID part of it (CVE or GHSA ID), e.g.

dotnet list package --vulnerable --include-transitive --exclude-vulnerabilities GHSA-qpvx-gpqm-g98j,GHSA-mv2r-q4g5-j8q5

Contributor Guide