NuGet/Home

[Feature]: Allow excluding vulnerabilities from output of `dotnet list package --vulnerable`

Open

#11926 opened on June 29, 2022

13 comments · 29 reactions · 1 assignee · repository: 1,459 stars, 292 forks

Labels: Functionality:ListPackage, Priority:2, Product:dotnet.exe, Triage:NeedsDesignSpec, Type:Feature, help wanted

Description

NuGet Product(s) Involved

dotnet.exe

The Elevator Pitch

Allow excluding vulnerabilities from the output of `dotnet list package --vulnerable [--include-transitive]` using another command line flag or config file.

Additional Context and Details

We scan for NuGet packages with vulnerabilities regularly on our build server by running `dotnet list package --vulnerable --include-transitive`. Sometimes it's not practical to upgrade a package version to properly fix the vulnerability, but we don't want to be notified of it anymore (because we have either determined that it doesn't apply to us, made a code change to mitigate it, or accepted the risk). It would be great to be able to exclude specific vulnerabilities, e.g. by the advisory URL or perhaps just the ID part of it (CVE or GHSA ID), e.g.

```
dotnet list package --vulnerable --include-transitive --exclude-vulnerabilities GHSA-qpvx-gpqm-g98j,GHSA-mv2r-q4g5-j8q5
```
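As an added example (not part of this issue and not NuGet's own code): until such a flag exists, the exclusion semantics the request describes can be applied as a post-processing step on the build server. The script below filters the JSON report from `dotnet list package --vulnerable --include-transitive --format json` (the `--format json` option exists in .NET SDK 7.0.200 and later, so it postdates this issue) against a comma-separated list of CVE/GHSA IDs or full advisory URLs, matching on the ID part of the URL exactly as the request suggests, and exits non-zero only if unexcluded findings remain. The report field names (`projects`, `frameworks`, `topLevelPackages`, `transitivePackages`, `vulnerabilities`, `severity`, `advisoryurl`) follow the SDK's JSON output as I understand it and should be checked against your SDK version; the sample report, its package names and the third advisory ID `GHSA-aaaa-bbbb-cccc` are constructed placeholders.

```python
"""Filter `dotnet list package --vulnerable --include-transitive --format json`
against an allowlist of advisory IDs.  Added example for NuGet/Home#11926, not
NuGet code.  The report schema is assumed from the SDK's JSON output; the
sample below is constructed, not captured from a real build.
"""
import json
import re
import sys
from typing import Optional

# The ID part of an advisory URL, e.g. .../advisories/GHSA-qpvx-gpqm-g98j
# or .../vuln/detail/CVE-2021-12345.  Case-insensitive so a user can type either.
ADVISORY_ID = re.compile(
    r"(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|CVE-\d{4}-\d{4,})", re.IGNORECASE
)


def advisory_id(text: str) -> Optional[str]:
    """Extract a CVE/GHSA ID from a URL or bare ID and return its canonical form."""
    m = ADVISORY_ID.search(text)
    if not m:
        return None
    ident = m.group(1)
    # Canonical forms: GHSA prefix upper, body lower; CVE entirely upper.
    if ident[:4].upper() == "GHSA":
        return "GHSA" + ident[4:].lower()
    return ident.upper()


def parse_exclusions(spec: str) -> set:
    """Parse a comma-separated list of IDs and/or advisory URLs into a set of IDs."""
    excluded = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ident = advisory_id(item)
        if ident is None:
            # Fail closed: a typo in the allowlist must not silently exclude nothing.
            raise ValueError(f"not a CVE/GHSA ID or advisory URL: {item!r}")
        excluded.add(ident)
    return excluded


def remaining_vulnerabilities(report: dict, excluded: set) -> list:
    """Return every vulnerability in the report whose advisory ID is not excluded.

    Walks topLevelPackages and transitivePackages of every framework of every
    project, so findings from --include-transitive are covered too.
    """
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for section in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(section, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        url = vuln.get("advisoryurl", "")
                        ident = advisory_id(url)
                        if ident in excluded:
                            continue
                        findings.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg.get("id"),
                            "version": pkg.get("resolvedVersion"),
                            "severity": vuln.get("severity"),
                            "advisory": ident or url,
                        })
    return findings


# Constructed sample shaped like the SDK's JSON report (assumed schema).
# The first two GHSA IDs are the ones quoted in the issue; the third is a placeholder.
SAMPLE_REPORT = json.loads("""
{
  "version": 1,
  "parameters": "--vulnerable --include-transitive --format json",
  "projects": [{
    "path": "src/App/App.csproj",
    "frameworks": [{
      "framework": "net8.0",
      "topLevelPackages": [{
        "id": "Example.Web", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
        "vulnerabilities": [
          {"severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-qpvx-gpqm-g98j"}
        ]
      }],
      "transitivePackages": [{
        "id": "Example.Json", "resolvedVersion": "2.1.0",
        "vulnerabilities": [
          {"severity": "Moderate", "advisoryurl": "https://github.com/advisories/GHSA-mv2r-q4g5-j8q5"},
          {"severity": "Critical", "advisoryurl": "https://github.com/advisories/GHSA-aaaa-bbbb-cccc"}
        ]
      }]
    }]
  }]
}
""")

if __name__ == "__main__":
    # Usage on the build server:
    #   dotnet list package --vulnerable --include-transitive --format json \
    #     | python filter_vulns.py GHSA-qpvx-gpqm-g98j,GHSA-mv2r-q4g5-j8q5
    # With no piped input, runs against the constructed sample instead.
    excluded = parse_exclusions(sys.argv[1] if len(sys.argv) > 1 else "")
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    left = remaining_vulnerabilities(report, excluded)
    for f in left:
        print(f"{f['severity']:<8} {f['package']} {f['version']} {f['advisory']} "
              f"({f['project']}, {f['framework']})")
    sys.exit(1 if left else 0)
```

Keeping the allowlist in a file checked into the repository (one ID per line, joined with commas when invoking the script) gives the same audit trail the requested config-file variant would: each suppression lands in version control with the commit message explaining why the risk was accepted or mitigated.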

