
I'm working on a couple of large .NET web apps and would like to audit the packages used in them. For node projects I've used npm audit. This checks whether your npm packages or their dependencies have any known vulnerabilities.

Is there a similar project for .NET?

John Korsnes
jamesj
  • https://www.owasp.org/index.php/OWASP_Dependency_Check – paj28 Oct 23 '15 at 13:57
  • Having reviewed a bunch of these, I think NuGetDefense is the latest package that seems to meet this need. It has been updated recently and draws from OSS Index and NVD: https://github.com/digitalcoyote/NuGetDefense – Rikki Apr 01 '20 at 20:46
  • That's cool! Great project. – John Korsnes Jun 02 '20 at 10:34
  • This is now built-in in Visual Studio and dotnet CLI: https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/ – Borislav Ivanov Sep 05 '22 at 12:17

3 Answers

Another option is my project: https://github.com/RetireNet/dotnet-retire

It only reports Microsoft packages and works only on .NET Core projects. It does include runtime vulnerability checks, though.

I wrote about it here:

https://blogg.blank.no/hunting-for-vulnerable-nugets-in-net-core-3c37f30e467a
https://blogg.blank.no/automatic-reports-for-vulnerable-asp-net-core-runtimes-426ebcd93ad0

schroeder
John Korsnes

Unfortunately the choices are fairly limited. Except for the normal FxCop tools that you can use, there was also an OWASP implementation called SafeNuGet. I have not used it in quite a while and I see the last update is quite old.

https://www.nuget.org/packages/SafeNuGet/

Joe
  • The nuget package isn't "old" - it pulls a dynamic list from [this github source](https://raw.github.com/OWASP/SafeNuGet/master/feed/unsafepackages.xml) ... just do a Git Pull [or send the author an email here](https://github.com/OWASP/SafeNuGet) – makerofthings7 Jan 14 '17 at 20:48
  • but that "dynamic" list hasn't been updated in 2 years. – bchurchill May 28 '19 at 04:13

The landscape hasn't changed much in the last few years. The only thing I've seen is DevAudit. I've experimented with the Visual Studio extension, as well as its related command line utility, but haven't moved forward with using either.

A few of the vulnerabilities it reported felt just wrong, but it did also surface real ones too. The command line tool was frustrating, as it didn't produce structured data that was easily usable in a CI task.

In the commercial realm, Black Duck claim to have something comprehensive in this space. It looks really rather expensive though (call for pricing...)

  • they have a free option: https://info.blackducksoftware.com/Security-Checker-FAQ.html – schroeder Aug 21 '17 at 16:29
  • and this: https://openhub.net/ – schroeder Aug 21 '17 at 16:31
  • @schroeder I didn't take the free option seriously as they ask you to upload your whole codebase to them, via a web form. Thanks for the Openhub link though! – pattermeister Aug 22 '17 at 17:26
  • https://snyk.io/ another commercial one which has free scanning for open source projects. Mentioned on ep 1635 of .net rocks. – Sam Sippe May 21 '19 at 22:47
  • https://dependabot.com/ is another – Sam Sippe May 24 '19 at 02:10
  • As of Nov. 2019, Audit.NET (the Visual Studio extension) does not support Visual Studio 2019 and DevAudit does not support .NET Core project files (i.e. it expects a `packages.config` file to be present). – Matt Nov 01 '19 at 19:30
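As an added example that is not part of this thread: a small CI gate around the scan that is now built into the dotnet CLI (the `dotnet list package --vulnerable` command linked in the comments on the question), which addresses the missing-structured-output complaint in the third answer. It assumes a recent SDK whose `--format json` output has the field names used in the embedded constructed sample (an assumption to check against your SDK); the severity names and the `fail_at` threshold are mine.

```python
import json
import sys

# Constructed sample of what `dotnet list package --vulnerable --include-transitive --format json`
# is assumed to emit; the field names are an assumption, check them against your SDK version.
SAMPLE_REPORT = """{
  "projects": [{
    "path": "src/WebApp/WebApp.csproj",
    "frameworks": [{
      "framework": "net8.0",
      "topLevelPackages": [{
        "id": "Example.Json", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/advisory/1"}]
      }],
      "transitivePackages": [{
        "id": "Example.Transport", "resolvedVersion": "2.3.0",
        "vulnerabilities": [{"severity": "Low", "advisoryurl": "https://example.invalid/advisory/2"}]
      }]
    }]
  }]
}"""

# NuGet advisory severities, ranked so a fail threshold can be applied.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

def collect_findings(report_json):
    """Flatten the report into (project, package, version, scope, severity, advisory) rows."""
    report = json.loads(report_json)
    rows = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            # Direct and transitive packages are listed separately per target framework.
            for scope in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(scope, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        rows.append((project["path"], pkg["id"], pkg["resolvedVersion"],
                                     scope, vuln["severity"], vuln["advisoryurl"]))
    return rows

def gate(report_json, fail_at="high"):
    """Return (exit_code, findings); exit_code is 1 when any finding is at or above fail_at."""
    findings = collect_findings(report_json)
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking = [f for f in findings if SEVERITY_RANK.get(f[4].lower(), 0) >= threshold]
    return (1 if blocking else 0), findings

if __name__ == "__main__":
    # In CI, pipe the real CLI output in; with no stdin the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, rows = gate(raw)
    print("\n".join("%s: %s %s [%s] severity=%s %s" % r for r in rows))
    sys.exit(code)
```

Run as `dotnet list package --vulnerable --include-transitive --format json | python gate.py` in the pipeline; a non-zero exit fails the build while every finding, including low ones, is still listed in the log.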