Checking NuGet package vulnerabilities with OWASP SafeNuGet
Note: This method of scanning vulnerabilities is outdated. Check out our integrated vulnerability report for a better way of analyzing potential vulnerabilities.
Use of libraries with known vulnerabilities can be an issue for software and components you create: check the excellent whitepaper "The Unfortunate Reality of Insecure Libraries". In the OWASP Top 10 2013, consuming vulnerable packages is listed under A9 Using Known Vulnerable Components.
Automatic checking for known vulnerabilities can be done: OWASP has released a NuGet package which is able to check known vulnerabilities in other NuGet packages. The SafeNuGet package contains an MSBuild task which will warn you about consuming such packages.
Installing SafeNuGet into a project
Installing SafeNuGet into a project is as easy as installing any other NuGet package:
This will add a .targets file to all projects in the open solution, adding a check for possibly vulnerable packages during build.
How are potentially vulnerable packages shown?
A repository with vulnerable packages and the reason for that can be found on the SafeNuGet GitHub project. When running a build which references vulnerable NuGet packages, the warnings list will contain some information about this as well as a link with some explanation:
When a library referencing a potential unsafe package is built using MyGet Build Services, a warning will also be displayed in the build log:
Can my build fail when such packages are consumed?
It would be great if the build would fail entirely when such package is found. This can be done with simple configuration parameter for the SafeNuGet package. Find the SafeNuGet.targets file and update its contents to:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <UsingTask AssemblyFile="SafeNuGet.dll" TaskName="SafeNuGet.AreNuGetPackagesSafe" /> <Target Name="AfterBuild"> <AreNuGetPackagesSafe ProjectPath="$(MSBuildProjectDirectory)" CacheTimeInMinutes="10" DontBreakBuild="false" /> </Target> </Project>