Enable NuGet transitive dependency auditing (NuGetAuditMode=all)#1255
Draft
NickJosevski wants to merge 1 commit into
Conversation
The .NET 8 SDK audits only DIRECT PackageReferences by default (NuGetAuditMode=direct), so transitively-resolved vulnerable packages - such as System.Security.Cryptography.Xml 8.0.2 - are invisible at build time. Setting NuGetAuditMode=all audits the full dependency graph and emits NU1901-NU1904 restore warnings for known-vulnerable packages. Findings are kept as warnings (WarningsNotAsErrors) so they surface without tripping the project's TreatWarningsAsErrors and breaking the build - this is informational, not a hard gate.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
todthomson approved these changes, Jun 18, 2026
todthomson (Member) left a comment:
Approved, with thanks. 🥇
re: WarningsNotAsErrors
I am not opposed to you just failing the build for CVEs, though that's just my opinion, but you could ask in EFT Requests in Slack if you agree. 😄
Background
While remediating the transitive `System.Security.Cryptography.Xml` 8.0.2 CVEs (found by an image scan, fixed in a separate PR), it became clear that nothing in the build flags vulnerable transitive packages. The .NET 8 SDK enables NuGet auditing by default, but only in `direct` mode — it audits direct PackageReferences and ignores the transitive graph, which is where these CVEs lived.
This PR turns on `NuGetAuditMode=all` so `dotnet restore` audits the full dependency graph and emits `NU1901`–`NU1904` warnings for known-vulnerable packages.
Results
Added to `source/Octopus.Tentacle/Octopus.Tentacle.csproj`:
A fresh `dotnet restore` (net8.0) now reports — and notably surfaces 5 vulnerable transitive packages, not just the one we went looking for:
(The 4.x findings are exactly the packages PR #1205 set out to pin — this is independent confirmation of that work.)
Important: this does NOT break the build
The project sets `TreatWarningsAsErrors`, so audit findings would otherwise become errors and fail CI. `WarningsNotAsErrors` keeps `NU190x` as warnings — informational visibility, not a hard gate. Verified: `dotnet restore` exits 0 with the warnings printed.
How to review this PR
Quality ✔️ — single `<PropertyGroup>`. To see it work: `dotnet restore source/Octopus.Tentacle/Octopus.Tentacle.csproj -p:TargetFramework=net8.0 --force` and watch the `NU1903` warnings. If you later want this to be a gate, drop the `WarningsNotAsErrors` line (or scope it) so findings fail the build.