dotnet list package --vulnerable should support auditSources
#13767
Labels: Area:NuGetAudit, Functionality:ListPackage (dotnet.exe list package), Priority:2 (Issues for the current backlog.), Type:DCR (Design Change Request)
NuGet Product(s) Affected
dotnet.exe
Current Behavior
`dotnet list package --vulnerable` was created before NuGetAudit or auditSources. It still only reports vulnerabilities when the source's package metadata ("registration") endpoint reports the vulnerability. When a project has a lot of packages (especially transitive packages, when `--include-transitive` is used), the command can take a long time while many HTTP requests are made.

Desired Behavior
If NuGetAudit reports a vulnerability during restore, then `dotnet list package --vulnerable --include-transitive` should report it too, even if none of the package sources have vulnerability data, but an audit source is defined.

Additional Context
No response
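
A CI-side check for the gap this issue describes, as an added example that is not part of the original issue or NuGet's own code: it compares NuGetAudit warnings (NU1901 to NU1904) in restore output with the output of `dotnet list package --vulnerable --include-transitive --format json` and returns the findings only restore reported. The sample inputs are constructed, and the JSON field names are an assumption about that command's output shape.

```python
import json
import re

# NuGetAudit raises NU1901-NU1904 (low to critical) during restore.
AUDIT_WARNING = re.compile(
    r"warning NU190[1-4]: Package '([^']+)' (\S+) has a known \w+ severity vulnerability"
)

def audit_findings(restore_output):
    """(package id, version) pairs that NuGetAudit flagged during restore."""
    return {(m.group(1).lower(), m.group(2))
            for m in AUDIT_WARNING.finditer(restore_output)}

def list_findings(list_json):
    """(package id, version) pairs the list command marked as vulnerable."""
    found = set()
    for project in json.loads(list_json).get("projects", []):
        for framework in project.get("frameworks", []):
            # Assumed field names for top-level and transitive packages.
            for key in ("topLevelPackages", "transitivePackages"):
                for pkg in framework.get(key, []):
                    if pkg.get("vulnerabilities"):
                        found.add((pkg["id"].lower(), pkg["resolvedVersion"]))
    return found

def missed_by_list(restore_output, list_json):
    """Findings restore reported that the list command did not."""
    return sorted(audit_findings(restore_output) - list_findings(list_json))

# Constructed restore output: package names and advisory URLs are placeholders.
SAMPLE_RESTORE = (
    "/src/App/App.csproj : warning NU1903: Package 'Contoso.Json' 1.2.0 has a known "
    "high severity vulnerability, https://example.test/advisories/PLACEHOLDER-1\n"
    "/src/App/App.csproj : warning NU1902: Package 'Contoso.Http' 4.0.1 has a known "
    "moderate severity vulnerability, https://example.test/advisories/PLACEHOLDER-2\n"
)
# Constructed list output: only Contoso.Http has data on the package source.
SAMPLE_LIST = json.dumps({"projects": [{"path": "/src/App/App.csproj", "frameworks": [{
    "framework": "net8.0",
    "topLevelPackages": [{"id": "Contoso.Http", "resolvedVersion": "4.0.1",
                          "vulnerabilities": [{"severity": "Moderate"}]}],
}]}]})

if __name__ == "__main__":
    for package_id, version in missed_by_list(SAMPLE_RESTORE, SAMPLE_LIST):
        print(f"restore flagged {package_id} {version}, list package did not")
```

A non-empty result means the audit source knows about a vulnerability that the package sources' registration data does not, which is the case the issue asks the list command to cover.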