From 2a1cbe94f84530434272f45655497916e4b2c8fc Mon Sep 17 00:00:00 2001 From: Jon Douglas Date: Mon, 22 May 2023 14:34:06 -0500 Subject: [PATCH 1/3] Update vulnerabilities-in-restore.md --- proposed/2022/vulnerabilities-in-restore.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/proposed/2022/vulnerabilities-in-restore.md b/proposed/2022/vulnerabilities-in-restore.md index a95736faa..ac9b0e048 100644 --- a/proposed/2022/vulnerabilities-in-restore.md +++ b/proposed/2022/vulnerabilities-in-restore.md 
@@ -80,6 +80,14 @@ This feature will be opt-in to start and gather feedback from developers. To enable the feature, a developer can add `enable` to their project file as a MSBuild property. To disable the feature, a developer can add `disable` or remove the property from the project file. +#### Setting Vulnerability Auditing Modes + +There will be different modes to audit vulnerabilities based on the developer's or developer's team preference. To do this, a developer will opt-in to a feature called `` which will have different modes such as `direct`, `transitive`, and `all`. + +These modes should be pretty straight-forward. `direct` will scan for any top-level vulnerabilities, `transitive` will scan for any transitive-level vulnerabilities, and `all` will scan for both top-level and transitive-level vulnerabilities. The default will be `direct` until the experience is ready to be `all` given that transitive vulnerabilities are the majority of vulnerability notices (90%+). + +When a known vulnerability is found that is of the `transitive` level, it will include the path to the project containing the top-level package and including the name and version of the package the vulnerable transitive dependency is coming from. Transitive level known vulnerabilities should not be a warning, but rather a message/informational MSBuild severity as they should not break builds but still be brought up in the Error List as informational. + #### Setting an Audit Level In cases where a developer only cares about a certain threshold of advisory severity, they can set a MSBuild property to set a level such as `moderate` in which auditing will fail. Possible values match the OSV format of `low`, `moderate`, `high`, and `critical`. From d232c68008f772ec3bdd176ba8ba44fac684c2e9 Mon Sep 17 00:00:00 2001 
From: Jon Douglas Date: Thu, 25 May 2023 12:02:33 -0500 Subject: [PATCH 2/3] Update vulnerabilities-in-restore.md --- proposed/2022/vulnerabilities-in-restore.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/proposed/2022/vulnerabilities-in-restore.md b/proposed/2022/vulnerabilities-in-restore.md index ac9b0e048..76e60751e 100644 --- a/proposed/2022/vulnerabilities-in-restore.md +++ b/proposed/2022/vulnerabilities-in-restore.md 
@@ -82,11 +82,11 @@ To enable the feature, a developer can add `enable` to #### Setting Vulnerability Auditing Modes -There will be different modes to audit vulnerabilities based on the developer's or developer's team preference. To do this, a developer will opt-in to a feature called `` which will have different modes such as `direct`, `transitive`, and `all`. +There will be different modes to audit vulnerabilities based on the developer's or developer's team preference. To do this, a developer will opt-in to a feature called `` which will have different modes such as `direct`, and `all`. -These modes should be pretty straight-forward. `direct` will scan for any top-level vulnerabilities, `transitive` will scan for any transitive-level vulnerabilities, and `all` will scan for both top-level and transitive-level vulnerabilities. The default will be `direct` until the experience is ready to be `all` given that transitive vulnerabilities are the majority of vulnerability notices (90%+). +These modes should be pretty straight-forward. `direct` will scan for any top-level vulnerabilities, and `all` will scan for both top-level and transitive-level vulnerabilities. The default will be `direct` until the experience is ready to be `all` given that transitive vulnerabilities are the majority of vulnerability notices (90%+). -When a known vulnerability is found that is of the `transitive` level, it will include the path to the project containing the top-level package and including the name and version of the package the vulnerable transitive dependency is coming from. Transitive level known vulnerabilities should not be a warning, but rather a message/informational MSBuild severity as they should not break builds but still be brought up in the Error List as informational. 
+When a known vulnerability is found that is of the transitive level, it will include the path to the project containing the top-level package and including the name and version of the package the vulnerable transitive dependency is coming from. Transitive level known vulnerabilities should not be a warning, but rather a message/informational MSBuild severity as they should not break builds but still be brought up in the Error List as informational. #### Setting an Audit Level @@ -304,6 +304,7 @@ However, it is expected that such projects will have a CI build which will perfo - Vulnerability scanning can be extended to SBOMs. - Support can be added to automatically fix vulnerable dependencies (i.e. a fix experience in CLI / Tooling) +- Consideration of SDK/Framework scanning for implicit PackageReference that may be vulnernable. Additionally, most of the [`Rationale and alternatives`](#rationale-and-alternatives) are really future possibilities on their own as they are not always exclusive to the current approach. Here's some further possibilities: From 4e981b18144f3479f0b00cae6768dbd6a815b57a Mon Sep 17 00:00:00 2001 From: Jon Douglas Date: Tue, 27 Jun 2023 13:40:56 -0500 Subject: [PATCH 3/3] Update vulnerabilities-in-restore.md Add future possibilities of readiness --- proposed/2022/vulnerabilities-in-restore.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/proposed/2022/vulnerabilities-in-restore.md b/proposed/2022/vulnerabilities-in-restore.md index 76e60751e..c4e5a0fc6 100644 --- a/proposed/2022/vulnerabilities-in-restore.md +++ b/proposed/2022/vulnerabilities-in-restore.md 
@@ -305,6 +305,16 @@ However, it is expected that such projects will have a CI build which will perfo - Vulnerability scanning can be extended to SBOMs. - Support can be added to automatically fix vulnerable dependencies (i.e. a fix experience in CLI / Tooling) - Consideration of SDK/Framework scanning for implicit PackageReference that may be vulnernable. +- Readiness to enable `` to `all` for .NET/VS vNext: + - Customer feedback from .NET 8. + - Satisfaction of direct dependency scanning. + - Noise ratio of transitive dependency scanning (i.e. new warnings) + - Performance/scalability impact of transitive dependency scanning. + - Version resolution to ensure proper vulnerability reporting. + - UI/UX considerations for distinguishing direct/transitive vulnerability warnings. + - Incremental scanning/caching to avoid redundant scans. + - Documentation and education resources for the functionality. + - Prioritization and suppression of severity / advisories. Additionally, most of the [`Rationale and alternatives`](#rationale-and-alternatives) are really future possibilities on their own as they are not always exclusive to the current approach. Here's some further possibilities:
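Review bot: the property name in the new "Setting Vulnerability Auditing Modes" section (patch 1, hunk `@@ -80,6 +80,14 @@`) is empty in the added first paragraph (`a feature called ``), so readers cannot tell which MSBuild property carries the `direct`/`transitive`/`all` values; spell out the property name, or say it is the same property that takes `enable`/`disable` above if that is the intent. The last added paragraph also needs to state how the informational severity for transitive findings interacts with the "Setting an Audit Level" threshold that follows it: as written, a `critical` transitive advisory would never fail a build even when the audit level is set, which should be an explicit design decision rather than something the reader infers. Minor: "developer's or developer's team preference" reads better as "the developer's or the team's preference", and the "(90%+)" figure for transitive notices should cite its source.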
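Review bot: the commit message for patch 2 ("Update vulnerabilities-in-restore.md") gives no reason for dropping the `transitive` mode in hunk `@@ -82,11 +82,11 @@`, and the hunk leaves the reader to infer that transitive-only scanning is no longer planned; a one-line rationale in the message or the document (for example that `all` already covers that case) would help. The rewritten first sentence now has a dangling comma in "`direct`, and `all`"; with two values it should read "`direct` and `all`". Dropping the backticks around "transitive" in the third sentence is right, since it is now a level rather than a mode, but "of the transitive level" then reads more naturally as "at the transitive level".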
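Review bot: typo in the bullet added by patch 2, hunk `@@ -304,6 +304,7 @@`: "vulnernable" should be "vulnerable". It would also help to say what "implicit PackageReference" means here (packages brought in by the SDK or framework rather than listed in the project file), since it is not obvious from the modes defined earlier whether a `direct` scan covers them or whether they only surface under `all`.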
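Review bot: the readiness list added in patch 3, hunk `@@ -305,6 +305,16 @@`, again refers to an empty property name ("Readiness to enable `` to `all`"), so the condition cannot be matched to the property it gates; fill in the name. Several criteria are not measurable as written: "Customer feedback from .NET 8" and "Satisfaction of direct dependency scanning" set no bar to clear, and "Noise ratio of transitive dependency scanning (i.e. new warnings)" sits oddly beside the earlier decision that transitive findings are informational messages rather than warnings, so say which severity the noise measurement assumes. "Prioritization and suppression of severity / advisories" should point back to the "Setting an Audit Level" section and say how a suppressed advisory is recorded, since a silent suppression is indistinguishable from not scanning. Nit: the "Noise ratio" item lacks the trailing period its sibling items have, and the context line above the insertion still carries the "vulnernable" typo from the previous patch.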