If anyone is interested in contributing to #NuGetDefense,
I just opened an issue for moving the OSS Index source to their new compatibility endpoint (#sonatype will continue to offer free usage via Sonatype Guide or the compatibility API).

I'm going to look into creating a proper source for the newer Sonatype Guide API but it will not be soon unless someone wants to take on something a little more challenging.

#FOSS #security #vulnerabilityscanning #nuget #dotNET

Thanks mostly to two new contributors, #NuGetDefense (a #foss #dotnet dependency scanner) has been upgraded to .NET 10. Nothing fancy, but you can check out the prerelease of v5.0.0.0 of both the dotnet tool and the at-build dependency check package it all began with.

Thanks for the contributions!

https://github.com/digitalcoyote/NuGetDefense/releases/tag/v5.0.0.0-pre1

@foone I always keep my open source contributions off of work wifi, on a personal computer, and on my own time for that reason. We're technically not supposed to even discuss it at work but they use #NuGetDefense in some of our security scans so it's a little unavoidable.

If anyone wants to celebrate #Hacktoberfest with #NuGetDefense, it's got some low-hanging fruit you can look into, and I'll make time to review and label any PRs that are quality code.

Issues:

1. NuGetDefense needs to be evaluated for #dotnet 10 in each project. I expect it to be mostly just changing the target, but it may have a couple fixes needed.

2. Failing Unit Tests

3. Missing Unit Tests

4. Documentation Updates

I'll also make time to help anyone who finds an issue difficult.

If anyone has been using #NuGetDefense after my unexpected pause in development, know that a new release was pushed recently that fixes what is IMHO one of the most annoying bugs. The file access retry on the vulnerability data was failing before it entered the try/catch used to trigger the retry logic.

I feel like a hypocrite: I preach the joys of CI/CD at work, but I manually package and deploy my open source releases even though it's painful.

Gonna have to invest some time to automate releases for #NuGetDefense soon. Half the reason I don't have time to do small fixes is that a small fix still takes 30 minutes to an hour to fully release if the bug is in NuGetDefense.Core.

Found time to maintain my #foss project #NuGetDefense for the first time in a while. Proprietary work has been bleeding me dry, but we just had a sudden change in management so hopefully I'll have more time for maintaining and even contributing to other projects.

#NuGetDefense v4.1.3 has been released: https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.1.3

This includes a fix for vulnerable packages failing to report when severity thresholds are used (due to CVSS scores being stored as a double), and a fix for vulnerable packages not being listed in reports generated from NuGetDefense.

This required updates to all NuGetDefense packages including NuGetDefense.Lib and NuGetDefense.NVD.API (NVD API 2.0 client library used in NuGetDefense).

#security #dotNET

Release v4.1.3 BugFix Release · digitalcoyote/NuGetDefense

Fixed this release: #154 Vulnerable packages not showing in Vulnerability Reports; fix CVSS scores sometimes slipping under reporting thresholds due to storing them as double.


#NuGetDefense (the #foss #security tool) has a new prerelease (v4.1.0-pre0001). It's deprecating the dotnet list parsing and will now parse the project.assets.json file for resolved dependencies.

I'm expecting this to weed out the intermittent dotnet list errors. But I need brave souls to give it a test drive before it releases.
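Reading resolved dependencies straight from `project.assets.json` avoids scraping the text output of `dotnet list`, and it gives a scanner the versions NuGet actually restored rather than the ranges declared in the csproj. The snippet below is an added illustration, not NuGetDefense's own code; it assumes the standard layout NuGet restore writes (`targets` keyed by framework, `libraries` keyed by `Id/Version`) and uses a constructed, trimmed sample file.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of a project.assets.json written by NuGet restore,
# trimmed to the sections a dependency scanner needs.
SAMPLE_ASSETS = """
{
  "version": 3,
  "targets": {
    "net8.0": {
      "Newtonsoft.Json/13.0.3": { "type": "package" },
      "System.Text.Encodings.Web/8.0.0": { "type": "package" },
      "MyLib/1.0.0": { "type": "project",
                       "dependencies": { "Newtonsoft.Json": "13.0.3" } }
    }
  },
  "libraries": {
    "Newtonsoft.Json/13.0.3": { "type": "package", "path": "newtonsoft.json/13.0.3" },
    "System.Text.Encodings.Web/8.0.0": { "type": "package",
                                         "path": "system.text.encodings.web/8.0.0" },
    "MyLib/1.0.0": { "type": "project", "path": "../MyLib/MyLib.csproj" }
  }
}
"""


def resolved_packages(assets_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {target_framework: [(package_id, version), ...]}.

    Only entries NuGet resolved as type "package" are kept; project
    references (type "project") are skipped because they are not NuGet
    packages and have no advisory data to look up. Transitive packages
    appear in the same section, so the scan covers the full graph.
    """
    data = json.loads(assets_json)
    libraries = data.get("libraries", {})
    result: Dict[str, List[Tuple[str, str]]] = {}
    for tfm, entries in data.get("targets", {}).items():
        packages = []
        for key, entry in entries.items():
            # The type is present on both sides; prefer the target entry,
            # fall back to the libraries section if it is missing.
            kind = entry.get("type") or libraries.get(key, {}).get("type")
            name, sep, version = key.partition("/")
            if kind != "package" or not sep or not version:
                continue  # not a package, or a malformed "Id/Version" key
            packages.append((name, version))
        result[tfm] = sorted(packages)
    return result
```

Feeding each `(package_id, version)` pair to the vulnerability data source is then a plain lookup, with one result set per target framework when a project multi-targets.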

#NVD is lowering their maximum results per page in April. This will likely affect older #NuGetDefense versions that are used to create the global vulnerability data for offline NVD scanning, as well as potentially scans made using the NuGetDefense NVD API client. I'm going to try to get a preview version up this weekend to get ahead of the change and expect 500 or fewer results per page.

This probably won't affect many people unless you're using the global tool (NuGetDefense.Tool).