OWASP SafeNuGet is an MsBuild task to warn about insecure NuGet libraries: https://nuget.org/packages/SafeNuGet/
Use of libraries with known vulnerabilities is a big problem. So big in fact it has now made it to the OWASP Top 10 2013. It's under A9 Using Known Vulnerable Components.
- Install the NuGet package
- Build
You can configure OWASP SafeNuGet by editing the packages/SafeNuGet.1.0.9/build/SafeNuGet.targets (replace the version number with the one you have installed).
Settings:
- CacheTimeInMinutes - how long the list of vulnerabilities should be kept before being refreshed from github
- DontBreakBuild - (from 1.0.9) - If set to true, will not break build even though vulnerable package is found
Great! If you want to contribute to the list of unsafe libraries, please create a pull request, register it as an issue or email me at erlend.oftedal@owasp.org.
Code contributions are also very welcome. Fork and create a pull request.
Register it here at github: issues