From 5973bec4a3785c6d176a1ef9ee64f2d456fdff1a Mon Sep 17 00:00:00 2001
From: Ken Tucker
Date: Sun, 28 Sep 2025 07:04:50 -0400
Subject: [PATCH 1/3] Add check for vulnerable NuGet packages

---
 .github/workflows/dotnet-core.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dotnet-core.yml b/.github/workflows/dotnet-core.yml
index b5f63e7..6d56c67 100644
--- a/.github/workflows/dotnet-core.yml
+++ b/.github/workflows/dotnet-core.yml
@@ -36,7 +36,8 @@ jobs:
 run: dotnet tool install -g nbgv
 - name: Set Version
 run: nbgv cloud
-
+ - name: Check vulnerable NuGet packages
+ uses: elmahio/github-check-vulnerable-nuget-packages-action@v2
 - name: Build
 run: dotnet build --configuration Release --no-restore

From c5cee240953b628c6b3678524cf1fc86baf3bef7 Mon Sep 17 00:00:00 2001
From: Ken Tucker
Date: Sun, 28 Sep 2025 07:18:20 -0400
Subject: [PATCH 2/3] Update vulnerability check in dotnet-core workflow

Replaced vulnerable NuGet packages check with a custom command to list vulnerable packages and log the output.

---
 .github/workflows/dotnet-core.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dotnet-core.yml b/.github/workflows/dotnet-core.yml
index 6d56c67..ba3592a 100644
--- a/.github/workflows/dotnet-core.yml
+++ b/.github/workflows/dotnet-core.yml
@@ -36,8 +36,11 @@ jobs:
 run: dotnet tool install -g nbgv
 - name: Set Version
 run: nbgv cloud
- - name: Check vulnerable NuGet packages
- uses: elmahio/github-check-vulnerable-nuget-packages-action@v2
+ - name: Checking for external vulnerabilites
+ run: |
+ dotnet list package --vulnerable --include-transitive 2>&1 | tee vuln.log
+ echo "Analyze dotnet list package..."
+ ! grep -q -i "has the following vulnerable packages" vuln.log
 - name: Build
 run: dotnet build --configuration Release --no-restore

From 28646caad3eda7a3f1949bbd747a53827fbf2af1 Mon Sep 17 00:00:00 2001
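Review bot: The gate added in the second patch, `! grep -q -i "has the following vulnerable packages" vuln.log` behind a `2>&1 | tee vuln.log` pipeline, only behaves as intended under bash: the `!` negation and the fail-on-pipeline-error semantics are bash-specific, and the step declares no `shell:`, so it inherits the runner's default shell, which is not visible here (`runs-on` sits outside the hunk). On a Windows runner the default shell is PowerShell, where this script would not act as a gate at all. Adding `shell: bash` beneath the `run: |` line makes the dependency explicit and keeps the check portable across runner images. It would also help reviewers of a failed run to print the matching block before failing, since `grep -q` suppresses the package names that triggered the failure.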
From: Ken Tucker
Date: Mon, 13 Oct 2025 09:12:58 -0400
Subject: [PATCH 3/3] Enhance vulnerability check for NuGet packages

Updated the workflow to check for vulnerable NuGet packages with improved logging and output handling.

---
 .github/workflows/dotnet-core.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/dotnet-core.yml b/.github/workflows/dotnet-core.yml
index ba3592a..f492bc5 100644
--- a/.github/workflows/dotnet-core.yml
+++ b/.github/workflows/dotnet-core.yml
@@ -36,11 +36,15 @@ jobs:
 run: dotnet tool install -g nbgv
 - name: Set Version
 run: nbgv cloud
- - name: Checking for external vulnerabilites
+ - name: Checking Vulnerable Nuget Packages
 run: |
- dotnet list package --vulnerable --include-transitive 2>&1 | tee vuln.log
- echo "Analyze dotnet list package..."
- ! grep -q -i "has the following vulnerable packages" vuln.log
+ $outout = dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
+ echo "Analyze dotnet vulnerable nuget package command log output..."
+ echo $output
+ if ($output -match "critical|high|moderate|low") {
+ Write-Host "Security Vulnerabilities found in Nuget Packages on the log output"
+ exit 1
+ }
 - name: Build
 run: dotnet build --configuration Release --no-restore
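Review bot: The first added line assigns to `$outout`, but every following line reads `$output`, which is never set; in PowerShell an unset variable is `$null`, so `echo $output` prints nothing and `$null -match "critical|high|moderate|low"` is always false, meaning the `exit 1` branch can never fire and the step passes regardless of what `dotnet list package --vulnerable` reports. The fix is the one-character rename `$output = dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log`. Separately, `-match` is case-insensitive and the pattern is unanchored, so any package or path name containing those substrings (for example "highlight" or "flow") would fail the build, while a tool error that prints none of them would pass it; matching on the tool's own phrase that the previous revision used, `has the following vulnerable packages`, and checking `$LASTEXITCODE` right after the dotnet pipeline would make the gate both stricter and less noisy. The mixed `echo`/`Write-Host` usage in the new body could also be unified for consistency.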