Note: It appears that in Visual Studio 2019 an audit does not necessarily properly run on a clean Visual Studio startup. In this situation you can kick off an audit by right clicking on the solution and select "Audit NuGet Packages for Solution". Opening projects on an already running Visual Studio will run an audit.
Audit.NET is a Visual Studio extension that highlights NuGet package dependencies with security vulnerabilities.
Audit.NET relies on the free package and vulnerability database "OSS Index." OSS Index provides open source tools and data for a variety of languages and package managers. Vulnerabilities are drawn from the National Vulnerability Database, a variety of Security Feeds, and community contributions.
Audit.NET scans your dependencies on project load, when new dependencies are added, or when prompted. Vulnerabilities will appear in the Error List, and pertinent lines will be underlined in the packages.config files.
Audit.NET installation has been tested on Microsoft Visual Studio Community 2017, though it will likely install on earlier versions of Visual Studio Professional.
- Start Visual Studio
- Select the "Tools->Extensions and Updates..." menu item
- The Extensions and Updates dialog will appear
- In the tree to the left, click "Online"
- In the tree to the left, wnsure "Visual Studio Gallery" is selected
- In the search bar to the upper right, type "audit.net" and hit enter
- The Audit.Net extension should show.
- Click the "Download" button
- The "Download and Install" dialog will appear, with the Audit.Net license (BSD 3-clause)
- Click the install button
- The dialog will dissapear and the extension will install. A "Restart Now" button will appear at the bottom of Visual Studio. Click it.
- Visual Studio will restart
- Start Visual Studio on a solution
- Once the solution has loaded, Audit.NET will automatically run against the solution.
- If there are no known vulnerabilities you will see a message in the "Output" tab indicating the number of packages checked.
- If there are vulnerabilities the "Error List" will be brought to the front indicating the vulnerabilities found.
- Select the "Tools->NuGet Package Manager->Manage NuGet Packages for Solution" menu item
- The NuGet package manager will open
- Browser for new packages and install them as appropriate
- Once installation has completed Audit.NET will run against the new package(s)
- If there are no known vulnerabilities you will see a message in the "Output" tab indicating the number of packages checked.
- If there are vulnerabilities the "Error List" will be brought to the front indicating the vulnerabilities found.
- In the Solution Explorer, select the solution or a project
- Select the "Project->Audit NuGet Packages" menu item
- Audit.NET will run against the package(s)
- If there are no known vulnerabilities you will see a message in the "Output" tab indicating the number of packages checked.
- If there are vulnerabilities the "Error List" will be brought to the front indicating the vulnerabilities found.
- Click the "Error List" tab
- Audit.NET vulnerabilities will appear in the list with the red "X" icon
- Double click on an error to open the package.config file with the vulnerable package
- The vulnerable package will be underlined in red
- Resolve the problem either by using the NuGet package manager, or by hand editing the packages.config
- If you hand edit the packages.config file you will have to run Audit.NET manually to clear the error
- Right click on an error in the errors tab
- Select "Show Error Help" and the OSS Index page for the selected error will be displayed. This page has additional information such as a list of reference links that can provide evidence of the existence and severity of the vulnerability, as well as possibly insight into the causes, and in some cases possible mitigations.