dotnet-retire 1.0.4

A tool to check dependencies for versions with known vulnerabilities.

There is a newer version of this package available.
See the version list below for details.
Package Manager: Install-Package dotnet-retire -Version 1.0.4
.NET CLI: dotnet add package dotnet-retire --version 1.0.4
PackageReference: <PackageReference Include="dotnet-retire" Version="1.0.4" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
Paket CLI: paket add dotnet-retire --version 1.0.4
The NuGet Team does not provide support for this client. Please contact its maintainers for support.


dotnet-retire

A dotnet CLI extension to check your project for known vulnerabilities.

Install

As the CLI doesn't currently allow us to install tools from the command line, you'll need to modify your csproj manually.

<ItemGroup>
  <DotNetCliToolReference Include="dotnet-retire" Version="1.0.1" />
</ItemGroup>

Or, if your project is still using the preview2 tooling, modify your project.json:

"tools": {
  "dotnet-retire": "1.0.1"
}

Usage

$ dotnet retire

[Image: sample output of dotnet retire]

How does it work?

It fetches the packages listed in the corresponding packages repo in this GitHub organization (link), and checks your project's obj\project.assets.json or project.lock.json file for any match (direct or transitive).

The list of packages is kept up to date by updating that repo: when Microsoft makes an announcement, additional JSON files are added with links to the announcements from Microsoft's security team.
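The check described above, sketched in Python as an added example (not dotnet-retire's own code, which is a .NET tool): it walks the targets graph of a project.assets.json, matches each resolved package against an advisory list, and reports whether a hit is direct or transitive together with the reference chain that pulls it in. The sample assets data, the Example.* package names, the advisory entry fields and the exact-version matching are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample in the shape of obj/project.assets.json (only the keys used here).
ASSETS = {
    "targets": {".NETCoreApp,Version=v1.1": {
        "Example.Web/1.1.0": {"type": "package", "dependencies": {"Example.Http": "1.1.0"}},
        "Example.Http/1.1.0": {"type": "package", "dependencies": {"Example.Text": "4.3.0"}},
        "Example.Text/4.3.0": {"type": "package"},
    }},
    "projectFileDependencyGroups": {".NETCoreApp,Version=v1.1": ["Example.Web >= 1.1.0"]},
}

# Hypothetical advisory entries; the packages repo's real format is not shown on this page.
ADVISORIES = [{"id": "example.text", "affected": "4.3.0", "fix": "4.3.1",
               "link": "https://example.invalid/advisory-placeholder"}]


def find_vulnerable(assets, advisories):
    """Return one finding per affected package, with the path that pulls it in."""
    known = {(a["id"].lower(), a["affected"]): a for a in advisories}
    findings = []
    for framework, libs in assets["targets"].items():
        # Index the "Id/Version" keys by lower-cased id; NuGet ids are case-insensitive.
        nodes = {key.split("/", 1)[0].lower(): key for key in libs}
        direct = [spec.split()[0].lower()
                  for spec in assets["projectFileDependencyGroups"].get(framework, [])]
        # Breadth-first walk from the direct references, remembering each parent.
        parent = {d: None for d in direct if d in nodes}
        queue = deque(parent)
        while queue:
            cur = queue.popleft()
            for dep in libs[nodes[cur]].get("dependencies", {}):
                dep = dep.lower()
                if dep in nodes and dep not in parent:
                    parent[dep] = cur
                    queue.append(dep)
        for pid, via in parent.items():
            name, version = nodes[pid].split("/", 1)
            adv = known.get((pid, version))
            if adv is None:
                continue
            path, step = [nodes[pid]], via
            while step is not None:  # rebuild the chain back to a direct reference
                path.insert(0, nodes[step])
                step = parent[step]
            findings.append({"framework": framework, "package": name, "version": version,
                             "direct": via is None, "path": path, "fix": adv["fix"]})
    return findings


print(find_vulnerable(ASSETS, ADVISORIES))
```

The path in each finding shows which direct reference to upgrade or override when the affected package is not one you reference yourself.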

Other projects with similar functionality:

SafeNuGet

Runs as part of the build (MSBuild target). Analyzes packages.config, does not handle transitive dependencies.

DevAudit

Standalone .NET console app. Analyzes packages.config, does not handle transitive dependencies.


Release Notes

* Remove reporting on transient vulnerabilities.
* Bugfix: Change to in-mem appSettings, as dotnet tools don't have access to NuGet content folder the same way as regular NuGets when they're run (path issues).


Version History

Version         Downloads   Last updated
2.3.3           1,754       6/13/2019
2.3.2           2,623       9/11/2018
2.3.1           189         9/8/2018
2.1.1           216         8/22/2018
2.1.0           178         8/18/2018
2.0.0           173         8/18/2018
1.0.4           7,063       6/8/2017
1.0.3           339         6/8/2017
1.0.3-beta007   250         5/31/2017
1.0.2           4,687       5/19/2017
1.0.1           3,003       5/16/2017
1.0.0           10,303      5/15/2017
1.0.0-beta002   261         5/15/2017
1.0.0-beta001   261         5/15/2017