dotnet-retire 2.3.1

A tool to check dependencies for versions with known vulnerabilities.

There is a newer version of this package available.
See the version list below for details.
dotnet tool install --global dotnet-retire --version 2.3.1
This package contains a .NET Core Global Tool you can call from the shell/command line.

dotnet-retire

A dotnet CLI extension to check your project for known vulnerabilities.

Install

$ dotnet tool install -g dotnet-retire

Usage

$ dotnet retire

Additional options:

Sample:

$ dotnet retire loglevel=debug

How does it work?

It fetches the packages listed in the corresponding packages repo in this GitHub organization, and checks your project's obj\project.assets.json or project.lock.json file for any match (direct or transitive).

The list of packages is kept up to date by updating that repo when Microsoft makes announcements, adding JSON files that link to the announcements from Microsoft's security team.
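
The matching step described above, as an added example (not dotnet-retire's own code): it reads the `targets` and `project.frameworks` sections of a project.assets.json, matches resolved package versions against an advisory list, and reports whether each hit is a direct or transitive reference, with the chain that pulled it in. The sample file, the `Example.*` package names and the advisory fields (`id`, `affected`, `fix`) are constructed; the real feed format is not shown on this page.

```python
import json
from collections import deque

# Constructed sample of obj/project.assets.json, trimmed to the fields used here.
ASSETS = json.loads("""{
 "targets": {".NETCoreApp,Version=v2.1": {
   "Example.Web/1.2.0": {"type": "package", "dependencies": {"Example.Http": "4.3.0"}},
   "Example.Http/4.3.0": {"type": "package", "dependencies": {"Example.Text": "4.3.0"}},
   "Example.Text/4.3.0": {"type": "package"}}},
 "project": {"frameworks": {"netcoreapp2.1": {"dependencies": {
   "Example.Web": {"target": "Package", "version": "[1.2.0, )"}}}}}
}""")
# Constructed advisory list; the field names are assumptions, not the tool's feed schema.
ADVISORIES = [{"id": "example.text", "affected": "4.3.0", "fix": "4.3.1"}]

def path_to(graph, roots, wanted):
    """Breadth-first search from the direct references down to the wanted package."""
    queue = deque([r] for r in sorted(roots) if r in graph)
    seen = set(roots)
    while queue:
        path = queue.popleft()
        if path[-1] == wanted:
            return [f"{graph[p][0]}/{graph[p][1]}" for p in path]
        for dep in graph[path[-1]][2]:
            if dep in graph and dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return []

def find_vulnerable(assets, advisories):
    # NuGet package ids are case-insensitive, so compare lower-cased ids.
    direct = {name.lower() for fw in assets["project"]["frameworks"].values()
              for name in fw.get("dependencies", {})}
    findings = []
    for target, libs in assets["targets"].items():
        graph = {}  # lower-cased id -> (id, resolved version, ids it depends on)
        for key, lib in libs.items():
            name, version = key.split("/", 1)
            graph[name.lower()] = (name, version, [d.lower() for d in lib.get("dependencies", {})])
        for adv in advisories:
            wanted = adv["id"].lower()
            node = graph.get(wanted)
            if node and node[1] == adv["affected"]:  # exact version match only
                findings.append({"target": target, "id": node[0], "version": node[1],
                                 "direct": wanted in direct, "fix": adv["fix"],
                                 "path": path_to(graph, direct, wanted)})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(ASSETS, ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['id']} {f['version']} ({kind}) via {' > '.join(f['path'])}; fix: {f['fix']}")
```

The first entry of the reported path is the direct reference to upgrade or pin when the vulnerable package itself is only pulled in transitively.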

Other projects with similar functionality:

SafeNuGet

Runs as part of the build (MSBuild target). Analyzes packages.config; does not handle transitive dependencies.

DevAudit

Standalone .NET console app that analyzes a packages.config; does not handle transitive dependencies.

Release Notes

Makes output logging verbosity configurable

  • .NETCoreApp 2.1

    • No dependencies.

Version History

Version Downloads Last updated
2.3.3 1,753 6/13/2019
2.3.2 2,623 9/11/2018
2.3.1 189 9/8/2018
2.1.1 216 8/22/2018
2.1.0 178 8/18/2018
2.0.0 173 8/18/2018
1.0.4 7,063 6/8/2017
1.0.3 339 6/8/2017
1.0.3-beta007 250 5/31/2017
1.0.2 4,687 5/19/2017
1.0.1 3,003 5/16/2017
1.0.0 10,303 5/15/2017
1.0.0-beta002 261 5/15/2017
1.0.0-beta001 261 5/15/2017