From c0102886523609d1d7d0a8efdad323ac8f867165 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:54:26 -0800 Subject: [PATCH 1/2] Update dotnet-restore-audit.md --- .../sdk/8.0/dotnet-restore-audit.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md b/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md index 5940d7679d441..2c872d159f90b 100644 --- a/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md +++ b/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md 
@@ -29,14 +29,44 @@ Many users want to know whether the packages they restore contain any known secu ## Recommended action -- To explicitly reduce the probability of this breaking your build due to warnings, you can consider your usage of `` and use `NU1901;NU1902;NU1903;NU1904` to ensure known security vulnerabilities are still allowed in your environment. +The properties mentioned in the recommended actions can be set either in your project file (for example, \*.csproj or \*.fsproj file) or *Directory.Build.props* file. + +- To explicitly reduce the probability of this breaking your build due to warnings, you can consider your usage of `` and set `NU1901;NU1902;NU1903;NU1904` to ensure known security vulnerabilities are still allowed in your environment. + + ```xml + + ... + NU1901;NU1902;NU1903;NU1904 + + ``` - If you want to set a different security audit level, add the `` property to your project file with possible values of `low`, `moderate`, `high`, and `critical`. + ```xml + + ... + low + + ``` + - If you want to ignore these warnings, you can use `` to suppress `NU1901-NU1904` warnings. + ```xml + + ... + $(NoWarn);NU1901-NU1904 + + ``` + - To disable the new behavior entirely, you can set the `` project property to `false`. + ```xml + + ... + false + + ``` + ## See also - [Audit for security vulnerabilities (`dotnet restore`)](../../../tools/dotnet-restore.md#audit-for-security-vulnerabilities) From 2c2ac2c1fe504161da6f390e614d6e2821af84fc Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Thu, 16 Jan 2025 11:56:59 -0800 Subject: [PATCH 2/2] Add TreatWarningsAsErrors property in documentation --- docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md b/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md index 2c872d159f90b..f0b15d2ce914f 100644 
--- a/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md +++ b/docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md @@ -36,6 +36,7 @@ The properties mentioned in the recommended actions can be set either in your pr ```xml ... + true NU1901;NU1902;NU1903;NU1904 ```
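Review bot: In the hunk of patch 1/2, the third snippet writes the codes as a hyphenated range, `$(NoWarn);NU1901-NU1904`, while the first snippet lists them as `NU1901;NU1902;NU1903;NU1904`. `NoWarn` takes a semicolon-separated list of warning codes, so the snippet should spell out all four codes the same way, and the bullet text should make clear that `NU1901-NU1904` is shorthand for those four. Two smaller points in the same hunk: the last two bullets suppress or disable the audit without saying what the reader gives up (packages with known vulnerabilities restore with no warning), so a sentence on that trade-off would help; and the audit-level example sets `low`, the first of the listed values, where a value such as `moderate` or `high` would better illustrate "a different security audit level".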
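Review bot: In the hunk of patch 2/2, the added `true` line turns warnings-as-errors on for anyone who copies the first snippet as is, but the bullet it belongs to is addressed to projects that already use that setting ("you can consider your usage of ..."). Suggest a sentence before the snippet, or an XML comment inside it, saying that the `true` line is shown only for context and that the `NU1901;NU1902;NU1903;NU1904` line is the one to add. Since this change only completes the snippet introduced in patch 1/2, it could also be squashed into that commit.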