Open
Description
Today's NuGet Audit does not include PackageDownloads. PackageDownload is used for many .NET-provided packages like the runtime packs or ILLink pack or even the Roslyn Framework compiler. All of these could have security releases that we'd want to warn customers about, but the resolution for those customers would be to update their SDK, not update those packages. Many customers use PackageDownload directly for other classes of packages for which they would want to get a notification if there were a security update for their package.
As such, we need to add some metadata to the included PackageDownloads so we can separate them from the third-party ones and customize the audit experience in the future.
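While audit does not cover these items, the PackageDownload entries a project declares itself can be inventoried and checked separately. The sketch below is an added example, not part of the original issue or of NuGet's code; the project XML, package names and advisory data are constructed, MSBuild properties are not evaluated, and versions are compared as plain strings rather than normalized NuGet versions.

```python
import xml.etree.ElementTree as ET

# Constructed project file. PackageDownload takes exact versions in brackets,
# and several versions of one package are separated by ';'.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Lib" Version="2.0.0" />
    <PackageDownload Include="Example.Tool" Version="[1.2.0];[1.3.1]" />
    <PackageDownload Include="Example.Analyzer" Version="[4.0.0]" />
  </ItemGroup>
</Project>"""

# Constructed advisory data: lower-cased package id -> vulnerable versions.
SAMPLE_ADVISORIES = {"example.tool": {"1.2.0"}}


def _local(tag):
    """Drop an XML namespace prefix (old-style project files declare one)."""
    return tag.rsplit("}", 1)[-1]


def package_downloads(csproj_text):
    """Return (id, version) pairs for each PackageDownload declared in the file."""
    found = []
    for elem in ET.fromstring(csproj_text).iter():
        if _local(elem.tag) != "PackageDownload":
            continue
        versions = elem.get("Version")
        if versions is None:
            # Item metadata may also be written as a child element.
            child = next((c for c in elem if _local(c.tag) == "Version"), None)
            versions = (child.text or "") if child is not None else ""
        for pkg_id in filter(None, (elem.get("Include") or "").split(";")):
            for spec in filter(None, (v.strip() for v in versions.split(";"))):
                found.append((pkg_id.strip(), spec.strip("[]")))
    return found


def flag_vulnerable(csproj_text, advisories):
    """Return the declared PackageDownload versions listed in the advisory data."""
    return [(pkg, ver) for pkg, ver in package_downloads(csproj_text)
            if ver in advisories.get(pkg.lower(), set())]


if __name__ == "__main__":
    for pkg, ver in flag_vulnerable(SAMPLE_CSPROJ, SAMPLE_ADVISORIES):
        print(f"PackageDownload {pkg} {ver} has a known advisory")
```

PackageDownload items injected by the SDK itself do not appear in the project file, so this only sees the entries a project author added directly.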