Set proper exit code on `dotnet list package --vulnerable` to enable usage in CI pipelines

Running `dotnet list package --vulnerable` does not use the exit code to indicate issues. I’d think vulnerable packages with medium / high severity would at least be returned with an exit code <> 0.

Usage example:

I want to include this command in our CI pipeline to enable a shift-left mentality and warn us earlier about possible vulnerabilities. Currently the only option I see is parsing the result for something like `has the following vulnerable packages`.

Alternatively, I can imagine adding a parameter to return either a number of vulnerable packages (that we can then test to be larger than 0) or a JSON object we can parse the right way to look for the numbers per severity.

I’ve been searching the source code but could not find where to look for the exit code setup 😁 .

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 27
  • Comments: 12 (3 by maintainers)

Top GitHub Comments

5 reactions
msftbot[bot] commented, Apr 21, 2022

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

5 reactions
mrjoops commented, Apr 14, 2022

Hi,

As a workaround, I use these lines to make my (Linux-based) CI work:

```bash
dotnet list package --vulnerable --include-transitive | tee vulnerable.out
test `grep -cm 1 'has the following vulnerable packages' vulnerable.out` = 0
```

So yes, it may break with future dotnet versions but since I’m very optimistic, I hope dotnet will implement a correct return code so my added line will never be executed 😉.
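A severity-aware variant of the gate discussed in this thread, as an added example that is not part of the original issue or its comments. It assumes each vulnerable package is printed as a row starting with `>` whose second-to-last field is the severity (Low, Moderate, High, Critical) followed by the advisory URL; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: vulnerable packages appear as
# rows starting with ">" and the severity is the second-to-last field, followed
# by the advisory URL.

# vulnerable_count THRESHOLD: read `dotnet list package --vulnerable` output on
# stdin and print how many package rows are at or above THRESHOLD.
vulnerable_count() {
  awk -v min="$1" '
    function rank(s) {
      s = tolower(s)
      if (s == "low") return 1
      if (s == "moderate") return 2
      if (s == "high") return 3
      if (s == "critical") return 4
      return 5  # unknown severity ranks highest so the gate fails closed
    }
    $1 == ">" && NF >= 3 && rank($(NF-1)) >= rank(min) { n++ }
    END { print n + 0 }'
}

# gate THRESHOLD: return 0 only when no row reaches THRESHOLD, 2 on a bad threshold.
gate() {
  case "$1" in
    low|moderate|high|critical) ;;
    *) echo "unknown threshold: $1" >&2; return 2 ;;
  esac
  [ "$(vulnerable_count "$1")" -eq 0 ]
}

# Constructed sample; package names, versions and URLs are placeholders.
sample_output() {
  cat <<'EOF'
Project `Example.App` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Example.Package.A    1.0.0       1.0.0      High       https://example.invalid/advisory-1
   > Example.Package.B    2.1.0       2.1.0      Low        https://example.invalid/advisory-2

   Transitive Package     Resolved   Severity   Advisory URL
   > Example.Package.C    3.0.0      Critical   https://example.invalid/advisory-3
EOF
}

# Assumed CI usage: keep the scan's own exit status so a failed scan is not read as clean.
# out=$(dotnet list package --vulnerable --include-transitive) || exit 1
# printf '%s\n' "$out" | gate high || exit 1
```

Like the `grep` workaround, this depends on the text layout of the command's output, so a layout change in a later SDK can silently alter what is counted.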
