Finding Security Vulnerabilities in your Project Dependencies with Audit.Net

If you want to check your dependencies for security vulnerabilities right inside Visual Studio, the approach with Dependency-Check and SonarQube is not good enough. In that case, you should try Audit.Net.

This post is part three of a small series on finding security vulnerabilities in your project dependencies:

  1. Finding Security Vulnerabilities in your Dependencies with Dependency-Check
  2. Using Dependency-Check with VSTS and SonarQube
  3. Finding Security Vulnerabilities in your Project Dependencies with Audit.Net


Installation

You can download the Audit.Net extension from the Visual Studio Marketplace or install it directly in Visual Studio using Tools > Extensions and Updates…:


Check your dependencies

You can right-click the solution in Solution Explorer and use the menu entry "Audit NuGet Packages for Solution" to check your dependencies.

When the audit is done, you find the results in the Error window:

Each entry displays everything you need to pinpoint the project that uses the vulnerable package. If you need more details, you can right-click the error message and open "Show Error Help". This opens your web browser and shows the vulnerability in the OSS Index.

The good parts: those errors do not prevent you from compiling your code, and I only got one error instead of the 26 reported by Dependency-Check. However, there is currently no way to suppress false-positive results. In addition, since this vulnerability check runs with the build task of your project, you will always see those errors right next to the ones that stop your solution from compiling.
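To show what a suppression mechanism for such findings could look like, here is an added example that is not part of the original post and not code from Audit.Net. It collects the NuGet packages of a project as Package URL coordinates of the form pkg:nuget/<id>@<version> (the coordinate form OSS Index works with, stated here as an assumption about the service) and then applies a local suppression list with an expiry date, so a reviewed false positive stops showing up on every build without being hidden forever. The project files, the findings and the vulnerability ids are constructed sample data and placeholders, not real entries.

```python
"""Added example (not part of Audit.Net or the original post).

Collect the NuGet packages of a project as Package URL (purl) coordinates and
apply a local, expiring suppression list to a set of audit findings.
All inputs below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed SDK-style csproj fragment (PackageReference items).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
    <PackageReference Include="Serilog" Version="2.5.0" />
  </ItemGroup>
</Project>"""

# Constructed legacy packages.config (older project format).
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0"?>
<packages>
  <package id="log4net" version="2.0.3" targetFramework="net45" />
</packages>"""


def nuget_coordinates(xml_text):
    """Return sorted pkg:nuget/<id>@<version> purls found in a csproj or packages.config."""
    root = ET.fromstring(xml_text)
    coords = set()
    for el in root.iter():
        # Drop the XML namespace: old-style csproj files carry the MSBuild namespace.
        tag = el.tag.split("}")[-1]
        if tag == "PackageReference":
            name = el.get("Include")
            version = el.get("Version")
            if version is None:
                # The version may also appear as a child element instead of an attribute.
                child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
                version = child.text.strip() if child is not None and child.text else None
        elif tag == "package":
            name, version = el.get("id"), el.get("version")
        else:
            continue
        if name and version:
            coords.add(f"pkg:nuget/{name}@{version}")
    return sorted(coords)


# Constructed findings in the shape an audit tool might report: a coordinate plus a
# vulnerability reference. The ids are placeholders, not real vulnerability entries.
SAMPLE_FINDINGS = [
    {"coordinate": "pkg:nuget/Newtonsoft.Json@9.0.1", "id": "PLACEHOLDER-VULN-1"},
    {"coordinate": "pkg:nuget/log4net@2.0.3", "id": "PLACEHOLDER-VULN-2"},
]

# A suppression is scoped to one coordinate and one vulnerability id and carries a
# reason and an ISO expiry date, so it is revisited rather than living forever.
SAMPLE_SUPPRESSIONS = [
    {"coordinate": "pkg:nuget/Newtonsoft.Json@9.0.1", "id": "PLACEHOLDER-VULN-1",
     "reason": "reviewed: affected API is not used by this project", "expires": "2099-01-01"},
]


def filter_findings(findings, suppressions, today=None):
    """Split findings into (open, suppressed). Expired suppressions no longer apply."""
    today = today or date.today().isoformat()  # ISO dates compare correctly as strings
    active = {(s["coordinate"], s["id"]) for s in suppressions if s["expires"] > today}
    open_findings, suppressed = [], []
    for finding in findings:
        key = (finding["coordinate"], finding["id"])
        (suppressed if key in active else open_findings).append(finding)
    return open_findings, suppressed


if __name__ == "__main__":
    for coord in nuget_coordinates(SAMPLE_CSPROJ) + nuget_coordinates(SAMPLE_PACKAGES_CONFIG):
        print(coord)
    remaining, hidden = filter_findings(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS)
    print(f"{len(remaining)} open finding(s), {len(hidden)} suppressed")
```

Keying the suppression on both the package coordinate and the vulnerability id matters: a suppression written only for the vulnerability id would also hide it for a later version of the package, or for the same package pulled in by another project, which is exactly the situation a reviewer has not looked at.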


Conclusion

Audit.Net offers a nice integration directly into Visual Studio. The matcher is much better than the one in Dependency-Check, but when you hit a false positive, you see that error all the time. I do not like this behaviour at all. Until the developers implement the item to suppress false positives, I will not use this extension. Your mileage may vary, and if you can live with this restriction, do not let me stop you from using this extension.
