.NET - Nuget vulnerability scanning

I can see from previous answers that there isn’t any scanning of Nuget vulnerabilities at the current time in SonarCloud.

I would imagine that one of the main barriers to this implementation is that there is currently no way of getting vulnerability information in a machine-readable way. However, this will change with the forthcoming .NET SDK 7.0.2 where a command such as:

dotnet list package --vulnerable --include-transitive --format json

will result in JSON output from the dotnet CLI tool. See the bottom of this GitHub issue for more information.

Can you advise whether Nuget vulnerability scanning is in the short-term roadmap for SonarCloud at all, given this enabling change?

If it is - fantastic!

If not, we’ll write our own DevOps step to run the command and transform the data into Generic Issue Data format. As an aside, can you clarify whether the message value within that format accepts any kind of markup/markdown at all? Or is it just plain text?

All the best,

Chris
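A sketch of the DevOps transform step described above, as an added example and not code from the original post: it reads the JSON that `dotnet list package --vulnerable --include-transitive --format json` writes and emits a SonarQube Generic Issue Data document. The shape of the dotnet report (projects, frameworks, topLevelPackages, transitivePackages, vulnerabilities) is assumed from the NuGet documentation, and the sample report, package names and advisory URLs are constructed placeholders.

```python
import json
from pathlib import Path

# Severity names emitted by `dotnet list package --vulnerable` mapped onto
# the severities the Generic Issue Data format accepts.
SEVERITY_MAP = {"Critical": "BLOCKER", "High": "CRITICAL", "Moderate": "MAJOR", "Low": "MINOR"}

# Constructed sample of the `--format json` output (shape assumed from the
# NuGet docs; package ids and advisory URLs are placeholders).
SAMPLE_DOTNET_OUTPUT = """{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "projects": [{
    "path": "src/App/App.csproj",
    "frameworks": [{
      "framework": "net7.0",
      "topLevelPackages": [{
        "id": "Example.Direct", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/advisory/1"}]
      }],
      "transitivePackages": [{
        "id": "Example.Transitive", "resolvedVersion": "2.3.4",
        "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://example.invalid/advisory/2"}]
      }]
    }]
  }]
}"""

def to_generic_issues(report, engine_id="dotnet-list-vulnerable"):
    """One VULNERABILITY issue per vulnerable package, anchored on the project
    file. No textRange is given, so SonarQube treats it as a file-level issue."""
    issues = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        # Keep the message plain text so it renders whether or not markup is supported.
                        scope = "direct" if kind == "topLevelPackages" else "transitive"
                        message = (f"{pkg['id']} {pkg['resolvedVersion']} ({fw['framework']}, {scope}) "
                                   f"has a {vuln['severity']} severity advisory: {vuln['advisoryurl']}")
                        issues.append({"engineId": engine_id, "ruleId": "vulnerable-nuget-package",
                                       "severity": SEVERITY_MAP.get(vuln["severity"], "MAJOR"),
                                       "type": "VULNERABILITY",
                                       "primaryLocation": {"message": message, "filePath": project["path"]}})
    return {"issues": issues}

def convert_report(report_text):
    """Parse the raw dotnet JSON text and return the Generic Issue Data document."""
    return to_generic_issues(json.loads(report_text))

if __name__ == "__main__":
    # Pipeline: dotnet list package --vulnerable --include-transitive --format json > report.json
    Path("nuget-issues.json").write_text(json.dumps(convert_report(SAMPLE_DOTNET_OUTPUT), indent=2))
```

Point the scanner at the written file with `sonar.externalIssuesReportPaths=nuget-issues.json`.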


This would be a good addition, as I was asking about it in my previous post. We ultimately had to purchase Open Source Security Management | SCA Tool | Snyk, as we are a polyglot system and we need it across all our supported languages. I love SonarCloud/SonarQube and this would be a great addition to their product suite. Having a one-stop shop for static analysis/OWASP scanning/package scanning would be great. hint hint