I can see from previous answers that there isn’t any scanning of NuGet vulnerabilities at the current time in SonarCloud.
I would imagine that one of the main barriers to this implementation is that there is currently no way of getting vulnerability information in a machine-readable way. However, this will change with the forthcoming .NET SDK 7.0.2 where a command such as:
dotnet list package --vulnerable --include-transitive --format json
will result in JSON output from the dotnet CLI tool. See the bottom of this GitHub issue for more information.
Can you advise whether NuGet vulnerability scanning is in the short-term roadmap for SonarCloud at all, given this enabling change?
If it is - fantastic!
If not, we’ll write our own DevOps step to run the command and transform the data into Generic Issue Data format. As an aside, can you clarify whether the message value within that format accepts any kind of markup/markdown at all? Or is it just plain text?
All the best,
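One way to write the transformation step the post describes, as an added example that is neither the poster's code nor a SonarSource tool: it reads the JSON from `dotnet list package --vulnerable --include-transitive --format json` and emits Generic Issue Data. The field names of the dotnet report, the severity mapping, and the `ruleId`/`engineId` values are assumptions, and the sample input is constructed.

```python
import json
import os

# Constructed sample of `dotnet list package --vulnerable --include-transitive --format json` output.
# Field names follow the schema the .NET 7.0.2xx SDK emits (assumed; check against your SDK's output).
SAMPLE_DOTNET_JSON = json.dumps({"version": 1, "projects": [{
    "path": "/src/repo/App/App.csproj",
    "frameworks": [
        {"framework": "net7.0",
         "topLevelPackages": [{"id": "Example.Pkg", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
                               "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv/1"}]}],
         "transitivePackages": [{"id": "Example.Dep", "resolvedVersion": "2.3.4",
                                 "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://example.invalid/adv/2"}]}]},
        # Same transitive package again under a second target framework: must not produce a duplicate issue.
        {"framework": "net6.0", "topLevelPackages": [],
         "transitivePackages": [{"id": "Example.Dep", "resolvedVersion": "2.3.4",
                                 "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://example.invalid/adv/2"}]}]},
    ]}]})

# NuGet advisory severities mapped onto the Sonar severity scale (assumed mapping; adjust to taste).
SEVERITY_MAP = {"Critical": "BLOCKER", "High": "CRITICAL", "Moderate": "MAJOR", "Low": "MINOR"}


def to_generic_issue_data(dotnet_json: str, base_dir: str, engine_id: str = "dotnet-list-vulnerable") -> dict:
    """Convert the dotnet CLI report into SonarQube/SonarCloud Generic Issue Data: one file-level
    VULNERABILITY issue (no textRange) per vulnerable package, anchored on its .csproj, whose
    filePath is made relative to base_dir (Sonar expects paths relative to sonar.projectBaseDir)."""
    report = json.loads(dotnet_json)
    issues, seen = [], set()
    for project in report.get("projects", []):
        csproj = os.path.relpath(project["path"], base_dir)
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        key = (csproj, pkg["id"], pkg["resolvedVersion"], vuln["advisoryurl"])
                        if key in seen:  # same package reachable from several target frameworks
                            continue
                        seen.add(key)
                        scope = "Direct" if kind == "topLevelPackages" else "Transitive"
                        issues.append({
                            "engineId": engine_id,
                            "ruleId": "vulnerable-nuget-package",
                            "severity": SEVERITY_MAP.get(vuln["severity"], "MAJOR"),
                            "type": "VULNERABILITY",
                            "primaryLocation": {  # message kept as plain text
                                "message": f"{scope} package {pkg['id']} {pkg['resolvedVersion']} has a "
                                           f"{vuln['severity']} severity advisory: {vuln['advisoryurl']}",
                                "filePath": csproj}})
    return {"issues": issues}
```

Write the returned dict to a file and point `sonar.externalIssuesReportPaths` at it in the scanner step.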