
Are you developing NuGet packages? Good. Me too. We developers all make mistakes from time to time, and the problem is that some of those mistakes become vulnerabilities. So how will the users of your library know?

Update 2013-06-17: This is now an OWASP Project

Using libraries with known vulnerabilities is a big problem. So big that it has in fact made it to the newly published OWASP Top 10 2013. It's under A9 Using Known Vulnerable Components.

How can you help?

Help me help you, or rather help me help your package's users. I have created a NuGet package called OWASP SafeNuGet. After installing this package into a project, OWASP SafeNuGet will check the status of the referenced libraries on every build, and warn the developers if any of them is known to be vulnerable. However, the status of the libraries needs to be maintained. This is where you come in. We help the users of our libraries by maintaining a list of vulnerable versions of our packages. And in the true spirit of OWASP, everything is free and open.

So how do you submit your list of vulnerable versions? You can either open an issue, create a pull request, or send me an email at erlend.oftedal@owasp.org. Please include the package id, the versions affected and a URL for more information.
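To make the build-time check concrete, here is an added example (my own illustration, not code from OWASP SafeNuGet) that reads a NuGet packages.config and compares every referenced package against a list of entries in the shape asked for above: package id, affected versions, URL. The package names, versions and URLs in it are constructed placeholders, and the half-open version range is an assumed list format.

```python
import xml.etree.ElementTree as ET

# Constructed sample packages.config, in the form NuGet writes into a project.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Example.Web" version="1.2.0" targetFramework="net45" />
  <package id="Example.Json" version="4.5.1" targetFramework="net45" />
  <package id="Example.Crypto" version="2.0.0-beta1" targetFramework="net45" />
</packages>"""

# Constructed vulnerability list: package id, affected versions as a
# half-open range [min, max), and a URL for more information.
VULNERABLE = [
    {"id": "Example.Web", "min": "1.0.0", "max": "1.3.0",
     "url": "https://example.invalid/advisory/web"},
    {"id": "Example.Crypto", "min": "2.0.0", "max": "2.0.1",
     "url": "https://example.invalid/advisory/crypto"},
]


def parse_version(text):
    """Turn a NuGet version string into a comparable tuple. Numeric parts
    compare numerically, "1.2" equals "1.2.0.0", and a prerelease tag
    (after '-') sorts before the release of the same number, as in SemVer."""
    core, _, prerelease = text.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    numbers += (0,) * (4 - len(numbers))
    return numbers + ((0, prerelease) if prerelease else (1, ""))


def is_affected(version, entry):
    """True when version lies in the entry's [min, max) range."""
    v = parse_version(version)
    return parse_version(entry["min"]) <= v < parse_version(entry["max"])


def check_packages_config(xml_text, vulnerable=VULNERABLE):
    """Return (package id, version, advisory URL) for each referenced
    package whose version falls in a known vulnerable range."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pid, version = pkg.get("id"), pkg.get("version")
        for entry in vulnerable:
            # NuGet package ids are case-insensitive.
            if entry["id"].lower() == pid.lower() and is_affected(version, entry):
                findings.append((pid, version, entry["url"]))
    return findings


if __name__ == "__main__":
    for pid, version, url in check_packages_config(PACKAGES_CONFIG):
        # MSBuild-style warning line so it surfaces in the build output.
        print(f"warning SAFENUGET: {pid} {version} is vulnerable, see {url}")
```

Note that 2.0.0-beta1 is not flagged: it sorts below the 2.0.0 lower bound, which is the kind of prerelease edge case a version matcher has to get right.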

Thank you for helping out.

Code contributions

If you want to help improve OWASP SafeNuGet itself as well, pull requests are more than welcome, and so are suggested enhancements through GitHub's issue tracker.

Like the idea?

Help me spread the word, by telling your fellow NuGetters.
