Build server | Platform | Status |
---|---|---|
AppVeyor | Windows | |
Travis | Linux | |
Azure DevOps | Linux | |

A dotnet CLI extension to check your project for known vulnerabilities.
$ dotnet tool install -g dotnet-retire
$ dotnet retire
Additional options:
- loglevel=Trace|Debug|Information|Warning|Error|Critical (default: Information)
- rooturl=<url to feed> (default: https://raw.githubusercontent.com/RetireNet/Packages/master/index.json)
Sample:
$ dotnet retire loglevel=debug
It fetches the packages listed in the corresponding packages repo in this GitHub organization, and checks your project's obj\project.assets.json or project.lock.json file for any match (direct or transitive).

The list of packages is kept up to date by updating that repo whenever Microsoft makes an announcement, adding JSON files that link to the announcements from Microsoft's security team.
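The matching described above, sketched as an added example (not dotnet-retire's own code). The assets file and the advisory entries are constructed, and the advisory field names and exact-version comparison are assumptions rather than the feed's documented schema.

```python
import json

# Constructed sample of obj/project.assets.json, trimmed to the keys used here.
ASSETS = json.loads("""
{
  "libraries": {
    "Contoso.Web/2.1.0": {"type": "package"},
    "Contoso.Http/4.3.0": {"type": "package"},
    "Shared/1.0.0": {"type": "project"}
  },
  "project": {"frameworks": {"net6.0": {"dependencies": {
    "Contoso.Web": {"target": "Package", "version": "[2.1.0, )"}
  }}}}
}
""")

# Constructed advisory entries; field names are assumptions, not the feed's schema.
ADVISORIES = [
    {"id": "Contoso.Http", "affected": "4.3.0", "link": "https://example.invalid/advisory-1"},
    {"id": "Contoso.Web", "affected": "2.0.0", "link": "https://example.invalid/advisory-2"},
]

def resolved_packages(assets):
    """Yield (id, version, is_direct) for every NuGet package in the restore graph."""
    direct = {
        name.lower()
        for fw in assets.get("project", {}).get("frameworks", {}).values()
        for name in fw.get("dependencies", {})
    }
    for key, lib in assets.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # project references are not NuGet packages
        name, _, version = key.partition("/")
        yield name, version, name.lower() in direct

def find_matches(assets, advisories):
    """Return findings where id (case-insensitive) and exact version match an advisory."""
    index = {(a["id"].lower(), a["affected"]): a["link"] for a in advisories}
    findings = []
    for name, version, is_direct in resolved_packages(assets):
        link = index.get((name.lower(), version))
        if link:
            kind = "direct" if is_direct else "transitive"
            findings.append({"id": name, "version": version, "kind": kind, "link": link})
    return findings

if __name__ == "__main__":
    for f in find_matches(ASSETS, ADVISORIES):
        print(f"{f['id']} {f['version']} ({f['kind']}): {f['link']}")
```

The flagged package here never appears in the project's own dependency list, which is why the check reads the resolved graph rather than the declared references.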
Runs as part of the build (MSBuild target). Analyzes packages.config, does not handle transitive dependencies.

Standalone .NET console app that analyzes a packages.config. Does not handle transitive dependencies.