diff --git a/docs/core/tools/dotnet-restore.md b/docs/core/tools/dotnet-restore.md index 516b3904795d9..346828175447d 100644 --- a/docs/core/tools/dotnet-restore.md +++ b/docs/core/tools/dotnet-restore.md @@ -199,16 +199,19 @@ Starting in .NET 8, `dotnet restore` includes NuGet security auditing. This audi To opt out of the security auditing, set the `` MSBuild property to `false` in your project file. -To retrieve the known vulnerability dataset from the NuGet.org central registry, define the following in the *nuget.config* file: +To get vulnerability data, starting in .NET 9, you can use [`auditSources`](/nuget/reference/nuget-config-file#auditsources) in addition to [`packageSources`](/nuget/reference/nuget-config-file#packagesources). If no audit sources are provided, `dotnet restore` uses package sources instead. NuGet audits any source as long as the source provides the [`VulnerabilityInfo` resource](/nuget/api/vulnerability-info). + +To list NuGet.org as an audit source, define the following in the *nuget.config* file: ```xml - - - + + + + + + ``` -NuGet.org is the only package source that provides a vulnerability dataset for NuGet auditing. However, NuGet audits any source as long as the source provides the [`VulnerabilityInfo` resource](/nuget/api/vulnerability-info). - You can configure the level at which auditing will fail by setting the `` MSBuild property. Possible values are `low`, `moderate`, `high`, and `critical`. For example if you only want to see moderate, high, and critical advisories, you can set the property to `moderate`. In .NET 8 and .NET 9, only *direct* package references are audited by default. Starting in .NET 10, NuGet audits both *direct* and *transitive* package references by default. You can change the mode by setting the `` MSBuild property to `direct` or `all`.
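Review bot: The rewritten paragraph drops the .NET 8 path without replacing it. The section opens with auditing "Starting in .NET 8", the new text says `auditSources` is available "starting in .NET 9", and the removed sentence was the only one telling readers that the dataset comes from NuGet.org listed as a package source, so a .NET 8 reader no longer learns where vulnerability data comes from on that version. Suggest keeping one sentence for it, e.g. "On .NET 8, vulnerability data comes from package sources that provide the `VulnerabilityInfo` resource, such as NuGet.org." The fallback sentence "If no audit sources are provided, `dotnet restore` uses package sources instead" should also state the consequence that follows from the `VulnerabilityInfo` requirement in the same paragraph: a private feed that does not implement that resource contributes no advisories, so a project whose only package source is such a feed is effectively unaudited unless NuGet.org is listed under `auditSources`. Separately, as this hunk renders here the `xml` sample is a run of empty `+` lines and the inline code spans before "MSBuild property" are empty, so the `auditSources`/`packageSources` element content and the property names (`NuGetAudit`, `NuGetAuditLevel` and `NuGetAuditMode`, if those are the intended ones) need to be confirmed in the rendered page before merge.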