Package Type Support Request for NuGet
Package Type
nuget
Package Registry
https://www.nuget.org/packages
Example: https://www.nuget.org/packages/Microsoft.Extensions.Logging/5.0.0-preview.6.20305.6
Directory structure
The same as for the other advisories: nuget/<Package name>/<Advisory>
The package name is a NuGet package identifier. It's a dot-separated list of names, like a .NET namespace. Example: Contoso.Utility.UsefulStuff.
Version syntax
See https://docs.microsoft.com/en-us/nuget/concepts/package-versioning
NuGet 4.3.0+ supports SemVer 2.0.0, which supports pre-release numbers with dot notation, as in 1.0.1-build.23. Dot notation is not supported with NuGet versions before 4.3.0. You can use a form like 1.0.1-build23.
(gitlab-org/gitlab#225219 (closed) only implements NuGet 4.9+ support.)
Affected range syntax
Same as Maven
See https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges
NOTE: If disjunctions (ORs) are not supported by the NuGet version range syntax, we'll use the comma as the OR operator, just like in the Maven version range syntax.
Schema changes
No schema changes required.
Advisory example
---
identifier: "CVE-2015-7384"
package_slug: "nuget/Node.js"
title: "Uncontrolled Resource Consumption"
description: "Node.js allows remote attackers to cause a denial of service."
date: "2017-10-10"
pubdate: "2017-10-27"
affected_range: "(,4.1.2)"
fixed_versions:
- "4.1.2"
affected_versions: "All versions before 4.1.2"
not_impacted: "All versions starting from 4.1.2"
solution: "Upgrade to version 4.1.2 or above."
urls:
- "https://nvd.nist.gov/vuln/detail/CVE-2015-7384"
- "https://github.com/nodejs/node/issues/3138"
cvss_v2: "AV:N/AC:L/Au:N/C:N/I:N/A:P"
cvss_v3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
uuid: "2a3328f9-3855-4e09-b732-40815ea395bf"
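As an added illustration (not part of the original request), the following Python code shows how the version syntax and affected range syntax described above would be evaluated against the advisory example: NuGet interval notation per interval, a top-level comma as the Maven-style OR operator, and SemVer 2.0.0 pre-release ordering (dot-separated identifiers, numeric before alphanumeric, release above any of its pre-releases). The function names and the sample versions are my own constructions.

```python
# Constructed sample: the affected_range of the CVE-2015-7384 advisory above.
EXAMPLE_RANGE = "(,4.1.2)"

def parse_version(v):
    """Split 'major.minor[.patch[.revision]][-pre.release][+build]' into
    (numeric core padded to 4 parts, tuple of pre-release identifiers)."""
    v = v.split("+", 1)[0]                 # build metadata never affects precedence
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (4 - len(nums))         # NuGet allows a 4th part; 1.0 == 1.0.0.0
    return nums, tuple(pre.split(".")) if pre else ()

def _pre_key(ids):
    # SemVer 2.0.0: numeric identifiers sort before alphanumeric ones and
    # compare numerically; a longer identifier list wins over its prefix.
    return [(0, int(i), "") if i.isdigit() else (1, 0, i) for i in ids]

def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under SemVer 2.0.0 precedence."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    if na != nb:
        return -1 if na < nb else 1
    if pa == pb:
        return 0
    if not pa or not pb:                   # a release outranks its own pre-releases
        return 1 if not pa else -1
    return -1 if _pre_key(pa) < _pre_key(pb) else 1

def split_intervals(range_set):
    """Split '(,1.0],[1.2,1.3)' at top-level commas only (the OR operator)."""
    parts, depth, cur = [], 0, ""
    for ch in range_set:
        depth += ch in "([" ; depth -= ch in ")]"
        if ch == "," and depth == 0:
            parts.append(cur.strip()); cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return [p for p in parts if p]

def in_interval(version, interval):
    if interval[0] not in "([":            # bare "1.0" means ">= 1.0" in NuGet
        return compare(version, interval) >= 0
    body = interval[1:-1].replace(" ", "")
    if "," not in body:                    # "[1.0]" pins exactly one version
        return compare(version, body) == 0
    lo, _, hi = body.partition(",")
    if lo:
        c = compare(version, lo)
        if c < 0 or (c == 0 and interval[0] == "("):
            return False
    if hi:
        c = compare(version, hi)
        if c > 0 or (c == 0 and interval[-1] == ")"):
            return False
    return True

def is_affected(version, affected_range):
    """True if `version` lies in any interval of the comma-separated range set."""
    return any(in_interval(version, iv) for iv in split_intervals(affected_range))
```

Note that a pre-release such as 4.1.2-beta.1 is reported as affected by "(,4.1.2)", because SemVer orders it below the 4.1.2 release that contains the fix.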