Conversation
Learn Build status updates of commit 1829394: 💡 Validation status: suggestions
docs/concepts/Security-Best-Practices.md
For more details, please refer to the build report. Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
PoliCheck Scan Report: The following report lists PoliCheck issues in PR files. Before you merge the PR, you must fix all severity-1 and severity-2 issues. The AI Review Details column lists suggestions for either removing or replacing the terms. If you find a false positive result, mention it in a PR comment and include this text: #policheck-false-positive. This feedback helps reduce false positives in future scans. ✅ No issues found.
Pull request overview
Documents the new data.nuget.org service index so customers can configure vulnerability-only audit sources in networks that block api.nuget.org.
Changes:
- Added guidance about using https://data.nuget.org/v3/index.json as an audit source when package downloads are blocked.
- Updated audit-related docs and warning guidance (NU1905) to reference the vulnerability-only endpoint.
- Expanded NuGet.org overview and API implementation guidance to mention the endpoint and intended scenarios.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/reference/nuget-config-file.md | Adds a TIP under auditSources about the vulnerability-only service index. |
| docs/reference/errors-and-warnings/NU1905.md | Adds remediation guidance for networks blocking api.nuget.org. |
| docs/nuget-org/overview-nuget-org.md | Documents the data.nuget.org endpoint alongside existing NuGet.org endpoints. |
| docs/concepts/Security-Best-Practices.md | Adds a TIP recommending data.nuget.org as an audit source when api.nuget.org is blocked. |
| docs/concepts/Auditing-Packages.md | Describes the two nuget.org service indexes usable for auditing and updates the example. |
| docs/api/implementation-guide.md | Mentions data.nuget.org as an alternative for vulnerability data access and its impact on feed implementations. |
| `https://www.nuget.org/api/v2` (**The V2 protocol is deprecated!**) | ||
| nuget.org also provides a vulnerability-data-only endpoint: |
In this file, the product name is used as “NuGet.org” elsewhere. Consider capitalizing “nuget.org” here for consistency and branding.
| nuget.org also provides a vulnerability-data-only endpoint: | |
| NuGet.org also provides a vulnerability-data-only endpoint: |
| This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages. | ||
| It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level. | ||
| Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. |
“Service index … doesn't serve packages” is a bit misleading because service indexes typically list resource endpoints rather than serving package content directly. Consider rewording to clarify that https://data.nuget.org/v3/index.json doesn't advertise package download/search resources (it only advertises VulnerabilityInfo).
| This service index only contains the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource and doesn't serve packages. | |
| It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level. | |
| Because this endpoint doesn't provide package content, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. | |
| This service index only advertises the [`VulnerabilityInfo`](../api/vulnerability-info.md) resource. | |
| It doesn't advertise package search or package download resources. | |
| It's designed for use as an [audit source](../concepts/Auditing-Packages.md#audit-sources) in environments where access to `api.nuget.org` is blocked at the network level. | |
| Because this endpoint doesn't advertise package download resources, network administrators who block `api.nuget.org` to prevent package downloads might be willing to allow `data.nuget.org` if asked. |
| > [!TIP] | ||
| > If your organization blocks access to `api.nuget.org`, consider asking the network administrator to allow `https://data.nuget.org/v3/index.json` and configure it as an [audit source](Auditing-Packages.md#audit-sources) for [NuGet Audit](Auditing-Packages.md). | ||
| > This endpoint only serves vulnerability data, not packages, so it might be allowed even when `api.nuget.org` is blocked. |
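Review bot: the TIP's second line says the endpoint "only serves vulnerability data, not packages", which is the same service-index objection raised on the overview page; `https://data.nuget.org/v3/index.json` is a service index, so the accurate statement is that it advertises only the VulnerabilityInfo resource and no package download or search resources. Suggest: "> This service index only advertises vulnerability data (the `VulnerabilityInfo` resource), not package download or search resources, so it might be allowed even when `api.nuget.org` is blocked." Keeping the wording aligned across the overview, Auditing-Packages and this TIP avoids giving network administrators two different descriptions of what they are being asked to allow.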
This file uses “NuGetAudit” earlier (for example, the link text in the prior paragraph). Consider using the same name here (either “NuGetAudit” everywhere, or “NuGet Audit” everywhere) to avoid implying they’re different features.
| - `https://api.nuget.org/v3/index.json` — The full nuget.org service index, which includes all NuGet resources (package download, search, vulnerability data, and more). | ||
| - `https://data.nuget.org/v3/index.json` — A vulnerability-data-only service index that doesn't include package content or other resources. | ||
The phrase “doesn't include package content” can be confusing for a service index (which normally only lists resource endpoints). Consider rewording this bullet to explicitly say it doesn't include package download/search (or other non-vulnerability) resources, rather than referring to “package content”.
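A check a practitioner would run before asking for `data.nuget.org` to be allowed, together with the nuget.config it leads to, as an added example for this thread (not code from the NuGet client or the docs repository): it reads a v3 service index, reports whether it advertises `VulnerabilityInfo` (so it can be used as an audit source) and whether it also advertises package search or download resources (so allowing it through the firewall would also allow package downloads), then renders a nuget.config that restores from an internal feed and audits against the vulnerability-only index. The three service-index documents are constructed samples: the `@id` values and the internal feed URL are illustrative, and only the resource `@type` names are the documented NuGet v3 ones.

```python
"""Classify a NuGet v3 service index as an audit source and render the
nuget.config that uses it.

Added example for the PR discussion; not NuGet client or docs-repo code.
The service-index documents below are constructed samples shaped like
api.nuget.org and data.nuget.org indexes. @id values are illustrative;
the @type names are the documented NuGet v3 resource types.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET

# @type names that let a client locate or download package content.
PACKAGE_RESOURCE_TYPES = {"PackageBaseAddress", "SearchQueryService", "RegistrationsBaseUrl"}
# The only resource NuGetAudit needs from an audit source.
AUDIT_RESOURCE_TYPE = "VulnerabilityInfo"

# Constructed sample: abridged shape of the full api.nuget.org index.
FULL_INDEX = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://azuresearch-usnc.nuget.org/query", "@type": "SearchQueryService/3.5.0"},
        {"@id": "https://api.nuget.org/v3-flatcontainer/", "@type": "PackageBaseAddress/3.0.0"},
        {"@id": "https://api.nuget.org/v3/registration5-gz-semver2/", "@type": "RegistrationsBaseUrl/3.6.0"},
        {"@id": "https://api.nuget.org/v3/vulnerabilities/index.json", "@type": "VulnerabilityInfo/6.7.0"},
    ],
})

# Constructed sample: shape of the vulnerability-data-only data.nuget.org index.
DATA_ONLY_INDEX = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://data.nuget.org/v3/vulnerabilities/index.json", "@type": "VulnerabilityInfo/6.7.0"},
    ],
})

# Constructed sample: a feed that publishes no vulnerability data at all.
EMPTY_INDEX = json.dumps({"version": "3.0.0", "resources": []})


def resource_types(service_index_json: str) -> set[str]:
    """Return the advertised @type names with the '/version' suffix stripped,
    e.g. 'VulnerabilityInfo/6.7.0' -> 'VulnerabilityInfo'."""
    doc = json.loads(service_index_json)
    types: set[str] = set()
    for resource in doc.get("resources", []):
        raw = resource.get("@type", "")
        # @type is normally a single string; tolerate a list as well.
        for t in (raw if isinstance(raw, list) else [raw]):
            types.add(t.split("/", 1)[0])
    return types


def classify_source(service_index_json: str) -> dict[str, bool]:
    """audit_capable: usable under <auditSources>.
    serves_packages: also advertises search/download resources, i.e. allowing
    this host through a firewall also allows package downloads."""
    types = resource_types(service_index_json)
    return {
        "audit_capable": AUDIT_RESOURCE_TYPE in types,
        "serves_packages": bool(types & PACKAGE_RESOURCE_TYPES),
    }


def audit_sources_config(internal_feed: str, audit_source: str) -> str:
    """Render a nuget.config that restores only from internal_feed and takes
    vulnerability data only from audit_source (key names are illustrative)."""
    cfg = ET.Element("configuration")
    sources = ET.SubElement(cfg, "packageSources")
    ET.SubElement(sources, "clear")
    ET.SubElement(sources, "add", key="internal", value=internal_feed)
    audit = ET.SubElement(cfg, "auditSources")
    ET.SubElement(audit, "add", key="nuget.org-vulnerabilities", value=audit_source)
    ET.indent(cfg)
    return ET.tostring(cfg, encoding="unicode")


def recommend(service_index_json: str, internal_feed: str, audit_url: str) -> str | None:
    """Return a nuget.config if the index can serve as an audit source, else None."""
    if not classify_source(service_index_json)["audit_capable"]:
        return None
    return audit_sources_config(internal_feed, audit_url)


if __name__ == "__main__":
    for name, idx in (("api.nuget.org", FULL_INDEX), ("data.nuget.org", DATA_ONLY_INDEX)):
        print(name, classify_source(idx))
    print(recommend(DATA_ONLY_INDEX,
                    "https://nuget.internal.example/v3/index.json",  # illustrative
                    "https://data.nuget.org/v3/index.json"))
```

Running the script offline prints both verdicts and the rendered config; to check the live index, fetch `https://data.nuget.org/v3/index.json` and pass its body to `classify_source`. The rendered config deliberately has no nuget.org entry under `packageSources`: once `auditSources` is present NuGet takes vulnerability data only from those sources, so the internal feed does not need to implement `VulnerabilityInfo` and the firewall rule for `data.nuget.org` is the only outbound nuget.org access restore requires.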
donnie-msft
left a comment
Nice updates! Left one idea to update the VSOptions as well. I can do that separately if you want to leave your ideas on whether any UI changes should occur (eg, the VS Options watermark textbox could be changed to show the audit.nuget.org, or a message could indicate that it's an option, etc).
Otherwise, just updating the docs page works for me. Let me know your thoughts on what to put there and I can help if needed.
| ``` | ||
| > [!TIP] | ||
| > nuget.org also provides `https://data.nuget.org/v3/index.json`, a service index that only contains vulnerability data and doesn't serve packages. |
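Review bot: "only contains vulnerability data and doesn't serve packages" repeats the service-index wording flagged on the overview page; a service index lists resource endpoints rather than serving content, so say what it advertises. Suggest: "> nuget.org also provides `https://data.nuget.org/v3/index.json`, a service index that advertises only the `VulnerabilityInfo` resource and no package download or search resources." That keeps the `auditSources` TIP in nuget-config-file.md consistent with the overview and Auditing-Packages text, which is where readers will look next to learn what an audit source is.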
What do you think about updating VS Options docs to also have a similar callout?
This is linked from the Sources -> Audit Sources VS Options page today:
https://learn.microsoft.com/en-us/nuget/consume-packages/nuget-visual-studio-options#audit-sources
@copilot add a similar message in the managing audit sources section of the visual studio options docs
Added the similar data.nuget.org callout in the Managing Audit Sources section of the Visual Studio options docs in commit 7ea61f7.
I agree the VS options page is the right place for this guidance, and I added that callout in the docs (commit
Learn Build status updates of commit 7ea61f7: 💡 Validation status: suggestions
docs/concepts/Security-Best-Practices.md
The following issue has been implemented, so document it making it easier to discover.