NuGet Avoid Public Repositories

ID

avoid_public_repositories_nuget

Severity

high

Family

Avoid public repositories

Description

Some organizations have a policy of using private repositories only, loading dependencies into the private repository from public repositories through a carefully curated process.

This detector checks whether a public repository is configured, or whether only private repositories are configured.

The public repository configured to check is:

  https://api.nuget.org/v3/index.json

You can add or remove the repositories to check in the public-repositories parameter. You can configure private repositories in the private-repositories parameter.

If you configure private repositories, the public-repositories list does not apply: the detector only checks that every repository URL in the NuGet configuration files is one of the configured private repositories.
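The two rules above, as an added example that is not the detector's own code: it reads the packageSources of a NuGet.Config, treats a <clear/> as discarding every source listed before it, and reports sources either by the public-repositories default or against a configured private-repositories list (parameter names and sample configs are assumptions).

```python
import xml.etree.ElementTree as ET

# Default value of the public-repositories parameter described on this page.
PUBLIC_REPOSITORIES = ("https://api.nuget.org/v3/index.json",)

def _normalize(url: str) -> str:
    return url.strip().rstrip("/").lower()

def package_sources(nuget_config_xml: str) -> list[str]:
    """Source URLs a NuGet.Config leaves active: a <clear/> discards
    every source listed before it, so only later <add> entries count."""
    root = ET.fromstring(nuget_config_xml.strip().encode("utf-8"))
    sources: list[str] = []
    section = root.find("packageSources")
    for child in (section if section is not None else []):
        if child.tag == "clear":
            sources.clear()
        elif child.tag == "add" and child.get("value"):
            sources.append(child.get("value").strip())
    return sources

def check_sources(nuget_config_xml, public_repositories=PUBLIC_REPOSITORIES,
                  private_repositories=()):
    """Offending sources, per the page's two rules: with private repositories
    configured, report any source outside that list; otherwise report any
    source that matches a public repository."""
    sources = package_sources(nuget_config_xml)
    if private_repositories:
        allowed = {_normalize(u) for u in private_repositories}
        return [u for u in sources if _normalize(u) not in allowed]
    public = {_normalize(u) for u in public_repositories}
    return [u for u in sources if _normalize(u) in public]

# Constructed sample configs, not taken from a real project.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>"""

FIXED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <clear/>
    <add key="private-repo.com" value="https://private-repo.com/packages/" />
  </packageSources>
</configuration>"""
```

URL comparison ignores case and a trailing slash, so a private repository configured as `https://private-repo.com/packages` still matches the source above.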

Security

Organizations restrict artifacts to private, internal repositories for security reasons, for example to avoid downloading artifacts that the security team has not checked.

Examples

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

  ...
</configuration>

Mitigation / Fix

You can remove the public repositories from the configuration files, or override the sources by adding <clear/> and then listing only the private repositories in the solution's NuGet.Config file.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear/>
    <add key="private-repo.com" value="https://private-repo.com/packages/" />
  </packageSources>

  ...
</configuration>