Merge branch 'master' into v1.x

README.md

@@ -11,12 +11,15 @@ View the full documentation for NuGetDefense [here](https://digitalcoyote.github
 ## Features  
 
 * Uses Multiple Sources to check for known vulnerabilities in third-party libraries (NuGet packages)
-  * [OSS Index](https://ossindex.sonatype.org/)
+  * [OSS Index](https://ossindex.sonatype.org/) (Caching Coming Soon!)
   * [National Vulnerability Database](https://nvd.nist.gov/) (Optionally Self-Updating)
+  * [Google's Open Source Vulnerabilities Database](https://osv.dev/) ([Coming Soon!](https://github.com/digitalcoyote/NuGetDefense/discussions/53))
 * Simple installation/configuration: the [NuGet Package](https://www.nuget.org/packages/NuGetDefense/) is all you need.
 * Transitive Dependency Checking
   * SDK style projects only (older project format is not supported by the dotnet cli)
   * Uses the versions resolved by the dotnet cli at build
+* Project Reference Scanning
+  * Scan all projects in a hierarchy by installing NuGet Defense to the top level package ([pre-release](https://www.nuget.org/packages/NuGetDefense/2.1.0-pre0011))
 * Allow breaking the build based on severity of vulnerability.
 * Ignore specific vulnerabilities/packages.
 * Sensitive/Internal Packages filtering

Src/NuGetDefense.sln.DotSettings

@@ -0,0 +1,2 @@
+<wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=pkgs/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

Src/NuGetDefense/Configuration/Settings.cs

@@ -10,25 +10,26 @@ namespace NuGetDefense.Configuration
 {
     public class Settings
     {
-        public bool WarnOnly { get; set; } = false;
+        public bool WarnOnly { get; set; }
 
         public FileLogSettings Log
         {
             get => Logs?.Length > 0 ? Logs[0] : null;
             set { Logs = new[] {value}; }
         }
 
-        public VulnerabilityReportsSettings VulnerabilityReports { get; set; } = new VulnerabilityReportsSettings();
+        public VulnerabilityReportsSettings VulnerabilityReports { get; set; } = new();
 
         public FileLogSettings[] Logs { get; set; }
         public bool CheckTransitiveDependencies { get; set; } = true;
+        public bool CheckReferencedProjects{ get; set; }
 
-        public BuildErrorSettings ErrorSettings { get; set; } = new BuildErrorSettings();
+        public BuildErrorSettings ErrorSettings { get; set; } = new();
 
-        public RemoteVulnerabilitySourceConfiguration OssIndex { get; set; } = new RemoteVulnerabilitySourceConfiguration();
+        public RemoteVulnerabilitySourceConfiguration OssIndex { get; set; } = new();
 
         public OfflineVulnerabilitySourceConfiguration NVD { get; set; } =
-            new OfflineVulnerabilitySourceConfiguration();
+            new();
 
         public string[] SensitivePackages { get; set; } = new string[0];
 

Src/NuGetDefense/NuGetDefense.csproj

@@ -8,7 +8,7 @@
         <Description>NuGetDefense ~ Check for Known Vulnerabilities at Build</Description>
         <PackageDescription>NuGetDefense was inspired by [OWASP SafeNuGet](https://nuget.org/packages/SafeNuGet/) but aims to check with multiple sources for known vulnerabilities.</PackageDescription>
         <Copyright>Curtis Carter 2020</Copyright>
-        <LangVersion>8</LangVersion>
+        <LangVersion>9</LangVersion>
         <Configurations>Debug;Release;DotNetTool</Configurations>
         <Platforms>AnyCPU</Platforms>
         <PackageProjectUrl>https://digitalcoyote.github.io/NuGetDefense/</PackageProjectUrl>
@@ -30,15 +30,19 @@
         <ToolCommandName>nugetdefense</ToolCommandName>
         <Version>1.0.15</Version>
     </PropertyGroup>
+    <ItemGroup>
+        <None Include="icon.png" Pack="true" PackagePath="\" />
+    </ItemGroup>
 
     <ItemGroup>
-      <PackageReference Include="NuGet.Versioning" Version="5.8.0" />
-      <PackageReference Include="NuGetDefense.Core" Version="1.0.8" />
-      <PackageReference Include="NuGetDefense.NVD" Version="1.0.3.3" />
-      <PackageReference Include="NuGetDefense.OSSIndex" Version="1.0.6" />
+      <PackageReference Include="ByteDev.DotNet" Version="7.1.0" />
+      <PackageReference Include="NuGet.Versioning" Version="5.8.1" />
+      <PackageReference Include="NuGetDefense.Core" Version="1.0.9" />
+      <PackageReference Include="NuGetDefense.NVD" Version="1.0.4" />
+      <PackageReference Include="NuGetDefense.OSSIndex" Version="1.0.7" />
       <PackageReference Include="Serilog.Sinks.Console" Version="[3.1.1]" />
       <PackageReference Include="Serilog.Sinks.File" Version="[4.1.0]" />
-      <PackageReference Include="System.Text.Json" Version="5.0.0" />
+      <PackageReference Include="System.Text.Json" Version="5.0.1" />
     </ItemGroup>
 
     <ItemGroup>

Src/NuGetDefense/NuGetDefense.nuspec

@@ -3,7 +3,7 @@
   <metadata>
     <id>NuGetDefense</id>
     <title>NuGetDefense</title>
-    <version>1.0.15.1</version>
+    <version>1.0.16</version>
     <authors>Curtis Carter</authors>
     <owners>Curtis Carter</owners>
     <projectUrl>https://digitalcoyote.github.io/NuGetDefense/</projectUrl>