[Breaking change]: New warning introduced in dotnet list package command. #46042

Open
@Nigusu-Allehu

Description

When using dotnet list package --vulnerable, if one of the configured auditsources does not support the VulnerabilityInfoResource, a warning is now shown to inform the user that the source does not provide vulnerability data.

Version

.NET 8

Previous behavior

The command would silently skip auditsources that lacked vulnerability information, because the command did not use auditsources as a source of vulnerability data.

New behavior

The command now emits a warning:
Audit source '{0}' did not provide any vulnerability data.
This helps users understand why certain sources may not influence the reported vulnerabilities.

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

This warning came as part of the work we did to allow customers to use auditsources when running the dotnet package list command.

Recommended action

Check the specified auditsources to ensure they support the VulnerabilityInfoResource. If one doesn't, either update the source or replace it with one that provides vulnerability data.

Feature area

SDK

Affected APIs

No response


Associated WorkItem - 429707
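
The recommended action above can be checked offline before running the command. This is an added example, not code from the issue or from the .NET SDK: it reads the auditSources section of a NuGet.config and reports every source whose V3 service index lists no VulnerabilityInfo resource. Assumptions: the resource is advertised with an @type of the form VulnerabilityInfo/6.7.0 as in the NuGet server API documentation, and the config, feed URLs and service indexes below are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed NuGet.config with two audit sources (URLs are placeholders).
NUGET_CONFIG = """<configuration>
  <auditSources>
    <clear />
    <add key="with-vuln-data" value="https://feed-a.example/v3/index.json" />
    <add key="no-vuln-data" value="https://feed-b.example/v3/index.json" />
  </auditSources>
</configuration>"""

# Constructed V3 service indexes, keyed by URL, standing in for HTTP responses.
SERVICE_INDEXES = {
    "https://feed-a.example/v3/index.json": json.dumps({"version": "3.0.0", "resources": [
        {"@id": "https://feed-a.example/v3/flat/", "@type": "PackageBaseAddress/3.0.0"},
        {"@id": "https://feed-a.example/v3/vuln/index.json", "@type": "VulnerabilityInfo/6.7.0"},
    ]}),
    "https://feed-b.example/v3/index.json": json.dumps({"version": "3.0.0", "resources": [
        {"@id": "https://feed-b.example/v3/flat/", "@type": "PackageBaseAddress/3.0.0"},
    ]}),
}

def audit_sources(config_xml):
    """Return {key: url} for every <add> under <auditSources>."""
    root = ET.fromstring(config_xml)
    return {a.get("key"): a.get("value") for a in root.findall("./auditSources/add")}

def has_vulnerability_info(service_index_json):
    """True if the service index lists a VulnerabilityInfo resource (any version)."""
    resources = json.loads(service_index_json).get("resources", [])
    for res in resources:
        types = res.get("@type", [])
        if isinstance(types, str):
            types = [types]
        if any(t.split("/")[0] == "VulnerabilityInfo" for t in types):
            return True
    return False

def sources_without_vulnerability_data(config_xml, fetch):
    """Keys of audit sources whose service index lacks VulnerabilityInfo."""
    return [key for key, url in audit_sources(config_xml).items()
            if not has_vulnerability_info(fetch(url))]

if __name__ == "__main__":
    # fetch is injected; here it reads the constructed samples instead of HTTP.
    for key in sources_without_vulnerability_data(NUGET_CONFIG, SERVICE_INDEXES.__getitem__):
        print(f"Audit source '{key}' did not provide any vulnerability data.")
```

Against a real feed, pass a fetch function that downloads the service index URL and returns its body as text.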

Labels

  • 🏁 Release: .NET 8: Work items for the .NET 8 release
  • 📌 seQUESTered: Identifies that an issue has been imported into Quest.
  • breaking-change: Indicates a .NET Core breaking change
