From 7787057571f064e0b5bbbb55e60759f86ff23000 Mon Sep 17 00:00:00 2001 From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Mon, 28 Jul 2025 15:47:54 -0700 Subject: [PATCH 1/2] Mention audit sources are supported starting 9.0.300 for package list command Fixes: https://github.com/NuGet/Home/issues/14371 --- docs/concepts/Auditing-Packages.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index 94c2c120f..8f3a07bbf 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md @@ -74,7 +74,8 @@ Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api Audit sources are available from [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md). Prior to this version, NuGet Audit will only use package sources to download vulnerability information. -Audit sources are not used by `dotnet list package --vulnerable` at this time. +Starting [NuGet 6.14, .NET 9.0.300 SDK, and Visual Studio 2022 17.14](../release-notes/NuGet-6.14.md) the `dotnet package list --vulnerable` command also uses audit sources. +In earlier versions, the command relied solely on package sources. #### Excluding advisories From 85c8c25ddbab426e0e0e75e732c8f57e5bead30d Mon Sep 17 00:00:00 2001 From: Nigusu Solomon Yenework <59111203+Nigusu-Allehu@users.noreply.github.com> Date: Thu, 31 Jul 2025 14:17:37 -0700 Subject: [PATCH 2/2] tabular --- docs/concepts/Auditing-Packages.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/concepts/Auditing-Packages.md b/docs/concepts/Auditing-Packages.md index 8f3a07bbf..410783efa 100644 --- a/docs/concepts/Auditing-Packages.md +++ b/docs/concepts/Auditing-Packages.md @@ -72,10 +72,13 @@ Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api ``` -Audit sources are available from [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md). -Prior to this version, NuGet Audit will only use package sources to download vulnerability information. -Starting [NuGet 6.14, .NET 9.0.300 SDK, and Visual Studio 2022 17.14](../release-notes/NuGet-6.14.md) the `dotnet package list --vulnerable` command also uses audit sources. -In earlier versions, the command relied solely on package sources. +**Note**: The table below lists features that support Audit Sources. + +| Introduced In | Feature Supporting Audit Sources | +| -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | +| [NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12](../release-notes/NuGet-6.12.md) | Restore | +| [NuGet 6.14, .NET 9.0.300 SDK](../release-notes/NuGet-6.14.md) | `dotnet package list --vulnerable` | +| Not yet supported | NuGet AuditSources support in the Visual Studio Package Manager UI | #### Excluding advisories