A .NET Core global tool that checks a project's packages for known vulnerabilities using the Sonatype OSS Index API.
Download and install the .NET Core 2.1, 3.1, 5, or 6 SDK. Once installed, run the following command:
dotnet tool install --global dotnet-ossindex
If you already have a previous version of dotnet-ossindex installed, you can upgrade to the latest version using the following command:
dotnet tool update --global dotnet-ossindex
Usage: dotnet ossindex [arguments] [options]

Arguments:
  Path                        The path to a .sln, .csproj or .vbproj file

Options:
  -u|--username <USERNAME>    OSS Index Username
  -a|--api-token <API_TOKEN>  OSS Index API Token
  -?|-h|--help                Show help information
To run the dotnet-ossindex tool, specify a solution or project file. If you pass a solution, the tool automatically scans all of its projects for vulnerabilities.
dotnet ossindex YourSolution.sln
The OSS Index REST API has a rate limit for unauthenticated requests. If you exceed the limit, you can create an account on their website and use the --username/--api-token options to execute authenticated requests.
dotnet ossindex YourSolution.sln --username <YOUR-USERNAME> --api-token <YOUR-API-TOKEN>
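The following is an added example, not code from dotnet-ossindex: a Python sketch of the kind of query described above, turning a project's PackageReference items into Package URL coordinates and building the unauthenticated or authenticated request without sending it. The endpoint path, the pkg:nuget coordinate format, the batch size of 128 and the sample package names are assumptions of this example.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed sample project file; package names are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Logging" Version="1.2.3" />
    <PackageReference Include="Example.Json"><Version>4.5.6</Version></PackageReference>
    <PackageReference Include="Example.Floating" Version="2.*" />
    <PackageReference Include="Example.Central" />
  </ItemGroup>
</Project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present

def package_coordinates(csproj_xml):
    """Return (purls, skipped) for the PackageReference items of a project file."""
    purls, skipped = [], []
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "PackageReference":
            continue
        name, version = el.get("Include"), el.get("Version")
        if version is None:  # version may be a child element instead
            version = next((c.text for c in el if _local(c.tag) == "Version"), None)
        version = (version or "").strip()
        # Floating, range or centrally managed versions are not exact: report
        # them instead of querying a version that may not be the resolved one.
        if not name or not version or any(ch in version for ch in "*[](),"):
            skipped.append(name)
        else:
            purls.append(f"pkg:nuget/{name}@{version}")
    return purls, skipped

def build_requests(purls, username=None, api_token=None, batch_size=128):
    """Build (url, headers, body) tuples for OSS Index; nothing is sent."""
    url = "https://ossindex.sonatype.org/api/v3/component-report"  # assumed endpoint
    headers = {"Content-Type": "application/json"}
    if username and api_token:  # authenticated request, for when the limit is hit
        cred = base64.b64encode(f"{username}:{api_token}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return [(url, headers, json.dumps({"coordinates": purls[i:i + batch_size]}))
            for i in range(0, len(purls), batch_size)]

if __name__ == "__main__":
    coords, skipped = package_coordinates(SAMPLE_CSPROJ)
    print(coords, "skipped:", skipped)
```

The skipped list matters: a package whose exact version is not pinned in the project file is not covered by the generated query and has to be resolved first.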
OSS Index is a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed vulnerabilities.
You can read more about the service here: https://ossindex.sonatype.org.