Checking for NuGet Package Security Vulnerabilities?

[RehanSaeed]

The dotnet CLI added a new command to check for vulnerable NuGet packages:

dotnet list package --vulnerable --include-transitive > /artifacts/vulnerabilities.txt

We could use this to create a record of vulnerabilities and add them to the build artefacts:

Task("Vulnerabilities")
    .Description("Checks NuGet packages for security vulnerabilities and outputs them to the artefacts directory.")
    .Does(() =>
    {
        var vulnerabilitiesFilePath = artefactsDirectory + new FilePath("Vulnerabilities.txt");
        StartProcess(
            "dotnet",
            new ProcessSettings()
                .WithArguments(x => x
                    .Append("list")
                    .Append("package")
                    .Append("--vulnerable")
                    .Append("--include-transitive"))
                .SetRedirectStandardOutput(true),
                out var output);
        System.IO.File.WriteAllLines(vulnerabilitiesFilePath, output);
    });

I'm not certain it's that useful, since if you use GitHub, there is a Security tab that already does all that for you. Dependabot even submits PR's to upgrade packages and fix them.

cc @VictorioBerra