From 5b844bbe17c10658ad5d3c1fa1f2b2fa9c7cb4b5 Mon Sep 17 00:00:00 2001 From: Tom van den Berg Date: Thu, 21 Nov 2024 14:23:23 +0100 Subject: [PATCH] update todo --- workshop/04-dependency-confusion.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/workshop/04-dependency-confusion.md b/workshop/04-dependency-confusion.md index 3dd8052..28767ac 100644 --- a/workshop/04-dependency-confusion.md +++ b/workshop/04-dependency-confusion.md 
@@ -6,7 +6,7 @@ Because of the way a nuget restore works (it uses the first source that responds For example, you are using the package MyCompany.Common with version `1.0.0` and you reference it in your project file like this . You have a connection to your own private feed and the public Nuget feed. The hacker uploads a package with the name MyCompany.Common with version 1.0.1 to the public Nuget feed. When you run a restore, NuGet will restore the package of the hacker because of the resolution rules. You can **unintentionally** introduce a new way for your software to be vulnerable for a supply chain attack. It is good to understand how [Nuget semantic versioning works](https://learn.microsoft.com/en-us/nuget/concepts/package-versioning?tabs=semver20sort#references-in-project-files-packagereference) and what the risks are of the way you reference your packages in your project file. ##### Mitigations -**NOTE**: before you perform the next exercise make sure that you run the command `nuget locals all -clear`. This will clear you local cached packages, so that you can see the effect of the mitigations that you are going to do. If you don't run this command, NuGet will use the cached packages and you will not see the effect of the mitigations. +**NOTE**: before you perform the next exercise make sure that you run the command `dotnet nuget locals all --clear`. This will clear you local cached packages, so that you can see the effect of the mitigations that you are going to do. If you don't run this command, NuGet will use the cached packages and you will not see the effect of the mitigations. By default, having both a public and a private feed is a risk. I would recommend to **only use a private feed**. This way you (your company) has control over the packages that are available to your software projects. You can configure Nuget to only use the private feed. 
Configuring NuGet to use a certain package source is done via the [`nuget.config` file](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file).
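Review bot: the `+` line in the mitigations NOTE still carries the typo "clear you local cached packages" ("your") from the `-` line it replaces; since the sentence is being rewritten anyway, fix it in the same hunk. The new command `dotnet nuget locals all --clear` is the correct dotnet CLI form, while the old `nuget locals all -clear` is the nuget.exe form; if readers of the workshop may use either client, the note could list both rather than silently switching. Separately, the subject line "update todo" does not describe what this patch does (it corrects the cache-clearing command in workshop/04-dependency-confusion.md), so a subject such as "fix nuget locals clear command" would make the history easier to search.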