Vulnerability inspection does not warn for NuGet package with known CVE
Recently we (manually) found a vulnerability in a NuGet package we use. The package is listed as vulnerable both on NuGet and on the Checkmarx site that ReSharper claims it uses, yet we got no warning from ReSharper. Tried setting the severity to Error instead of Warning but no change.
I know the VS command line tool only works with package reference projects and we use packages.config but thought ReSharper should work.
Hello Per Trelje, thank you for your question. Unfortunately, packages.config format is not yet supported for vulnerability analysis. Please comment or vote for the feature request to get notifications about status changes. Thank you!
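Until packages.config is covered by the inspection, a project using it can be checked by reading the file and comparing each pinned version against advisory ranges. The following is an added example, not part of the original thread and not ReSharper's code; the package ids, advisory ids and version ranges are constructed placeholders, and the version ordering is a simplified approximation of NuGet's.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a packages.config file (package ids are hypothetical).
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Example.Json" version="12.0.1" targetFramework="net472" />
  <package id="Example.Logging" version="2.1.0-beta1" targetFramework="net472" />
  <package id="Example.Http" version="4.3.4" targetFramework="net472" />
</packages>
"""

# Constructed advisories: (package id, first affected, first fixed, advisory id).
SAMPLE_ADVISORIES = [
    ("example.json", "0.0.0", "13.0.1", "ADVISORY-PLACEHOLDER-1"),
    ("example.http", "4.0.0", "4.3.4", "ADVISORY-PLACEHOLDER-2"),
    ("example.logging", "2.0.0", "2.1.0", "ADVISORY-PLACEHOLDER-3"),
]


def version_key(version):
    """Sortable key for a NuGet-style version: up to four numeric parts,
    with a prerelease (1.0.0-beta) ordered before its release (1.0.0)."""
    version = version.split("+", 1)[0]  # drop build metadata
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return (tuple(parts), (0, prerelease.lower()) if prerelease else (1, ""))


def read_packages_config(xml_text):
    """Return [(id, version)] for every <package> element."""
    root = ET.fromstring(xml_text)
    return [(p.attrib["id"], p.attrib["version"]) for p in root.iter("package")]


def find_vulnerable(xml_text, advisories):
    """Return [(id, version, advisory id)] where introduced <= version < fixed."""
    findings = []
    for pkg_id, version in read_packages_config(xml_text):
        for adv_pkg, introduced, fixed, advisory in advisories:
            # NuGet package ids are case-insensitive, so compare lowercased.
            if pkg_id.lower() == adv_pkg and (
                version_key(introduced) <= version_key(version) < version_key(fixed)
            ):
                findings.append((pkg_id, version, advisory))
    return findings


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_PACKAGES_CONFIG, SAMPLE_ADVISORIES):
        print("%s %s is affected by %s" % hit)
```

Running a check like this in CI makes a vulnerable pin fail the build regardless of which project format the IDE inspection supports.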