
Commit be8517a

Merge pull request #3356 from NuGet/main
NuGetAuditMode default change respects SdkAnalysisLevel (#3354)
2 parents 386628b + 00c4eef commit be8517a


2 files changed

+7
-4
lines changed


docs/concepts/Auditing-Packages.md

Lines changed: 4 additions & 4 deletions
@@ -3,7 +3,6 @@ title: Auditing package dependencies for security vulnerabilities
33
description: How to audit package dependencies for security vulnerabilities and acting on security audit reports.
44
author: JonDouglas
55
ms.author: jodou
6-
ms.date: 07/19/2024
76
ms.topic: conceptual
87
---
98

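Review bot: the hunk deletes the `ms.date: 07/19/2024` front-matter entry without a replacement, while `author`, `ms.author` and `ms.topic` are kept. A change to the documented default behaviour is exactly the kind of edit that should bump the date, so replace the line with an updated `ms.date` rather than dropping the field; if the field is being retired on purpose, say so in the commit message, because the PR title (`NuGetAuditMode default change respects SdkAnalysisLevel`) does not cover it.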
@@ -44,11 +43,12 @@ We recommend that audit is configured at a repository level.
4443

4544
| MSBuild Property | Default | Possible values | Notes |
4645
|------------------|---------|-----------------|-------|
47-
| NuGetAuditMode | all (1) | `direct` and `all` | If you'd like to audit both top-level and transitive dependencies, you can set the value to `all`. NuGetAuditMode is not applicable for packages.config projects |
46+
| NuGetAuditMode | all | `direct` and `all` | If you'd like to audit top-level dependencies only, you can set the value to `direct`. NuGetAuditMode is not applicable for packages.config projects. |
4847
| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
4948
| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
5049

51-
(1) NuGetAuditMode defaulted to `direct` when it was introduced in [the .NET 8.0.100 SDK and VS 17.8](../release-notes/NuGet-6.8.md). In [.NET 9.0.100 SDK and VS 17.12](../release-notes/NuGet-6.12.md) the default changed to `all`.
50+
Note: In .NET 8, the default value of NuGetAuditMode is `direct`.
51+
Therefore, setting [SdkAnalysisLevel](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) to `8.0.400` changes the default value of NuGetAuditMode accordingly.
5252

5353
#### Audit Sources
5454

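Review bot: the replacement note reads as a non sequitur: `Note: In .NET 8, the default value of NuGetAuditMode is direct.` is followed by `Therefore, setting SdkAnalysisLevel to 8.0.400 changes the default value of NuGetAuditMode accordingly.`, but the second sentence does not follow from the first, and `accordingly` leaves the reader to infer the resulting value. State it directly, for example `Setting SdkAnalysisLevel to 8.0.400 restores the .NET 8 default of direct.`, and say whether only that exact value has this effect or any lower level does, since the note as written only names `8.0.400`. The deleted footnote also carried the version history with links to `../release-notes/NuGet-6.8.md` and `../release-notes/NuGet-6.12.md`; that information now lives only in `NU1901-NU1904.md`, so consider keeping one sentence with those links on this concepts page. Lastly, the `Default` cell still reads `all` unconditionally; a short `(see note)` marker there would signal that the default now depends on `SdkAnalysisLevel`.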
@@ -111,7 +111,7 @@ Alternatively, if you want to keep low and moderate vulnerabilities as warnings,
111111
## `dotnet list package --vulnerable`
112112

113113
Once a project is successfully restored, [`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities.
114-
Note that `--include-transitive` is not default, so should be included
114+
Note that `--include-transitive` is not default, so should be included.
115115

116116
## Actions when packages with known vulnerabilities are reported
117117

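Review bot: the only change in this hunk is the added trailing period, but the sentence it lands on is still ungrammatical: `--include-transitive is not default, so should be included` is missing both an article and a subject. Since the line is being touched anyway, make it `Note that --include-transitive is not the default, so it should be included.`, and ideally say why: without the flag the listing omits transitive packages, which are exactly what the `all` audit mode described above is reporting on.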
docs/reference/errors-and-warnings/NU1901-NU1904.md

Lines changed: 3 additions & 0 deletions
@@ -51,3 +51,6 @@ For example `<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-g3q
5151

5252
If you do not want NuGet to check for packages with known vulnerabilities during restore, add `<NuGetAudit>false</NuGetAudit>` inside a `<PropertyGroup>` in your project file, or a [`Directory.Build.props` file](/visualstudio/msbuild/customize-by-directory).
5353
If you would like to run NuGet Audit on developer machines, but disable it on CI pipelines, you can take advantage of MSBuild importing environment variables, and create a NuGetAudit environment variable set to `false` in your pipeline definition.
54+
55+
In NuGet 6.12 (Visual Studio/MSBuild 17.12 and .NET 9.0.100 SDK), NuGet changed the default for `NuGetAuditMode` to `all`, which means report on transitive packages with known vulnerabilities.
56+
The value can be explicitly set to `direct` to revert back to .NET 8's default. Alternatively, [the property `SdkAnalysisLevel`](/dotnet/core/project-sdk/msbuild-props#sdkanalysislevel) can be set to `8.0.400` to temporarily disable all new warnings and errors introduced in newer versions of the SDK. Specifically in this case, the default value of `NuGetAuditMode` is changed back to `direct`.
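
Review bot: two consecutive blank `+` lines (`54+`, `55+`) are added before the new paragraph, whereas the rest of the file separates paragraphs with a single blank line (see `51`/`52` above); drop one. In the text itself, `revert back` is redundant (`revert to .NET 8's default`), and `which means report on transitive packages with known vulnerabilities` should read `which means NuGet also reports transitive packages with known vulnerabilities`. The statement that `SdkAnalysisLevel` set to `8.0.400` will `temporarily disable all new warnings and errors introduced in newer versions of the SDK` is broader than what this page documents; scope it to what is verified here (the `NuGetAuditMode` default) and let the linked `msbuild-props#sdkanalysislevel` page carry the general claim. This paragraph and the note added to `Auditing-Packages.md` in the same commit describe the same behaviour in different words; align the wording or link one to the other so the two pages cannot drift.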
