NuGet
diff --git a/‎docs/TOC.md‎
Lines changed: 3 additions & 0 deletions b/‎docs/TOC.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/concepts/Auditing-Packages.md‎
Lines changed: 93 additions & 57 deletions b/‎docs/concepts/Auditing-Packages.md‎
Lines changed: 93 additions & 57 deletions
diff --git a/‎docs/concepts/Security-Best-Practices.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/concepts/Security-Best-Practices.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/consume-packages/consuming-packages-authenticated-feeds.md‎
Lines changed: 6 additions & 2 deletions b/‎docs/consume-packages/consuming-packages-authenticated-feeds.md‎
Lines changed: 6 additions & 2 deletions
@@ -172,6 +172,7 @@
 ### [NU1212](reference/errors-and-warnings/NU1212.md)
 ### [NU1213](reference/errors-and-warnings/NU1213.md)
 ### [NU1301](reference/errors-and-warnings/NU1301.md)
+### [NU1302](reference/errors-and-warnings/NU1302.md)
 ### [NU1401](reference/errors-and-warnings/NU1401.md)
 ### [NU1402](reference/errors-and-warnings/NU1402.md)
 ### [NU1403](reference/errors-and-warnings/NU1403.md)
@@ -189,6 +190,7 @@
 ### [NU1605](reference/errors-and-warnings/NU1605.md)
 ### [NU1608](reference/errors-and-warnings/NU1608.md)
 ### [NU1701](reference/errors-and-warnings/NU1701.md)
+### [NU1702](reference/errors-and-warnings/NU1702.md)
 ### [NU1703](reference/errors-and-warnings/NU1703.md)
 ### [NU1900](reference/errors-and-warnings/NU1900.md)
 ### [NU1901](reference/errors-and-warnings/NU1901-NU1904.md)
@@ -339,6 +341,7 @@
 ### [Known Issues](release-notes/known-issues.md)
 
 ### NuGet 6.x
+#### [NuGet 6.11](release-notes/NuGet-6.11.md)
 #### [NuGet 6.10](release-notes/NuGet-6.10.md)
 #### [NuGet 6.9](release-notes/NuGet-6.9.md)
 #### [NuGet 6.8](release-notes/NuGet-6.8.md)
 
@@ -3,7 +3,7 @@ title: Auditing package dependencies for security vulnerabilities
 description: How to audit package dependencies for security vulnerabilities and acting on security audit reports.
 author: JonDouglas
 ms.author: jodou
-ms.date: 10/11/2023
+ms.date: 07/19/2024
 ms.topic: conceptual
 ---
 
@@ -16,24 +16,107 @@ This involves identifying vulnerabilities, evaluating risks, and making recommen
 The audit can include a review of the packages themselves, as well as any dependencies and their associated risks.
 The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks.
 
-| Project Type | NuGet | .NET SDK | Visual Studio |
-|--------------|-------|----------|---------------|
-| PackageReference | 6.8 |  .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 |
-| packages.config | 6.10 | N/A | Visual Studio 2022 17.10 |
+We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) which discusses our recommended method for taking action when a package with a known vulnerability is found to be used by your project, and tools to help get more information.
+
+### Feature availability
+
+| NuGet | .NET SDK | Visual Studio | Feature |
+|-------|----------|---------------|---------|
+| 5.9 | .NET 5 SDK (5.0.200) | N/A | [`dotnet list package --vulnerable`](#dotnet-list-package---vulnerable) |
+| 6.8 | .NET 8 SDK (8.0.100) | Visual Studio 2022 17.8 | [NuGetAudit](#running-a-security-audit-with-restore) for PackageReference |
+| 6.10 | N/A | Visual Studio 2022 17.10 | [NuGetAudit](#running-a-security-audit-with-restore) for packages.config|
+| 6.11 | .NET 8 SDK (8.0.400) | Visual Studio 2022 17.11 | [NuGetAuditSuppress](#excluding-advisories) for PackageReference |
+| 6.12 | .NET 9 SDK (9.0.100) | Visual Studio 2022 17.12 | [Audit sources](#audit-sources). [NuGetAuditSuppress](#excluding-advisories) for packages.config. |
 
 ## Running a security audit with `restore`
 
 The `restore` command automatically runs when you do a common package operation such as loading a project for the first time, adding a new package, updating a package version, or removing a package from your project in your favorite IDE.
-A description of your dependencies is checked against a report of known vulnerabilities on the [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget).
-
-> [!IMPORTANT]
-> For Audit to check packages, a package source that provides a vulnerability database must be used.
-> NuGet.org's V3 URL is one such example (https://api.nuget.org/v3/index.json), but note that NuGet.org's V2 endpoint does not.
+Your dependencies are checked against a list of known vulnerabilities provided by your [audit sources](#audit-sources).
 
 1. On the command line, navigate to your project or solution directory.
 1. Run `restore` using your preferred tooling (i.e. dotnet, MSBuild, NuGet.exe, VisualStudio etc).
 1. Review the warnings and address the known security vulnerabilities.
 
+### Configuring NuGet Audit
+
+Audit can be configured via MSBuild properties in a `.csproj` or MSBuild file being evaluated as part of your project.
+We recommend that audit is configured at a repository level.
+
+| MSBuild Property | Default | Possible values | Notes |
+|------------------|---------|-----------------|-------|
+| NuGetAuditMode | all (1) | `direct` and `all` | If you'd like to audit both top-level and transitive dependencies, you can set the value to `all`. NuGetAuditMode is not applicable for packages.config projects |
+| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | The minimum severity level to report. If you'd like to see `moderate`, `high`, and `critical` advisories (exclude `low`), set the value to `moderate` |
+| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
+
+(1) NuGetAuditMode defaulted to `direct` when it was introduced in the .NET 8.0.100 SDK and VS 17.8. In .NET 9.0.100 SDK and VS 17.12 the default changed to `all`.
+
+#### Audit Sources
+
+Restore downloads a server's [`VulnerabilityInfo` resource](../api/vulnerability-info.md) to check against the list of packages each project is using.
+The list of sources are defined by [the `auditSources` element in NuGet.Config](../reference/nuget-config-file.md#auditsources), and [warning NU1905](#warning-codes) is raised if any of the audit sources do not provide any vulnerability info.
+If `auditSources` is not defined or is cleared without adding any sources, then `packageSources` will be used and warning NU1905 is suppressed.
+
+Since a common mitigation for package substitution attacks is [to use a single package source that upstreams from nuget.org, so that NuGet is not configured to use nuget.org as a package source](Security-Best-Practices.md#nuget-feeds), audit sources can be used to use nuget.org (or any other source that provides vulnerability information) without also using it as a package source.
+
+The data source for nuget.org's vulnerability database is [GitHub Advisory Database](https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget).
+Note that the [V2 protocol is deprecated](../nuget-org/overview-nuget-org.md#api-endpoint-for-nugetorg), so if your nuget.config is still using the V2 endpoint, you must migrate to the V3 endpoint.
+
+```xml
+<configuration>
+    <auditSources>
+        <clear />
+        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+    </auditSources>
+</configuration>
+```
+
+Audit sources are available from NuGet 6.12, .NET 9.0.100 SDK, and Visual Studio 2022 17.12.
+Prior to this version, NuGet Audit will only use package sources to download vulnerability information.
+Audit sources are not used by `dotnet list package --vulnerable` at this time.
+
+#### Excluding advisories
+
+You can choose to exclude specific advisories from the audit report by adding a new `NuGetAuditSuppress` MSBuild item for each advisory.
+Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advisory URL you wish to suppress.
+
+```xml
+<ItemGroup>
+    <NuGetAuditSuppress Include="https://github.com/advisories/XXXX" />
+</ItemGroup>
+```
+
+Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` items can be defined at the project or repository level.
+
+`NuGetAuditSuppress` is available for PackageReference projects starting from NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK.
+It is available for packages.config with Visual Studio 17.12 and NuGet 6.12.
+
+### Warning codes
+
+| Warning Code | Reason |
+|--------------|----------|
+| [NU1900](../reference/errors-and-warnings/NU1900.md) | Error communicating with package source, while getting vulnerability information. |
+| [NU1901](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with low severity detected |
+| [NU1902](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with moderate severity detected |
+| [NU1903](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with high severity detected |
+| [NU1904](../reference/errors-and-warnings/NU1901-NU1904.md) | Package with critical severity detected |
+| [NU1905](../reference/errors-and-warnings/NU1905.md) | An audit source does not provide a vulnerability database |
+
+You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors).
+For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
+Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>`.
+
+> [!NOTE]
+> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
+
+## `dotnet list package --vulnerable`
+
+Once a project is successfully restored, [`dotnet list package`](/dotnet/core/tools/dotnet-list-package) has a `--vulnerable` argument to filter the packages based on which packages have known vulnerabilities.
+Note that `--include-transitive` is not default, so should be included 
+
+## Actions when packages with known vulnerabilities are reported
+
+We also have a [blog post](https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) which discusses our recommended method for taking action when a package with a known vulnerability is found to be used by your project, and tools to help get more information.
+
 ### Security vulnerabilities found with updates
 
 If security vulnerabilities are found and updates are available for the package, you can either:
@@ -74,53 +157,6 @@ On NuGet.org, you can navigate to the package details page and click `Report pac
 If no security vulnerabilities are found, this means that packages with known vulnerabilities were not found in your package graph at the present moment of time you checked.
 Since the advisory database can be updated at any time, we recommend regularly checking your `dotnet restore` output and ensuring the same in your continuous integration process.
 
-### Configuring NuGet audit
-
-Audit can be configured via MSBuild properties in a `.csproj` or MSBuild file being evaluated as part of your project.
-We recommend that audit is configured at a repository level.
-
-| MSBuild Property | Default | Possible values | Notes |
-|------------------|---------|-----------------|-------|
-| NuGetAuditMode | direct | `direct` and `all` | If you'd like to audit both top-level and transitive dependencies, you can set the value to `all`. NuGetAuditMode is not applicable for packages.config projects |
-| NuGetAuditLevel | low | `low`, `moderate`, `high`, and `critical` | If you'd like to see `moderate`, `high`, and `critical` advisories, set the value to `moderate` |
-| NuGetAudit | true | `true` and `false` | If you wish to not receive security audit reports, you can opt-out of the experience entirely by setting the value to `false` |
-
-### Excluding advisories
-
-You can choose to exclude specific advisories from the audit report by adding a new `NuGetAuditSuppress` MSBuild item for each advisory.
-Define a `NuGetAuditSuppress` item with the `Include=` metadata set to the advisory URL you wish to suppress.
-
-```xml
-<ItemGroup>
-    <NuGetAuditSuppress Include="https://github.com/advisories/XXXX" />
-</ItemGroup>
-```
-
-Similar to the other NuGet audit configuration properties, `NuGetAuditSuppress` items can be defined at the project or repository level.
-
-`NuGetAuditSuppress` is available for PackageReference projects starting from NuGet 6.11, Visual Studio 17.11, and the .NET 8.0.400 SDK.
-It is not currently available for packages.config projects.
-
-Additionally, you have the option to suppress warnings based on their severity.
-You can use `<NoWarn>` to suppress `NU1901`-`NU1904` warnings or use the `<NuGetAuditLevel>` functionality to ensure your audit reports are useful to your workflow.
-
-### Warning codes
-
-| Warning Code | Reason |
-|--------------|----------|
-| NU1900 | Error communicating with package source, while getting vulnerability information. |
-| NU1901 | Package with low severity detected |
-| NU1902 | Package with moderate severity detected |
-| NU1903 | Package with high severity detected |
-| NU1904 | Package with critical severity detected |
-
-You can customize your build to treat these warnings as errors to [treat warnings as errors, or treat warnings not as errors](/dotnet/csharp/language-reference/compiler-options/errors-warnings#warningsaserrors-and-warningsnotaserrors).
-For example, if you're already using `<TreatWarningsAsErrors>` to treat all (C#, NuGet, MSBuild, etc) warnings as errors, you can use `<WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to prevent vulnerabilities discovered in the future from breaking your build.
-Alternatively, if you want to keep low and moderate vulnerabilities as warnings, but treat high and critical vulnerabilities as errors, and you're not using `TreatWarningsAsErrors`, you can use `<WarningsAsErrors>NU1903;NU1904</WarningsAsErrors>`.
-
-> [!NOTE]
-> MSBuild properties for message severity such as `NoWarn` and `TreatWarningsAsErrors` are not supported for packages.config projects.
-
 ## Summary
 
 Security auditing features are crucial for maintaining the security and integrity of software projects.
 
@@ -117,7 +117,7 @@ For more information about Dependabot alerts & security updates, [see the follow
 
 **📦 Package Consumer**
 
-When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. You can use a single feed or private feed with upstreaming capabilities for protection.
+Use package sources that you trust. When using multiple public & private NuGet source feeds, a package can be downloaded from any of the feeds. To ensure your build is predictable and secure from known attacks such as [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), knowing what specific feed(s) your packages are coming from is a best practice. You can use a single feed or private feed with upstreaming capabilities for protection.
 
 For more information to secure your package feeds, see [3 Ways to Mitigate Risk When Using Private Package Feeds](https://azure.microsoft.com/resources/3-ways-to-mitigate-risk-using-private-package-feeds/en-us/).
 
 
@@ -10,6 +10,10 @@ ms.topic: conceptual
 # Consuming packages from authenticated feeds
 
 Many NuGet operations, such as restore and install, require communication with one or more package sources, which [can be configured in *nuget.config* files](../reference/nuget-config-file.md#packagesources).
+
+> [!NOTE]
+> Use package sources that you trust.
+
 For HTTP feeds, NuGet will make an unauthenticated request, and if the server responds with an HTTP 401 response, NuGet will search for credentials in the following order:
 
 1. [An environment variable `NuGetPackageSourceCredentials_{name}`](#credentials-in-environment-variables).
@@ -37,11 +41,11 @@ This approach provides an extra layer of security by storing the credentials in
 For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files).
 
     > [!NOTE]
-    > Be aware that encrypted passwords are only supported on Windows. 
+    > Be aware that encrypted passwords are only supported on Windows.
     > Moreover, they can only be decrypted on the same machine and by the same user who originally encrypted them.
 
 1. **Using Environment Variable Macros in nuget.config**: If using encrypted credentials is not possible, consider storing the credentials in the *nuget.config* file with environment variable macros.
-This approach allows you to reference environment variables that contain the actual credentials. 
+This approach allows you to reference environment variables that contain the actual credentials.
 It enhances transparency and helps end users understand how their credentials are configured.
 For more information, refer to the section on [credentials in *nuget.config* files](#credentials-in-nugetconfig-files).