Is your feature request related to a problem? Please describe.
As part of most dotnet commands, MSBuild resolves the version of the SDK to use. As I understand it, the chain is MSBuild -> DotNetMSBuildSdkResolver -> NETCoreSdkResolver -> NETCoreSdkResolverNativeWrapper. It chooses the most compatible SDK based on: Available SDK versions, MSBuild version compatibility, global.json requirements, and preview/release preferences.
I have no easy way of knowing if the resolved SDK version has any applicable vulnerabilities. For an example of what I mean, see NuGet warnings NU1901-NU1904, which warn if any resolved packages have low-high severity security advisories respectively.
Describe the solution you'd like
I'd like to see warnings printed to the console if a .NET SDK with a known vulnerability is used. This information is already available as part of the releases.json for each version. For example, for 9.0.6:
"cve-list": [
{
"cve-id": "CVE-2025-30399",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30399"
}
]
It would also be nice to have a warning printed if an EOL version of the SDK is resolved. This information is available in the releases-index.json:
{
"channel-version": "7.0",
"latest-release": "7.0.20",
"latest-release-date": "2024-05-28",
"security": true,
"latest-runtime": "7.0.20",
"latest-sdk": "7.0.410",
"product": ".NET",
"support-phase": "eol",
"eol-date": "2024-05-14",
"release-type": "sts",
"releases.json": "https://builds.dotnet.microsoft.com/dotnet/release-metadata/7.0/releases.json",
"supported-os.json": "https://builds.dotnet.microsoft.com/dotnet/release-metadata/7.0/supported-os.json"
},
Additional context
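The check the request describes, written out as an added example so the two metadata lookups are concrete. This is illustrative code, not anything from the dotnet/sdk or MSBuild repositories, and it makes three assumptions about the metadata: that releases-index.json wraps its channel objects in a top-level "releases-index" array; that each channel's releases.json has a "releases" array whose entries carry "release-version", "cve-list" and an "sdks" array of objects with a "version" field (the real files also carry many fields this ignores); and that a release's "cve-list" names the CVEs that release fixes, so the SDKs that are actually exposed are those shipped in earlier releases of the same channel, not the one the list is attached to. The sample documents embedded below are constructed for the example, with only the 7.0 index fields and the 9.0.6 CVE entry taken from the issue text.

```python
import json
from datetime import date

# Constructed sample of releases-index.json, trimmed to the fields the check reads.
# The 7.0 entry mirrors the one quoted in the issue; the 9.0 entry is made up.
RELEASES_INDEX_SAMPLE = json.loads('''
{"releases-index": [
  {"channel-version": "9.0", "latest-sdk": "9.0.301",
   "support-phase": "active", "eol-date": null, "release-type": "sts"},
  {"channel-version": "7.0", "latest-sdk": "7.0.410",
   "support-phase": "eol", "eol-date": "2024-05-14", "release-type": "sts"}
]}''')

# Constructed samples of the per-channel releases.json files (assumed shape:
# "releases" -> entries with "release-version", "cve-list", "sdks").  The 9.0.6
# cve-list entry is the one quoted in the issue; everything else is made up.
RELEASES_SAMPLE = {
    "9.0": json.loads('''
{"channel-version": "9.0", "releases": [
  {"release-version": "9.0.6", "security": true,
   "cve-list": [{"cve-id": "CVE-2025-30399",
                 "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30399"}],
   "sdks": [{"version": "9.0.301"}]},
  {"release-version": "9.0.5", "security": false, "cve-list": [],
   "sdks": [{"version": "9.0.300"}, {"version": "9.0.203"}]}
]}'''),
    "7.0": json.loads('''
{"channel-version": "7.0", "releases": [
  {"release-version": "7.0.20", "security": true, "cve-list": [],
   "sdks": [{"version": "7.0.410"}]}
]}'''),
}


def version_key(v):
    """Sort key for versions such as 9.0.301 or 9.0.100-preview.3.
    A preview sorts below the final build with the same numeric part."""
    core, _, pre = v.partition("-")
    return tuple(int(p) for p in core.split(".")), (pre == "", pre)


def channel_of(sdk_version):
    """Map an SDK version (9.0.301) to its channel-version (9.0)."""
    major, minor = sdk_version.split(".")[:2]
    return f"{major}.{minor}"


def release_for_sdk(releases_json, sdk_version):
    """Find the runtime release entry that shipped the given SDK build."""
    for rel in releases_json["releases"]:
        if any(s["version"] == sdk_version for s in rel.get("sdks", [])):
            return rel
    return None


def check_sdk(sdk_version, releases_index, releases_by_channel, today=None):
    """Return a list of warning dicts for a resolved SDK version:
    'eol' if its channel is out of support, one 'cve' per CVE fixed by a
    later release in the same channel, or 'unknown-*' if metadata is missing."""
    today = today or date.today()
    warnings = []
    channel = channel_of(sdk_version)

    chan = next((c for c in releases_index["releases-index"]
                 if c["channel-version"] == channel), None)
    if chan is None:
        return [{"kind": "unknown-channel", "detail": channel}]

    # EOL: trust the support-phase flag, and also the date in case the flag lags.
    eol = chan.get("eol-date")
    if chan.get("support-phase") == "eol" or (eol and date.fromisoformat(eol) <= today):
        warnings.append({"kind": "eol",
                         "detail": f"{channel} reached end of life on {eol}"})

    releases_json = releases_by_channel.get(channel)
    rel = release_for_sdk(releases_json, sdk_version) if releases_json else None
    if rel is None:
        warnings.append({"kind": "unknown-sdk", "detail": sdk_version})
        return warnings

    # CVEs: every security release newer than the one that shipped this SDK
    # fixed something this SDK still carries.
    resolved = version_key(rel["release-version"])
    for later in releases_json["releases"]:
        if version_key(later["release-version"]) > resolved:
            for cve in later.get("cve-list") or []:
                warnings.append({"kind": "cve", "detail": cve["cve-id"],
                                 "fixed-in": later["release-version"],
                                 "url": cve["cve-url"]})
    return warnings


if __name__ == "__main__":
    import sys
    # Usage: python check_sdk.py "$(dotnet --version)"  (runs against the samples)
    for w in check_sdk(sys.argv[1] if len(sys.argv) > 1 else "9.0.300",
                       RELEASES_INDEX_SAMPLE, RELEASES_SAMPLE):
        print(f"warning {w['kind']}: {w['detail']}")
```

Against the samples, an SDK of 9.0.300 (shipped with 9.0.5) reports CVE-2025-30399 as fixed in 9.0.6, 9.0.301 reports nothing, and 7.0.410 reports only the end-of-life warning. In a real resolver hook the two JSON documents would be fetched from the builds.dotnet.microsoft.com URLs in the index and cached, and the version fed in would be whatever the SDK resolver chose after global.json and roll-forward rules were applied, which is exactly the point the request makes: the warning has to be attached to the resolved version, not to whatever `dotnet --version` prints from another directory.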