No vulns shown for vulnerable & deprecated package version when using dotnet list package --vulnerable

[dscheg]

NuGet Product Used

dotnet.exe

Product Version

.NET SDK 9.0.8

Worked before?

Unknown

Impact

It's more difficult to complete my work

Repro Steps & Context

1. Create an empty C# .NET console App project
2. Add NuGet package dependency OpenTelemetry.Instrumentation.AspNetCore version 1.0.0-rc9.14 (note the vulnerability message in nuget.org)
3. Use the dependency:

   Console.WriteLine(OpenTelemetry.Sdk.SuppressInstrumentation);

4. Restore/Build the project
5. Use dotnet list package -v diag --vulnerable, the result is "No vulnerable packages" (BUG):

   $ dotnet list package -v diag --vulnerable
   
     CACHE https://api.nuget.org/v3/registration5-gz-semver2/opentelemetry.instrumentation.aspnetcore/index.json
   
   The following sources were used:
     https://api.nuget.org/v3/index.json
     C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
   
   The given project `VulnTestApp` has no vulnerable packages given the current sources.
   

Despite the fact that package registration endpoint contains vulnerability info:

"version": "1.0.0-rc9.14",
"vulnerabilities": [
  {
    "advisoryUrl": "https://github.com/advisories/GHSA-vh2m-22xx-q94f",
    "severity": "1"
  }
]

Also, if you add nuget.config the behavior will change:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <auditSources>
      <clear />
      <add key="NuGetAudit" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>

Now because of using another (VulnerabilityInfo) endpoints the result is (CORRECT):

$ dotnet list package -v diag --vulnerable

  CACHE https://api.nuget.org/v3/vulnerabilities/index.json
  CACHE https://api.nuget.org/v3-vulnerabilities/2025.07.31.17.40.39/vulnerability.base.json
  CACHE https://api.nuget.org/v3-vulnerabilities/2025.07.31.17.40.39/2025.08.14.05.17.51/vulnerability.update.json

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `VulnTestApp` has the following vulnerable packages
   [net9.0]:
   Top-level Package                               Requested      Resolved       Severity   Advisory URL

   > OpenTelemetry.Instrumentation.AspNetCore      1.0.0-rc9.14   1.0.0-rc9.14   Moderate   https://github.com/advisories/GHSA-vh2m-22xx-q94f

Verbose Logs

[nkolev92]

I can repro it.

[mycroes]

I'm not sure if something has changed in the meantime, because I actually get NU1904 warnings during the restore (and even had those as errors due to TreatWarningsAsErrors, disabled that for this test), but it still reports no vulnerabilities:

$ dotnet package list --vulnerable
Restore succeeded with 2 warning(s) in 0,9s
    D:\Projects\-REDACTED-.Core\PLC\-REDACTED-.csproj : warning NU1904: Package 'log4net' 2.0.8 has a known critical severity vulnerability, https://github.com/advisories/GHSA-2cwj-8chv-9pp9
    D:\Projects\-REDACTED-.Core\-REDACTED-.Core\-REDACTED-.Core.csproj : warning NU1904: Package 'log4net' 2.0.8 has a known critical severity vulnerability, https://github.com/advisories/GHSA-2cwj-8chv-9pp9

Build succeeded with 2 warning(s) in 1,0s

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://nuget.-REDACTED-.eu/v3/index.json

The given project `Benchmarks` has no vulnerable packages given the current sources.
The given project `-REDACTED-` has no vulnerable packages given the current sources.
The given project `-REDACTED-.Sally7` has no vulnerable packages given the current sources.
The given project `Sample.Next` has no vulnerable packages given the current sources.
The given project `Sample` has no vulnerable packages given the current sources.
The given project `-REDACTED-.Core` has no vulnerable packages given the current sources.

Dotnet version: 10.0.101

[zivkan]

@mycroes Thanks for commenting. I forgot about this issue, and your comment prompted me to investigate.

The problem you reported with log4net is because they unlisted the package version you're referencing.

The problem from this issue's original post is because the package is pre-release, and dotnet list package --vulnerable wasn't run with --prerelease.

There's a bug in how list package gets the package metadata from package sources: https://github.com/NuGet/NuGet.Client/blob/fa192027829141c8593fa61b72bf9a62f4d1b73c/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs#L693-L694

Changing both of these to hardcoded true fixes the issue, but writing tests to make sure this doesn't regress again in the future is the hard part of fixing this bug.

Using an audit source in nuget.config is a workaround, since it uses the vulnerability database to look up vulnerable packages, rather than querying the package source with the wrong flags.

[mycroes]

@zivkan Thanks for the response (I actually missed it at first because I still had this tab open from yesterday, hence you might have seen a comment that has now been deleted). It's very unfortunate that it'll skip unlisted packages, because that seems like a common thing to happen for packages with security vulnerabilities. This also is the one that can't be mitigated by passing an additional command line argument, so I hope the team can put some effort into this. I'm also not sure why the regression test for unlisted packages would be hard, seems like a pretty straightforward case to me.

Do you want me to open a separate issue for the unlisted package behavior? Is there already an open issue for this problem?