OneBranch SDL
SDL violations for Nuget Multifeed Config
Symptoms
If you get S360 violations for SDL or your OneBranch builds are breaking
The Template project generates NuGet.config files that list two package sources: the azure-sdk-for-net artifact feed and nuget.org. Configuring multiple package feeds in one NuGet.config is a security vulnerability and violates the SDL.
Workaround
Create your own ADO Artifact Feed and add https://api.nuget.org/v3/index.json and azure-feed://azure-sdk/public/azure-sdk-for-net@Local to it as upstream sources. Your NuGet.config then specifies only your own feed, and that feed pulls packages from the upstreams on your behalf.
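As an added example (not part of the OneBranch docs), a small Python check that contrasts the Template project's two-feed NuGet.config with the single-feed workaround. The https URL for the azure-sdk-for-net feed and the ORG/PROJECT/FEED placeholders are assumptions; the `<clear />` element, which stops sources in machine- or user-level NuGet.config files from being inherited, is a caveat beyond what the page states.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape the Template project emits, two feeds side by side.
# The azure-sdk-for-net https URL is an assumed value, not taken from the page.
MULTI_FEED_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="azure-sdk-for-net"
         value="https://pkgs.dev.azure.com/azure-sdk/public/_packaging/azure-sdk-for-net/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

# Constructed sample: the workaround, one private ADO feed with nuget.org and
# azure-sdk-for-net configured as upstreams on the feed itself. <clear /> drops
# sources inherited from higher-level NuGet.config files (caveat, not from the page).
# ORG/PROJECT/FEED are placeholders for your own organization, project and feed.
SINGLE_FEED_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="my-feed"
         value="https://pkgs.dev.azure.com/ORG/PROJECT/_packaging/FEED/nuget/v3/index.json" />
  </packageSources>
</configuration>"""


def package_sources(config_xml: str) -> tuple[bool, list[tuple[str, str]]]:
    """Return (has_clear, [(key, url), ...]) from the <packageSources> block."""
    root = ET.fromstring(config_xml)
    block = root.find("packageSources")
    if block is None:
        return False, []
    has_clear = block.find("clear") is not None
    adds = [(a.get("key", ""), a.get("value", "")) for a in block.findall("add")]
    return has_clear, adds


def sdl_violations(config_xml: str) -> list[str]:
    """Describe why a NuGet.config would trip the multi-feed SDL check."""
    has_clear, adds = package_sources(config_xml)
    issues = []
    if len(adds) > 1:
        keys = ", ".join(key for key, _ in adds)
        issues.append(f"{len(adds)} package sources declared ({keys}); use one feed with upstreams")
    if not has_clear:
        issues.append("missing <clear />: sources from higher-level NuGet.config files are inherited")
    return issues


if __name__ == "__main__":
    for name, cfg in (("template", MULTI_FEED_CONFIG), ("workaround", SINGLE_FEED_CONFIG)):
        print(name, sdl_violations(cfg) or "OK")
```

Point `sdl_violations` at the contents of a checked-in NuGet.config to see the same findings the build-breaking SDL check reports.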