Skip to content

OneBranch SDL

SDL violations for Nuget Multifeed Config

Symptoms

If you get S360 violations for SDL or your OneBranch builds are breaking

Cause

The Template project creates Nuget Config files with artifact feeds for azure-sdk-for-net and nuget.org. Having multiple feeds is a security vulnerability and violates the SDL.

Workaround

Create your own ADO Artifact Feed, and add https://api.nuget.org/v3/index.json and azure-feed://azure-sdk/public/azure-sdk-for-net@Local as upstream feeds. This enables you to only specify your package feed, and then have your feed pull from the upstream feeds.