Question 1

Should I upgrade to the latest version of every dependency?

Accepted Answer

Not necessarily. The latest version might have:
- Breaking API changes (especially true for major version bumps)
- Different performance characteristics (newer isn't always faster)
- Unrelated features you don't need (increased surface area)

Instead, upgrade to the earliest version that fixes the vulnerability AND maintains compatibility with your code. For example:

Current: Newtonsoft.Json 11.0.2 (vulnerable to RCE)
Latest: Newtonsoft.Json 13.0.3

Your app only uses basic JSON serialization (no type handling).
Safe upgrade: 13.0.1 (first version to fix CVE-2022-24765)
Test it. If no breaking changes, you can upgrade to 13.0.3 later for features.

Question 2

How often should I scan my NuGet dependencies?

Accepted Answer

Minimum: Weekly automated scans (via CI/CD).
Recommended: Daily automated scans for production applications.
Emergency: Immediate ad-hoc scans when a critical vulnerability is announced.

If you're running ASP.NET Core in production, a new critical CVE can be announced any day. The longer you wait to scan, the longer you're exposed.

Question 3

What's the difference between EPSS and CVSS scores?

Accepted Answer

CVSS (Common Vulnerability Scoring System): Measures the severity of a vulnerability (how bad it is if exploited). Range: 0.0-10.0.
- 0-3.9: Low
- 4.0-6.9: Medium
- 7.0-8.9: High
- 9.0-10.0: Critical

Example: Newtonsoft.Json RCE has CVSS 9.8 (critical).

EPSS (Exploit Prediction Scoring System): Predicts the likelihood of active exploitation in the next 30 days. Range: 0.0–1.0.
- 0.0–0.1: Unlikely to be exploited
- 0.1–0.4: Possible
- 0.4+: Likely to be exploited soon

Example: Same Newtonsoft.Json RCE has EPSS 0.87, meaning an 87% chance of exploitation in the next month.

Why both matter: A critical vulnerability (CVSS 9.8) that's not being exploited yet (EPSS 0.02) might be lower priority than a medium vulnerability (CVSS 6.5) being actively exploited today (EPSS 0.92). Learn more: Understanding EPSS.

Question 4

Can I scan NuGet packages in private repositories?

Accepted Answer

Yes, but you need to provide NuGet credentials. GeekWala supports:
- NuGet.config authentication (API keys, Azure AD, GitHub Packages)
- Custom registry URLs (internal myget.org feeds, Azure Artifacts)

When you upload your project, include your NuGet.config (with credentials masked), and GeekWala will resolve packages from private feeds.

Question 5

What if there's no patch available for a vulnerability?

Accepted Answer

This happens. An open-source library might be unmaintained, or the vulnerability might be in an old version that the maintainer no longer supports.

Your options:
1. Fork and patch: Create a private fork, apply a fix, deploy your patched version
2. Switch libraries: Evaluate a maintained alternative
3. Mitigate in code: If the vulnerability requires specific conditions, can you eliminate those conditions?
4. Accept the risk: Document why, set a review date, monitor for active exploitation

Example: A library is vulnerable to XXE attacks. You can mitigate by:
csharp
var xmlSettings = new XmlReaderSettings
{
    DtdProcessing = DtdProcessing.Prohibit,
    XmlResolver = null // Disable external entity resolution
};
using var reader = XmlReader.Create(stream, xmlSettings);
var doc = XDocument.Load(reader);

If you mitigate the root cause, the vulnerability is no longer exploitable in your context—but still flag it as "mitigated, not patched" in your scan results.

Question 6

How do I know if a vulnerability affects my specific code?

Accepted Answer

Not all vulnerabilities affect all projects using a library. For example, Newtonsoft.Json's RCE only triggers if you explicitly enable TypeNameHandling = TypeNameHandling.All.

To determine impact:
1. Check the CVE details: Read the full advisory
2. Audit your usage: Search your codebase for the vulnerable code pattern
3. Check configuration: Is the dangerous setting enabled in your config?
4. Test the POC: If a proof-of-concept exists, run it against your app

Example decision tree:

Newtonsoft.Json 11.0.2 detected (CVE-2022-24765)
│
├─ Search codebase: "TypeNameHandling.All" → NOT FOUND
├─ Search config: "TypeNameHandling" → NOT FOUND
└─ Check JsonSerializerSettings defaults → TypeNameHandling.None (safe)

Result: VULNERABILITY PRESENT BUT NOT EXPLOITABLE
Action: Still upgrade (defense in depth), but not emergency-level