Proj0040: Run NuGet security audits on transitive dependencies too

When enabled, GitHub’s vulnerability database is consulted to check for security issues that come with using any of the referenced packages. By default (this will change for .NET 10 and up) only direct dependencies are taken into consideration. This rule advises to include transitive dependencies too by setting <NuGetAuditMode> to all.

More information: learn.microsoft.com/nuget/concepts/auditing-packages

Non-compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <NuGetAuditMode>Direct</NuGetAuditMode>
  </PropertyGroup>

</Project>

Compliant

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <NuGetAuditMode>All</NuGetAuditMode>
  </PropertyGroup>

</Project>