Proj0301: Clear previously defined package sources

Explicit declaration of all package sources ensures reproducible builds and mitigates the risk of supply chain attacks. no package sources should be inherited from globally defined sources that could contain malicious sources. By adding <clear />, all previously defined sources are removed.

Non-compliant 

 <configuration>
  <packageSources>
    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>

Compliant 

 <configuration>
  <packageSources>
    <clear />
    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>

Edit this page on GitHub.