Proj0303: Define a mapping for each package source

Explicit declaration of package source mappings ensures reproducible builds and mitigates the risk of supply chain attacks. The reasoning is that, when multiple sources are configured, by having mappings defined it is unambiguous which source provides which package.

Non-compliant 

<configuration>

  <packageSources>
    <clear />
    <add key="Internal-packages" value="https://pkgs.dev.azure.com/company/_packaging/Components/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>

</configuration>

Compliant 

<configuration>

  <packageSources>
    <clear />
    <add key="Internal-packages" value="https://pkgs.dev.azure.com/company/_packaging/Components/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>

  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="Internal-packages">
      <package pattern="Qowaiv.CodeGeneration" />
      <package pattern="Company.*" />
    </packageSource>
  </packageSourceMapping>

</configuration>

Edit this page on GitHub.