dotnet list package --vulnerable uses AuditSources

dotnet · Feb 7, 2025 · c73fb63 · c73fb63
1 parent 3b05c5f
commit c73fb63
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/docs/core/tools/dotnet-list-package.md b/docs/core/tools/dotnet-list-package.md
@@ -118,7 +118,7 @@ The project or solution file to operate on. If not specified, the command search
 
 - **`--vulnerable`**
 
-  Lists packages that have known vulnerabilities. Cannot be combined with `--deprecated` or `--outdated` options. Nuget.org is the source of information about vulnerabilities. For more information, see [Vulnerabilities](/nuget/api/registration-base-url-resource) and [How to Scan NuGet Packages for Security Vulnerabilities](https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/).
+  Lists packages that have known vulnerabilities. Cannot be combined with `--deprecated` or `--outdated` options. Use the `<AuditSources>` property in your configuration file to specify your source of vulnerabilities. If `<AuditSources>` have not been specified, your `<PackageSources>` will be used for loading vulnerability data. For more information, see [Vulnerabilities](/nuget/api/registration-base-url-resource) and [How to Scan NuGet Packages for Security Vulnerabilities](https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/).
 
 - **`--format <console|json>`**