Introduce auditSourceMapping similar to packageSourceMapping #14832

@drieseng

Description

NuGet Product(s) Involved

dotnet.exe

The Elevator Pitch

To optimize package restore and vulnerability scanning, it would've been great if it were possible to configure audit source mapping similar to the existing package source mapping.

If I have a large set of homebrew packages, there's no use in verifying whether these packages were listed as vulnerable on nuget.org. They are not even listed there anyway.

I propose to allow something like this:

<configuration>
    <packageSources>
        <clear />
        <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
        <add key="whatever" value="https://pkgs.dev.azure.com/whatever/nuget/v3/index.json" />
    </packageSources>
    <packageSourceMapping>
        <packageSource key="nuget.org">
            <package pattern="*" />
        </packageSource>
        <packageSource key="whatever">
            <package pattern="My.Company.*" />
        </packageSource>
    </packageSourceMapping>
    <auditSourceMapping>
        <auditSource key="nuget.org" value="https://api.nuget.org/v3/index.json" />
        <auditSource key="whatever" value="https://my.company/v3/index.json" />
    </auditSourceMapping>
</configuration>

This should improve performance when scanning for vulnerabilities and NuGet could even decide not to fetch vulnerability information from a given audit source if there are no NuGet packages for that audit source.

Additional Context and Details

No response
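The proposal above does not say how a package is matched to an audit source, so the following is an added example (not NuGet code and not part of the issue) that fills that in with one plausible reading: reuse the documented packageSourceMapping rule (case-insensitive, a trailing `*` is a prefix wildcard, the longest matching pattern wins) to decide which package source owns each package, then query only the audit sources that own at least one package. The `auditSourceMapping` element, the `SAMPLE_CONFIG` text and the package IDs are all constructed for this example; the one check a practitioner would add is that a package mapped to a source with no `auditSource` entry is reported rather than silently left unaudited.

```python
"""Hypothetical resolver for the proposed <auditSourceMapping> element.

Added example, not NuGet's implementation. It applies the documented
packageSourceMapping rule (longest matching pattern wins, matching is
case-insensitive, a trailing '*' is a prefix wildcard) to decide which
package source owns each package, then derives the set of audit sources
that actually need to be queried. How auditSourceMapping would be
interpreted is an assumption made here, not something the issue defines.
"""
import xml.etree.ElementTree as ET

# Constructed NuGet.config mirroring the proposal in the issue.
SAMPLE_CONFIG = """<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="whatever" value="https://pkgs.dev.azure.com/whatever/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
    <packageSource key="whatever">
      <package pattern="My.Company.*" />
    </packageSource>
  </packageSourceMapping>
  <auditSourceMapping>
    <auditSource key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <auditSource key="whatever" value="https://my.company/v3/index.json" />
  </auditSourceMapping>
</configuration>"""


def load_mappings(xml_text):
    """Return ([(pattern_lowercase, source_key), ...], {source_key: audit_url})."""
    root = ET.fromstring(xml_text)
    patterns = []
    for ps in root.iterfind("./packageSourceMapping/packageSource"):
        for pkg in ps.iterfind("package"):
            patterns.append((pkg.get("pattern").lower(), ps.get("key")))
    audit = {a.get("key"): a.get("value")
             for a in root.iterfind("./auditSourceMapping/auditSource")}
    return patterns, audit


def pattern_matches(pattern, package_id_lower):
    """'Foo.*' is a prefix match, anything else is an exact match (both lowercase)."""
    if pattern.endswith("*"):
        return package_id_lower.startswith(pattern[:-1])
    return package_id_lower == pattern


def resolve_source(patterns, package_id):
    """Source key owning package_id, or None if no pattern matches.

    The longest (most specific) matching pattern wins, which is how NuGet's
    packageSourceMapping already picks between "*" and "My.Company.*".
    """
    pid = package_id.lower()
    best = None
    for pattern, key in patterns:
        if pattern_matches(pattern, pid) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, key)
    return best[1] if best else None


def plan_audit(xml_text, package_ids):
    """Group packages by the audit URL that should be queried for them.

    Returns (plan, unmapped): plan maps audit URL -> package IDs, so an audit
    source with no owned packages simply never appears and need not be
    fetched; unmapped lists packages whose source has no auditSource entry,
    which a restore should surface instead of silently skipping.
    """
    patterns, audit = load_mappings(xml_text)
    plan = {}
    unmapped = []
    for pid in package_ids:
        key = resolve_source(patterns, pid)
        if key is None or key not in audit:
            unmapped.append(pid)
            continue
        plan.setdefault(audit[key], []).append(pid)
    return plan, unmapped


if __name__ == "__main__":
    plan, unmapped = plan_audit(SAMPLE_CONFIG, ["Newtonsoft.Json", "My.Company.Core"])
    for url, ids in plan.items():
        print(f"query {url} for {ids}")
    print("not auditable:", unmapped)
```

With only `My.Company.*` packages in the graph, the nuget.org audit URL does not appear in the plan at all, which is the skip the issue asks for; a package whose source has no `auditSource` entry is returned in `unmapped` so the gap is visible rather than silently reducing coverage.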
