-
Notifications
You must be signed in to change notification settings - Fork 464
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable NuGet Audit #6303
base: main
Are you sure you want to change the base?
Enable NuGet Audit #6303
Conversation
Contributes to dotnet/arcade#15019 @joperezr we recommend also setting the following WarningsNotAsErrors property so that local dev builds / PRs don't stop working on a Patch Tuesday: https://github.com/dotnet/arcade/blob/964e434191bd3ca5675743d08ff742ec0f1e79a9/Directory.Build.props#L17-L18 It's important to keep this enabled for official builds though. |
@@ -34,6 +34,8 @@ | |||
|
|||
<DashboardPublishedArtifactsOutputDir>$([MSBuild]::NormalizeDirectory('$(ArtifactsDir)', 'DashboardArtifacts', '$(Configuration)'))</DashboardPublishedArtifactsOutputDir> | |||
<WorkloadsPackageSource>$(ArtifactsShippingPackagesDir)</WorkloadsPackageSource> | |||
<!-- Only upgrade NuGetAudit warnings to errors for official builds. --> | |||
<WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a way to alert the team, or a subset of the team, when an OfficialBuild fails?
Maybe this shouldn't be based on OfficialBuild, but instead in our rolling CI build? For sure I don't want PRs to start failing on the day a security release comes out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Along those lines.... this PR is failing due to NU1903
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We just found out that there's an underlying msbuild bug which ignores WarningsNotAsErrors when operating on solution files. See https://teams.microsoft.com/l/message/19:[email protected]/1728680077070?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=4ba7372f-2799-4677-89f0-7a1aaea3706c&parentMessageId=1728680077070&teamName=.NET%20Developer%20Experience&channelName=MSBuild&createdTime=1728680077070 for more details
Here's the workaround that you would need to add meanwhile: https://github.com/dotnet/templating/pull/8451/files#diff-f428536807848d69e9884e86523c06dc1b05d1b281dadd8dd4c3a6d413171519
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The workaround doesn't work. I would hold this PR off for a few days until we reach consensus on how to react to the msbuild bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like understanding why WarningsNotAsErrors doesn't correctly work with solutions will take longer. If things work for you I would not block this PR on it. You always have the option to turn NuGet Audit on/off if something doesn't work. You can NoWarn individual nuget warnings, suppress specific vulerability reports and/or disable NuGet Audit entirely.
As this feature is enabled by default for our customers starting with .NET 8.0.2xx and .NET 9, please give this a try and give feedback back to the NuGet team and me/us in the Arcade issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should merge this change until it doesn't fail PRs. Getting all our PRs (and local builds) broken when someone marks a NuGet package as vulnerable isn't a good situation to be in.
Co-authored-by: Eric Erhardt <[email protected]>
FYI - #6319 should fix the current failure in this PR - transitively referencing Microsoft.Extensions.Caching.Memory 8.0.0. I've pushed that chagne to this branch as well. |
Description
Enabling NuGet Audit so that our build can catch issues when one of our dependencies is marked as vulnerable, so we are able to pin to a higher version in order to lift the dependency out of the vulnerability.
Checklist
<remarks />
and<code />
elements on your triple slash comments?Microsoft Reviewers: Open in CodeFlow