Enable NuGet Audit #6303
Enable NuGet Audit #6303
Conversation
joperezr
requested review from
radical,
sebastienros,
ViktorHofer,
eerhardt and
ericstj
|
Contributes to dotnet/arcade#15019 @joperezr we recommend also setting the following WarningsNotAsErrors property so that local dev builds / PRs don't stop working on a Patch Tuesday: https://github.com/dotnet/arcade/blob/964e434191bd3ca5675743d08ff742ec0f1e79a9/Directory.Build.props#L17-L18 It's important to keep this enabled for official builds though. |
| @@ -34,6 +34,8 @@ | |||
|
|
|||
| <DashboardPublishedArtifactsOutputDir>$([MSBuild]::NormalizeDirectory('$(ArtifactsDir)', 'DashboardArtifacts', '$(Configuration)'))</DashboardPublishedArtifactsOutputDir> | |||
| <WorkloadsPackageSource>$(ArtifactsShippingPackagesDir)</WorkloadsPackageSource> | |||
| <!-- Only upgrade NuGetAudit warnings to errors for official builds. --> | |||
| <WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> | |||
There was a problem hiding this comment.
Do we have a way to alert the team, or a subset of the team, when an OfficialBuild fails?
Maybe this shouldn't be based on OfficialBuild, but instead in our rolling CI build? For sure I don't want PRs to start failing on the day a security release comes out.
There was a problem hiding this comment.
Along those lines.... this PR is failing due to NU1903
There was a problem hiding this comment.
We just found out that there's an underlying msbuild bug which ignores WarningsNotAsErrors when operating on solution files. See https://teams.microsoft.com/l/message/19:[email protected]/1728680077070?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=4ba7372f-2799-4677-89f0-7a1aaea3706c&parentMessageId=1728680077070&teamName=.NET%20Developer%20Experience&channelName=MSBuild&createdTime=1728680077070 for more details
Here's the workaround that you would need to add meanwhile: https://github.com/dotnet/templating/pull/8451/files#diff-f428536807848d69e9884e86523c06dc1b05d1b281dadd8dd4c3a6d413171519
There was a problem hiding this comment.
The workaround doesn't work. I would hold this PR off for a few days until we reach consensus on how to react to the msbuild bug.
There was a problem hiding this comment.
Looks like understanding why WarningsNotAsErrors doesn't correctly work with solutions will take longer. If things work for you I would not block this PR on it. You always have the option to turn NuGet Audit on/off if something doesn't work. You can NoWarn individual nuget warnings, suppress specific vulerability reports and/or disable NuGet Audit entirely.
As this feature is enabled by default for our customers starting with .NET 8.0.2xx and .NET 9, please give this a try and give feedback back to the NuGet team and me/us in the Arcade issue.
There was a problem hiding this comment.
I don't think we should merge this change until it doesn't fail PRs. Getting all our PRs (and local builds) broken when someone marks a NuGet package as vulnerable isn't a good situation to be in.
Co-authored-by: Eric Erhardt <[email protected]>
|
FYI - #6319 should fix the current failure in this PR - transitively referencing Microsoft.Extensions.Caching.Memory 8.0.0. I've pushed that chagne to this branch as well. |
joperezr
added
the
NO-MERGE
Description
Enabling NuGet Audit so that our build can catch issues when one of our dependencies is marked as vulnerable, so we are able to pin to a higher version in order to lift the dependency out of the vulnerability.
Checklist
<remarks />and<code />elements on your triple slash comments?Microsoft Reviewers: Open in CodeFlow