Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dotnet list package --vulnerable uses AuditSources #6237

Open
wants to merge 11 commits into
base: dev
Choose a base branch
from
Open

Dotnet list package --vulnerable uses AuditSources #6237

wants to merge 11 commits into from

Conversation

Nigusu-Allehu
Copy link
Contributor

@Nigusu-Allehu Nigusu-Allehu commented Jan 24, 2025
edited
Loading

Bug

Fixes:

Description

Design Spec: https://github.com/NuGet/Home/blob/dev/accepted/2024/Dotnet-list-package-vulnerable-uses-auditsources.md

I had the following PR, but I could not reopen it after rebasing : #6206

This PR updates dotnet list package --vulnerable to use user configured <AuditSources>.

Currently, the command only looks into <PackageSources> to load vulnerability data. However, with the introduction of NuGet Audit, other commands now support <AuditSources> to specify vulnerability data sources. This PR makes sure dotnet list package --vulnerable is also up to date and supports <AuditSources>

In order to do a manual test, I specified a package that has only one vulnerability data source. That source is only specified as an Audit source. This is what running dotnet list package --vulnerable results in before and after this PR

Before

image

After

image

PR Checklist

@Nigusu-Allehu Nigusu-Allehu self-assigned this Jan 24, 2025
@Nigusu-Allehu Nigusu-Allehu force-pushed the dev-nyenework-dlp-auditsources branch from cb0febb to 8d2c6eb Compare January 24, 2025 21:37
@Nigusu-Allehu Nigusu-Allehu marked this pull request as ready for review January 27, 2025 23:43
@Nigusu-Allehu Nigusu-Allehu requested a review from a team as a code owner January 27, 2025 23:43
nkolev92
nkolev92 reviewed Jan 28, 2025
View reviewed changes
....CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs Outdated Show resolved Hide resolved
test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/ListPackageTests.cs Outdated Show resolved Hide resolved
test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/ListPackageTests.cs Outdated
</Project>";

// Define the content for assets.json
var assetsContent = @"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use resources for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you please elaborate what you meant by resources?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A file like the following: https://github.com/NuGet/NuGet.Client/tree/dev/test/NuGet.Core.Tests/NuGet.Commands.Test/compiler/resources instead of hard coding everything within the test.

test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/ListPackageTests.cs Outdated
}
}
}";
if (!Directory.Exists(projectFolder))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar feedback on the reability of the tests, consider whether these are needed or if there's a better way to priming all this data.

Does the project structure really matter?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback. I have cleaned up the tests to make them more readable. Please let me know if you have more suggestions

@Nigusu-Allehu Nigusu-Allehu force-pushed the dev-nyenework-dlp-auditsources branch from 9e32cfa to 8a89814 Compare January 29, 2025 22:20
jeffkl
jeffkl previously approved these changes Jan 29, 2025
View reviewed changes
@Nigusu-Allehu Nigusu-Allehu force-pushed the dev-nyenework-dlp-auditsources branch from 8a89814 to c04b00f Compare January 31, 2025 18:02
nkolev92
nkolev92 reviewed Jan 31, 2025
View reviewed changes
.../NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommand.cs Outdated Show resolved Hide resolved
....CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs
{
projectModel.AddProjectInformation(ProblemType.Error, ex.Message);
await GetVulnerabilitiesFromAuditSourcesAsync(listPackageArgs, listPackageReportModel, projectModel, frameworks);
return;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This return seems like a bug.
When we use vulnerability from audit sources, we return and we don't print packages later one.

This should probably be an if/else.

btw, if I'm right and this is a bug, it'd be great to ensure we have a test that would've caught this scenario.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code at

NuGet.Client/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs

Line 140 in fa6bd36

bool printPackages = FilterPackages(frameworks, listPackageArgs);
is responsible for filtering out packages that should not be printed.

For example, when using --vulnerable, it removes packages that do not have any reported vulnerabilities.

However, the actual printing occurs at a higher level in the execution flow:

NuGet.Client/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs

Line 40 in fa6bd36

reportRenderer.Render(reportModel);

In the new implementation, when retrieving vulnerabilities from AuditSources, only vulnerable packages are added. As a result, there's no need to execute additional filtering logic to remove non-vulnerable packages.

Thus, the printPackages check is redundant because GetVulnerabilitiesFromAuditSourcesAsync only adds vulnerable packages.

....CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs Outdated Show resolved Hide resolved
....CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs Outdated Show resolved Hide resolved
test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/ListPackageTests.cs Outdated Show resolved Hide resolved
test/NuGet.Core.FuncTests/NuGet.XPlat.FuncTest/ListPackageTests.cs Outdated
</Project>";

// Define the content for assets.json
var assetsContent = @"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A file like the following: https://github.com/NuGet/NuGet.Client/tree/dev/test/NuGet.Core.Tests/NuGet.Commands.Test/compiler/resources instead of hard coding everything within the test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeffkl jeffkl jeffkl left review comments

@zivkan zivkan Awaiting requested review from zivkan

@jebriede jebriede Awaiting requested review from jebriede

@nkolev92 nkolev92 Awaiting requested review from nkolev92

At least 1 approving review is required to merge this pull request.

Assignees

@Nigusu-Allehu Nigusu-Allehu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Nigusu-Allehu @nkolev92 @jebriede @jeffkl