Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

The addition of audit sources does not change audit results #13780

Open
jaredpar opened this issue Sep 11, 2024 · 0 comments
Open

The addition of audit sources does not change audit results #13780

jaredpar opened this issue Sep 11, 2024 · 0 comments
Labels
Area:NuGetAudit Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug

Comments

@jaredpar
Copy link

NuGet Product Used

dotnet.exe

Product Version

9.0.100-preview.7.24407.12

Worked before?

No

Impact

It's more difficult to complete my work

Repro Steps & Context

When the auditSources is changed in a NuGet.config this does not invalidate previous restores. That means even when you explicitly add nuget.org and re-run dotnet restore it does not actually do a restore thus the new audit source is not considered and the build produces false negatives. he only way I've found to force it to re-restore is to delete the obj directories so that restore has to run.

To reproduce:

> dotnet new console
> cp ../NuGet.config . (see below) 
> dotnet add package Microsoft.Build.Tasks.Core
> dotnet build

Now edit the NuGet.config to add the following audit sources

  <auditSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>

At this point restores should be firing for a CVE against System.Formats.Asn1 but if you run restore nothing is reported.

> dotnet restore
Restore complete (0.2s)

Build succeeded in 0.5s

To get the NU1903 to trigger you have to explicitly delete the obj directory

> rm -re -fo obj
> dotnet restore
Restore succeeded with 1 warning(s) in 0.4s
    C:\Users\jaredpar\temp\console\console.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm

This is the initial NuGet.config to use:

<?xml version="1.0" encoding="utf-8"?>
<!-- Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. See the LICENSE file in the project root for more information. -->
<configuration>
  <packageSources>
    <clear />
    <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
    <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
    <add key="dotnet8" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json" />
    <add key="dotnet9" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json" />
    <add key="dotnet9-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9-transport/nuget/v3/index.json" />
    <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
    <add key="dotnet-libraries" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-libraries/nuget/v3/index.json" />
    <add key="dotnet-libraries-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-libraries-transport/nuget/v3/index.json" />
  </packageSources>
  <disabledPackageSources>
    <clear />
  </disabledPackageSources>
</configuration>

Verbose Logs

No response
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
Area:NuGetAudit Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jaredpar @jeffkl @donnie-msft @Nigusu-Allehu