Enable NuGet audit #75049
Enable NuGet audit #75049
Conversation
This enables NuGet audit using the audit sources from nuget.org. This is the standard that is being pushed into all of our repositories. The end result is that we will get early warning on CVE and won't need to wait until CG scans on our scheduled builds reveal them. I've set this up so that it warns not errors. That is deliberate because the audit warnings are asynchronous. Setting them up as errors would mean that builds, which were passing one minute, could start failing the next t. A warning here feels like the right balance but we can experiment and see how it goes. Related dotnet/arcade#15019
dotnet-issue-labeler
bot
added
Area-Compilers
untriaged
| and then potentially fail on the next. This is meant to be an early warning system, not a | ||
| random CI failure generator. | ||
| --> | ||
| <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> |
There was a problem hiding this comment.
Looks like this doesn't work, CI is failing with NU1903 :)
There was a problem hiding this comment.
Yes I know. It's quite frustrating. Trying to understand why that is happening.
| @@ -16,6 +16,14 @@ | |||
| <!-- TODO: https://github.com/dotnet/roslyn/issues/71667 --> | |||
| <NoWarn>$(NoWarn);NU1507</NoWarn> | |||
|
|
|||
| <!-- | |||
| Do not error on NuGet audit warnings. These are warnings that are introduced asynchronously as | |||
| new vulnerabilities are discovered. Having these as errors means that CI would pass on on job, | |||
| @@ -163,7 +163,7 @@ public static ImmutableArray<byte> HexToByte(ReadOnlySpan<char> input) | |||
|
|
|||
| return ImmutableCollectionsMarshal.AsImmutableArray(bytes); | |||
|
|
|||
| byte parseByte(ReadOnlySpan<char> input, NumberStyles numberStyle) | |||
| static byte parseByte(ReadOnlySpan<char> input, NumberStyles numberStyle) | |||
There was a problem hiding this comment.
I don't have any objection, but this change (and the one in Silverlight.cs) are unexpected in this PR. Just want to confirm these were intentional
There was a problem hiding this comment.
It was intentional. It's a follow up comment from a previous PR that I forgot to merge.
jaredpar
dismissed
jjonescz’s stale review
There were issues with this PR i did'n tsee locally
|
Reverting to draft as there were a number of audit warnings. There is an up to date check issue in NuGet / MSBuild that caused me to see no errors locally and believe we were clean. This PR showed me there was still work left. Dealing with that locally and will update this PR In a bit. |
This enables NuGet audit using the audit sources from nuget.org. This is the standard that is being pushed into all of our repositories. The end result is that we will get early warning on CVE and won't need to wait until CG scans on our scheduled builds reveal them.
I've set this up so that it warns not errors. That is deliberate because the audit warnings are asynchronous. Setting them up as errors would mean that builds, which were passing one minute, could start failing the next t. A warning here feels like the right balance but we can experiment and see how it goes.
Related dotnet/arcade#15019