

Enable NuGet auditing
meziantou committed Jul 15, 2024
1 parent b81fdf8 commit 0baa240
Showing 3 changed files with 71 additions and 1 deletion.
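--- a/src/build/Workleap.DotNet.CodingStandards.props
+++ b/src/build/Workleap.DotNet.CodingStandards.props
@@ -29,4 +29,20 @@
 <!-- GenerateDocumentationFile must be set to true for IDE0005 (Remove unnecessary usings/imports) to work -->
 <GenerateDocumentationFile Condition="'$(GenerateDocumentationFile)' == ''">true</GenerateDocumentationFile>
 </PropertyGroup>
+
+<PropertyGroup>
+<!-- Enable NuGet package auditing -->
+<NuGetAudit>true</NuGetAudit>
+
+<!-- Audit direct and transitive packages -->
+<NuGetAuditMode>all</NuGetAuditMode>
+
+<!-- Report low, moderate, high and critical advisories -->
+<NuGetAuditLevel>low</NuGetAuditLevel>
+
+<!-- Fails the build on CI or on release when a vulnerability is detected -->
+<WarningsAsErrors Condition="$(ContinuousIntegrationBuild) == 'true' OR '$(Configuration)' == 'Release'">
+(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
+</WarningsAsErrors>
+</PropertyGroup>
 </Project>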
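Review bot: The enforcement on L32–L34 hinges on appending to `WarningsAsErrors`, yet as rendered L33 reads `(WarningsAsErrors);NU1900;…` with no `$`, which would replace any earlier value with a literal token instead of appending to it; if that is the committed text and not a rendering artifact, it should read `$(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904`. Independently, if this .props ships in the package's build/ folder it is evaluated before the consuming project's body, so a consumer that declares its own `<WarningsAsErrors>` silently overwrites this list and the audit falls back to warning-only on CI; appending from a .targets file, or at least stating the precedence in the comment, would close that gap. The audit also only covers advisories the configured package sources report and only runs during restore, so a build with `--no-restore`, or a restore against a feed that exposes no vulnerability data, stays green — worth recording in the L22 comment, e.g. `<!-- Enable NuGet package auditing (runs at restore time; coverage depends on the package source providing vulnerability data) -->`. Minor: L32 quotes `'$(Configuration)'` but leaves `$(ContinuousIntegrationBuild)` unquoted; quoting both keeps the condition parseable for any value.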
54 changes: 54 additions & 0 deletions tests/Workleap.DotNet.CodingStandards.Tests/CodingStandardTests.cs
Expand Up @@ -99,4 +99,58 @@ class Sample
Assert.False(data.HasError("IDE1006"));
Assert.False(data.HasWarning("IDE1006"));
}

[Fact]
public async Task ReportVulnerablePackage_Release_ShouldReportError()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
Assert.True(data.HasError("NU1903"));
}

[Fact]
public async Task ReportVulnerablePackage_Debug_ShouldReportWarning()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Debug"]);
Assert.False(data.HasError("NU1903"));
Assert.True(data.HasWarning("NU1903"));
}
[Fact]
public async Task ReportVulnerablePackage_DisabledWarningOnPackage()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "", "8.0.1" } });
project.AddFile("test.csproj", $"""
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>exe</OutputType>
<TargetFramework>net$(NETCoreAppMaximumVersion)</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<ErrorLog>{ProjectBuilder.SarifFileName},version=2.1</ErrorLog>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Workleap.DotNet.CodingStandards" Version="*" />
<PackageReference Include="System.Text.Json" Version="8.0.1" NoWarn="NU1903" />
</ItemGroup>
</Project>
""");

project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
Assert.False(data.HasError("NU1903"));
Assert.False(data.HasWarning("NU1903"));
}
}
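Review bot: The `AddCsprojFile` call on L72 passes an empty package name and is then, as far as the helper appears to write the same `test.csproj`, overwritten wholesale by the `AddFile("test.csproj", …)` on L73, so it is dead and misleading setup; dropping L72, or passing the real `System.Text.Json` reference if the helper can emit `NoWarn`, would make the intent clear. All three tests also hard-code `System.Text.Json` `8.0.1` as the known-vulnerable fixture and rely on the live advisory feed, so an unreachable package source or a withdrawn advisory makes them fail on `NU1900` or a missing `NU1903` rather than on a regression in the props; a shared constant such as `private const string VulnerablePackageVersion = "8.0.1"; // carries a high-severity (NU1903) advisory at time of writing` plus a comment naming the network dependency would make that explicit. The missing blank line between L67 and L68 is a style nit. The enclosing test class starts before this hunk.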
Expand Up @@ -8,7 +8,7 @@ namespace Workleap.DotNet.CodingStandards.Tests.Helpers;

internal sealed class ProjectBuilder : IDisposable
{
private const string SarifFileName = "BuildOutput.sarif";
public const string SarifFileName = "BuildOutput.sarif";

private readonly TemporaryDirectory _directory;
private readonly ITestOutputHelper _testOutputHelper;
