
Enable NuGet auditing (#30)
* Enable NuGet auditing

* Add link to documentation

* Update readme

* Update readme

* Add conditions
meziantou authored Jul 15, 2024
1 parent b81fdf8 commit d5fecb9
Showing 4 changed files with 79 additions and 1 deletion.
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -97,6 +97,12 @@ All rules included in this package **can be disabled or modified** in an `.edito
dotnet_diagnostic.CA2200.severity = none
````

- Disable [NuGet auditing](https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages?WT.mc_id=DT-MVP-5003978) for a specific package
````xml
<PackageReference Include="System.Formats.Asn1" Version="8.0.0" NoWarn="NU1903" />
````

> [!WARNING]
> Remember that this should be a temporary solution to help adopting the package

19 changes: 19 additions & 0 deletions src/build/Workleap.DotNet.CodingStandards.props
Expand Up @@ -29,4 +29,23 @@
<!-- GenerateDocumentationFile must be set to true for IDE0005 (Remove unnecessary usings/imports) to work -->
<GenerateDocumentationFile Condition="'$(GenerateDocumentationFile)' == ''">true</GenerateDocumentationFile>
</PropertyGroup>

<PropertyGroup>
<!-- Enable NuGet package auditing -->
<!-- https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages -->
<NuGetAudit Condition="'$(NuGetAudit)' == ''">true</NuGetAudit>

<!-- Audit direct and transitive packages -->
<NuGetAuditMode Condition="'$(NuGetAuditMode)' == ''">all</NuGetAuditMode>

<!-- Report low, moderate, high and critical advisories -->
<NuGetAuditLevel Condition="'$(NuGetAuditLevel)' == ''">low</NuGetAuditLevel>

<NuGetAuditTreatWarningsAsErrors Condition="('$(NuGetAuditTreatWarningsAsErrors)' == '') AND ($(ContinuousIntegrationBuild) == 'true' OR '$(Configuration)' == 'Release')">true</NuGetAuditTreatWarningsAsErrors>

<!-- Fails the build on CI or on release when a vulnerability is detected -->
<WarningsAsErrors Condition="$(NuGetAuditTreatWarningsAsErrors) == 'true'">
(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
</WarningsAsErrors>
</PropertyGroup>
</Project>
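Review bot: The conditions on `NuGetAuditTreatWarningsAsErrors` and `WarningsAsErrors` leave `$(ContinuousIntegrationBuild)` and `$(NuGetAuditTreatWarningsAsErrors)` unquoted while every other property in this file is compared as `'$(X)' == '...'`; quoting them the same way, `'$(ContinuousIntegrationBuild)' == 'true'` and `Condition="'$(NuGetAuditTreatWarningsAsErrors)' == 'true'"`, keeps the style consistent and avoids relying on MSBuild's handling of an empty unquoted operand. The value `(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904` appears to lack the `$` before `(WarningsAsErrors)`; if that is the committed text rather than a rendering artefact, any WarningsAsErrors list already configured by the consumer is replaced instead of extended and a literal token is passed to the compiler. Since a .props file is evaluated before the consuming project's own body, a `Configuration` set inside that project's PropertyGroup is presumably not visible to the `'$(Configuration)' == 'Release'` test here — only a global value such as the `--configuration Release` the tests pass — so a comment stating that assumption would help, e.g. `<!-- Configuration is only reliable here when supplied as a global property (dotnet build -c Release) -->`.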
53 changes: 53 additions & 0 deletions tests/Workleap.DotNet.CodingStandards.Tests/CodingStandardTests.cs
Expand Up @@ -99,4 +99,57 @@ class Sample
Assert.False(data.HasError("IDE1006"));
Assert.False(data.HasWarning("IDE1006"));
}

[Fact]
public async Task ReportVulnerablePackage_Release_ShouldReportError()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
Assert.True(data.HasError("NU1903"));
}

[Fact]
public async Task ReportVulnerablePackage_Debug_ShouldReportWarning()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Debug"]);
Assert.False(data.HasError("NU1903"));
Assert.True(data.HasWarning("NU1903"));
}
[Fact]
public async Task ReportVulnerablePackage_DisabledWarningOnPackage()
{
using var project = new ProjectBuilder(fixture, testOutputHelper);
project.AddFile("test.csproj", $"""
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>exe</OutputType>
<TargetFramework>net$(NETCoreAppMaximumVersion)</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<ErrorLog>{ProjectBuilder.SarifFileName},version=2.1</ErrorLog>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Workleap.DotNet.CodingStandards" Version="*" />
<PackageReference Include="System.Text.Json" Version="8.0.1" NoWarn="NU1903" />
</ItemGroup>
</Project>
""");

project.AddFile("sample.cs", """
Console.WriteLine();
""");
var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
Assert.False(data.HasError("NU1903"));
Assert.False(data.HasWarning("NU1903"));
}
}
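Review bot: The three new tests (ReportVulnerablePackage_Release_ShouldReportError, ReportVulnerablePackage_Debug_ShouldReportWarning, ReportVulnerablePackage_DisabledWarningOnPackage) depend on the NuGet vulnerability data being reachable during restore and on the advisory for System.Text.Json 8.0.1 still being published; when that data cannot be fetched NuGet reports NU1900 rather than NU1903, so the `HasError("NU1903")` / `HasWarning("NU1903")` assertions would fail without pointing at the cause. A comment above the first of them, such as `// Requires network access: NU1903 comes from the package source's vulnerability data for System.Text.Json 8.0.1`, would make that dependency explicit, and asserting `Assert.False(data.HasWarning("NU1900"));` / `Assert.False(data.HasError("NU1900"));` before the NU1903 checks would surface the real failure. There is also no blank line between the closing brace of ReportVulnerablePackage_Debug_ShouldReportWarning and the following `[Fact]`, unlike the other members in this file.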
Expand Up @@ -8,7 +8,7 @@ namespace Workleap.DotNet.CodingStandards.Tests.Helpers;

internal sealed class ProjectBuilder : IDisposable
{
private const string SarifFileName = "BuildOutput.sarif";
public const string SarifFileName = "BuildOutput.sarif";

private readonly TemporaryDirectory _directory;
private readonly ITestOutputHelper _testOutputHelper;
