Enable NuGet auditing

src/build/Workleap.DotNet.CodingStandards.props

@@ -29,4 +29,20 @@
     <!-- GenerateDocumentationFile must be set to true for IDE0005 (Remove unnecessary usings/imports) to work -->
     <GenerateDocumentationFile Condition="'$(GenerateDocumentationFile)' == ''">true</GenerateDocumentationFile>
   </PropertyGroup>
+
+   <PropertyGroup>
+        <!-- Enable NuGet package auditing -->
+        <NuGetAudit>true</NuGetAudit>
+
+        <!-- Audit direct and transitive packages -->
+        <NuGetAuditMode>all</NuGetAuditMode>
+
+        <!-- Report low, moderate, high and critical advisories -->
+        <NuGetAuditLevel>low</NuGetAuditLevel>
+
+        <!-- Fails the build on CI or on release when a vulnerability is detected -->
+        <WarningsAsErrors Condition="$(ContinuousIntegrationBuild) == 'true' OR '$(Configuration)' == 'Release'">
+            (WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
+        </WarningsAsErrors>
+    </PropertyGroup>
 </Project>

tests/Workleap.DotNet.CodingStandards.Tests/CodingStandardTests.cs

@@ -99,4 +99,57 @@ class Sample
         Assert.False(data.HasError("IDE1006"));
         Assert.False(data.HasWarning("IDE1006"));
     }
+
+    [Fact]
+    public async Task ReportVulnerablePackage_Release_ShouldReportError()
+    {
+        using var project = new ProjectBuilder(fixture, testOutputHelper);
+        project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
+        project.AddFile("sample.cs", """
+            Console.WriteLine();
+            """);
+        var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
+        Assert.True(data.HasError("NU1903"));
+    }
+
+    [Fact]
+    public async Task ReportVulnerablePackage_Debug_ShouldReportWarning()
+    {
+        using var project = new ProjectBuilder(fixture, testOutputHelper);
+        project.AddCsprojFile(packageReferences: new Dictionary<string, string> { { "System.Text.Json", "8.0.1" } });
+        project.AddFile("sample.cs", """
+            Console.WriteLine();
+            """);
+        var data = await project.BuildAndGetOutput(["--configuration", "Debug"]);
+        Assert.False(data.HasError("NU1903"));
+        Assert.True(data.HasWarning("NU1903"));
+    }
+    [Fact]
+    public async Task ReportVulnerablePackage_DisabledWarningOnPackage()
+    {
+        using var project = new ProjectBuilder(fixture, testOutputHelper);
+        project.AddFile("test.csproj", $"""
+                <Project Sdk="Microsoft.NET.Sdk">
+                  <PropertyGroup>
+                    <OutputType>exe</OutputType>
+                    <TargetFramework>net$(NETCoreAppMaximumVersion)</TargetFramework>
+                    <ImplicitUsings>enable</ImplicitUsings>
+                    <Nullable>enable</Nullable>
+                    <ErrorLog>{ProjectBuilder.SarifFileName},version=2.1</ErrorLog>
+                  </PropertyGroup>
+
+                  <ItemGroup>
+                    <PackageReference Include="Workleap.DotNet.CodingStandards" Version="*" />
+                    <PackageReference Include="System.Text.Json" Version="8.0.1" NoWarn="NU1903" />
+                  </ItemGroup>
+                </Project>
+                """);
+
+        project.AddFile("sample.cs", """
+            Console.WriteLine();
+            """);
+        var data = await project.BuildAndGetOutput(["--configuration", "Release"]);
+        Assert.False(data.HasError("NU1903"));
+        Assert.False(data.HasWarning("NU1903"));
+    }
 }

tests/Workleap.DotNet.CodingStandards.Tests/Helpers/ProjectBuilder.cs

@@ -8,7 +8,7 @@ namespace Workleap.DotNet.CodingStandards.Tests.Helpers;
 
 internal sealed class ProjectBuilder : IDisposable
 {
-    private const string SarifFileName = "BuildOutput.sarif";
+    public const string SarifFileName = "BuildOutput.sarif";
 
     private readonly TemporaryDirectory _directory;
     private readonly ITestOutputHelper _testOutputHelper;