Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit at restore time must not throw and fail the operation #13085

Closed
nkolev92 opened this issue Dec 13, 2023 · 1 comment · Fixed by NuGet/NuGet.Client#5608
Closed

Audit at restore time must not throw and fail the operation #13085

nkolev92 opened this issue Dec 13, 2023 · 1 comment · Fixed by NuGet/NuGet.Client#5608
Assignees
@zivkan
Labels
Area:NuGetAudit Category:Quality Week Issues that should be considered for quality week Functionality:Restore Priority:2 Issues for the current backlog. Tenet:Reliability Crashes, hangs etc. Type:Bug
Milestone
6.10

Comments

@nkolev92
Copy link
Member

Found this in an activity log:

<description>NuGet.Protocol.Core.Types.FatalProtocolException: Unable to load the service index for source https://pkgs.dev.azure.com/<redacted>/_packaging/<redacted>/nuget/v3/index.json. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized). at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() at NuGet.Protocol.HttpSource.<>c__DisplayClass15_0`1.<<GetAsync>b__0>d.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__5`1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__5`1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Protocol.HttpSource.<GetAsync>d__15`1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.Protocol.ServiceIndexResourceV3Provider.<GetServiceIndexResourceV3>d__11.MoveNext() --- End of inner exception stack trace --- at NuGet.Protocol.ServiceIndexResourceV3Provider.<GetServiceIndexResourceV3>d__11.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Protocol.ServiceIndexResourceV3Provider.<TryCreate>d__10.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__16`1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Protocol.Providers.VulnerabilityInfoResourceV3Provider.<TryCreate>d__1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__16`1.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.VulnerabilityInformationProvider.<GetVulnerabilityInfoAsync>d__5.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.VulnerabilityInformationProvider.<GetVulnerabilityInformationAsync>d__4.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.Restore.Utility.AuditUtility.<GetAllVulnerabilityDataAsync>d__83.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.Restore.Utility.AuditUtility.<CheckPackageVulnerabilitiesAsync>d__77.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.RestoreCommand.<PerformAuditAsync>d__69.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.RestoreCommand.<ExecuteAsync>d__68.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.RestoreRunner.<ExecuteAsync>d__7.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.Commands.RestoreRunner.<ExecuteAndCommitAsync>d__6.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.SolutionRestoreManager.RestoreOperationLogger.<RunWithProgressAsync>d__35.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.SolutionRestoreManager.SolutionRestoreJob.<RestorePackageSpecProjectsAsync>d__26.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.SolutionRestoreManager.SolutionRestoreJob.<RestoreAsync>d__24.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at NuGet.SolutionRestoreManager.SolutionRestoreJob.<RestoreAsync>d__24.MoveNext() --- 
End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at NuGet.SolutionRestoreManager.SolutionRestoreJob.<ExecuteAsync>d__23.MoveNext()</description>

If you follow the stack trace, you'll see that the throw is happening in restore command project level and throwing all the way to the solution restore job.

I think the original idea behind this was a warning NU1900, https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1900, but we should consider whether need to differentiate between a source being inaccessible altogether and a source not supporting vulnerabilities.

IMO, we should not log a warning if we can't access the feed altogether, as that'd be surfaced by other means potentially, but that would break some scenarios, so maybe we log a min message instead in that case?
We should log an NU1900 warning if the source has vulnerabilities and they're broken for any reason.

cc @zivkan thoughts?
@nkolev92
Copy link
Member Author

Note that this should probably lead to some changes in the solution restore job as well, since it shouldn't throw and write in the acitvity log. There's a chance that it didn't throw but just wrote to the acitvity log, but the idea stands that the whole stack needs to be more resilient.

@jeffkl jeffkl added Priority:2 Issues for the current backlog. Category:Quality Week Issues that should be considered for quality week labels Dec 14, 2023
@zivkan zivkan mentioned this issue Jan 24, 2024
Merged
8 tasks
@zivkan zivkan self-assigned this Jan 24, 2024
@zivkan zivkan mentioned this issue Jan 24, 2024
Open
@jgonz120 jgonz120 added this to the 6.10 milestone Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zivkan zivkan

Labels
Area:NuGetAudit Category:Quality Week Issues that should be considered for quality week Functionality:Restore Priority:2 Issues for the current backlog. Tenet:Reliability Crashes, hangs etc. Type:Bug
Projects
None yet
Milestone
6.10
Development

Successfully merging a pull request may close this issue.

NuGetAudit must not cause restore to fail NuGet/NuGet.Client
4 participants
@nkolev92 @zivkan @jgonz120 @jeffkl