Merge branch 'dev' into dev-nkolev92-vulnerabilityAPICleanup

src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets

@@ -61,8 +61,6 @@ Copyright (c) .NET Foundation. All rights reserved.
     <GetReferenceNearestTargetFrameworkTaskSupportsTargetPlatformParameter>true</GetReferenceNearestTargetFrameworkTaskSupportsTargetPlatformParameter>
     <!-- Flag if the Central package file is enabled -->
     <_CentralPackageVersionsEnabled Condition="'$(ManagePackageVersionsCentrally)' == 'true' AND '$(CentralPackageVersionsFileImported)' == 'true'">true</_CentralPackageVersionsEnabled>
-    <!-- NuGetAudit is enabled by default when using the .NET 8 SDK or above. Customers should set 'true', so we'll use 'default' to signal implicit opt-in -->
-    <NuGetAudit Condition=" '$(NuGetAudit)' == '' AND $([MSBuild]::VersionGreaterThanOrEquals($([MSBuild]::ValueOrDefault('$(NETCoreSdkVersion)', '0.0')), '8.0'))">default</NuGetAudit>
   </PropertyGroup>
 
   <PropertyGroup>

src/NuGet.Core/NuGet.Commands/RestoreCommand/RestoreCommand.cs

@@ -303,9 +303,12 @@ await _logger.LogAsync(RestoreLogMessage.CreateWarning(NuGetLogCode.NU1803,
                     });
                 }
 
-                AuditUtility.EnabledValue enableAudit = AuditUtility.ParseEnableValue(_request.Project.RestoreMetadata?.RestoreAuditProperties?.EnableAudit);
+                AuditUtility.EnabledValue enableAudit = AuditUtility.ParseEnableValue(
+                    _request.Project.RestoreMetadata?.RestoreAuditProperties?.EnableAudit,
+                    _request.Project.FilePath,
+                    _logger);
                 telemetry.TelemetryEvent[AuditEnabled] = AuditUtility.GetString(enableAudit);
-                if (enableAudit == AuditUtility.EnabledValue.ImplicitOptIn || enableAudit == AuditUtility.EnabledValue.ExplicitOptIn)
+                if (enableAudit != AuditUtility.EnabledValue.ExplicitOptOut)
                 {
                     await PerformAuditAsync(enableAudit, graphs, telemetry, token);
                 }

src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs

@@ -22,7 +22,7 @@ namespace NuGet.Commands.Restore.Utility
     internal class AuditUtility
     {
         private readonly EnabledValue _auditEnabled;
-        private readonly ProjectModel.RestoreAuditProperties _restoreAuditProperties;
+        private readonly ProjectModel.RestoreAuditProperties? _restoreAuditProperties;
         private readonly string _projectFullPath;
         private readonly IEnumerable<RestoreTargetGraph> _targetGraphs;
         private readonly IReadOnlyList<IVulnerabilityInformationProvider> _vulnerabilityInfoProviders;
@@ -49,7 +49,7 @@ internal class AuditUtility
 
         public AuditUtility(
             EnabledValue auditEnabled,
-            ProjectModel.RestoreAuditProperties restoreAuditProperties,
+            ProjectModel.RestoreAuditProperties? restoreAuditProperties,
             string projectFullPath,
             IEnumerable<RestoreTargetGraph> graphs,
             IReadOnlyList<IVulnerabilityInformationProvider> vulnerabilityInformationProviders,
@@ -366,7 +366,7 @@ private static (string severityLabel, NuGetLogCode code) GetSeverityLabelAndCode
 
         private PackageVulnerabilitySeverity ParseAuditLevel()
         {
-            string? auditLevel = _restoreAuditProperties.AuditLevel?.Trim();
+            string? auditLevel = _restoreAuditProperties?.AuditLevel?.Trim();
 
             if (auditLevel == null)
             {
@@ -402,7 +402,7 @@ internal enum NuGetAuditMode { Unknown, Direct, All }
         // Enum parsing and ToString are a magnitude of times slower than a naive implementation. 
         private NuGetAuditMode ParseAuditMode()
         {
-            string? auditMode = _restoreAuditProperties.AuditMode?.Trim();
+            string? auditMode = _restoreAuditProperties?.AuditMode?.Trim();
 
             if (auditMode == null)
             {
@@ -426,16 +426,16 @@ private NuGetAuditMode ParseAuditMode()
 
         internal enum EnabledValue
         {
-            Undefined,
+            Invalid,
             ImplicitOptIn,
             ExplicitOptIn,
             ExplicitOptOut
         }
 
         // Enum parsing and ToString are a magnitude of times slower than a naive implementation.
-        public static EnabledValue ParseEnableValue(string value)
+        public static EnabledValue ParseEnableValue(string? value, string projectFullPath, ILogger logger)
         {
-            if (string.Equals(value, "default", StringComparison.OrdinalIgnoreCase))
+            if (string.IsNullOrEmpty(value) || string.Equals(value, "default", StringComparison.OrdinalIgnoreCase))
             {
                 return EnabledValue.ImplicitOptIn;
             }
@@ -449,15 +449,20 @@ public static EnabledValue ParseEnableValue(string value)
             {
                 return EnabledValue.ExplicitOptOut;
             }
-            return EnabledValue.Undefined;
+
+            string messageText = string.Format(Strings.Error_InvalidNuGetAuditValue, value, "true, false");
+            RestoreLogMessage message = RestoreLogMessage.CreateError(NuGetLogCode.NU1014, messageText);
+            message.ProjectPath = projectFullPath;
+            logger.Log(message);
+            return EnabledValue.Invalid;
         }
 
         // Enum parsing and ToString are a magnitude of times slower than a naive implementation.
         internal static string GetString(EnabledValue enableAudit)
         {
             return enableAudit switch
             {
-                EnabledValue.Undefined => nameof(EnabledValue.Undefined),
+                EnabledValue.Invalid => nameof(EnabledValue.Invalid),
                 EnabledValue.ExplicitOptIn => nameof(EnabledValue.ExplicitOptIn),
                 EnabledValue.ExplicitOptOut => nameof(EnabledValue.ExplicitOptOut),
                 EnabledValue.ImplicitOptIn => nameof(EnabledValue.ImplicitOptIn),

src/NuGet.Core/NuGet.Commands/Strings.resx

@@ -1069,7 +1069,7 @@ Non-HTTPS access will be removed in a future version. Consider migrating to 'HTT
 {3} - URL for more info on the known vulnerability</comment>
   </data>
   <data name="Error_InvalidNuGetAuditLevelValue" xml:space="preserve">
-    <value>Invalid NuGetAuditLevel value '{0}'. Expected values: {1}</value>
+    <value>Invalid NuGetAuditLevel value '{0}'. Valid values: {1}</value>
     <comment>Don't translate 'NuGetAuditLevel'
 {0} - is the value from the customer's project file
 {1} is the list of valid values "low, moderate, high, critical" (these should not be translated either)</comment>
@@ -1083,7 +1083,7 @@ Non-HTTPS access will be removed in a future version. Consider migrating to 'HTT
     <comment>{0} is the value supplied </comment>
   </data>
   <data name="Error_InvalidNuGetAuditModeValue" xml:space="preserve">
-    <value>Invalid NuGetAuditMode value '{0}'. Expected values: {1}</value>
+    <value>Invalid NuGetAuditMode value '{0}'. Valid values: {1}</value>
     <comment>Don't translate 'NuGetAuditMode'
 {0} - is the value from the customer's project file
 {1} is the list of valid values "direct, all"</comment>
@@ -1092,4 +1092,10 @@ Non-HTTPS access will be removed in a future version. Consider migrating to 'HTT
     <value>NuGetAudit is enabled, but no package sources contain known vulnerability data.</value>
     <comment>Do not translate NuGetAudit</comment>
   </data>
+  <data name="Error_InvalidNuGetAuditValue" xml:space="preserve">
+    <value>Invalid NuGetAudit value '{0}'. Valid values: {1}</value>
+    <comment>Don't translate 'NuGetAudit'
+{0} - is the value from the customer's project file
+{1} is the list of valid values "true, false"</comment>
+  </data>
 </root>

src/NuGet.Core/NuGet.Common/Errors/NuGetLogCode.cs

@@ -122,7 +122,7 @@ public enum NuGetLogCode
         NU1013 = 1013,
 
         /// <summary>
-        /// NuGetAuditLevel input errors
+        /// NuGetAudit* MSBuild property input errors
         /// </summary>
         NU1014 = 1014,
 

test/NuGet.Core.FuncTests/NuGet.Commands.FuncTest/RestoreCommandTests.cs

@@ -2135,7 +2135,8 @@ public async Task RestoreCommand_RestoreFloatingVersionWithIgnoreFailingLocalSou
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2184,7 +2185,8 @@ public async Task RestoreCommand_RestoreFloatingVersionWithIgnoreFailingHttpSour
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2402,7 +2404,8 @@ public async Task RestoreCommand_RestoreNonExistingWithIgnoreFailingLocalSourceA
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2451,7 +2454,8 @@ public async Task RestoreCommand_RestoreNonExistingWithIgnoreFailingHttpSourceAs
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2500,7 +2504,8 @@ public async Task RestoreCommand_RestoreNonExistingWithIgnoreFailingV3HttpSource
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2549,7 +2554,8 @@ public async Task RestoreCommand_RestoreInexactWithIgnoreFailingLocalSourceAsync
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2598,7 +2604,8 @@ public async Task RestoreCommand_RestoreInexactWithIgnoreFailingHttpSourceAsync(
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())
@@ -2647,7 +2654,8 @@ public async Task RestoreCommand_RestoreInexactWithIgnoreFailingV3HttpSourceAsyn
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 using (var context = new SourceCacheContext())

test/NuGet.Core.FuncTests/NuGet.Commands.FuncTest/UWPRestoreTests.cs

@@ -146,7 +146,8 @@ public async Task UWPRestore_BlankUWPAppWithExcludes()
                 }");
 
                 var specPath = Path.Combine(projectDir, "TestProject", "project.json");
-                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath);
+                var spec = JsonPackageSpecReader.GetPackageSpec(configJson.ToString(), "TestProject", specPath)
+                    .EnsureProjectJsonRestoreMetadata();
 
                 var logger = new TestLogger();
                 var clientPolicyContext = ClientPolicyContext.GetClientPolicy(NullSettings.Instance, logger);