Fix NuGetAudit severity level mapping (#5313) #5315

Expand Up @@ -72,6 +72,11 @@ public async Task CheckPackageVulnerabilitiesAsync(CancellationToken cancellatio
stopwatch.Stop();
DownloadDurationSeconds = stopwatch.Elapsed.TotalSeconds;

if (allVulnerabilityData?.Exceptions is not null)
{
ReplayErrors(allVulnerabilityData.Exceptions);
}

if (allVulnerabilityData is null || !AnyVulnerabilityDataFound(allVulnerabilityData.KnownVulnerabilities))
{
if (_auditEnabled == EnabledValue.ExplicitOptIn)
Expand All @@ -84,12 +89,7 @@ public async Task CheckPackageVulnerabilitiesAsync(CancellationToken cancellatio
return;
}

if (allVulnerabilityData.Exceptions != null)
{
ReplayErrors(allVulnerabilityData.Exceptions);
}

if (allVulnerabilityData.KnownVulnerabilities != null)
if (allVulnerabilityData.KnownVulnerabilities is not null)
{
CheckPackageVulnerabilities(allVulnerabilityData.KnownVulnerabilities);
}
Expand Down Expand Up @@ -119,7 +119,8 @@ private void ReplayErrors(AggregateException exceptions)
foreach (Exception exception in exceptions.InnerExceptions)
{
var messageText = string.Format(Strings.Error_VulnerabilityDataFetch, exception.Message);
RestoreLogMessage logMessage = RestoreLogMessage.CreateError(NuGetLogCode.NU1900, messageText);
RestoreLogMessage logMessage = RestoreLogMessage.CreateWarning(NuGetLogCode.NU1900, messageText);
logMessage.ProjectPath = _projectFullPath;
_logger.Log(logMessage);
}
}
Expand Down Expand Up @@ -237,13 +238,13 @@ private static (string severityLabel, NuGetLogCode code) GetSeverityLabelAndCode
{
switch (severity)
{
case 1:
case 0:
return (Strings.Vulnerability_Severity_1, NuGetLogCode.NU1901);
case 2:
case 1:
return (Strings.Vulnerability_Severity_2, NuGetLogCode.NU1902);
case 3:
case 2:
return (Strings.Vulnerability_Severity_3, NuGetLogCode.NU1903);
case 4:
case 3:
return (Strings.Vulnerability_Severity_4, NuGetLogCode.NU1904);
default:
return (Strings.Vulnerability_Severity_unknown, NuGetLogCode.NU1900);
Expand Down Expand Up @@ -368,31 +369,31 @@ private int ParseAuditLevel()

if (auditLevel == null)
{
return 1;
return 0;
return 0;

Could we add a comment on when auditLevel is expected to be null? I'm guessing this is the default case, so it would be good to comment that and also comment why the default case was decided to be equivalent to low.

}

if (string.Equals("low", auditLevel, StringComparison.OrdinalIgnoreCase))
low

I'm a bit worried that these are not constants defined somewhere. A typo in a later change could cause the strings to be mismatched when they are written to and read from the properties.

{
return 1;
return 0;
}
if (string.Equals("moderate", auditLevel, StringComparison.OrdinalIgnoreCase))
{
return 2;
return 1;
}
if (string.Equals("high", auditLevel, StringComparison.OrdinalIgnoreCase))
{
return 3;
return 2;
}
if (string.Equals("critical", auditLevel, StringComparison.OrdinalIgnoreCase))
{
return 4;
return 3;
}

string messageText = string.Format(Strings.Error_InvalidNuGetAuditLevelValue, auditLevel, "low, moderate, high, critical");
RestoreLogMessage message = RestoreLogMessage.CreateError(NuGetLogCode.NU1014, messageText);
message.ProjectPath = _projectFullPath;
_logger.Log(message);
return 1;
return 0;
}

internal enum NuGetAuditMode { Unknown, Direct, All }
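Review bot: Switching NU1900 from CreateError to CreateWarning in ReplayErrors changes the audit's failure mode, and nothing in the method records why: a failed vulnerability-data fetch no longer fails restore, so a build whose audit source is unreachable now succeeds with no check performed unless NU1900 is promoted via WarningsAsErrors, and the earlier hunk also moves ReplayErrors ahead of the null check so those warnings are emitted even when no data came back at all. If that is the intended trade-off, say so next to the call, e.g. `// Fetch failures are warnings, not errors, so an unreachable source does not block restore; the audit is skipped for that data, so an empty log must not be read as "no vulnerabilities".` ReplayErrors's signature is only visible in the hunk header, so the start of the method lies outside the hunk. Separately, the 0–3 shift in both GetSeverityLabelAndCode and ParseAuditLevel is now an unstated invariant shared with the severity values carried in the fetched data and with the comparison site that is not in this diff; a one-line comment at each switch such as `// Severity levels are zero-based: 0 = low, 1 = moderate, 2 = high, 3 = critical (must match the vulnerability data)` would keep the two tables from drifting apart again.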