Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a utility for checking vulnerabilities during packages.config restore #5383

Merged
merged 8 commits into from
Aug 30, 2023
Merged

Add a utility for checking vulnerabilities during packages.config restore #5383

merged 8 commits into from
Aug 30, 2023

Conversation

nkolev92
Copy link
Member

@nkolev92 nkolev92 commented Aug 28, 2023
edited
Loading

Bug

Fixes: NuGet/Home#12852

Regression? Last working version:

Description

This PR adds the core code for adding vulnerability checking for package.config restore.
This change is just a 1st part of PC vulnerability checking.

This PR mimics some of the work in https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs, but it adds more explicit test coverage for the methods.
Note that I did make small changes in the NuGet.Commands code. These changes shorten the code and match the implementation in the PR side.

I didn't want to create a public class as I have no proposal better than a bunch of statics. As we add more scenarios such as vulnerability checking during package installation, we'll be able to create better APIs.

Reasons why this PR doesn't enable the feature.

  1. There's no configuration knobs design for packages.config vulnerability. PR is project based so all those things naturally come from there, for packages.config, that's not the case.
  2. This would likely cause an immediate RPS regression.

Note

I did test that this API works well and is sufficient for the purposes of packages.config restore vulnerability reporting.

PR Checklist

  • PR has a meaningful title

  • PR has a linked issue.

  • Described changes

  • Tests

    • Automated tests added - A lot of tests
    • OR
    • Test exception
    • OR
    • N/A

  • Documentation

    • Documentation PR or issue filled
    • OR
    • N/A - Not yet. A different PR that enables the feature will create the docs issues.

@nkolev92 nkolev92 requested a review from a team as a code owner August 28, 2023 21:52
@nkolev92 nkolev92 mentioned this pull request Aug 28, 2023
Closed
6 tasks
@nkolev92 nkolev92 enabled auto-merge (squash) August 30, 2023 18:57
@nkolev92 nkolev92 force-pushed the dev-nkolev92-pcvuln branch from 4c797f6 to 891374e Compare August 30, 2023 19:45
@nkolev92 nkolev92 merged commit 124002e into dev Aug 30, 2023
@nkolev92 nkolev92 deleted the dev-nkolev92-pcvuln branch August 30, 2023 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinrrm martinrrm martinrrm approved these changes

@jeffkl jeffkl jeffkl approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add an API for checking vulnerability during packages.config restore
3 participants
@nkolev92 @jeffkl @martinrrm