Enable vulnerability checking for packages.config projects during commandline restore #5639
Conversation
nkolev92
force-pushed
the
dev-nkolev92-PCVulnerabilityInRestore
branch
from
7dba399 to
35a7083
Compare
| internal bool IsAuditEnabled { get; set; } = true; | ||
|
|
||
| internal int Severity0VulnerabilitiesFound { get; set; } | ||
| internal int Severity1VulnerabilitiesFound { get; set; } | ||
| internal int Severity2VulnerabilitiesFound { get; set; } | ||
| internal int Severity3VulnerabilitiesFound { get; set; } | ||
| internal int InvalidSeverityVulnerabilitiesFound { get; set; } | ||
| internal List<PackageIdentity>? Packages { get; set; } | ||
| internal double? DownloadDurationInSeconds { get; set; } | ||
| internal double? CheckPackagesDurationInSeconds { get; set; } | ||
| internal int? SourcesWithVulnerabilities { get; set; } |
There was a problem hiding this comment.
Considering this type is a record, and therefore a struct, I think it's important to make all these properties get; init;, rather than get; set;.
The problem with get; set; in a struct, is if one is passed in as a method parameter (but not as a ref, changing the value of properties will cause the values to be lost when the method returns. So, it's significant risk of bugs if people use it wrong.
Making it only possible to set at initialization time reduces the risk that it gets set wrong.
There was a problem hiding this comment.
These are not always known/available in every audit situation.
I have tests ensuring things get set in the expected scenarios. Obviously that doesn't guard against future additions.
I can have a bunch of internal constructors I guess if you'd prefer that.
There was a problem hiding this comment.
init does not mean required, it just means that the type is read only, and needs to have a new "instance" created to change a value. Using the with expression makes this very easy. Therefore multiple constructors are not needed, unless you want to validate that when "property 1" is set "property 2" must be as well.
And when I reviewed this PR last week, I didn't see any examples of the type having any values changed after initialization. At least in the product code, I only saw properties being set on init.
Obviously that doesn't guard against future additions.
This is the point of my suggestion. It does prevent future incorrect usage that might otherwise go unnoticed.
|
@zivkan Thanks for taking a look! |
src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs
Outdated
Show resolved
Hide resolved
src/NuGet.Core/NuGet.PackageManagement/IDE/PackageRestoreContext.cs
Outdated
Show resolved
Hide resolved
src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs
Outdated
Show resolved
Hide resolved
| CreateWarnings(packagesWithKnownVulnerabilities, auditSettings, ref Sev0Matches, ref Sev1Matches, ref Sev2Matches, ref Sev3Matches, ref InvalidSevMatches, ref packagesWithReportedAdvisories) : | ||
| Array.Empty<ILogMessage>(); | ||
|
|
||
| foreach (var warning in warnings) |
There was a problem hiding this comment.
| foreach (var warning in warnings) | |
| foreach (var warning in warnings.NoAllocEnumerate()) |
warnings is IReadOnlyList<T>, hence foreach will do a heap alloc by default.
|
thanks @zivkan I'll address these in the next PR. Merging the PR allows me to unblock my VS work. |
Bug
Fixes: NuGet/Home#13253
Fixes: https://github.com/NuGet/Client.Engineering/issues/2698
Regression? Last working version:
Description
See NuGet/Home#13154 for the main design.
Counterintuitively the service part is used more frequently in non-VS scenarios, which is why I have this length explanation.
msbuild /t:restorewill run audit by default, even if packages are downloaded.PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation