[cDAC] Use Moq in CodeVersionsTest

[max-charlamb]

CodeVersionsTest used manually implemented "mocks" before we integration Moq. Changes all tests to use the Moq framework in accordance with newer tests.

Previous comments on draft pr: max-charlamb#2

[dotnet-policy-service]

Tagging subscribers to this area: @tommcdon
See info in area-owners.md if you want to be subscribed.

[ivdiazsa]

Are we sure we want to use Moq instead of NSubstitute? The former has had a history of poor security and potential spyware in more recent versions, while the latter is arguably easier to use, and is considered safe.

I would suggest really reconsidering the use of Moq in our codebase. If we really have to, then let's make sure we don't use a version newer than 4.18.4, which is the last one before these problems were encountered.

[max-charlamb]

Moq is already used in several places in the repo and this PR brings some tests in line with existing usages.

If we want to have a broader discussion on switching to a different mocking framework, I'm open.

edit: It looks like we are pinned on version 4.18.4

runtime/eng/Versions.props

Line 202 in b33f755

<MoqVersion>4.18.4</MoqVersion>

[ivdiazsa]

Moq is already used in several places in the repo and this PR brings some tests in line with existing usages.

If we want to have a broader discussion on switching to a different mocking framework, I'm open.

edit: It looks like we are pinned on version 4.18.4

runtime/eng/Versions.props

Line 202 in b33f755

<MoqVersion>4.18.4</MoqVersion>

That's good at least. We should be fine since we're sticking to the last not unsafe version, but I think moving away from it would be a good idea to bring up to discussion with others, as we can't update it anymore without putting our testing codebase at risk.

[elinor-fung]

There was a fair amount of discussion around this last year. We started with staying on an older version: #90222 (comment)

I don't know where exactly we ended up more broadly, but I'd reach out to Rich if you want to find out or re-open the discussion.

[elinor-fung]

Looks good!

[ivdiazsa]

There was a fair amount of discussion around this last year. We started with staying on an older version: #90222 (comment)

I don't know where exactly we ended up more broadly, but I'd reach out to Rich if you want to find out or re-open the discussion.

I think it's worth discussing it internally again at some point after the holidays because after reading that thread, I have to say I'm left with a bad taste in my mouth and even bigger concerns about using that library. Thanks for pointing the context out @elinor-fung!

[ivdiazsa]

Is there a way to kill that browser-wasm pipeline? It's frozen here but in AzDO it already shows an error that it was canceled by the remote provider. So we can run it again to get Build Analysis green and be able to merge.

[jkoritzinsky]

Re Moq: I recommended Moq to Elinor because it's already referenced in the repo. Personally, I like FakeItEasy (which we also have already in dotnet-public and other repos use), but I didn't feel strongly enough about it to add the dependency. We should consider it as another option if we're reconsidering Moq usage.

[ivdiazsa]

Re Moq: I recommended Moq to Elinor because it's already referenced in the repo. Personally, I like FakeItEasy (which we also have already in dotnet-public and other repos use), but I didn't feel strongly enough about it to add the dependency. We should consider it as another option if we're reconsidering Moq usage.

I just took a quick look at FakeItEasy and it seems like a great alternative option to consider. I agree, we should definitely suggest it next year when the Moq discussions are retaken.

[max-charlamb]

/azp run runtime

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[max-charlamb]

/ba-g failure is dotnet/dnceng#3879