NuGet · martinrrm · May 30, 2023 · Apr 21, 2023 · May 23, 2023
@@ -36,7 +36,7 @@ public DisplayVersion(
             bool autoReferenced = false,
             bool isDeprecated = false,
             string versionFormat = "N")
-            : this(range, version: null, additionalInfo, isValidVersion, isCurrentInstalled, autoReferenced, isDeprecated, versionFormat)
+            : this(range, version: null, additionalInfo, isValidVersion, isCurrentInstalled, autoReferenced, isDeprecated, isVulnerable: false, versionFormat)
         {
         }
 
@@ -48,6 +48,7 @@ public DisplayVersion(
             bool isCurrentInstalled = false,
             bool autoReferenced = false,
             bool isDeprecated = false,
+            bool isVulnerable = false,
             string versionFormat = "N")
         {
             if (versionFormat == null)
@@ -65,6 +66,7 @@ public DisplayVersion(
             IsCurrentInstalled = isCurrentInstalled;
             AutoReferenced = autoReferenced;
             IsDeprecated = isDeprecated;
+            IsVulnerable = isVulnerable;
 
             // Display a single version if the range is locked
             if (range.OriginalString == null && range.HasLowerAndUpperBounds && range.MinVersion == range.MaxVersion)
@@ -83,13 +85,28 @@ public DisplayVersion(
                     AdditionalInfo + " " + Range.OriginalString;
             }
 
-            if (IsDeprecated)
+            if (IsDeprecated && IsVulnerable)
+            {
+                _toString += string.Format(
+                    CultureInfo.CurrentCulture,
+                    "    ({0}, {1})",
+                    Resources.Label_Vulnerable,
+                    Resources.Label_Deprecated);
+            }
+            else if (IsDeprecated)
             {
                 _toString += string.Format(
                     CultureInfo.CurrentCulture,
                     "    ({0})",
                     Resources.Label_Deprecated);
             }
+            else if (IsVulnerable)
+            {
+                _toString += string.Format(
+                    CultureInfo.CurrentCulture,
+                    "    ({0})",
+                    Resources.Label_Vulnerable);
+            }
         }
 
         public bool IsCurrentInstalled { get; set; }
@@ -104,6 +121,8 @@ public DisplayVersion(
 
         public bool IsDeprecated { get; set; }
 
+        public bool IsVulnerable { get; set; }
+
         public override string ToString()
         {
             return _toString;
@@ -115,7 +134,8 @@ public override bool Equals(object obj)
             return other != null
                 && other.Version == Version
                 && string.Equals(other.AdditionalInfo, AdditionalInfo, StringComparison.Ordinal)
-                && IsDeprecated == other.IsDeprecated;
+                && IsDeprecated == other.IsDeprecated
+                && IsVulnerable == other.IsVulnerable;
         }
 
         public override int GetHashCode()

@@ -36,7 +36,7 @@ public abstract class DetailControlModel : INotifyPropertyChanged, IDisposable
 
         // all versions of the _searchResultPackage
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1051:DoNotDeclareVisibleInstanceFields")]
-        protected List<(NuGetVersion version, bool isDeprecated)> _allPackageVersions;
+        protected List<(NuGetVersion version, bool isDeprecated, bool isVulnerable)> _allPackageVersions;
 
         [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1051:DoNotDeclareVisibleInstanceFields")]
         protected PackageItemViewModel _searchResultPackage;
@@ -219,9 +219,9 @@ public async virtual Task SetCurrentPackageAsync(
             }
 
             // Show the current package version as the only package in the list at first just in case fetching the versions takes a while.
-            _allPackageVersions = new List<(NuGetVersion version, bool isDeprecated)>()
+            _allPackageVersions = new List<(NuGetVersion version, bool isDeprecated, bool isVulnerable)>()
             {
-                (searchResultPackage.Version, false)
+                (searchResultPackage.Version, false, false)
             };
 
             await CreateVersionsAsync(CancellationToken.None);
@@ -269,15 +269,17 @@ public async virtual Task SetCurrentPackageAsync(
             }
         }
 
-        private (NuGetVersion version, bool isDeprecated) GetVersion(VersionInfoContextInfo versionInfo)
+        private (NuGetVersion version, bool isDeprecated, bool isVulnerable) GetVersion(VersionInfoContextInfo versionInfo)
         {
             var isDeprecated = false;
+            var isVulnerable = false;
             if (versionInfo.PackageSearchMetadata != null)
             {
                 isDeprecated = versionInfo.PackageDeprecationMetadata != null;
+                isVulnerable = versionInfo.PackageSearchMetadata.Vulnerabilities != null;
             }
 
-            return (versionInfo.Version, isDeprecated);
+            return (versionInfo.Version, isDeprecated, isVulnerable);
         }
 
         protected virtual void DependencyBehavior_SelectedChanged(object sender, EventArgs e)

@@ -141,14 +141,14 @@ protected override Task CreateVersionsAsync(CancellationToken cancellationToken)
             // installVersion is null if the package is not installed
             var installedVersion = installedDependency?.VersionRange;
 
-            List<(NuGetVersion version, bool isDeprecated)> allVersions = _allPackageVersions?.OrderByDescending(v => v.version).ToList();
+            List<(NuGetVersion version, bool isDeprecated, bool isVulnerable)> allVersions = _allPackageVersions?.OrderByDescending(v => v.version).ToList();
 
             // null, if no version constraint defined in package.config
             VersionRange allowedVersions = _projectVersionConstraints.Select(e => e.VersionRange).FirstOrDefault();
             // null, if all versions are allowed to be install or update
             var blockedVersions = new List<NuGetVersion>(allVersions.Count);
 
-            List<(NuGetVersion version, bool isDeprecated)> allVersionsAllowed;
+            List<(NuGetVersion version, bool isDeprecated, bool isVulnerable)> allVersionsAllowed;
             if (allowedVersions == null)
             {
                 allowedVersions = VersionRange.All;
@@ -157,7 +157,7 @@ protected override Task CreateVersionsAsync(CancellationToken cancellationToken)
             else
             {
                 allVersionsAllowed = allVersions.Where(v => allowedVersions.Satisfies(v.version)).ToList();
-                foreach ((NuGetVersion version, bool isDeprecated) in allVersions)
+                foreach ((NuGetVersion version, bool isDeprecated, bool isVulnerable) in allVersions)
                 {
                     if (!allVersionsAllowed.Any(a => a.version.Version.Equals(version.Version)))
                     {
@@ -175,7 +175,8 @@ protected override Task CreateVersionsAsync(CancellationToken cancellationToken)
                 VersionRange installedVersionRange = VersionRange.Parse(installedDependency.VersionRange.OriginalString, true);
                 NuGetVersion bestVersion = installedVersionRange.FindBestMatch(allVersionsAllowed.Select(v => v.version));
                 var deprecationInfo = allVersionsAllowed.FirstOrDefault(v => v.version == bestVersion).isDeprecated;
-                DisplayVersion displayVersion = new DisplayVersion(installedVersionRange, bestVersion, additionalInfo: string.Empty, isDeprecated: deprecationInfo);
+                var vulnerableInfo = allVersionsAllowed.FirstOrDefault(v => v.version == bestVersion).isVulnerable;
+                DisplayVersion displayVersion = new DisplayVersion(installedVersionRange, bestVersion, additionalInfo: string.Empty, isDeprecated: deprecationInfo, isVulnerable: vulnerableInfo);
 
                 _versions.Add(displayVersion);
             }
@@ -188,15 +189,15 @@ protected override Task CreateVersionsAsync(CancellationToken cancellationToken)
                 (isInstalledFloatingOrRange || !latestPrerelease.version.Equals(installedVersion?.MinVersion)))
             {
                 VersionRange latestPrereleaseVersionRange = VersionRange.Parse(latestPrerelease.version.ToString(), allowFloating: false);
-                _versions.Add(new DisplayVersion(latestPrereleaseVersionRange, latestPrerelease.version, Resources.Version_LatestPrerelease, isDeprecated: latestPrerelease.isDeprecated));
+                _versions.Add(new DisplayVersion(latestPrereleaseVersionRange, latestPrerelease.version, Resources.Version_LatestPrerelease, isDeprecated: latestPrerelease.isDeprecated, isVulnerable: latestPrerelease.isVulnerable));
             }
 
             // Add latest stable if needed
             if (latestStableVersion.version != null &&
                 (isInstalledFloatingOrRange || !latestStableVersion.version.Equals(InstalledVersion)))
             {
                 VersionRange latestStableVersionRange = VersionRange.Parse(latestStableVersion.version.ToString(), allowFloating: false);
-                _versions.Add(new DisplayVersion(latestStableVersionRange, latestStableVersion.version, Resources.Version_LatestStable, isDeprecated: latestStableVersion.isDeprecated));
+                _versions.Add(new DisplayVersion(latestStableVersionRange, latestStableVersion.version, Resources.Version_LatestStable, isDeprecated: latestStableVersion.isDeprecated, isVulnerable: latestStableVersion.isVulnerable));
             }
 
             // add a separator
@@ -218,7 +219,7 @@ protected override Task CreateVersionsAsync(CancellationToken cancellationToken)
                 }
 
                 VersionRange versionRange = VersionRange.Parse(version.version.ToString(), allowFloating: false);
-                _versions.Add(new DisplayVersion(versionRange, version.version, additionalInfo: null, isCurrentInstalled: installed, autoReferenced: autoReferenced, isDeprecated: version.isDeprecated));
+                _versions.Add(new DisplayVersion(versionRange, version.version, additionalInfo: null, isCurrentInstalled: installed, autoReferenced: autoReferenced, isDeprecated: version.isDeprecated, isVulnerable: version.isVulnerable));
             }
 
             // Disable controls if this is an auto referenced package.

@@ -205,14 +205,14 @@ protected override async Task CreateVersionsAsync(CancellationToken cancellation
             }
 
             _versions.Clear();
-            List<(NuGetVersion version, bool isDeprecated)> allVersions = _allPackageVersions?.Where(v => v.version != null).OrderByDescending(v => v.version).ToList();
+            List<(NuGetVersion version, bool isDeprecated, bool isVulnerable)> allVersions = _allPackageVersions?.Where(v => v.version != null).OrderByDescending(v => v.version).ToList();
 
             // null, if no version constraint defined in package.config
             VersionRange allowedVersions = await GetAllowedVersionsAsync(cancellationToken);
             var allVersionsAllowed = allVersions.Where(v => allowedVersions.Satisfies(v.version)).ToArray();
 
             var blockedVersions = new List<NuGetVersion>(allVersions.Count);
-            foreach ((NuGetVersion version, bool isDeprecated) in allVersions)
+            foreach ((NuGetVersion version, bool isDeprecated, bool isVulnerable) in allVersions)
             {
                 if (!allVersionsAllowed.Any(a => a.version.Version.Equals(version.Version)))
                 {

@@ -990,4 +990,7 @@ Please see https://aka.ms/troubleshoot_nuget_cache for more help.</value>
   <data name="Text_PackageMappingsDisabled" xml:space="preserve">
     <value>Package source mapping is off.</value>
   </data>
+  <data name="Label_Vulnerable" xml:space="preserve">
+    <value>Vulnerable</value>
+  </data>
 </root>
@@ -3,13 +3,11 @@
 
 using System;
 using System.Collections.Generic;
-using System.ComponentModel;
 using System.Linq;
 using System.Windows;
 using System.Windows.Controls;
 using System.Windows.Data;
 using System.Windows.Input;
-using Microsoft.TeamFoundation.Common;
 using NuGet.Versioning;
 
 namespace NuGet.PackageManagement.UI
@@ -170,7 +168,7 @@ protected override void OnKeyUp(KeyEventArgs e)
                                 bool isBestOption = rangeBestVersion.ToString() == _versions.Items[_versions.SelectedIndex].ToString();
                                 if (isBestOption)
                                 {
-                                    PackageDetailControlModel.SelectedVersion = new DisplayVersion(userRequestedVersionRange, rangeBestVersion, additionalInfo: null);
+                                    PackageDetailControlModel.SelectedVersion = new DisplayVersion(userRequestedVersionRange, rangeBestVersion, additionalInfo: null, isVulnerable: false);
                                     _versions.Text = comboboxText;
                                 }
                                 else
@@ -253,7 +251,7 @@ private void SetComboboxCurrentVersion(string comboboxText, IEnumerable<NuGetVer
                 if (currentItem != null && (comboboxText == _versions.Items[i].ToString() || _versions.Items[i].ToString() == matchVersion?.ToString()))
                 {
                     _versions.SelectedIndex = i; // This is the "select" effect in the dropdown
-                    PackageDetailControlModel.SelectedVersion = new DisplayVersion(userRange, matchVersion, additionalInfo: null);
+                    PackageDetailControlModel.SelectedVersion = new DisplayVersion(userRange, matchVersion, additionalInfo: null, isVulnerable: currentItem.IsVulnerable);
                 }
             }
         }