Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable advisory suppressions in CLI restore for PackageReference projects #5679

Merged
merged 11 commits into from
Mar 27, 2024
Merged

Enable advisory suppressions in CLI restore for PackageReference projects #5679

merged 11 commits into from
Mar 27, 2024

Conversation

advay26
Copy link
Member

@advay26 advay26 commented Mar 9, 2024
edited
Loading

Bug

Fixes: https://github.com/NuGet/Client.Engineering/issues/2720
Fixes: NuGet/Home#13313

Regression? Last working version:

Description

Design spec: https://github.com/NuGet/Home/blob/dev/accepted/2023/NuGetAudit-supress-advisory.md

We're adding a new MSBuild item called NuGetAuditSuppress that allows users to suppress individual advisories during restore. These items will have the advisory URL in the Include= field, looking something like this:

<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-5crp-9r3c-p9vr" />.

This PR implements suppressions for CLI restore paths (dotnet/MSBuild restore, NuGet.exe restore, Static graph restore) for PackageReference projects. The packages.config implementation, as well as the VS restore implementation for PackageReference projects, will follow later.

These are the main pieces:

  • To read the new items, we added a new 'Collect' target called CollectNuGetAuditSuppressions (src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets)
  • We also added a new target called _CollectRestoreInputs, which will run all the individual 'Collect' item targets. This is meant to reduce duplication in our code. Going forward, instead of adding new 'Collect' targets to lists in multiple places, we will be able to add it to the DependsOnTargets= attribute in _CollectRestoreInputs, and use this target everywhere. (See _CollectRestoreInputs target)
  • The new GetRestoreNuGetAuditSuppressionsTask parses the 'NuGetAuditSuppress' items into the _RestoreGraphEntry items that we ultimately read in restore.
  • src/NuGet.Core/NuGet.ProjectModel/ holds all the changes related to reading and writing the dgspec.
  • A new HashSet<string> SuppressedAdvisories member was added src/NuGet.Core/NuGet.ProjectModel/RestoreAuditProperties.cs to store the suppression inputs.
  • The business logic for suppressions is in the src/NuGet.Core/NuGet.Commands/RestoreCommand/Utility/AuditUtility.cs file.
  • I've added tests too, but I'm not sure if they cover everything. Let me know if I need to add tests anywhere else, and I'll go back and make the changes.

PR Checklist

  • PR has a meaningful title

  • PR has a linked issue.

  • Described changes

  • Tests

    • Automated tests added
    • OR
    • Test exception
    • OR
    • N/A

  • Documentation

@advay26 advay26 requested a review from a team as a code owner March 9, 2024 00:08
zivkan
zivkan reviewed Mar 9, 2024
View reviewed changes
Copy link
Member

@zivkan zivkan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job!

Since you're new to the client team, you're not aware of our performance requirements, especially on restore, so there's a bunch of unnecessary memory allocations that should be removed.

src/NuGet.Core/NuGet.Build.Tasks.Console/MSBuildStaticGraphRestore.cs Show resolved Hide resolved
src/NuGet.Core/NuGet.Build.Tasks/GetRestoreNuGetAuditSuppressionsTask.cs Outdated Show resolved Hide resolved
src/NuGet.Core/NuGet.Build.Tasks/GetRestoreNuGetAuditSuppressionsTask.cs Outdated Show resolved Hide resolved
src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets Outdated Show resolved Hide resolved
src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets Show resolved Hide resolved
src/NuGet.Core/NuGet.ProjectModel/PackageSpecWriter.cs Outdated Show resolved Hide resolved
src/NuGet.Core/NuGet.ProjectModel/RestoreAuditProperties.cs Outdated Show resolved Hide resolved
test/NuGet.Core.Tests/NuGet.Build.Tasks.Test/GetRestoreNuGetAuditSuppressionsTaskTests.cs Show resolved Hide resolved
test/NuGet.Core.Tests/NuGet.Commands.Test/RestoreCommandTests/RestoreCommandTests.cs Outdated Show resolved Hide resolved
test/NuGet.Core.Tests/NuGet.Commands.Test/RestoreCommandTests/Utility/AuditUtilityTests.cs Outdated Show resolved Hide resolved
nkolev92
nkolev92 reviewed Mar 11, 2024
View reviewed changes
src/NuGet.Core/NuGet.Commands/PublicAPI/netcoreapp5.0/PublicAPI.Shipped.txt
@@ -947,7 +947,6 @@ override NuGet.Commands.WarningPropertiesCollection.GetHashCode() -> int
~static NuGet.Commands.MSBuildRestoreUtility.GetDependencySpec(System.Collections.Generic.IEnumerable<NuGet.Commands.IMSBuildItem> items) -> NuGet.ProjectModel.DependencyGraphSpec
~static NuGet.Commands.MSBuildRestoreUtility.GetMessageForUnsupportedProject(string path) -> NuGet.Common.RestoreLogMessage
~static NuGet.Commands.MSBuildRestoreUtility.GetPackageSpec(System.Collections.Generic.IEnumerable<NuGet.Commands.IMSBuildItem> items) -> NuGet.ProjectModel.PackageSpec
~static NuGet.Commands.MSBuildRestoreUtility.GetRestoreAuditProperties(NuGet.Commands.IMSBuildItem specItem) -> NuGet.ProjectModel.RestoreAuditProperties
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This an API breaking change.
Sounds like no one is concerned about it, since this is arguably something that ideally wasn't public, but has to be, so I think it's ok to make the breaking change.

However, we should make sure we disclose the API breaking change in our release notes.
You can do that by creating a specific issue with a label Category:BreakingChange that talks about the breaking change and is fixed by this PR (alongside the other one).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From memory, it's a public API so that both static graph restore, as well as "normal" CLI restore, can share the same code. But the method name, the method parameter type and return type are so specific, I just don't see it being useful to anyone else.

I wish we had some way to mark an API as "public because NuGet needs it internally, but we're going to make no effort to avoid breaking changes". InternalsVisibleTo feels like a bad solution. But yes, I noticed this when reviewing the PR, but because of the above justification, I just don't see it impacting anyone.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. I've created an issue here: NuGet/Home#13313, and referenced it in this PR as you mentioned. Let me know if I need to change anything else here

@advay26 advay26 requested review from zivkan, nkolev92 and jeffkl March 13, 2024 08:11
zivkan
zivkan reviewed Mar 13, 2024
View reviewed changes
Copy link
Member

@zivkan zivkan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great to me!

Just one thing where my gut reaction makes me feel it's a correctness issue, although testing a bunch of popular websites, and all the CVE websites I can find, they're all case insensitive, so maybe my suggestion doesn't actually matter.

src/NuGet.Core/NuGet.Build.Tasks/GetRestoreNuGetAuditSuppressionsTask.cs Outdated Show resolved Hide resolved
@advay26 advay26 requested a review from zivkan March 13, 2024 19:44
@advay26 advay26 changed the base branch from dev to dev-feature-nugetauditsuppress March 14, 2024 20:45
@jeffkl jeffkl added the Merge next release PRs that should not be merged until the dev branch targets the next release label Mar 19, 2024
zivkan
zivkan previously approved these changes Mar 21, 2024
View reviewed changes
@zivkan zivkan mentioned this pull request Mar 25, 2024
Merged
8 tasks
@nkolev92 nkolev92 removed the Merge next release PRs that should not be merged until the dev branch targets the next release label Mar 25, 2024
@nkolev92
Copy link
Member

Removing the label since the target branch is the feature branch anyways

@advay26 advay26 changed the base branch from dev-feature-nugetauditsuppress to dev March 27, 2024 03:35
@advay26 advay26 dismissed zivkan’s stale review March 27, 2024 03:35

The base branch was changed.

@advay26 advay26 force-pushed the dev-advay26-nugetauditsuppress branch from 5d11db8 to 5129e67 Compare March 27, 2024 03:44
@advay26 advay26 requested a review from nkolev92 March 27, 2024 03:54
@advay26 advay26 merged commit cecbc9a into dev Mar 27, 2024
13 of 16 checks passed
@advay26 advay26 deleted the dev-advay26-nugetauditsuppress branch March 27, 2024 21:57
@advay26 advay26 restored the dev-advay26-nugetauditsuppress branch March 27, 2024 21:57
@advay26 advay26 deleted the dev-advay26-nugetauditsuppress branch March 29, 2024 04:12
@advay26 advay26 restored the dev-advay26-nugetauditsuppress branch May 13, 2024 20:09
@advay26 advay26 deleted the dev-advay26-nugetauditsuppress branch June 18, 2024 04:49
@advay26 advay26 mentioned this pull request Jun 26, 2024
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nkolev92 nkolev92 nkolev92 approved these changes

@zivkan zivkan zivkan left review comments

@jeffkl jeffkl Awaiting requested review from jeffkl

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MSBuildRestoreUtility.GetRestoreAuditProperties needs a breaking change to read NuGetAuditSuppress items
4 participants
@advay26 @nkolev92 @zivkan @jeffkl