Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't error for NuGet audit on non-official builds #108718

Merged
merged 1 commit into from
Oct 9, 2024

Conversation

ericstj
Copy link
Member

@ericstj ericstj commented Oct 9, 2024

I added an escape hatch as well in case we do want to make an official build without committing a change (EG: a rebuild of a specific hash).

I had mentioned the same thing when enabling arcade but missed when enabling here in runtime.

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Oct 9, 2024
@ericstj ericstj requested a review from jkotas October 9, 2024 15:55
@ericstj ericstj added area-Infrastructure and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Oct 9, 2024
Copy link
Contributor

Tagging subscribers to this area: @dotnet/runtime-infrastructure
See info in area-owners.md if you want to be subscribed.

@ericstj ericstj requested review from directhex and zivkan October 9, 2024 16:10
Copy link
Member

@jkotas jkotas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@ericstj ericstj merged commit 9d28160 into dotnet:main Oct 9, 2024
146 of 150 checks passed
rzikm pushed a commit to rzikm/dotnet-runtime that referenced this pull request Oct 11, 2024
ericstj added a commit to ericstj/runtime that referenced this pull request Oct 14, 2024
ericstj added a commit that referenced this pull request Oct 16, 2024
* Enable NuGet Audit and fix issues (#107639)

* Enable NuGet Audit and fix issues

Microsoft.NET.HostModel can reference the live builds of the packages
it depends on.  These will be deployed by the SDK.�
Most other audit alerts were due to tasks pulling in old dependencies
that aren't even used by the task. Avoid these by cherry-picking
just the assemblies needed by the tasks and provided by MSBuild / SDK.
This prevents NuGet from downloading the package closure with the
vulnerable packages.  We don't need those packages since the tasks
aren't responsible for deploying them.  A better solution in the future
would be a targeting pack for MSBuild and the .NET SDK - so that
components that contribute to these hosts have a surface area they can
target without taking on responsibility for servicing.

There is once case where we have a test that references NuGet.* packages
which also bring in stale dependencies that overlap with framework
assemblies.  Avoid these by cherry-picking the NuGet packages in the
same way.

* Fix package path on linux

* Only use live JSON from HostModel

SDK pins S.R.M and a few others, so don't make them upgrade yet.

* Add a couple missing assembly references

* Refactor tasks dependencies

Consolidate representation of msbuild-provided task dependencies

* Fix audit warnings in tests

* Remove MetadataLoadContext from WasmAppBuilder package

* Update Analyzer.Testing packages

* Reduce exposure of Microsoft.Build.Tasks.Core

* Fix audit warnings that only occur on browser

* Update Asn1 used by linker analyzer tests

* React to breaking change in analyzer test SDK

* Enable working DryIoc tests

* Fix double-write when LibrariesConfiguration differs from Configuration

* Fix LibrariesConfiguration update target

* Clean up references and add comments.

* Make HostModel references private

This ensures projects referenced will not be rebuilt by tests.

This also means the HostModel package will not list these as references,
but that's OK since the SDK provides them and this is not a shipping
package.

* Use ProjectReferenceExclusion to avoid framework project references

On .NETCore we want to use the targeting pack and avoid rebuilding libs.

* Update src/libraries/System.Runtime.InteropServices.JavaScript/tests/JSImportGenerator.UnitTest/JSImportGenerator.Unit.Tests.csproj

Co-authored-by: Jeremy Koritzinsky <jkoritzinsky@gmail.com>

---------

Co-authored-by: Jeremy Koritzinsky <jkoritzinsky@gmail.com>

* Remove live System.Text.Json reference from HostModel (#108263)

* Reduce changes to src/installer

Since we're no longer trying to reference live S.T.J we don't need these.

* Update JSON toolset version

* Don't error for NuGet audit on non-official builds (#108718)

* Reference live S.T.JSON from DI.ExternalContainers.Tests

* Update STJ in Wasm.Build.Tests

* Make SystemTextJsonToolsetVersion 8.0.4

We cannot count on VS and MSBuild updating by the time 9.0 ships GA.

Fix WASM projects which only target .NET by referencing the LKG and dropping all assets.

For Microsoft.NET.HostModel and other build tasks, keep them on the version we can garuntee is present in VS.  NoWarn the Audit warnings here.  This is safe because we can ensure one of two things.
1. The package is non-shipping and customers won't see the warning and the referencing repo in the product will ensure an update or exclusion of the dependency. (HostModel)
2. The project excludes the reference entirely as making it PrivateAssets (not in package) and ExcludeAssets=runtime  (no possibility of using runtime).

* Fix STJ audit warning in installer tests

---------

Co-authored-by: Jeremy Koritzinsky <jkoritzinsky@gmail.com>
@github-actions github-actions bot locked and limited conversation to collaborators Nov 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants