
[Bug Bash] The vulnerable warning flashed and disappeared in the Error List window when reloading the solution which had installed vulnerable package #13384

Open
v-luzh opened this issue Apr 10, 2024 · 11 comments
Labels
Area:ErrorHandling warnings and errors/log messages & related error codes. Found:ManualTests Functionality:Restore Type:Bug WaitingForCustomer Applied when a NuGet triage person needs more info from the OP

Comments

@v-luzh

v-luzh commented Apr 10, 2024

NuGet Product Used

Visual Studio Package Management UI

Product Version

Dev\6.11.0.9

Worked before?

It’s not a regression since it is a new feature.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Repro Steps:

  1. Create a C# Console App (.NET Core 8.0) project.
  2. Right-click the project in Solution Explorer and select "Manage NuGet Packages…" menu item to open PM UI.
  3. Select the package source: “nuget.org” near the gear button.
  4. Go to the "Browse" tab and search for a package (e.g. "Newtonsoft.Json").
  5. Select a vulnerable package version (e.g. 12.0.1) and install the package.
  6. Close VS with the solution saved and reload that solution again.

Expected Result:

The vulnerability warning should show in the Error List window.

Actual Result:

The vulnerable warning flashed and disappeared immediately in the Error List window as below.
image

Notes:

1. Repro rate: 100%.
2. It is not a regression since it is a new feature.
3. Building the solution will get the warning back.

Verbose Logs

No response
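A CI-side check, added here as an example and not code from the NuGet project or this thread: it scans `dotnet restore` / `dotnet build` text output for NuGetAudit vulnerability warnings (codes NU1901 to NU1904) so the finding is still caught when the IDE Error List drops it, in line with note 3 above that a build brings the warning back. The sample log, project path, package, advisory URL and the exact message wording are constructed sample values and assumptions, not output captured from the thread.

```python
import re
from dataclasses import dataclass

# NuGetAudit warning codes and the severity each denotes.
SEVERITY_BY_CODE = {"NU1901": "low", "NU1902": "moderate",
                    "NU1903": "high", "NU1904": "critical"}
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Assumed MSBuild-style line shape for a NU190x warning (an assumption, not
# verified against the thread); the sample log below is constructed.
WARNING_RE = re.compile(
    r"warning (?P<code>NU190[1-4]): Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, (?P<advisory>\S+)")

SAMPLE_LOG = """\
Determining projects to restore...
C:\\src\\App\\App.csproj : warning NU1903: Package 'Newtonsoft.Json' 12.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
C:\\src\\App\\App.csproj : warning NU1903: Package 'Newtonsoft.Json' 12.0.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
C:\\src\\App\\App.csproj : warning NU1603: Unrelated restore warning, not a vulnerability
Restored C:\\src\\App\\App.csproj (in 1.2 sec).
"""

@dataclass(frozen=True)
class Finding:
    code: str
    package: str
    version: str
    severity: str
    advisory: str

def parse_audit_warnings(log_text: str) -> list:
    """Return unique vulnerability findings in log order; restore can repeat
    the same warning (e.g. once per target framework), so duplicates collapse."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        f = Finding(**m.groupdict())
        if f not in seen:
            seen.add(f)
            findings.append(f)
    return findings

def worst_severity(findings):
    """Highest severity (derived from the warning code), or None when clean."""
    return max((SEVERITY_BY_CODE[f.code] for f in findings),
               key=SEVERITY_RANK.__getitem__, default=None)

def gate(findings, fail_on: str = "moderate") -> bool:
    """True when the build should fail: any finding at or above the threshold."""
    worst = worst_severity(findings)
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[fail_on]

if __name__ == "__main__":
    found = parse_audit_warnings(SAMPLE_LOG)
    for f in found:
        print(f"{f.code} {f.severity:8} {f.package} {f.version} {f.advisory}")
    raise SystemExit(1 if gate(found) else 0)
```

Pipe the saved output of `dotnet restore` into `parse_audit_warnings` and fail the pipeline on `gate`, which does not depend on anything the IDE displays.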

@Nigusu-Allehu
Contributor

I was not able to reproduce the issue. I closed VS and opened the solution again, however, I was still able to see the vulnerability warning without having to build the project.
image
However, I have noticed that deleting the obj and bin folders of the project makes the warning disappear. Visual Studio restores automatically, and these folders are created again. However, the warning does not appear again. Rebuilding brings the warning back again.

@Nigusu-Allehu Nigusu-Allehu added Functionality:Restore Area:ErrorHandling warnings and errors/log messages & related error codes. and removed Triage:Untriaged labels Apr 10, 2024
@v-luzh
Author

v-luzh commented Apr 11, 2024

The warning didn't show (no flash) when reloading the solution (as in the screenshot I provided above) on Main\34810.77 + NuGet Client Dev\6.11.0.17. I didn't delete any folder while reproducing the bug.

@Nigusu-Allehu
Contributor

Nigusu-Allehu commented Apr 12, 2024

I have tried it again on VS Version 17.11.0 [34810.77.main] and I followed these steps:

  1. Install VS Version 17.11.0 [34810.77.main]
  2. Create a Console App
  3. Install Newtonsoft.Json 12.0.1 from the PMUI
  4. Save the project.
  5. Close VS
  6. Open VS again and open the solution again

As expected, I was able to see the vulnerability warning. Please let me know if I missed a step. Otherwise, it would be great if you would be able to provide us with a recording of the issue occurring to help us identify the issue. Thank you!

@Nigusu-Allehu Nigusu-Allehu removed their assignment Apr 12, 2024
@v-luzh
Author

v-luzh commented Apr 15, 2024

@Nigusu-Allehu, did you install the latest NuGet Client from the Dev branch on top of VS 34810.77.main? Your repro steps are correct; the only difference on our side is installing the NuGet Client from the Dev branch on top of VS in your step 1. I attached the video for your investigation.

Note: the operation becomes very slow when I use the recorder, so I started recording from my step 6 to keep the video small enough to upload.
NoWarningWhenReloading

@nkolev92
Member

nkolev92 commented Apr 15, 2024

Might be related to https://devdiv.visualstudio.com/DevDiv/_git/VS/pullrequest/543238

There's a chance that this won't repro with newer builds (Thursday and later).

Can you try reproing with the latest build?

@nkolev92 nkolev92 added the WaitingForCustomer Applied when a NuGet triage person needs more info from the OP label Apr 15, 2024
@v-luzh
Author

v-luzh commented Apr 17, 2024

Hi @nkolev92, we can repro it on the latest build (VS Main\34816.200 + NuGet Client Dev\6.11.0.26). Nothing shows in the Error List window when reloading the solution, as in the screenshot below.

Note: When you reload the solution, please watch the Error List window. On the first reload after installing a vulnerable package, the vulnerability warning flashes for a second and then disappears automatically. On the second reload, the vulnerability warning does not flash; it disappears directly.
image

@v-luzh v-luzh removed the WaitingForCustomer Applied when a NuGet triage person needs more info from the OP label Apr 17, 2024
@dotnet-policy-service dotnet-policy-service bot added the WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. label Apr 17, 2024
@jebriede
Contributor

I'm not able to repro this. I followed the repro steps on VS Version 17.11.0 Preview 1.0 [34816.266.main] and using the latest NuGet.Client from the dev branch:

  • Installed Newtonsoft.Json 12.0.1 from nuget.org using the PMUI in VS
  • Note: At this step, I see the warning in the Error List. It does not disappear. It stays there.
  • Save the project.
  • Close VS
  • Open VS and load the solution.
  • After a bit of a delay, once the solution is fully loaded and the restore finishes, I see the warning in the Error list and it does not go away. Here's a screenshot:
    image

One thing worth noting is that the Info Bar in the Solution Explorer shows up before the warning shows up in the Error List. In my repro, the delay was significant: it was about 10+ seconds before the warning showed up. But once it showed up, it did not disappear.

I also tried closing the solution (without closing VS) and loading the solution again and the warning showed up immediately in the Error List and did not disappear. I tried repro'ing with a new project first and then tried with an existing console app project. In both cases, the warning shows up in the error list and does not disappear.

Can you help me identify if I did anything differently than you did? Maybe you can point us at a machine with a repro offline or any additional details about the setup?

@dotnet-policy-service dotnet-policy-service bot added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Apr 20, 2024
@v-luzh
Author

v-luzh commented Apr 22, 2024

Hi @jebriede, we can repro it on Main\34917.97 with NuGet Client Dev\6.11.0.27 installed. The steps are the same as the ones you mentioned:

  • Installed Newtonsoft.Json 12.0.1 from nuget.org using the PMUI in VS.
  • Note: At this step, I see the warning in the Error List. It does not disappear. It stays there.
  • Save the project.
  • Close VS.
  • Open VS and load the solution.
  • After a bit of a delay, once the solution is fully loaded and the restore finishes, the warning showed for less than half a second and went away.

My repro machine: 172.16.195.27. Note: I have granted you access to the machine.

@dotnet-policy-service dotnet-policy-service bot added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Apr 22, 2024
@jgonz120

I followed those instructions and was unable to get it to reproduce. I'm on VS 17.11.0 Preview 1.0 [34822.286.main].
image

@dotnet-policy-service dotnet-policy-service bot added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Apr 23, 2024
@v-luzh
Author

v-luzh commented Apr 24, 2024

Hi @jebriede @jgonz120 @Nigusu-Allehu, we can still repro it in VS Main\34823.189 with NuGet Client Dev\6.11.0.28 installed (on a VM). But it didn't repro in VS Main\34823.184 with the implicit NuGet Client Dev\6.11.0.27 (on a physical machine). Did you not repro on a physical machine?

@v-luzh v-luzh added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Apr 24, 2024
@jgonz120

I tried it on my DevBox VM; I just updated to the latest version of VS and am still unable to reproduce.

@dotnet-policy-service dotnet-policy-service bot added WaitingForCustomer Applied when a NuGet triage person needs more info from the OP and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Apr 24, 2024