
NuGetAudit should not download vulnerabilities database when project does not use any packages #13073

Closed
zivkan opened this issue Dec 7, 2023 · 2 comments · Fixed by NuGet/NuGet.Client#5538
Assignees
Labels
Area:HttpCommunication Area:NuGetAudit Functionality:Restore Priority:1 High priority issues that must be resolved in the current sprint. Type:DCR Design Change Request
Milestone

Comments

@zivkan
Member

zivkan commented Dec 7, 2023

NuGet Product(s) Affected

NuGet.exe, MSBuild.exe, dotnet.exe

Current Behavior

As the title says, NuGetAudit downloads the vulnerabilities database, even when there are no packages to check.

The "easiest" way to validate is to open a CLI shell, set the environment variable http_proxy to http://localhost:12345/ (make sure there isn't a real HTTP proxy running on this port), then do dotnet new console. Note, if you ran a restore more recently than 30 minutes ago, you might need to run dotnet nuget locals http-cache --clear, to ensure that the cached vulnerabilities aren't used.

Desired Behavior

The scenario described above should not fail. In other words, when there are no packages, NuGetAudit should "skip" itself, and avoid making HTTP requests.

Additional Context

No response
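The dead-proxy repro above, scripted as an added example (not part of the issue or of NuGet's own code): it clears the HTTP cache, runs dotnet new console with http_proxy pointed at an unused port, and classifies the restore output so the result can be checked before and after a fix. The port number and the output-matching strings are taken from the report; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: verifies whether restore of a package-less project reaches
# the network. Assumes the dotnet SDK is installed and that nothing listens
# on the constructed proxy port below.
set -u

# Constructed value: a port with no listener, so any HTTP attempt fails fast.
DEAD_PROXY_PORT=12345

# Classifies captured restore output.
#   network  - restore tried to contact a package source (the bug)
#   offline  - restore succeeded without a source (the desired behaviour)
#   failed   - restore failed for some other reason
#   unknown  - nothing recognisable in the output
classify_restore_output() {
    case "$1" in
        *"Unable to load the service index"*) echo network ;;
        *"Restore failed"*)                   echo failed ;;
        *"Restore succeeded"*|*"Restored "*)  echo offline ;;
        *)                                    echo unknown ;;
    esac
}

# Runs the repro from the report in a scratch directory and prints the
# classification. Both proxy variable spellings are set to cover either lookup.
run_audit_network_check() {
    dir=$(mktemp -d)
    dotnet nuget locals http-cache --clear >/dev/null 2>&1
    out=$(cd "$dir" && \
          http_proxy="http://localhost:$DEAD_PROXY_PORT/" \
          HTTP_PROXY="http://localhost:$DEAD_PROXY_PORT/" \
          dotnet new console -o app 2>&1)
    rm -rf "$dir"
    classify_restore_output "$out"
}

# Only perform the live check when asked; sourcing the file stays side-effect free.
if [ "${1:-}" = "--run" ]; then
    run_audit_network_check
fi
```

Run with `sh check.sh --run`; "network" reproduces the report, "offline" is the expected result once NuGetAudit skips itself for a project without packages.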

@dtivel
Contributor

dtivel commented Dec 7, 2023

Another repro using Docker:

docker run -it mcr.microsoft.com/cbl-mariner/base/core:2.0 bash
tdnf install dotnet-sdk-8.0 -y
dotnet new console -o test

Result

The template "Console App" was created successfully.

Processing post-creation actions...
Restoring /test/test.csproj:
  Determining projects to restore...
/usr/share/dotnet/sdk/8.0.100/NuGet.targets(156,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [/test/test.csproj]
/usr/share/dotnet/sdk/8.0.100/NuGet.targets(156,5): error :   The SSL connection could not be established, see inner exception. [/test/test.csproj]
/usr/share/dotnet/sdk/8.0.100/NuGet.targets(156,5): error :   The remote certificate is invalid because of errors in the certificate chain: UntrustedRoot [/test/test.csproj]
Restore failed.
Post action failed.
Manual instructions: Run 'dotnet restore'

When dotnet/runtime#96874 is fixed, you may need to uninstall ca-certificates first:

tdnf remove ca-certificates

Workaround

Create a file named Directory.Build.props in the root directory with the following content:

<Project>
  <PropertyGroup>
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>
</Project>

@nkolev92 nkolev92 added Area:NuGetAudit Priority:1 High priority issues that must be resolved in the current sprint. labels Dec 11, 2023
@nkolev92
Member

Team Triage: We should try to fix this in 17.9/6.9.

@zivkan let us know if you have capacity, if not we can try to find someone with more time.
