NU1903 is logged twice

[ViktorHofer]

C:\Users\vihofer\Downloads\testapp>..\dotnet-sdk-9.0.100-preview.7.24358.3-win-x64\dotnet.exe build
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
  testapp succeeded with 2 warning(s) (0.3s) → bin\Debug\netstandard1.6\testapp.dll
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

I assume the warning is logged both during restore and during the build target.

[dotnet-policy-service]

Issue is missing Type label, remember to add a Type label

[nkolev92]

For hotseat:

• Does this happen every time?
• Does this happen with dotnet restore or with dotnet build only?
• What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

[ViktorHofer]

This happens when doing a dotnet build which implicitly and incrementally performs a restore. It doesn't happen when only doing a dotnet restore as then, only the Restore target is called, but not the Build target.

Here's a sample:

app.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard1.6</TargetFramework>
  </PropertyGroup>

</Project>

Invoke dotnet build on it (with a nightly P7 SDK -> https://github.com/dotnet/sdk/blob/main/documentation/package-table.md) and you will see the warning logged twice.

[nkolev92]

I'm guessing the 2nd warning is somehow replayed by the SDK then? Might be an SDK bug.

[donnie-msft]

For hotseat:

• Does this happen every time?
• Does this happen with dotnet restore or with dotnet build only?
• What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

1. Yes, everytime with dotnet build
2. No, dotnet restore only reports the error once
3. No, nuget.exe restore does not show any vulnerability warnings. msbuild /t:restore only shows 1 warning.

[donnie-msft]

I also reproduced this with .NET SDK 8.0.400-preview.0.24324.5

[nkolev92]

Team Triage: Since the replaying of the warnings is happening at build time as confirmed by both Donie and Viktor, we'll move this to the .NET SDK.