-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability checking in PC restore #13154
Conversation
The configuration knobs for packages.config restore auditing functionality will be NuGet.config based. | ||
In particular, there will be 2 new configuration keys: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree with this.
Firstly, as you already listed in the unanswered questions section, should PackageReference projects use this config?
Secondly, from a customer point of view, it means they'll have to duplicate the config (when not using defaults), and will have (at least) two places to update when changing values. This will have even higher impact when suppressing specific advisories is implemented, as that feature will have to design a packages.config specific alternative, and customers may need to duplicate the suppressions.
packages.config already reads MSBuild properties for lock files, so configuring and using lock files is the same, regardless if the project uses packages.config or PackageReference. I think NuGetAudit for packages.config should be the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usage of packages.config lock is minimal, so I'm not sure it's necessarily a well established pattern.
Maybe we make the nuget.config apply to everything?
I'm also wondering if the technical overhead of adding individual project support in packages.config is worth it in V1 of the feature.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fwiw, I'll schedule a meeting to discuss this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there any technical or feasibility issues with using the same pattern we've established earlier w/ MSBuild properties?
I like re-using the same pattern if possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My argument is that it's not a pattern we've adopted for packages.config projects.
Technically, they're both feasible, but for packages.config projects using MSBuild property is not really a thing like it is in PackageReference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In VS, we have the Vulnerability InfoBar that appears directing customers to the PM UI.
Wondering if we need to ensure customers are aware this feature has become enabled for their packages.config projects. Is VS' "What's New" page enough?
Scenario: a legacy project has been used internally for years with a vulnerable package. Suddenly, VS vNext begins showing errors/infobars popping up, despite no change in vulnerabilities. As a customer, would it be obvious this is a new feature lighting up, or would it appear as a new vulnerability in my project and cost me time verifying and potentially raising false alarms in my org?
Co-authored-by: Donnie Goodson <49205731+donnie-msft@users.noreply.github.com>
Thanks for the comments @donnie-msft
I think this is something we should figure out in general for new features. I think we can do that separately from this particular feature and not block on the spec. |
Sure, feel free. Not aware of anyone else asking this question. It is just a thought I had reading the spec. FYI, I'm not blocking on this spec (hence I didn't use the Changes Requested state). It's probably fine to call out that we expect customers to see What's New or we're just not concerned with any jarring effects caused by lighting it up at this time. EDIT: this comment highlights the "no new warnings for minor releases" idea. Wonder how that applies to this spec. |
|
||
## Unresolved Questions | ||
|
||
- Should we use MSBuild properties instead? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
## Unresolved Questions | ||
|
||
- Should we use MSBuild properties instead? | ||
- Should the NuGet.config configuration *affect* the PackageReference defaults as well? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I like the idea of nuget.config config being introduced here nor affecting PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It covers the in depth thought process.
Let me know what you think.
| auditLevelForPackagesConfig | Critical, high, moderate, low | Configures the default audit level for NuGet audit for packages config projects | If not specified, the default will be `low` | | ||
|
||
The audit functionality for packages.config restore will be enabled by default. | ||
To disable it, one can specify a property in the config section of the configuration file. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might get confusing between having this and also a MSBuild property.
Is the rationale here that this would be used for legacy project system?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have places where we have duplicate configurations, one via nuget.config and another one via property. The property tends to override the nuget.config value.
The reasoning here is that in packages.config world, for those customers, nuget.config makes more sense.
TLDR from the meeting:
|
Design for #12307