Enable NuGet audit on all builds (#3713)

Author: paulmedynski

NuGet.config

@@ -4,8 +4,4 @@
     <clear />
     <add key="sqlclient" value="https://sqlclientdrivers.pkgs.visualstudio.com/public/_packaging/sqlclient/nuget/v3/index.json" />
   </packageSources>
-  <auditSources>
-    <clear />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
-  </auditSources>
 </configuration>

eng/pipelines/common/templates/jobs/build-signed-package-job.yml

@@ -51,6 +51,7 @@ jobs:
   - template: ../steps/generate-nuget-package-step.yml@self
     parameters:
       OutputDirectory: $(artifactDirectory)
+      installNuget: false
 
   - template: ../steps/esrp-code-signing-step.yml@self
     parameters:

eng/pipelines/steps/compound-nuget-pack-step.yml

@@ -27,10 +27,26 @@ parameters:
           - Project
 
 steps:
-    - task: NuGetToolInstaller@1
-      displayName: 'Install Latest Nuget'
-      inputs:
-          checkLatest: true
+    # This tool is failing on OneBranch pipelines, possibly due to new
+    # network isolation rules:
+    #
+    #   ERR:Client network socket disconnected before secure TLS connection was established
+    #
+    # Our AKV Official build uses this 1ES image:
+    #
+    #   Image: 1ES-OB-2022-D8-Netlock-V2_westus2_1_image
+    #
+    # An ICM for this issue exists:
+    #
+    #   https://portal.microsofticm.com/imp/v5/incidents/details/690355343/summary
+    #
+    # Recommendation is to remove this step since NuGet is already present on
+    # the 1ES images.
+    #
+    # - task: NuGetToolInstaller@1
+    #   displayName: 'Install Latest Nuget'
+    #   inputs:
+    #       checkLatest: true
 
     - ${{ if parameters.generateSymbolsPackage }}:
           - task: NuGetCommand@2

src/Directory.Build.props

@@ -62,27 +62,54 @@
     <NuGetRoot Condition="'$(NuGetRoot)' == ''">$(RepoRoot).nuget\</NuGetRoot>
     <NuGetCmd>$(NuGetRoot)nuget.exe</NuGetCmd>
     <!-- Respect environment variable for the .NET install directory if set; otherwise, use the current default location -->
-    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904;NU1905</WarningsNotAsErrors>
     <BuildSimulator Condition="'$(BuildSimulator)' != 'true'">false</BuildSimulator>
   </PropertyGroup>
   <PropertyGroup Condition="'$(BuildSimulator)' == 'true'">
     <DefineConstants>$(DefineConstants);ENCLAVE_SIMULATOR</DefineConstants>
   </PropertyGroup>
 
   <!-- NuGet Audit Settings -->
-  <PropertyGroup Condition="'$(TF_BUILD)' == 'true'">
+  <PropertyGroup>
+    <!--
+      See the NuGet Audit documentation here:
+
+      https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
+    -->
+
     <!--
-      ADO does not support audit/vulnerability feeds, so the audit feed is specified (in
-      nuget.config) as nuget.org. OneBranch default network isolation does not allow connections
-      to nuget.org. To avoid this issue, we will disable auditing for official builds, but leave it
-      enabled for local builds.
-      @TODO: If/when auditing is enabled for central feeds services, this can be removed. 
+      We always want NuGet auditing enabled.  There are no build scenarios
+      where auditing should be disabled.
     -->
-    <NuGetAudit>false</NuGetAudit>
+    <NuGetAudit>true</NuGetAudit>
+
+    <!-- We want all dependencies audited. -->
+    <NuGetAuditMode>all</NuGetAuditMode>
+
+    <!-- We want all possible audit severity messages. -->
+    <NuGetAuditLevel>low</NuGetAuditLevel>
   </PropertyGroup>
+
+  <!-- Build Warning/Error Settings -->
   <PropertyGroup>
-    <NuGetAuditMode>all</NuGetAuditMode>
+    <!-- We treat all warnings as errors. -->
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+
+    <!--
+      There may be a few specific warnings that should _not_ be considered an
+      error.  This list should be used sparingly to avoid important warnings
+      being ignored.
+    -->
+    <WarningsNotAsErrors></WarningsNotAsErrors>
+
+    <!--
+      If a build is failing due to vulnerable dependencies, you may temporarily
+      uncomment the following line to treat the audit warnings as non-errors.
+      This should only be done as a temporary measure while addressing the
+      vulnerable dependencies.  See:
+
+      https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1901-nu1904
+    -->
+    <!-- <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors> -->
   </PropertyGroup>
 
   <!-- Packaging  for source link-->

src/Microsoft.Data.SqlClient/tests/Directory.Build.props

@@ -14,11 +14,6 @@
     <ReferenceType Condition="'$(ReferenceType)'==''">Project</ReferenceType>
   </PropertyGroup>
 
-  <!-- Audit Settings -->
-  <PropertyGroup>
-    <NuGetAudit>false</NuGetAudit>
-  </PropertyGroup>
-
   <!--These properties can be modified locally to target .NET version of choice to build and test entire test suite-->
   <PropertyGroup>
     <TargetNetFxVersion Condition="'$(TargetNetFxVersion)' == ''">net462</TargetNetFxVersion>

tools/GenAPI/Directory.Build.props

@@ -4,9 +4,4 @@
 
   <!-- Import parent Directory.build.props -->
   <Import Project="..\..\src\Directory.Build.props" />
-
-  <!-- Audit Settings -->
-  <PropertyGroup>
-    <NuGetAudit>false</NuGetAudit>
-  </PropertyGroup>
 </Project>