Skip to content

Enable proactive NuGet vulnerability auditing (gating) in PostSharp CI #67

Description

@gfraiteur

Follow-up to #39.

The dependency fix from #39 is done: the compiler now ships NuGet.Packaging 6.14.3 in dependencies.xml, so the NU1901 advisory no longer reaches user builds via the compiler host's DependencyRestore. That addressed the first ask of #39.

The second ask of #39 — enable proactive NuGet auditing in PostSharp''s own build pipeline so vulnerabilities surface in our CI rather than in customer builds — is still open.

Current state

  • NuGetAudit is on by default, so NU1901–NU1904 advisories appear as warnings in our build logs.
  • They are non-gating: nothing fails CI on a new advisory. The only TreatWarningsAsErrors is for Release-config compile warnings, which does not reliably promote NU19xx restore warnings.
  • Vulnerability auditing is therefore still a manual process (see Documentation/Package Vulnerability Audit.md). A future vulnerable dependency could again reach customers before we notice.

Proposed work

  1. Promote restore vulnerability warnings to errors for the shipped + fetched dependency graphs, e.g. <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors> (or MSBuildTreatWarningsAsErrors on restore) in a shared build props file.
  2. Exclude the internal-only PostSharp.Build.Tasks, which legitimately carries advisories with no available fix (SharpCompress — no patched release ≤0.47.4; Microsoft.Build.Utilities.Core — host-provided MSBuild). These should not gate CI.
  3. Decide the severity threshold (e.g. gate on High/Critical = NU1903/NU1904, warn on Low/Moderate) so that unfixable Low/Moderate advisories do not permanently block the build.
  4. Optionally add a scheduled CI audit (the .deps.proj / DependencyRestore graph is not covered by an ordinary project restore — see the audit doc) so newly published advisories against already-shipped versions are caught between releases.

Notes / open questions

  • A hard gate on all NU19xx would currently break the build because of the internal-tooling advisories above; the exclusion + severity threshold are required, not optional.
  • The DependencyRestore graph audit cannot rely on dotnet list package --vulnerable (custom RestoreOutputPath); it needs a dotnet restore + NU19xx scan, as documented.

-- Claude for Gael

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions