diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs index 9d3d79e4c4ff..699e06d273c8 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs @@ -95,9 +95,9 @@ private string GetRestoreArgs(RestoreSettings restoreSettings) args += " /p:EnableWindowsTargeting=true"; } - if (restoreSettings.ExtraArgs is not null) + if (restoreSettings.NugetSources is not null) { - args += $" {restoreSettings.ExtraArgs}"; + args += $" {restoreSettings.NugetSources}"; } return args; diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs index eec6a2b8d3b2..58d4f9b550b9 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs @@ -17,7 +17,7 @@ public interface IDotNet IList GetNugetFeedsFromFolder(string folderPath); } - public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? ExtraArgs = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false); + public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? NugetSources = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false); public partial record class RestoreResult(bool Success, IList Output) { diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs index b90b388e865c..e97b0b118c68 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs @@ -33,7 +33,7 @@ internal class NugetExeWrapper : IDisposable /// /// Create the package manager for a specified source tree. /// - public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger) + public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func useDefaultFeed) { this.fileProvider = fileProvider; this.packageDirectory = packageDirectory; @@ -43,7 +43,7 @@ public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDir { logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore"); nugetExe = ResolveNugetExe(); - if (HasNoPackageSource()) + if (HasNoPackageSource() && useDefaultFeed()) { // We only modify or add a top level nuget.config file nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config"); diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs index 1d01412ee051..39fabdc3d2ec 100644 --- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs +++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs @@ -27,8 +27,13 @@ internal sealed partial class NugetPackageRestorer : IDisposable private readonly IDiagnosticsWriter diagnosticsWriter; private readonly DependencyDirectory legacyPackageDirectory; private readonly DependencyDirectory missingPackageDirectory; + private readonly DependencyDirectory emptyPackageDirectory; private readonly ILogger logger; private readonly ICompilationInfoContainer compilationInfoContainer; + private readonly Lazy lazyCheckNugetFeedResponsiveness = new(() => EnvironmentVariables.GetBooleanOptOut(EnvironmentVariableNames.CheckNugetFeedResponsiveness)); + private bool CheckNugetFeedResponsiveness => lazyCheckNugetFeedResponsiveness.Value; + private HashSet PrivateRegistryFeeds => dependabotProxy?.RegistryURLs ?? []; + private bool HasPrivateRegistryFeeds => PrivateRegistryFeeds.Any(); public DependencyDirectory PackageDirectory { get; } @@ -52,6 +57,7 @@ public NugetPackageRestorer( PackageDirectory = new DependencyDirectory("packages", "package", logger); legacyPackageDirectory = new DependencyDirectory("legacypackages", "legacy package", logger); missingPackageDirectory = new DependencyDirectory("missingpackages", "missing package", logger); + emptyPackageDirectory = new DependencyDirectory("empty", "empty package", logger); } public string? TryRestore(string package) @@ -110,25 +116,53 @@ public DirectoryInfo[] GetOrderedPackageVersionSubDirectories(string packagePath public HashSet Restore() { var assemblyLookupLocations = new HashSet(); - var checkNugetFeedResponsiveness = EnvironmentVariables.GetBooleanOptOut(EnvironmentVariableNames.CheckNugetFeedResponsiveness); - logger.LogInfo($"Checking NuGet feed responsiveness: {checkNugetFeedResponsiveness}"); - compilationInfoContainer.CompilationInfos.Add(("NuGet feed responsiveness checked", checkNugetFeedResponsiveness ? "1" : "0")); + logger.LogInfo($"Checking NuGet feed responsiveness: {CheckNugetFeedResponsiveness}"); + compilationInfoContainer.CompilationInfos.Add(("NuGet feed responsiveness checked", CheckNugetFeedResponsiveness ? "1" : "0")); - HashSet? explicitFeeds = null; - HashSet? allFeeds = null; + HashSet explicitFeeds = []; + string? explicitNugetSources = null; try { - if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds, out allFeeds)) + // Find feeds that are configured in NuGet.config files and divide them into ones that + // are explicitly configured for the project or by a private registry, and "all feeds" + // (including inherited ones) from other locations on the host outside of the working directory. + (explicitFeeds, var allFeeds) = GetAllFeeds(); + + if (CheckNugetFeedResponsiveness) + { + var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet(); + + if (inheritedFeeds.Count > 0) + { + compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString())); + } + + if (!CheckSpecifiedFeeds(explicitFeeds, out var reachableFeeds)) + { + // If we experience a timeout, we use this fallback. + // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too. + var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds); + return unresponsiveMissingPackageLocation is null + ? [] + : [unresponsiveMissingPackageLocation]; + } + + // Inherited feeds should only be used, if they are indeed reachable (as they may be environment specific). + reachableFeeds.UnionWith(GetReachableNuGetFeeds(inheritedFeeds, isFallback: false, out var _)); + + // If feed responsiveness is being checked, we only want to use the feeds that are reachable (note this set includes private + // registry feeds if they are reachable). + explicitNugetSources = MakeRestoreSourcesArgument(reachableFeeds); + } + else if (HasPrivateRegistryFeeds) { - // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too. - var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds); - return unresponsiveMissingPackageLocation is null - ? [] - : [unresponsiveMissingPackageLocation]; + // If private registries are configured they need to be included as sources for the restore, which requires that + // they are provided as source arguments for the restore. The private registries are included in the `allFeeds` set. + explicitNugetSources = MakeRestoreSourcesArgument(allFeeds); } - using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger)) + using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger, IsDefaultFeedReachable)) { var count = nuget.InstallPackages(); @@ -167,9 +201,10 @@ public HashSet Restore() logger.LogError($"Failed to restore NuGet packages with nuget.exe: {exc.Message}"); } - var restoredProjects = RestoreSolutions(out var container); + // Restore project dependencies with `dotnet restore`. + var restoredProjects = RestoreSolutions(explicitNugetSources, out var container); var projects = fileProvider.Projects.Except(restoredProjects); - RestoreProjects(projects, allFeeds, out var containers); + RestoreProjects(projects, explicitNugetSources, out var containers); var dependencies = containers.Flatten(container); @@ -181,7 +216,7 @@ public HashSet Restore() var usedPackageNames = GetAllUsedPackageDirNames(dependencies); - var missingPackageLocation = checkNugetFeedResponsiveness + var missingPackageLocation = CheckNugetFeedResponsiveness ? DownloadMissingPackagesFromSpecificFeeds(usedPackageNames, explicitFeeds) : DownloadMissingPackages(usedPackageNames); @@ -192,6 +227,48 @@ public HashSet Restore() return assemblyLookupLocations; } + /// + /// Tests which of the feeds given by are reachable. + /// + /// The feeds to check. + /// Whether the feeds are fallback feeds or not. + /// Whether a timeout occurred while checking the feeds. + /// The list of feeds that could be reached. + private List GetReachableNuGetFeeds(HashSet feedsToCheck, bool isFallback, out bool isTimeout) + { + var fallbackStr = isFallback ? "fallback " : ""; + logger.LogInfo($"Checking {fallbackStr}NuGet feed reachability on feeds: {string.Join(", ", feedsToCheck.OrderBy(f => f))}"); + + var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback); + var timeout = false; + var reachableFeeds = feedsToCheck + .Where(feed => + { + var reachable = IsFeedReachable(feed, initialTimeout, tryCount, out var feedTimeout); + timeout |= feedTimeout; + return reachable; + }) + .ToList(); + + if (reachableFeeds.Count == 0) + { + logger.LogWarning($"No {fallbackStr}NuGet feeds are reachable."); + } + else + { + logger.LogInfo($"Reachable {fallbackStr}NuGet feeds: {string.Join(", ", reachableFeeds.OrderBy(f => f))}"); + } + + isTimeout = timeout; + return reachableFeeds; + } + + private bool IsDefaultFeedReachable() + { + var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false); + return IsFeedReachable(PublicNugetOrgFeed, initialTimeout, tryCount, out var _); + } + private List GetReachableFallbackNugetFeeds(HashSet? feedsFromNugetConfigs) { var fallbackFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.FallbackNugetFeeds).ToHashSet(); @@ -212,17 +289,7 @@ private List GetReachableFallbackNugetFeeds(HashSet? feedsFromNu } } - logger.LogInfo($"Checking fallback NuGet feed reachability on feeds: {string.Join(", ", fallbackFeeds.OrderBy(f => f))}"); - var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: true); - var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false)).ToList(); - if (reachableFallbackFeeds.Count == 0) - { - logger.LogWarning("No fallback NuGet feeds are reachable."); - } - else - { - logger.LogInfo($"Reachable fallback NuGet feeds: {string.Join(", ", reachableFallbackFeeds.OrderBy(f => f))}"); - } + var reachableFallbackFeeds = GetReachableNuGetFeeds(fallbackFeeds, isFallback: true, out var _); compilationInfoContainer.CompilationInfos.Add(("Reachable fallback NuGet feed count", reachableFallbackFeeds.Count.ToString())); @@ -237,7 +304,7 @@ private List GetReachableFallbackNugetFeeds(HashSet? feedsFromNu /// Populates dependencies with the relevant dependencies from the assets files generated by the restore. /// Returns a list of projects that are up to date with respect to restore. /// - private IEnumerable RestoreSolutions(out DependencyContainer dependencies) + private IEnumerable RestoreSolutions(string? nugetSources, out DependencyContainer dependencies) { var successCount = 0; var nugetSourceFailures = 0; @@ -248,7 +315,7 @@ private IEnumerable RestoreSolutions(out DependencyContainer dependencie var projects = fileProvider.Solutions.SelectMany(solution => { logger.LogInfo($"Restoring solution {solution}..."); - var res = dotnet.Restore(new(solution, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, TargetWindows: isWindows)); + var res = dotnet.Restore(new(solution, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, NugetSources: nugetSources, TargetWindows: isWindows)); if (res.Success) { successCount++; @@ -267,39 +334,34 @@ private IEnumerable RestoreSolutions(out DependencyContainer dependencie return projects; } + private string? MakeRestoreSourcesArgument(IEnumerable feeds) + { + // If there are no feeds, we want to override any default feeds that `dotnet restore` would use by passing a dummy source argument. + if (!feeds.Any()) + { + return $" -s \"{emptyPackageDirectory.DirInfo.FullName}\""; + } + + // Add package sources. If any are present, they override all sources specified in + // the configuration file(s). + var feedArgs = new StringBuilder(); + foreach (var feed in feeds) + { + feedArgs.Append($" -s {feed}"); + } + + return feedArgs.ToString(); + } + /// /// Executes `dotnet restore` on all projects in projects. /// This is done in parallel for performance reasons. /// Populates dependencies with the relative paths to the assets files generated by the restore. /// /// A list of paths to project files. - private void RestoreProjects(IEnumerable projects, HashSet? configuredSources, out ConcurrentBag dependencies) - { - // Conservatively, we only set this to a non-null value if a Dependabot proxy is enabled. - // This ensures that we continue to get the old behaviour where feeds are taken from - // `nuget.config` files instead of the command-line arguments. - string? extraArgs = null; - - if (this.dependabotProxy is not null) - { - // If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware - // of the private registry feeds. However, since providing them as command-line arguments - // to `dotnet` ignores other feeds that may be configured, we also need to add the feeds - // we have discovered from analysing `nuget.config` files. - var sources = configuredSources ?? new(); - this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url)); - - // Add package sources. If any are present, they override all sources specified in - // the configuration file(s). - var feedArgs = new StringBuilder(); - foreach (string source in sources) - { - feedArgs.Append($" -s {source}"); - } - - extraArgs = feedArgs.ToString(); - } - + /// The explicit restore sources argument. + private void RestoreProjects(IEnumerable projects, string? explicitRestoreSources, out ConcurrentBag dependencies) + { var successCount = 0; var nugetSourceFailures = 0; ConcurrentBag collectedDependencies = []; @@ -314,7 +376,7 @@ private void RestoreProjects(IEnumerable projects, HashSet? conf foreach (var project in projectGroup) { logger.LogInfo($"Restoring project {project}..."); - var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, extraArgs, TargetWindows: isWindows)); + var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, NugetSources: explicitRestoreSources, TargetWindows: isWindows)); assets.AddDependenciesRange(res.AssetsFilePaths); lock (sync) { @@ -623,28 +685,22 @@ private void TryChangeProjectFile(DirectoryInfo projectDir, Regex pattern, strin } } - private static async Task ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken) + private static async Task ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken) { - using var stream = await httpClient.GetStreamAsync(address, cancellationToken); - var buffer = new byte[1024]; - int bytesRead; - while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) > 0) - { - // do nothing - } + return await httpClient.GetAsync(address, cancellationToken); } - private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, bool allowExceptions = true) + private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, out bool isTimeout) { logger.LogInfo($"Checking if NuGet feed '{feed}' is reachable..."); // Configure the HttpClient to be aware of the Dependabot Proxy, if used. HttpClientHandler httpClientHandler = new(); - if (this.dependabotProxy != null) + if (dependabotProxy != null) { - httpClientHandler.Proxy = new WebProxy(this.dependabotProxy.Address); + httpClientHandler.Proxy = new WebProxy(dependabotProxy.Address); - if (this.dependabotProxy.Certificate != null) + if (dependabotProxy.Certificate != null) { httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, _) => { @@ -659,7 +715,7 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, return false; } chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; - chain.ChainPolicy.CustomTrustStore.Add(this.dependabotProxy.Certificate); + chain.ChainPolicy.CustomTrustStore.Add(dependabotProxy.Certificate); return chain.Build(cert); }; } @@ -667,13 +723,17 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, using HttpClient client = new(httpClientHandler); + isTimeout = false; + for (var i = 0; i < tryCount; i++) { using var cts = new CancellationTokenSource(); cts.CancelAfter(timeoutMilliSeconds); try { - ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult(); + logger.LogInfo($"Attempt {i + 1}/{tryCount} to reach NuGet feed '{feed}'."); + var response = ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult(); + response.EnsureSuccessStatusCode(); logger.LogInfo($"Querying NuGet feed '{feed}' succeeded."); return true; } @@ -688,14 +748,13 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, continue; } - // We're only interested in timeouts. - var start = allowExceptions ? "Considering" : "Not considering"; - logger.LogInfo($"Querying NuGet feed '{feed}' failed in a timely manner. {start} the feed for use. The reason for the failure: {exc.Message}"); - return allowExceptions; + logger.LogInfo($"Querying NuGet feed '{feed}' failed. The reason for the failure: {exc.Message}"); + return false; } } logger.LogWarning($"Didn't receive answer from NuGet feed '{feed}'. Tried it {tryCount} times."); + isTimeout = true; return false; } @@ -719,53 +778,60 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, } /// - /// Checks that we can connect to all NuGet feeds that are explicitly configured in configuration files - /// as well as any private package registry feeds that are configured. + /// Retrieves a list of excluded NuGet feeds from the corresponding environment variable. /// - /// Outputs the set of explicit feeds. - /// Outputs the set of all feeds (explicit and inherited). - /// True if all feeds are reachable or false otherwise. - private bool CheckFeeds(out HashSet explicitFeeds, out HashSet allFeeds) + private HashSet GetExcludedFeeds() { - (explicitFeeds, allFeeds) = GetAllFeeds(); - HashSet feedsToCheck = explicitFeeds; - - // If private package registries are configured for C#, then check those - // in addition to the ones that are configured in `nuget.config` files. - this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url)); - - var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck); + var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck) + .ToHashSet(); - var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet(); - if (inheritedFeeds.Count > 0) + if (excludedFeeds.Count > 0) { - logger.LogInfo($"Inherited NuGet feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}"); - compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString())); + logger.LogInfo($"Excluded NuGet feeds from responsiveness check: {string.Join(", ", excludedFeeds.OrderBy(f => f))}"); } - return allFeedsReachable; + return excludedFeeds; } /// /// Checks that we can connect to the specified NuGet feeds. /// /// The set of package feeds to check. - /// True if all feeds are reachable or false otherwise. - private bool CheckSpecifiedFeeds(HashSet feeds) + /// The list of feeds that were reachable. + /// + /// True if there is no timeout when trying to reach the feeds (excluding any feeds that are configured + /// to be excluded from the check) or false otherwise. + /// + private bool CheckSpecifiedFeeds(HashSet feeds, out HashSet reachableFeeds) { - logger.LogInfo("Checking that NuGet feeds are reachable..."); - - var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck) - .ToHashSet(); + // Exclude any feeds from the feed check that are configured by the corresponding environment variable. + // These feeds are always assumed to be reachable. + var excludedFeeds = GetExcludedFeeds(); - if (excludedFeeds.Count > 0) + HashSet feedsToCheck = feeds.Where(feed => { - logger.LogInfo($"Excluded NuGet feeds from responsiveness check: {string.Join(", ", excludedFeeds.OrderBy(f => f))}"); - } + if (excludedFeeds.Contains(feed)) + { + logger.LogInfo($"Not checking reachability of NuGet feed '{feed}' as it is in the list of excluded feeds."); + return false; + } + return true; + }).ToHashSet(); - var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false); + reachableFeeds = GetReachableNuGetFeeds(feedsToCheck, isFallback: false, out var isTimeout).ToHashSet(); + + var noTimeout = !isTimeout; + EmitUnreachableFeedsDiagnostics(noTimeout); + return noTimeout; + } - var allFeedsReachable = feeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount)); + /// + /// If is `false`, logs this and emits a diagnostic. + /// Adds a `CompilationInfos` entry either way. + /// + /// Whether all feeds were reachable or not. + private void EmitUnreachableFeedsDiagnostics(bool allFeedsReachable) + { if (!allFeedsReachable) { logger.LogWarning("Found unreachable NuGet feed in C# analysis with build-mode 'none'. This may cause missing dependencies in the analysis."); @@ -779,8 +845,6 @@ private bool CheckSpecifiedFeeds(HashSet feeds) )); } compilationInfoContainer.CompilationInfos.Add(("All NuGet feeds reachable", allFeedsReachable ? "1" : "0")); - - return allFeedsReachable; } private IEnumerable GetFeeds(Func> getNugetFeeds) @@ -828,11 +892,11 @@ private IEnumerable GetFeeds(Func> getNugetFeeds) if (invalidNugetConfigs.Count() > 0) { - this.logger.LogWarning(string.Format( + logger.LogWarning(string.Format( "Found incorrectly named NuGet configuration files: {0}", string.Join(", ", invalidNugetConfigs) )); - this.diagnosticsWriter.AddEntry(new DiagnosticMessage( + diagnosticsWriter.AddEntry(new DiagnosticMessage( Language.CSharp, "buildless/case-sensitive-nuget-config", "Found NuGet configuration files which are not correctly named", @@ -864,13 +928,23 @@ private IEnumerable GetFeeds(Func> getNugetFeeds) logger.LogDebug("No NuGet feeds found in nuget.config files."); } - // todo: this could be improved. - HashSet? allFeeds = null; + // If private package registries are configured for C#, then consider those + // in addition to the ones that are configured in `nuget.config` files. + if (HasPrivateRegistryFeeds) + { + logger.LogInfo($"Found {PrivateRegistryFeeds.Count} private registry feeds configured for C#: {string.Join(", ", PrivateRegistryFeeds.OrderBy(f => f))}"); + explicitFeeds.UnionWith(PrivateRegistryFeeds); + } + + HashSet allFeeds = []; + + // Add all explicitFeeds to the set of all feeds. + allFeeds.UnionWith(explicitFeeds); if (nugetConfigs.Count > 0) { // We don't have to get the feeds from each of the folders from below, it would be enought to check the folders that recursively contain the others. - allFeeds = nugetConfigs + var nugetConfigFeeds = nugetConfigs .Select(config => { try @@ -887,18 +961,13 @@ private IEnumerable GetFeeds(Func> getNugetFeeds) .SelectMany(folder => GetFeeds(() => dotnet.GetNugetFeedsFromFolder(folder!))) .ToHashSet(); - // If we have discovered any explicit feeds, then we also expect these to be in the set of all feeds. - // Normally, it is a safe assumption to make that `GetNugetFeedsFromFolder` will include the feeds configured - // in a NuGet configuration file in the given directory. There is one exception: on a system with case-sensitive - // file systems, we may discover a configuration file such as `Nuget.Config` which is not recognised by `dotnet nuget`. - // In that case, our call to `GetNugetFeeds` will retrieve the feeds from that file (because it is accepted when - // provided explicitly as `--configfile` argument), but the call to `GetNugetFeedsFromFolder` will not. - allFeeds.UnionWith(explicitFeeds); + allFeeds.UnionWith(nugetConfigFeeds); } else { // If we haven't found any `nuget.config` files, then obtain a list of feeds from the root source directory. - allFeeds = GetFeeds(() => dotnet.GetNugetFeedsFromFolder(this.fileProvider.SourceDir.FullName)).ToHashSet(); + var nugetFeedsFromRoot = GetFeeds(() => dotnet.GetNugetFeedsFromFolder(fileProvider.SourceDir.FullName)); + allFeeds.UnionWith(nugetFeedsFromRoot); } logger.LogInfo($"Found {allFeeds.Count} NuGet feeds (with inherited ones) in nuget.config files: {string.Join(", ", allFeeds.OrderBy(f => f))}"); @@ -923,6 +992,7 @@ public void Dispose() PackageDirectory?.Dispose(); legacyPackageDirectory?.Dispose(); missingPackageDirectory?.Dispose(); + emptyPackageDirectory?.Dispose(); } /// diff --git a/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md new file mode 100644 index 000000000000..6247527b3372 --- /dev/null +++ b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md @@ -0,0 +1,4 @@ +--- +category: majorAnalysis +--- +* When resolving dependencies in `build-mode: none`, `dotnet restore` now always receives the NuGet feeds configured in `nuget.config` (if reachable) and any private registries directly, improving reliability when default feeds are unavailable or restricted.