From cb58a2ae81a30d5052cf98e9d186a7ae590de69c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:03:32 +0000
Subject: [PATCH 1/3] Initial plan


From 12388f458521c86ca39b68207b7a917145985bac Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 20:11:49 +0000
Subject: [PATCH 2/3] Fix NuGetAuditSuppress with packages.config only applying
 first suppression

Co-authored-by: nkolev92 <2878341+nkolev92@users.noreply.github.com>
Agent-Logs-Url: https://github.com/NuGet/NuGet.Client/sessions/95c933f0-4368-4fdd-8e07-f072331801a7
---
 .../NuGet.SolutionRestoreManager/SolutionRestoreJob.cs |  2 +-
 .../NuGetEndToEndTests/NuGetAuditTests.cs              | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs b/src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs
index a952f18f3cf..d0e40ed50dc 100644
--- a/src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs
+++ b/src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs
@@ -803,7 +803,7 @@ static HashSet<string> GetSuppressions(VsMSBuildNuGetProject msbuildProject)
                     var suppressions = new HashSet<string>(items.Count, StringComparer.Ordinal);
                     for (int i = 0; i < items.Count; i++)
                     {
-                        suppressions.Add(items[0].id);
+                        suppressions.Add(items[i].id);
                     }
                     return suppressions;
                 }
diff --git a/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs b/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
index dbb667473bc..5f9804d5d16 100644
--- a/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
+++ b/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
@@ -27,18 +27,19 @@ public class NuGetAuditTests : SharedVisualStudioHostTestClass
         [Timeout(DefaultTimeout)]
         public async Task PackagesConfig_SuppressAdvisory()
         {
-            // 1. Create Directory.Build.props with suppression for package.A cve1
-            // 2. Create mock server with package.A with cve1 and cve2
+            // 1. Create Directory.Build.props with suppression for package.A cve1 and cve2
+            // 2. Create mock server with package.A with cve1, cve2, and cve3
             // 3. Add mock server to nuget.config
             // 3. Create packages.config project
             // 4. Install package.A
-            // 5. check error list to see if only cve2 is listed
+            // 5. check error list to see if only cve3 is listed
 
             // Arrange
             SimpleTestPathContext testPathContext = new();
             var dbpContents = @"<Project>
     <ItemGroup>
         <NuGetAuditSuppress Include=""https://cve.test/1"" />
+        <NuGetAuditSuppress Include=""https://cve.test/2"" />
     </ItemGroup>
 </Project>";
             File.WriteAllText(Path.Combine(testPathContext.SolutionRoot, "Directory.Build.props"), dbpContents);
@@ -48,6 +49,7 @@ public async Task PackagesConfig_SuppressAdvisory()
             {
                 (new Uri("https://cve.test/1"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
                 (new Uri("https://cve.test/2"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
+                (new Uri("https://cve.test/3"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
             });
 
             await CommonUtility.CreatePackageInSourceAsync(testPathContext.PackageSource, TestPackageName, TestPackageVersionV1);
@@ -71,7 +73,7 @@ public async Task PackagesConfig_SuppressAdvisory()
 
             var errors = VisualStudio.ObjectModel.Shell.ToolWindows.ErrorList.AllItems.Select(i => i.Description).ToList();
             errors.Where(msg => msg.Contains(TestPackageName)).Should().ContainSingle();
-            errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/2");
+            errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/3");
         }
     }
 }

From 00142c9e8715243aa4fed56e1fa5a8197b19de3b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 21:26:21 +0000
Subject: [PATCH 3/3] Fix duplicate comment numbering in NuGetAuditTests

Co-authored-by: nkolev92 <2878341+nkolev92@users.noreply.github.com>
Agent-Logs-Url: https://github.com/NuGet/NuGet.Client/sessions/88d61e75-2636-48c9-bd67-ba44e3f3160f
---
 .../NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs b/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
index 5f9804d5d16..d90036a2a90 100644
--- a/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
+++ b/test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
@@ -30,9 +30,9 @@ public async Task PackagesConfig_SuppressAdvisory()
             // 1. Create Directory.Build.props with suppression for package.A cve1 and cve2
             // 2. Create mock server with package.A with cve1, cve2, and cve3
             // 3. Add mock server to nuget.config
-            // 3. Create packages.config project
-            // 4. Install package.A
-            // 5. check error list to see if only cve3 is listed
+            // 4. Create packages.config project
+            // 5. Install package.A
+            // 6. check error list to see if only cve3 is listed
 
             // Arrange
             SimpleTestPathContext testPathContext = new();