Skip to content

Fix <NuGetAuditSuppress> with packages.config ignoring all suppressions after the first #7234

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nkolev92 merged 3 commits into from
Mar 27, 2026
+9 −7
Merged

Fix <NuGetAuditSuppress> with packages.config ignoring all suppressions after the first #7234

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cb58a2a
Initial plan
Copilot Mar 25, 2026
12388f4
Fix NuGetAuditSuppress with packages.config only applying first suppr…
Copilot Mar 25, 2026
00142c9
Fix duplicate comment numbering in NuGetAuditTests
Copilot Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -803,7 +803,7 @@ static HashSet<string> GetSuppressions(VsMSBuildNuGetProject msbuildProject)
var suppressions = new HashSet<string>(items.Count, StringComparer.Ordinal);
for (int i = 0; i < items.Count; i++)
{
suppressions.Add(items[0].id);
suppressions.Add(items[i].id);
}
return suppressions;
}
Expand Down
14 changes: 8 additions & 6 deletions test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,18 +27,19 @@ public class NuGetAuditTests : SharedVisualStudioHostTestClass
[Timeout(DefaultTimeout)]
public async Task PackagesConfig_SuppressAdvisory()
{
// 1. Create Directory.Build.props with suppression for package.A cve1
// 2. Create mock server with package.A with cve1 and cve2
// 1. Create Directory.Build.props with suppression for package.A cve1 and cve2
// 2. Create mock server with package.A with cve1, cve2, and cve3
// 3. Add mock server to nuget.config
// 3. Create packages.config project
// 4. Install package.A
// 5. check error list to see if only cve2 is listed
// 4. Create packages.config project
// 5. Install package.A
// 6. check error list to see if only cve3 is listed

// Arrange
SimpleTestPathContext testPathContext = new();
var dbpContents = @"<Project>
<ItemGroup>
<NuGetAuditSuppress Include=""https://cve.test/1"" />
<NuGetAuditSuppress Include=""https://cve.test/2"" />
</ItemGroup>
</Project>";
File.WriteAllText(Path.Combine(testPathContext.SolutionRoot, "Directory.Build.props"), dbpContents);
Expand All @@ -48,6 +49,7 @@ public async Task PackagesConfig_SuppressAdvisory()
{
(new Uri("https://cve.test/1"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
(new Uri("https://cve.test/2"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
(new Uri("https://cve.test/3"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
});

await CommonUtility.CreatePackageInSourceAsync(testPathContext.PackageSource, TestPackageName, TestPackageVersionV1);
Expand All @@ -71,7 +73,7 @@ public async Task PackagesConfig_SuppressAdvisory()

var errors = VisualStudio.ObjectModel.Shell.ToolWindows.ErrorList.AllItems.Select(i => i.Description).ToList();
errors.Where(msg => msg.Contains(TestPackageName)).Should().ContainSingle();
errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/2");
errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/3");
}
}
}
Loading