Fix NuGetAuditSuppress with packages.config only applying first suppression

Co-authored-by: nkolev92 <[email protected]>
Agent-Logs-Url: https://github.com/NuGet/NuGet.Client/sessions/95c933f0-4368-4fdd-8e07-f072331801a7

Author: Copilot

src/NuGet.Clients/NuGet.SolutionRestoreManager/SolutionRestoreJob.cs

@@ -803,7 +803,7 @@ static HashSet<string> GetSuppressions(VsMSBuildNuGetProject msbuildProject)
                     var suppressions = new HashSet<string>(items.Count, StringComparer.Ordinal);
                     for (int i = 0; i < items.Count; i++)
                     {
-                        suppressions.Add(items[0].id);
+                        suppressions.Add(items[i].id);
                     }
                     return suppressions;
                 }

test/NuGet.Tests.Apex/NuGet.Tests.Apex/NuGetEndToEndTests/NuGetAuditTests.cs

@@ -27,18 +27,19 @@ public class NuGetAuditTests : SharedVisualStudioHostTestClass
         [Timeout(DefaultTimeout)]
         public async Task PackagesConfig_SuppressAdvisory()
         {
-            // 1. Create Directory.Build.props with suppression for package.A cve1
-            // 2. Create mock server with package.A with cve1 and cve2
+            // 1. Create Directory.Build.props with suppression for package.A cve1 and cve2
+            // 2. Create mock server with package.A with cve1, cve2, and cve3
             // 3. Add mock server to nuget.config
             // 3. Create packages.config project
             // 4. Install package.A
-            // 5. check error list to see if only cve2 is listed
+            // 5. check error list to see if only cve3 is listed
 
             // Arrange
             SimpleTestPathContext testPathContext = new();
             var dbpContents = @"<Project>
     <ItemGroup>
         <NuGetAuditSuppress Include=""https://cve.test/1"" />
+        <NuGetAuditSuppress Include=""https://cve.test/2"" />
     </ItemGroup>
 </Project>";
             File.WriteAllText(Path.Combine(testPathContext.SolutionRoot, "Directory.Build.props"), dbpContents);
@@ -48,6 +49,7 @@ public async Task PackagesConfig_SuppressAdvisory()
             {
                 (new Uri("https://cve.test/1"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
                 (new Uri("https://cve.test/2"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
+                (new Uri("https://cve.test/3"), PackageVulnerabilitySeverity.High, VersionRange.Parse("(, 2.0.0)")),
             });
 
             await CommonUtility.CreatePackageInSourceAsync(testPathContext.PackageSource, TestPackageName, TestPackageVersionV1);
@@ -71,7 +73,7 @@ public async Task PackagesConfig_SuppressAdvisory()
 
             var errors = VisualStudio.ObjectModel.Shell.ToolWindows.ErrorList.AllItems.Select(i => i.Description).ToList();
             errors.Where(msg => msg.Contains(TestPackageName)).Should().ContainSingle();
-            errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/2");
+            errors.Single(msg => msg.Contains(TestPackageName)).Should().Contain("https://cve.test/3");
         }
     }
 }