NuGetAuditSuppress for LegacyPackageReferenceProject in VS (#5714)

Author: zivkan

build/Shared/vs-threading.MembersRequiringMainThread.txt

@@ -11,5 +11,6 @@
 [NuGet.PackageManagement.VisualStudio.EnvDTEProjectUtility]::TryGetFolder
 [NuGet.PackageManagement.VisualStudio.EnvDTEProjectUtility]::TryGetNestedFile
 [NuGet.ProjectManagement.IProjectBuildProperties]::GetPropertyValue
-[NuGet.VisualStudio.IVsProjectBuildProperties]::GetPropertyValue
+[NuGet.VisualStudio.IVsProjectAdapter]::GetBuildItemInformation
 [NuGet.VisualStudio.IVsProjectAdapter]::IsCapabilityMatch
+[NuGet.VisualStudio.IVsProjectBuildProperties]::GetPropertyValue

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Projects/LegacyPackageReferenceProject.cs

@@ -128,10 +128,12 @@ protected override async Task<string> GetAssetsFilePathAsync(bool shouldThrow)
             return (new[] { packageSpec }, null);
         }
 
-        private async Task<Dictionary<string, CentralPackageVersion>> GetCentralPackageVersionsAsync()
+        private Dictionary<string, CentralPackageVersion> GetCentralPackageVersions()
         {
+            ThreadHelper.ThrowIfNotOnUIThread();
+
             IEnumerable<(string PackageId, string Version)> packageVersions =
-                        (await _vsProjectAdapter.GetBuildItemInformationAsync(ProjectBuildProperties.PackageVersion, ProjectBuildProperties.Version))
+                        _vsProjectAdapter.GetBuildItemInformation(ProjectBuildProperties.PackageVersion, ProjectBuildProperties.Version)
                         .Select(item => (PackageId: item.ItemId, Version: item.ItemMetadata.FirstOrDefault()));
 
             return packageVersions
@@ -156,6 +158,57 @@ private CentralPackageVersion ToCentralPackageVersion(string packageId, string v
             return new CentralPackageVersion(packageId, VersionRange.Parse(version));
         }
 
+        private RestoreAuditProperties GetRestoreAuditProperties()
+        {
+            ThreadHelper.ThrowIfNotOnUIThread();
+
+            string enableAudit = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAudit);
+            string auditLevel = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAuditLevel);
+            string auditMode = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAuditMode);
+            HashSet<string> suppressedAdvisories = GetSuppressedAdvisories();
+
+            return new RestoreAuditProperties()
+            {
+                EnableAudit = enableAudit,
+                AuditLevel = auditLevel,
+                AuditMode = auditMode,
+                SuppressedAdvisories = suppressedAdvisories,
+            };
+        }
+
+        private HashSet<string> GetSuppressedAdvisories()
+        {
+            ThreadHelper.ThrowIfNotOnUIThread();
+
+            IEnumerable<(string ItemId, string[] ItemMetadata)> buildItems = _vsProjectAdapter.GetBuildItemInformation(ProjectBuildProperties.NuGetAuditSuppress);
+            if (buildItems is null)
+            {
+                return null;
+            }
+            else if (buildItems is ICollection<(string, string[])> collection)
+            {
+                if (collection.Count == 0) return null;
+
+                var suppressedAdvisories = new HashSet<string>(collection.Count, StringComparer.OrdinalIgnoreCase);
+                foreach ((string itemId, _) in buildItems.NoAllocEnumerate())
+                {
+                    suppressedAdvisories.Add(itemId);
+                }
+
+                return suppressedAdvisories;
+            }
+            else
+            {
+                var suppressedAdvisories = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+                foreach ((string itemId, _) in buildItems.NoAllocEnumerate())
+                {
+                    suppressedAdvisories.Add(itemId);
+                }
+
+                return suppressedAdvisories.Count == 0 ? null : suppressedAdvisories;
+            }
+        }
+
         #endregion
 
         #region NuGetProject
@@ -396,7 +449,7 @@ private async Task<PackageSpec> GetPackageSpecAsync(ISettings settings)
             if (isCpvmEnabled)
             {
                 // Add the central version information and merge the information to the package reference dependencies
-                projectTfi.CentralPackageVersions.AddRange(await GetCentralPackageVersionsAsync());
+                projectTfi.CentralPackageVersions.AddRange(GetCentralPackageVersions());
                 LibraryDependency.ApplyCentralVersionInformation(projectTfi.Dependencies, projectTfi.CentralPackageVersions);
             }
 
@@ -441,17 +494,7 @@ private async Task<PackageSpec> GetPackageSpecAsync(ISettings settings)
                 }
             }
 
-            string enableAudit = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAudit);
-            string auditLevel = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAuditLevel);
-            string auditMode = _vsProjectAdapter.BuildProperties.GetPropertyValue(ProjectBuildProperties.NuGetAuditMode);
-            RestoreAuditProperties auditProperties = !string.IsNullOrEmpty(enableAudit) || !string.IsNullOrEmpty(auditLevel)
-                ? new RestoreAuditProperties()
-                {
-                    EnableAudit = enableAudit,
-                    AuditLevel = auditLevel,
-                    AuditMode = auditMode,
-                }
-                : null;
+            RestoreAuditProperties auditProperties = GetRestoreAuditProperties();
 
             var msbuildProjectExtensionsPath = await GetMSBuildProjectExtensionsPathAsync();
 

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Projects/VsProjectAdapter.cs

@@ -212,19 +212,19 @@ public NuGetFramework GetTargetFramework()
             return NuGetFramework.UnsupportedFramework;
         }
 
-        public async Task<IEnumerable<(string ItemId, string[] ItemMetadata)>> GetBuildItemInformationAsync(string itemName, params string[] metadataNames)
+        public IEnumerable<(string ItemId, string[] ItemMetadata)> GetBuildItemInformation(string itemName, params string[] metadataNames)
         {
+            ThreadHelper.ThrowIfNotOnUIThread();
+
             if (itemName == null)
             {
                 throw new ArgumentNullException(nameof(itemName));
             }
             if (metadataNames == null)
             {
-                throw new ArgumentNullException(nameof(itemName));
+                throw new ArgumentNullException(nameof(metadataNames));
             }
 
-            await _threadingService.JoinableTaskFactory.SwitchToMainThreadAsync();
-
             var itemStorage = VsHierarchy as IVsBuildItemStorage;
             if (itemStorage != null)
             {

src/NuGet.Clients/NuGet.VisualStudio.Common/IVsProjectAdapter.cs

@@ -71,7 +71,7 @@ public interface IVsProjectAdapter
         /// <param name="itemName">The item name.</param>
         /// <param name="metadataNames">The metadata names to read.</param>
         /// <returns>An <see cref="IEnumerable{(string ItemId, string[] ItemMetadata)}"/> containing the itemId and the metadata values.</returns>
-        Task<IEnumerable<(string ItemId, string[] ItemMetadata)>> GetBuildItemInformationAsync(string itemName, params string[] metadataNames);
+        IEnumerable<(string ItemId, string[] ItemMetadata)> GetBuildItemInformation(string itemName, params string[] metadataNames);
 
         /// <summary>
         /// See <see cref="Microsoft.VisualStudio.Shell.PackageUtilities.IsCapabilityMatch(IVsHierarchy, string)"/>

src/NuGet.Core/NuGet.PackageManagement/Projects/ProjectBuildProperties.cs

@@ -59,6 +59,7 @@ public static class ProjectBuildProperties
         public const string NuGetAudit = nameof(NuGetAudit);
         public const string NuGetAuditLevel = nameof(NuGetAuditLevel);
         public const string NuGetAuditMode = nameof(NuGetAuditMode);
+        public const string NuGetAuditSuppress = nameof(NuGetAuditSuppress);
         public const string CentralPackageFloatingVersionsEnabled = nameof(CentralPackageFloatingVersionsEnabled);
     }
 }

src/NuGet.Core/NuGet.PackageManagement/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+~const NuGet.ProjectManagement.ProjectBuildProperties.NuGetAuditSuppress = "NuGetAuditSuppress" -> string

test/NuGet.Clients.Tests/NuGet.PackageManagement.VisualStudio.Test/ProjectSystems/LegacyPackageReferenceProjectTests.cs

@@ -1583,6 +1583,44 @@ public async Task GetPackageSpecs_WithWarningProperties()
             projectBuildProperties.VerifyAll();
         }
 
+        [Fact]
+        public async Task GetPackageSpec_WithNuGetAuditSuppress()
+        {
+            await NuGetUIThreadHelper.JoinableTaskFactory.SwitchToMainThreadAsync();
+
+            // Arrange
+            using var testDirectory = TestDirectory.Create();
+
+            var projectBuildProperties = new Mock<IVsProjectBuildProperties>();
+            var projectAdapter = CreateProjectAdapter(testDirectory, projectBuildProperties);
+
+            Mock<IVsProjectAdapter> projectAdapterMock = Mock.Get(projectAdapter);
+            projectAdapterMock.Setup(m => m.GetBuildItemInformation(ProjectBuildProperties.NuGetAuditSuppress, It.IsAny<string[]>()))
+                .Returns([("https://cve.test/1", Array.Empty<string>())]);
+
+            var projectServices = new TestProjectSystemServices();
+            var testProject = new LegacyPackageReferenceProject(
+                projectAdapter,
+                Guid.NewGuid().ToString(),
+                projectServices,
+                _threadingService);
+
+            var settings = NullSettings.Instance;
+            var testDependencyGraphCacheContext = new DependencyGraphCacheContext(NullLogger.Instance, settings);
+
+            // Act
+            var packageSpecs = await testProject.GetPackageSpecsAsync(testDependencyGraphCacheContext);
+
+            // Assert
+            Assert.NotNull(packageSpecs);
+            var actualRestoreSpec = packageSpecs.Single();
+            SpecValidationUtility.ValidateProjectSpec(actualRestoreSpec);
+
+            var auditProperties = actualRestoreSpec.RestoreMetadata.RestoreAuditProperties;
+            auditProperties.SuppressedAdvisories.Should().NotBeNull();
+            auditProperties.SuppressedAdvisories.Should().BeEquivalentTo(["https://cve.test/1"]);
+        }
+
         private LegacyPackageReferenceProject CreateLegacyPackageReferenceProject(TestDirectory testDirectory, string range)
         {
             return ProjectFactories.CreateLegacyPackageReferenceProject(testDirectory, Guid.NewGuid().ToString(), range, _threadingService);

test/NuGet.Clients.Tests/NuGet.PackageManagement.VisualStudio.Test/ProjectSystems/TestVSProjectAdapter.cs

@@ -158,11 +158,11 @@ public NuGetFramework GetTargetFramework()
             return Task.FromResult(_projectPackageVersions);
         }
 
-        public async Task<IEnumerable<(string ItemId, string[] ItemMetadata)>> GetBuildItemInformationAsync(string itemName, params string[] metadataNames)
+        public IEnumerable<(string ItemId, string[] ItemMetadata)> GetBuildItemInformation(string itemName, params string[] metadataNames)
         {
             if (itemName == "PackageVersion")
             {
-                return await Task.FromResult(_projectPackageVersions.Select(x => (ItemId: x.PackageId, ItemMetadata: new string[] { x.Version })));
+                return _projectPackageVersions.Select(x => (ItemId: x.PackageId, ItemMetadata: new string[] { x.Version }));
             }
 
             return Enumerable.Empty<(string ItemId, string[] ItemMetadata)>();