Introduce Audit Sources to package source VS options (#6970)

Author: donnie-msft

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Options/PackageSourceValidator.cs

@@ -22,7 +22,7 @@ internal static PackageSource FindExistingOrCreate(
             string name,
             bool isEnabled,
             bool allowInsecureConnections,
-            List<PackageSource> packageSources)
+            IReadOnlyList<PackageSource> packageSources)
         {
             string trimmedLookupName = lookupName?.Trim() ?? string.Empty;
             if (string.IsNullOrEmpty(trimmedLookupName))
@@ -169,7 +169,7 @@ private static void EnsureUniqueSources(List<PackageSource> packageSources)
             }
         }
 
-        private static PackageSource? FindByName(string packageSourceName, List<PackageSource> packageSources)
+        private static PackageSource? FindByName(string packageSourceName, IReadOnlyList<PackageSource> packageSources)
         {
             _ = packageSources ?? throw new ArgumentNullException(nameof(packageSources));
 

src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Options/PackageSourcesPage.cs

@@ -17,7 +17,9 @@ namespace NuGet.PackageManagement.VisualStudio.Options
     [Guid("15C605EC-4FD7-446B-BA4A-75ECF0C0B2D0")]
     public class PackageSourcesPage : NuGetExternalSettingsProvider, IExternalSettingValidator
     {
+        internal const bool DefaultNuGetAudit = false;
         internal const string MonikerPackageSources = "packageSources";
+        internal const string MonikerAuditSources = "auditSources";
         internal const string MonikerMachineWideSources = "machineWidePackageSources";
         internal const string MonikerPackageSourceId = "packageSourceId"; // Unique identifier for the package source
         internal const string MonikerSourceName = "sourceName";
@@ -40,32 +42,49 @@ internal override void VsSettings_SettingsChanged(object sender, EventArgs e)
             base.VsSettings_SettingsChanged(sender, e);
         }
 
-        private List<PackageSource> LoadPackageSources(bool isMachineWide)
+        private IReadOnlyList<PackageSource> LoadPackageSources(bool isMachineWide)
         {
-            IEnumerable<PackageSource> all = _packageSourceProvider.LoadPackageSources();
-            List<PackageSource> filteredPackageSources = all
-                .Where(packageSource => packageSource.IsMachineWide == isMachineWide).ToList();
+            IReadOnlyList<PackageSource> filteredPackageSources = _packageSourceProvider.LoadPackageSources()
+                .Where(packageSource => packageSource.IsMachineWide == isMachineWide)
+                .ToList()
+                .AsReadOnly();
             return filteredPackageSources;
         }
 
+        private IReadOnlyList<PackageSource> LoadAuditSources()
+        {
+            var auditSources = _packageSourceProvider.LoadAuditSources();
+            return auditSources;
+        }
+
         public override async Task<ExternalSettingOperationResult<T>> GetValueAsync<T>(string moniker, CancellationToken cancellationToken)
         {
             switch (moniker)
             {
                 case MonikerPackageSources:
-                    var packageSources = await Task.Run(
-                        () => LoadPackageSources(isMachineWide: false),
-                        cancellationToken);
+                    {
+                        var packageSources = await Task.Run(
+                            () => LoadPackageSources(isMachineWide: false),
+                            cancellationToken);
 
-                    return GetValuePackageSources<T>(packageSources);
+                        return GetValuePackageSources<T>(packageSources);
+                    }
+                case MonikerAuditSources:
+                    {
+                        var auditSources = await Task.Run(
+                            () => LoadAuditSources(),
+                            cancellationToken);
 
+                        return GetValuePackageSources<T>(auditSources);
+                    }
                 case MonikerMachineWideSources:
-                    var machineWidePackageSources = await Task.Run(
-                        () => LoadPackageSources(isMachineWide: true),
-                        cancellationToken);
-
-                    return GetValuePackageSources<T>(machineWidePackageSources);
+                    {
+                        var machineWidePackageSources = await Task.Run(
+                            () => LoadPackageSources(isMachineWide: true),
+                            cancellationToken);
 
+                        return GetValuePackageSources<T>(machineWidePackageSources);
+                    }
                 default: break;
             }
 
@@ -75,12 +94,6 @@ public override async Task<ExternalSettingOperationResult<T>> GetValueAsync<T>(s
 
         public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(string moniker, T value, CancellationToken cancellationToken)
         {
-            var packageSourcesList = value as IReadOnlyList<IDictionary<string, object>>;
-            if (packageSourcesList is null)
-            {
-                throw new InvalidOperationException();
-            }
-
             bool hasAnyHiddenPropertyChanged = false;
 
             try
@@ -91,6 +104,7 @@ public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(stri
                 switch (moniker)
                 {
                     case MonikerPackageSources:
+                        var packageSourcesList = (IReadOnlyList<IDictionary<string, object>>)value;
                         return await Task.Run(
                             () =>
                             {
@@ -99,10 +113,20 @@ public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(stri
                                 return savePackageSourcesResult.result;
                             },
                             cancellationToken);
-
+                    case MonikerAuditSources:
+                        var auditSourceList = (IReadOnlyList<IDictionary<string, object>>)value;
+                        return await Task.Run(
+                            () =>
+                            {
+                                (ExternalSettingOperationResult result, bool hasAnyHiddenPropertyChanged) saveAuditSourcesResult = SaveAuditSources(auditSourceList, cancellationToken);
+                                hasAnyHiddenPropertyChanged = saveAuditSourcesResult.hasAnyHiddenPropertyChanged;
+                                return saveAuditSourcesResult.result;
+                            },
+                            cancellationToken);
                     case MonikerMachineWideSources:
+                        var machineWidePackageSourcesList = (IReadOnlyList<IDictionary<string, object>>)value;
                         return await Task.Run(
-                            () => SetIsEnabledOnMachineWidePackageSources(packageSourcesList, cancellationToken),
+                            () => SetIsEnabledOnMachineWidePackageSources(machineWidePackageSourcesList, cancellationToken),
                             cancellationToken);
 
                     default:
@@ -178,7 +202,7 @@ private ExternalSettingOperationResult SetIsEnabledOnMachineWidePackageSources(
             try
             {
                 List<PackageSource> packageSources = new List<PackageSource>(capacity: packageSourceDictionaryList.Count);
-                List<PackageSource> existingPackageSources = LoadPackageSources(isMachineWide: false);
+                IReadOnlyList<PackageSource> existingPackageSources = LoadPackageSources(isMachineWide: false);
                 bool hasAnyPackageSourceNameChanged = false;
 
                 foreach (Dictionary<string, object> packageSourceDictionary in packageSourceDictionaryList)
@@ -188,7 +212,7 @@ private ExternalSettingOperationResult SetIsEnabledOnMachineWidePackageSources(
                     string name = packageSourceDictionary[MonikerSourceName].ToString();
                     string lookupName;
 
-                    // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have a Package ID.
+                    // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have an ID.
                     if (packageSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
                     {
                         lookupName = packageSourceIdObj.ToString();
@@ -199,7 +223,7 @@ private ExternalSettingOperationResult SetIsEnabledOnMachineWidePackageSources(
                             hasAnyPackageSourceNameChanged = true;
                         }
                     }
-                    else // Newly added Package Sources will not have a Package ID yet.
+                    else // Newly added Package Sources will not have an ID yet.
                     {
                         lookupName = name;
                     }
@@ -237,17 +261,85 @@ private ExternalSettingOperationResult SetIsEnabledOnMachineWidePackageSources(
             return (result, hasAnyHiddenPropertyChanged);
         }
 
+        private (ExternalSettingOperationResult result, bool hasAnyHiddenPropertyChanged) SaveAuditSources(
+            IReadOnlyList<IDictionary<string, object>> auditSourceDictionaryList,
+            CancellationToken cancellationToken)
+        {
+            bool hasAnyHiddenPropertyChanged = false;
+            ExternalSettingOperationResult result;
+
+            try
+            {
+                List<PackageSource> auditSources = new List<PackageSource>(capacity: auditSourceDictionaryList.Count);
+                IReadOnlyList<PackageSource> existingAuditSources = LoadAuditSources();
+                bool hasAnyPackageSourceNameChanged = false;
+
+                foreach (Dictionary<string, object> packageSourceDictionary in auditSourceDictionaryList)
+                {
+                    cancellationToken.ThrowIfCancellationRequested();
+
+                    string name = packageSourceDictionary[MonikerSourceName].ToString();
+                    string lookupName;
+
+                    // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have an ID.
+                    if (packageSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
+                    {
+                        lookupName = packageSourceIdObj.ToString();
+
+                        if (!string.Equals(lookupName, name, StringComparison.CurrentCultureIgnoreCase))
+                        {
+                            // Changing the ID needs to refresh Unified Settings since the ID is a hidden property.
+                            hasAnyPackageSourceNameChanged = true;
+                        }
+                    }
+                    else // Newly added Package Sources will not have an ID yet.
+                    {
+                        lookupName = name;
+                    }
+
+                    string source = packageSourceDictionary[MonikerSourceUrl].ToString();
+
+                    PackageSource packageSource =
+                        PackageSourceValidator.FindExistingOrCreate(
+                            lookupName,
+                            source,
+                            name,
+                            isEnabled: true,
+                            allowInsecureConnections: false,
+                            existingAuditSources);
+
+                    auditSources.Add(packageSource);
+                }
+
+                _packageSourceProvider.SaveAuditSources(auditSources);
+
+                hasAnyHiddenPropertyChanged = hasAnyPackageSourceNameChanged;
+
+                result = ExternalSettingOperationResult.Success.Instance;
+            }
+#pragma warning disable CA1031 // Do not catch general exception types
+            catch (Exception ex) when (!(ex is OperationCanceledException && cancellationToken.IsCancellationRequested))
+#pragma warning restore CA1031 // Do not catch general exception types
+            {
+                result = CreateSettingErrorResult(ex.Message, isTransient: true);
+                ActivityLog.LogError(ExceptionHelper.LogEntrySource, ex.ToString());
+            }
+
+            return (result, hasAnyHiddenPropertyChanged);
+        }
+
+
         private static PackageSource ParsePackageSource(IReadOnlyDictionary<string, object> packageSourceDictionary)
         {
             string name = packageSourceDictionary[MonikerSourceName].ToString().Trim();
             string? lookupName;
 
-            // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have a Package ID.
+            // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have an ID.
             if (packageSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
             {
                 lookupName = packageSourceIdObj.ToString().Trim();
             }
-            else // Newly added Package Sources will not have a Package ID yet.
+            else // Newly added Package Sources will not have an ID yet.
             {
                 lookupName = name;
             }
@@ -264,7 +356,29 @@ private static PackageSource ParsePackageSource(IReadOnlyDictionary<string, obje
             return packageSource;
         }
 
-        private static ExternalSettingOperationResult<T> GetValuePackageSources<T>(List<PackageSource> packageSources)
+        private static PackageSource ParseAuditSource(IReadOnlyDictionary<string, object> auditSourceDictionary)
+        {
+            string name = auditSourceDictionary[MonikerSourceName].ToString().Trim();
+            string? lookupName;
+
+            // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have an ID.
+            if (auditSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
+            {
+                lookupName = packageSourceIdObj.ToString().Trim();
+            }
+            else // Newly added Package Sources will not have an ID yet.
+            {
+                lookupName = name;
+            }
+
+            string source = auditSourceDictionary[MonikerSourceUrl].ToString().Trim();
+
+            var packageSource = new PackageSource(source, lookupName, isEnabled: true);
+
+            return packageSource;
+        }
+
+        private static ExternalSettingOperationResult<T> GetValuePackageSources<T>(IReadOnlyList<PackageSource> packageSources)
         {
             ExternalSettingOperationResult<T> result;
 
@@ -317,7 +431,9 @@ public OneOrMany<SettingMessage> ValidateArrayItemProperty(
         {
             var settingMessages = new OneOrMany<SettingMessage>();
 
-            if (arraySettingMoniker != MonikerPackageSources)
+            bool isAuditSources = arraySettingMoniker == MonikerAuditSources;
+            bool isPackageSources = arraySettingMoniker == MonikerPackageSources;
+            if (!isPackageSources && !isAuditSources)
             {
                 return settingMessages;
             }
@@ -336,7 +452,9 @@ public OneOrMany<SettingMessage> ValidateArrayItemProperty(
                     case MonikerSourceUrl:
                         {
                             var packageSourceDictionary = arraySettingContent[arrayItemIndex];
-                            var result = ParsePackageSource(packageSourceDictionary);
+                            PackageSource result = isPackageSources
+                                ? ParsePackageSource(packageSourceDictionary)
+                                : ParseAuditSource(packageSourceDictionary);
 
                             var isValidSource = PackageSourceValidator.IsValidSource(result);
                             if (!isValidSource)

src/NuGet.Clients/NuGet.Tools/Resources.Designer.cs

@@ -249,4 +249,16 @@
   <data name="Text_AllowInsecureConnections_Header" xml:space="preserve">
     <value>Allow Insecure Connections</value>
   </data>
+  <data name="Text_PackageSources_Description" xml:space="preserve">
+    <value>Package sources define where NuGet retrieves packages for install, restore, audit, and update operations. [Learn more about package sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#packagesources)</value>
+  </data>
+  <data name="Text_AuditSources_HowToRemove" xml:space="preserve">
+    <value>Remove all audit sources to revert to using package sources for vulnerability data.</value>
+  </data>
+  <data name="Text_AuditSources_Description" xml:space="preserve">
+    <value>Audit sources provide vulnerability data during restore without acting as package sources. If no audit sources are configured, NuGet Audit uses package sources and suppresses warning NU1905. [Learn more about audit sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#auditsources)</value>
+  </data>
+  <data name="Text_AuditSources_Title" xml:space="preserve">
+    <value>Audit sources</value>
+  </data>
 </root>