NuGet
diff --git a/‎src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Options/PackageSourcesPage.cs‎
Lines changed: 162 additions & 19 deletions b/‎src/NuGet.Clients/NuGet.PackageManagement.VisualStudio/Options/PackageSourcesPage.cs‎
Lines changed: 162 additions & 19 deletions
diff --git a/‎src/NuGet.Clients/NuGet.Tools/Resources.Designer.cs‎
Lines changed: 36 additions & 0 deletions b/‎src/NuGet.Clients/NuGet.Tools/Resources.Designer.cs‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/NuGet.Clients/NuGet.Tools/Resources.resx‎
Lines changed: 12 additions & 0 deletions b/‎src/NuGet.Clients/NuGet.Tools/Resources.resx‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/NuGet.Clients/NuGet.Tools/xlf/Resources.cs.xlf‎
Lines changed: 20 additions & 0 deletions b/‎src/NuGet.Clients/NuGet.Tools/xlf/Resources.cs.xlf‎
Lines changed: 20 additions & 0 deletions
@@ -17,7 +17,10 @@ namespace NuGet.PackageManagement.VisualStudio.Options
     [Guid("15C605EC-4FD7-446B-BA4A-75ECF0C0B2D0")]
     public class PackageSourcesPage : NuGetExternalSettingsProvider, IExternalSettingValidator
     {
+        internal const bool DefaultNuGetAudit = false;
         internal const string MonikerPackageSources = "packageSources";
+        internal const string MonikerAuditSources = "auditSources";
+        internal const string MonikerNuGetAudit = "nuGetAudit";
         internal const string MonikerMachineWideSources = "machineWidePackageSources";
         internal const string MonikerPackageSourceId = "packageSourceId"; // Unique identifier for the package source
         internal const string MonikerSourceName = "sourceName";
@@ -48,24 +51,51 @@ private List<PackageSource> LoadPackageSources(bool isMachineWide)
             return filteredPackageSources;
         }
 
+        private List<PackageSource> LoadAuditSources()
+        {
+            IEnumerable<PackageSource> auditSources = _packageSourceProvider.LoadAuditSources();
+            return auditSources.ToList();
+        }
+
         public override async Task<ExternalSettingOperationResult<T>> GetValueAsync<T>(string moniker, CancellationToken cancellationToken)
         {
             switch (moniker)
             {
                 case MonikerPackageSources:
-                    var packageSources = await Task.Run(
-                        () => LoadPackageSources(isMachineWide: false),
-                        cancellationToken);
+                    {
+                        var packageSources = await Task.Run(
+                            () => LoadPackageSources(isMachineWide: false),
+                            cancellationToken);
 
-                    return GetValuePackageSources<T>(packageSources);
+                        return GetValuePackageSources<T>(packageSources);
+                    }
+                case MonikerNuGetAudit:
+                    {
+                        var auditSources = await Task.Run(
+                            () => LoadAuditSources(),
+                            cancellationToken);
+                        if (auditSources.Count > 0)
+                        {
+                            return await ConvertValueOrThrow<T>(true);
+                        }
+                        return await ConvertValueOrThrow<T>(DefaultNuGetAudit);
+                    }
+                case MonikerAuditSources:
+                    {
+                        var auditSources = await Task.Run(
+                            () => LoadAuditSources(),
+                            cancellationToken);
 
+                        return GetValuePackageSources<T>(auditSources);
+                    }
                 case MonikerMachineWideSources:
-                    var machineWidePackageSources = await Task.Run(
-                        () => LoadPackageSources(isMachineWide: true),
-                        cancellationToken);
-
-                    return GetValuePackageSources<T>(machineWidePackageSources);
+                    {
+                        var machineWidePackageSources = await Task.Run(
+                            () => LoadPackageSources(isMachineWide: true),
+                            cancellationToken);
 
+                        return GetValuePackageSources<T>(machineWidePackageSources);
+                    }
                 default: break;
             }
 
@@ -75,12 +105,6 @@ public override async Task<ExternalSettingOperationResult<T>> GetValueAsync<T>(s
 
         public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(string moniker, T value, CancellationToken cancellationToken)
         {
-            var packageSourcesList = value as IReadOnlyList<IDictionary<string, object>>;
-            if (packageSourcesList is null)
-            {
-                throw new InvalidOperationException();
-            }
-
             bool hasAnyHiddenPropertyChanged = false;
 
             try
@@ -90,7 +114,14 @@ public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(stri
 
                 switch (moniker)
                 {
+                    case MonikerNuGetAudit:
+                        return (ExternalSettingOperationResult)ExternalSettingOperationResult.Success.Instance;
                     case MonikerPackageSources:
+                        var packageSourcesList = value as IReadOnlyList<IDictionary<string, object>>;
+                        if (packageSourcesList is null)
+                        {
+                            throw new InvalidOperationException();
+                        }
                         return await Task.Run(
                             () =>
                             {
@@ -99,10 +130,28 @@ public override async Task<ExternalSettingOperationResult> SetValueAsync<T>(stri
                                 return savePackageSourcesResult.result;
                             },
                             cancellationToken);
-
+                    case MonikerAuditSources:
+                        var auditSourceList = value as IReadOnlyList<IDictionary<string, object>>;
+                        if (auditSourceList is null)
+                        {
+                            throw new InvalidOperationException();
+                        }
+                        return await Task.Run(
+                            () =>
+                            {
+                                (ExternalSettingOperationResult result, bool hasAnyHiddenPropertyChanged) saveAuditSourcesResult = SaveAuditSources(auditSourceList, cancellationToken);
+                                hasAnyHiddenPropertyChanged = saveAuditSourcesResult.hasAnyHiddenPropertyChanged;
+                                return saveAuditSourcesResult.result;
+                            },
+                            cancellationToken);
                     case MonikerMachineWideSources:
+                        var machineWidePackageSourcesList = value as IReadOnlyList<IDictionary<string, object>>;
+                        if (machineWidePackageSourcesList is null)
+                        {
+                            throw new InvalidOperationException();
+                        }
                         return await Task.Run(
-                            () => SetIsEnabledOnMachineWidePackageSources(packageSourcesList, cancellationToken),
+                            () => SetIsEnabledOnMachineWidePackageSources(machineWidePackageSourcesList, cancellationToken),
                             cancellationToken);
 
                     default:
@@ -237,6 +286,74 @@ private ExternalSettingOperationResult SetIsEnabledOnMachineWidePackageSources(
             return (result, hasAnyHiddenPropertyChanged);
         }
 
+        private (ExternalSettingOperationResult result, bool hasAnyHiddenPropertyChanged) SaveAuditSources(
+            IReadOnlyList<IDictionary<string, object>> auditSourceDictionaryList,
+            CancellationToken cancellationToken)
+        {
+            bool hasAnyHiddenPropertyChanged = false;
+            ExternalSettingOperationResult result;
+
+            try
+            {
+                List<PackageSource> auditSources = new List<PackageSource>(capacity: auditSourceDictionaryList.Count);
+                List<PackageSource> existingAuditSources = LoadAuditSources();
+                bool hasAnyPackageSourceNameChanged = false;
+
+                foreach (Dictionary<string, object> packageSourceDictionary in auditSourceDictionaryList)
+                {
+                    cancellationToken.ThrowIfCancellationRequested();
+
+                    string name = packageSourceDictionary[MonikerSourceName].ToString();
+                    string lookupName;
+
+                    // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have a Package ID.
+                    if (packageSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
+                    {
+                        lookupName = packageSourceIdObj.ToString();
+
+                        if (!string.Equals(lookupName, name, StringComparison.CurrentCultureIgnoreCase))
+                        {
+                            // Changing the ID needs to refresh Unified Settings since the ID is a hidden property.
+                            hasAnyPackageSourceNameChanged = true;
+                        }
+                    }
+                    else // Newly added Package Sources will not have a Package ID yet.
+                    {
+                        lookupName = name;
+                    }
+
+                    string source = packageSourceDictionary[MonikerSourceUrl].ToString();
+
+                    PackageSource packageSource =
+                        PackageSourceValidator.FindExistingOrCreate(
+                            lookupName,
+                            source,
+                            name,
+                            isEnabled: true,
+                            allowInsecureConnections: false,
+                            existingAuditSources);
+
+                    auditSources.Add(packageSource);
+                }
+
+                _packageSourceProvider.SaveAuditSources(auditSources);
+
+                hasAnyHiddenPropertyChanged = hasAnyPackageSourceNameChanged;
+
+                result = ExternalSettingOperationResult.Success.Instance;
+            }
+#pragma warning disable CA1031 // Do not catch general exception types
+            catch (Exception ex) when (!(ex is OperationCanceledException && cancellationToken.IsCancellationRequested))
+#pragma warning restore CA1031 // Do not catch general exception types
+            {
+                result = CreateSettingErrorResult(ex.Message, isTransient: true);
+                ActivityLog.LogError(ExceptionHelper.LogEntrySource, ex.ToString());
+            }
+
+            return (result, hasAnyHiddenPropertyChanged);
+        }
+
+
         private static PackageSource ParsePackageSource(IReadOnlyDictionary<string, object> packageSourceDictionary)
         {
             string name = packageSourceDictionary[MonikerSourceName].ToString().Trim();
@@ -264,6 +381,28 @@ private static PackageSource ParsePackageSource(IReadOnlyDictionary<string, obje
             return packageSource;
         }
 
+        private static PackageSource ParseAuditSource(IReadOnlyDictionary<string, object> auditSourceDictionary)
+        {
+            string name = auditSourceDictionary[MonikerSourceName].ToString().Trim();
+            string? lookupName;
+
+            // Package Sources that were pre-existing in the NuGet.Config when GetValueAsync was called will have a Package ID.
+            if (auditSourceDictionary.TryGetValue(MonikerPackageSourceId, out object packageSourceIdObj))
+            {
+                lookupName = packageSourceIdObj.ToString().Trim();
+            }
+            else // Newly added Package Sources will not have a Package ID yet.
+            {
+                lookupName = name;
+            }
+
+            string source = auditSourceDictionary[MonikerSourceUrl].ToString().Trim();
+
+            var packageSource = new PackageSource(source, lookupName, isEnabled: true);
+
+            return packageSource;
+        }
+
         private static ExternalSettingOperationResult<T> GetValuePackageSources<T>(List<PackageSource> packageSources)
         {
             ExternalSettingOperationResult<T> result;
@@ -317,7 +456,9 @@ public OneOrMany<SettingMessage> ValidateArrayItemProperty(
         {
             var settingMessages = new OneOrMany<SettingMessage>();
 
-            if (arraySettingMoniker != MonikerPackageSources)
+            bool isAuditSources = arraySettingMoniker == MonikerAuditSources;
+            bool isPackageSources = arraySettingMoniker == MonikerPackageSources;
+            if (!isPackageSources && !isAuditSources)
             {
                 return settingMessages;
             }
@@ -336,7 +477,9 @@ public OneOrMany<SettingMessage> ValidateArrayItemProperty(
                     case MonikerSourceUrl:
                         {
                             var packageSourceDictionary = arraySettingContent[arrayItemIndex];
-                            var result = ParsePackageSource(packageSourceDictionary);
+                            PackageSource result = isPackageSources
+                                ? ParsePackageSource(packageSourceDictionary)
+                                : ParseAuditSource(packageSourceDictionary);
 
                             var isValidSource = PackageSourceValidator.IsValidSource(result);
                             if (!isValidSource)
 
@@ -249,4 +249,16 @@
   <data name="Text_AllowInsecureConnections_Header" xml:space="preserve">
     <value>Allow Insecure Connections</value>
   </data>
+  <data name="Text_PackageSources_Description" xml:space="preserve">
+    <value>Package sources define where NuGet retrieves packages for install, restore, audit, and update operations. [Learn more about package sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#packagesources)</value>
+  </data>
+  <data name="Text_AuditSources_Checkbox" xml:space="preserve">
+    <value>Use separate sources for vulnerability audit</value>
+  </data>
+  <data name="Text_AuditSources_HowToRemove" xml:space="preserve">
+    <value>Remove all audit sources to revert to using package sources for vulnerability data.</value>
+  </data>
+  <data name="Text_AuditSources_Description" xml:space="preserve">
+    <value>Audit sources provide vulnerability data during restore without acting as package sources. If no audit sources are configured, NuGet Audit uses package sources and suppresses warning NU1905. [Learn more about audit sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#auditsources)</value>
+  </data>
 </root>
@@ -132,6 +132,21 @@
         <target state="translated">Povolit nezabezpečená připojení</target>
         <note />
       </trans-unit>
+      <trans-unit id="Text_AuditSources_Checkbox">
+        <source>Use separate sources for vulnerability audit</source>
+        <target state="new">Use separate sources for vulnerability audit</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="Text_AuditSources_Description">
+        <source>Audit sources provide vulnerability data during restore without acting as package sources. If no audit sources are configured, NuGet Audit uses package sources and suppresses warning NU1905. [Learn more about audit sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#auditsources)</source>
+        <target state="new">Audit sources provide vulnerability data during restore without acting as package sources. If no audit sources are configured, NuGet Audit uses package sources and suppresses warning NU1905. [Learn more about audit sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#auditsources)</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="Text_AuditSources_HowToRemove">
+        <source>Remove all audit sources to revert to using package sources for vulnerability data.</source>
+        <target state="new">Remove all audit sources to revert to using package sources for vulnerability data.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="Text_ConfigurationFiles_CommonLink">
         <source>Common NuGet configurations: [How settings are applied](https://aka.ms/nuget/how-settings-are-applied/)</source>
         <target state="translated">Běžné konfigurace NuGet: [Způsob použití nastavení](https://aka.ms/nuget/how-settings-are-applied/)</target>
@@ -177,6 +192,11 @@
         <target state="translated">Zdroj</target>
         <note />
       </trans-unit>
+      <trans-unit id="Text_PackageSources_Description">
+        <source>Package sources define where NuGet retrieves packages for install, restore, audit, and update operations. [Learn more about package sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#packagesources)</source>
+        <target state="new">Package sources define where NuGet retrieves packages for install, restore, audit, and update operations. [Learn more about package sources](https://learn.microsoft.com/nuget/reference/nuget-config-file#packagesources)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="Text_PackageSources_MachineWide">
         <source>Machine-wide package sources</source>
         <target state="translated">Zdroje balíčků v rámci celého počítače</target>