Merge pull request #10358 from NuGet/main

[ReleasePrep][2025.03.05]FI of main into dev

Author: mariaghiondea

RemovedPackages.md

@@ -0,0 +1,24 @@
+# History of Packages Removed from NuGet.org
+
+Security of the package ecosystem is a top priority investment. 
+Every package entering is scanned upfront and regularly rescanned to prevent malware. 
+Scanning is not perfect. Community partnership is a very valuable part of the overall effort to keep developers safe. We take reports seriously, investigate carefully and prioritize speed of removal of positives to prevent adverse impact to the community. Thanks for your contribution!
+
+
+| Extension Identifier                  | Removal Date | Type                          |
+|---------------------------------------|--------------|-------------------------------|
+|      SeeDefender	 version 1.0.2    |       2/26/2025       |   Untrustworthy  |
+|      SharpDefender	 version 1.0.0    |       2/25/2025       |  Untrustworthy   |
+|      DemaConsulting.WeasyprintTool version  64.1.0   |      3/5/2025       |  Untrustworthy   |
+|      Microsofft.EntetyFrameworkCore  version  1.0.0   |      3/13/2025       |  Untrustworthy   |
+|      Mircоsoft.EntetyFrameworkCore  version  1.0.0   |      3/13/2025       |  Untrustworthy   |
+|      Micrоsoft.EntetyFrameworkCore  version  1.0.0   |      3/13/2025       |  Untrustworthy   |
+|      Мircosоft.ЕntitуFramеworkСоrе  version  9.0.0   |      3/13/2025       |  Untrustworthy   |
+
+Legend:
+- Copyright violation - Uses someone else's copyrighted or trademarked material without permission.
+- Potentially malicious - Highly suspicious code, often rendered to be difficult to analyze, resembles malicious software.
+- Malware - Designed to infiltrate your system for destructive purposes.
+- Spam - Designed to deceive, harass, or harm the recipients.
+- Typo-squatting - Attempts to masquerade as another, usually more popular, extension. Causes search confusion.
+- Untrustworthy - Publisher actions that could be damaging to the trustworthiness.

src/NuGetGallery.Core/Certificates/CertificateFile.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -65,6 +65,7 @@ private static MemoryStream CopyAsReadOnly(Stream source)
         private static string GetSha1Thumbprint(MemoryStream stream)
         {
 #pragma warning disable CA5350 // Do Not Use Weak Cryptographic Algorithms
+            // CodeQL [SM02196] Calculated for backwards compatibility, it is not used for anything
             using (var hashAlgorithm = SHA1.Create())
 #pragma warning restore CA5350 // Do Not Use Weak Cryptographic Algorithms
             {
@@ -95,4 +96,4 @@ private static string GetHexString(byte[] bytes)
             return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
         }
     }
-}
+}

src/NuGetGallery/Controllers/ApiController.cs

@@ -329,8 +329,8 @@ public virtual ActionResult SimulateError(SimulatedErrorType type = SimulatedErr
         [ApiAuthorize]
         [ApiScopeRequired(NuGetScopes.PackagePush, NuGetScopes.PackagePushVersion)]
         [ActionName("CreatePackageVerificationKey")]
-        public virtual async Task<ActionResult> CreatePackageVerificationKeyAsync(string id, string version)
         // CodeQL [SM00433] This endpoint uses API Key authentication
+        public virtual async Task<ActionResult> CreatePackageVerificationKeyAsync(string id, string version)
         {
             // For backwards compatibility, we must preserve existing behavior where the client always pushes
             // symbols and the VerifyPackageKey callback returns the appropriate response. For this reason, we

tests/NuGetGallery.Core.Facts/Services/CloudBlobCoreFileStorageServiceIntegrationTests.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System;
@@ -171,14 +171,6 @@ public async Task OpenWriteAsyncReturnsWritableStream()
             var fileName = _prefixA;
             var expectedContent = "Hello, world.";
             var bytes = Encoding.UTF8.GetBytes(expectedContent);
-            string expectedContentMD5;
-#pragma warning disable CA5351  
-            using (var md5 = MD5.Create())
-            {
-                expectedContentMD5 = Convert.ToBase64String(md5.ComputeHash(bytes));
-            }
-#pragma warning disable CA5351 
-
             var container = _clientA.GetContainerReference(folderName);
             var file = container.GetBlobReference(fileName);