Resolve NuGet Audit errors in VMR builds by ViktorHofer · Pull Request #546 · dotnet/dotnet · GitHub

Resolve NuGet Audit errors in VMR builds #546


Merged
merged 20 commits into from
May 15, 2025

Conversation

ViktorHofer
Member
@ViktorHofer ViktorHofer commented May 14, 2025

@ViktorHofer ViktorHofer changed the title Resolve NuGet Audit errors in VMR orchestrator Resolve NuGet Audit errors in VMR builds May 14, 2025
@ViktorHofer ViktorHofer force-pushed the ResolveNuGetAuditErrorsInVMR branch from fc13430 to 6e30ad3 Compare May 14, 2025 13:48
@ViktorHofer
Member Author
/__w/1/s/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj : error NU1103: Unable to find a stable package Microsoft.Build.Tasks.Core with version (>= 17.14.7)
/__w/1/s/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj : error NU1103:   - Found 5 version(s) in /__w/1/s/prereqs/packages/previously-source-built/ [ Nearest version: 17.15.0-preview-25225-08 ]
/__w/1/s/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver/Microsoft.DotNet.UnifiedBuild.MSBuildSdkResolver.csproj : error NU1103:   - Found 0 version(s) in /__w/1/s/prereqs/packages/prebuilt/

I think this means that

<!-- For source only builds, override the version props with previously built artifacts.
If a version should be pinned, declare it after this import. -->
<Import Project="$(PreviouslySourceBuiltPackageVersionsPropsFile)" Condition="Exists('$(PreviouslySourceBuiltPackageVersionsPropsFile)') and '$(DotNetBuildSourceOnly)' == 'true'" />
doesn't work for the sdk resolver project which is part of the init-source-build phase. @MichaelSimons any ideas?

@MichaelSimons
Member

@MichaelSimons any ideas?

The imports happen in the init-source-build phase before the PSB tarball is extracted therefore the PSB.versions.props doesn't get applied. Possible solutions:

  1. Is it feasible/possible to re-import the sdk.props after the PSB initialization before BuildMSBuildSdkResolver?
  2. Define the MSBuildSdkResolver proj to explicitly depend on the version from psb for SB.
  3. Add the new version to SBRP and rebootstrap.

@ViktorHofer
Member Author

Thanks. I just pushed a commit that fixes that. The sequence was already correct (the msbuildsdkresolver evaluates, restores and builds after the PSB archive is extracted) but there was an import mistake. The PreviouslySourceBuiltPackageVersionsPropsFile pointed to the wrong location because VmrLayout.props was imported too late.

@ViktorHofer ViktorHofer marked this pull request as ready for review May 14, 2025 19:27
@ViktorHofer ViktorHofer requested review from a team as code owners May 14, 2025 19:27
@ViktorHofer
Member Author

The non-source-build jobs should be unblocked now but source-build ones need an update to use PSB to avoid prebuilts.

@ViktorHofer ViktorHofer enabled auto-merge (squash) May 14, 2025 19:53
@ViktorHofer
Member Author

@dotnet/source-build can you please help with the SB test failures? TIA

@MichaelSimons
Member

@dotnet/source-build can you please help with the SB test failures? TIA

Yes - @mthalman is already investigating.

@mthalman
Member

The SB leg is getting failures in the test step like the following:

/__w/1/s/eng/tools/tasks/Microsoft.DotNet.UnifiedBuild.Tasks/Microsoft.DotNet.UnifiedBuild.Tasks.csproj error NU1102: Unable to find package Microsoft.Build.Tasks.Core with version (>= 17.15.0-preview-25230-108)
  - Found 67 version(s) in dotnet-public [ Nearest version: 17.14.8 ]
  - Found 1 version(s) in dotnet-eng [ Nearest version: 16.5.0-preview-19606-01 ]
  - Found 0 version(s) in dotnet-libraries [/__w/1/s/.dotnet/sdk/10.0.100-preview.5.25230.108/NuGet.targets]

This is because it's picking up the PSB version but there's no PSB feed defined.
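
A small triage helper for the two restore failures quoted in this thread, added here as an example and not part of the PR or the dotnet/dotnet repository. It parses NU1102/NU1103 output and reports whether the previously-source-built directory was among the sources NuGet searched; the function names and the shortened project paths are assumptions.

```python
import re

# Restore errors quoted in this thread; project paths shortened to keep lines readable.
SAMPLE = """\
/s/Resolver.csproj : error NU1103: Unable to find a stable package Microsoft.Build.Tasks.Core with version (>= 17.14.7)
/s/Resolver.csproj : error NU1103:   - Found 5 version(s) in /__w/1/s/prereqs/packages/previously-source-built/ [ Nearest version: 17.15.0-preview-25225-08 ]
/s/Resolver.csproj : error NU1103:   - Found 0 version(s) in /__w/1/s/prereqs/packages/prebuilt/
/s/Tasks.csproj error NU1102: Unable to find package Microsoft.Build.Tasks.Core with version (>= 17.15.0-preview-25230-108)
  - Found 67 version(s) in dotnet-public [ Nearest version: 17.14.8 ]
  - Found 1 version(s) in dotnet-eng [ Nearest version: 16.5.0-preview-19606-01 ]
  - Found 0 version(s) in dotnet-libraries [/__w/1/s/.dotnet/sdk/10.0.100-preview.5.25230.108/NuGet.targets]
"""

HEADER = re.compile(
    r"error (NU110[23]): Unable to find (?:a stable )?package (\S+) with version \(>= ([^)]+)\)")
FEED = re.compile(r"- Found (\d+) version\(s\) in (\S+)(?: \[ Nearest version: (\S+) \])?")


def parse_restore_errors(text):
    """Group each NU1102/NU1103 header with the per-source lines that follow it."""
    errors = []
    for line in text.splitlines():
        if m := HEADER.search(line):
            code, package, wanted = m.groups()
            errors.append({"code": code, "package": package, "wanted": wanted, "feeds": []})
        elif (m := FEED.search(line)) and errors:
            count, source, nearest = m.groups()
            errors[-1]["feeds"].append(
                {"source": source, "found": int(count), "nearest": nearest})
    return errors


def psb_feed_searched(err, marker="previously-source-built"):
    """True if any searched source is the PSB package directory (matched by path marker)."""
    return any(marker in feed["source"] for feed in err["feeds"])


if __name__ == "__main__":
    for err in parse_restore_errors(SAMPLE):
        sources = [f["source"] for f in err["feeds"]]
        print(err["code"], err["package"], ">=", err["wanted"])
        print("  sources searched:", sources)
        print("  PSB directory searched:", psb_feed_searched(err))
```
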

@ViktorHofer
Member Author

Just to summarize, this change also discovered two regressions that are getting fixed:

  • The path to the PSB versions file was incorrect due to recent publishing refactoring of properties
  • The PSB versions import wasn't conditioned out when running tests while the PSB feed was.

@ViktorHofer ViktorHofer disabled auto-merge May 15, 2025 07:02
@ViktorHofer ViktorHofer merged commit 9afe45d into main May 15, 2025
11 checks passed
@ViktorHofer ViktorHofer deleted the ResolveNuGetAuditErrorsInVMR branch May 15, 2025 07:35
Successfully merging this pull request may close these issues.

VMR Build Failure: Known Vulnerability in Microsoft.Build.Tasks.Core Package (NU1901)
5 participants