Hide transitive vulnerabilities in tests 3.x (#1693)

bart-vmware · web-flow · commit 081a0907a729 · 2026-05-11T15:17:25.000+02:00
* Don't report transitive vulnerabilities in tests during local builds

* Hide transitive vulnerabilities in tests during cibuild
diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -47,11 +47,36 @@ jobs:
         $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
         $text = ($output | Out-String).TrimEnd()
         $json = $text | ConvertFrom-Json
+        $hasVulnerabilities = $false
 
         foreach ($project in $json.projects) {
-          if ($project.frameworks) {
-            Write-Host 'Vulnerable package references were found.'
-            dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
-            exit 1
+          if (-not $project.frameworks) {
+            continue
           }
+
+          $isTestProject = $project.path -like '*/test/*'
+
+          foreach ($framework in $project.frameworks) {
+            foreach ($package in $framework.topLevelPackages) {
+              $hasVulnerabilities = $true
+
+              foreach ($vulnerability in $package.vulnerabilities) {
+                Write-Host "$($project.path) ($($framework.framework)): top-level $($package.id) $($package.resolvedVersion) – $($vulnerability.severity): $($vulnerability.advisoryurl)"
+              }
+            }
+
+            if (-not $isTestProject) {
+              foreach ($package in $framework.transitivePackages) {
+                $hasVulnerabilities = $true
+
+                foreach ($vulnerability in $package.vulnerabilities) {
+                  Write-Host "$($project.path) ($($framework.framework)): transitive $($package.id) $($package.resolvedVersion) – $($vulnerability.severity): $($vulnerability.advisoryurl)"
+                }
+              }
+            }
+          }
+        }
+
+        if ($hasVulnerabilities) {
+          exit 1
         }
diff --git a/sharedtest.props b/sharedtest.props
@@ -1,6 +1,7 @@
 <Project>
   <PropertyGroup>
     <NoWarn>$(NoWarn);SA0001;SA1101;SA1124;SA1200;SA1201;SA1208;SA1309;SA1310;SA1314;SA1401;SA1402;SA1413;SA1600;SA1629;SA1652;1591;CS8002;CA1018;CA1031;CA1063;CA1041;CA1802;CA1822;CA2211;CA2213;CA2235;CA2237;IDE1006;IDE0052;IDE0059;IDE0060;IDE0090;IDE0130;IDE0150;S4792;ASP0016;ASP0019</NoWarn>
+    <NuGetAuditMode>direct</NuGetAuditMode>
   </PropertyGroup>
 
   <PropertyGroup>
