Tweak vulnerability checks (fix broken builds) (#1684)

bart-vmware · web-flow · commit af26973c8738 · 2026-04-29T15:38:40.000+02:00
* Turn off vulnerability checks (we have `scan-vulnerable-dependencies.yml` for that)

* Use `dotnet list package --vulnerable --include-transitive` to detect vulnerable packages

* Make Sonar aware of vulnerable packages
diff --git a/.github/workflows/Steeltoe.All.yml b/.github/workflows/Steeltoe.All.yml
@@ -84,7 +84,7 @@ jobs:
         persist-credentials: false
 
     - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
     - name: Build solution
       run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
diff --git a/.github/workflows/component-shared-workflow.yml b/.github/workflows/component-shared-workflow.yml
@@ -75,7 +75,7 @@ jobs:
         persist-credentials: false
 
     - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
     - name: Build solution
       run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -45,7 +45,7 @@ jobs:
         persist-credentials: false
 
     - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
     - name: Calculate package version (for release)
       if: ${{ github.event_name == 'release' }}
diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -41,4 +41,19 @@ jobs:
         persist-credentials: false
 
     - name: Report vulnerable dependencies
-      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = 'Stop'
+        $PSNativeCommandUseErrorActionPreference = $true
+
+        $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
+        $text = ($output | Out-String).TrimEnd()
+        $json = $text | ConvertFrom-Json
+
+        foreach ($project in $json.projects) {
+          if ($project.frameworks) {
+            Write-Host 'Vulnerable package references were found.'
+            dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
+            exit 1
+          }
+        }
diff --git a/.github/workflows/sonarcube.yml b/.github/workflows/sonarcube.yml
@@ -22,6 +22,7 @@ env:
   DOTNET_CLI_TELEMETRY_OPTOUT: 1
   DOTNET_NOLOGO: true
   SOLUTION_FILE: 'src/Steeltoe.All.slnx'
+  NUGET_VULNERABLE_PACKAGE_WARNINGS: '"NU1901;NU1902;NU1903;NU1904"'
   SONAR_TEST_ARGS: >-
     --no-build --configuration Release --collect "XPlat Code Coverage" --logger trx --results-directory ${{ github.workspace }}/TestOutput
     --settings coverlet.runsettings -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.UseSourceLink=false
@@ -66,9 +67,6 @@ jobs:
         # Sonar: Shallow clones should be disabled for a better relevancy of analysis.
         fetch-depth: 0
 
-    - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
-
     - name: Begin Sonar .NET scanner
       id: sonar_begin
       env:
@@ -77,8 +75,11 @@ jobs:
         dotnet sonarscanner begin /k:"SteeltoeOSS_steeltoe" /o:"steeltoeoss" /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
         /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths=**/coverage.opencover.xml
 
+    - name: Restore packages
+      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:Configuration=Release /p:NuGetAuditLevel=low /p:WarningsNotAsErrors='${{ env.NUGET_VULNERABLE_PACKAGE_WARNINGS }}'
+
     - name: Build solution
-      run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
+      run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal /p:NuGetAuditLevel=low /p:WarningsNotAsErrors='${{ env.NUGET_VULNERABLE_PACKAGE_WARNINGS }}'
 
     - name: Test
       run: dotnet test ${{ env.SOLUTION_FILE }} --filter "Category!=MemoryDumps" ${{ env.SONAR_TEST_ARGS }}
