From 7dafc8d0895a7f4d35bbcefa46b3914e9bc8991b Mon Sep 17 00:00:00 2001
From: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
Date: Fri, 24 Apr 2026 16:37:03 +0200
Subject: [PATCH 1/3] Turn off vulnerability checks (we have `scan-vulnerable-dependencies.yml` for that)

---
 .github/workflows/Steeltoe.All.yml | 2 +-
 .github/workflows/component-shared-workflow.yml | 2 +-
 .github/workflows/package.yml | 2 +-
 .github/workflows/scan-vulnerable-dependencies.yml | 2 +-
 .github/workflows/sonarcube.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/Steeltoe.All.yml b/.github/workflows/Steeltoe.All.yml
index 0ba18080c8..cf8cd562a7 100644
--- a/.github/workflows/Steeltoe.All.yml
+++ b/.github/workflows/Steeltoe.All.yml
@@ -84,7 +84,7 @@ jobs:
 persist-credentials: false
 
 - name: Restore packages
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+ run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
 - name: Build solution
 run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
diff --git a/.github/workflows/component-shared-workflow.yml b/.github/workflows/component-shared-workflow.yml
index f7c144a622..449d72af33 100644
--- a/.github/workflows/component-shared-workflow.yml
+++ b/.github/workflows/component-shared-workflow.yml
@@ -75,7 +75,7 @@ jobs:
 persist-credentials: false
 
 - name: Restore packages
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+ run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
 - name: Build solution
 run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index 82af36ca0f..39dad17f94 100644
--- a/.github/workflows/package.yml
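Review bot: `/p:NuGetAudit=false` is added to the restore with nothing beside it saying the suppression is deliberate, so the next person touching Steeltoe.All.yml (or the identical hunk in component-shared-workflow.yml) may read it as a leftover debugging flag, or assume this was the only audit and quietly remove it. The check that replaces it lives in a different file, so name it at the point of suppression: `# NuGet audit is intentionally off in this build; scan-vulnerable-dependencies.yml is the gate for vulnerable packages.` above the `Restore packages` step. The enclosing job begins before this hunk.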
+++ b/.github/workflows/package.yml
@@ -45,7 +45,7 @@ jobs:
 persist-credentials: false
 
 - name: Restore packages
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+ run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
 - name: Calculate package version (for release)
 if: ${{ github.event_name == 'release' }}
diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
index 5cfe3f066f..132d6fb8b3 100644
--- a/.github/workflows/scan-vulnerable-dependencies.yml
+++ b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -41,4 +41,4 @@ jobs:
 persist-credentials: false
 
 - name: Report vulnerable dependencies
- run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True
+ run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low --verbosity minimal
diff --git a/.github/workflows/sonarcube.yml b/.github/workflows/sonarcube.yml
index 4e3222b613..62b6697ce0 100644
--- a/.github/workflows/sonarcube.yml
+++ b/.github/workflows/sonarcube.yml
@@ -67,7 +67,7 @@ jobs:
 fetch-depth: 0
 
 - name: Restore packages
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
+ run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
 - name: Begin Sonar .NET scanner
 id: sonar_begin

From f34a76c5a31cc129e7c2e21c159244f483b3e207 Mon Sep 17 00:00:00 2001
From: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
Date: Tue, 28 Apr 2026 15:31:10 +0200
Subject: [PATCH 2/3] Use `dotnet list package --vulnerable --include-transitive` to detect vulnerable packages

---
 .../workflows/scan-vulnerable-dependencies.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
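Review bot: This is the restore that feeds the published packages, and with `/p:NuGetAudit=false` a release can now ship with a known-vulnerable dependency unless the scan workflow blocks it — whether it does depends on that workflow's triggers and on it being a required check, neither of which is visible in this diff. If scan-vulnerable-dependencies.yml does not run on the `release` event this job keys on (`if: ${{ github.event_name == 'release' }}` just below), I would keep audit on for this one restore, i.e. `run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal`, or make the publish job depend on a successful scan. Whichever is chosen, record it inline: `# Audit is off here by design; a release is gated on scan-vulnerable-dependencies.yml instead.` The enclosing job begins before this hunk.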
diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
index 132d6fb8b3..f8e3ee4bcd 100644
--- a/.github/workflows/scan-vulnerable-dependencies.yml
+++ b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -41,4 +41,19 @@ jobs:
 persist-credentials: false
 
 - name: Report vulnerable dependencies
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low --verbosity minimal
+ shell: pwsh
+ run: |
+ $ErrorActionPreference = 'Stop'
+ $PSNativeCommandUseErrorActionPreference = $true
+
+ $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
+ $text = ($output | Out-String).TrimEnd()
+ $json = $text | ConvertFrom-Json
+
+ foreach ($project in $json.projects) {
+ if ($project.frameworks) {
+ Write-Host 'Vulnerable package references were found.'
+ dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
+ exit 1
+ }
+ }

From abe19ddcca1ec75714f459428a7da2da8d63a756 Mon Sep 17 00:00:00 2001
From: Bart Koelman <104792814+bart-vmware@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:35:59 +0200
Subject: [PATCH 3/3] Make Sonar aware of vulnerable packages

---
 .github/workflows/sonarcube.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/sonarcube.yml b/.github/workflows/sonarcube.yml
index 62b6697ce0..712dfe326c 100644
--- a/.github/workflows/sonarcube.yml
+++ b/.github/workflows/sonarcube.yml
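Review bot: The new step fails closed on findings but not on a scan that did not actually happen: when a project cannot be evaluated or no configured source provides vulnerability data, `dotnet list package --vulnerable` reports that in the report's top-level `problems` array (as I read the `--output-version 1` format; confirm against the SDK in use) and the affected project comes back without `frameworks`, so the `foreach` sees nothing and the job goes green. Check `problems` before the loop and treat any entry as a failure, and refuse an empty `projects` list for the same reason. Two smaller points: `2>&1` folds any stderr diagnostic into `$text`, so a stray warning surfaces as a confusing `ConvertFrom-Json` parse error rather than a readable message, and since `$PSNativeCommandUseErrorActionPreference` already stops on a non-zero exit the redirect could be dropped; and `dotnet list package` only restores implicitly on newer SDKs, which I cannot verify here now that the explicit restore is gone from this step.
```yaml
run: |
  # … unchanged: preferences, dotnet list invocation, $text …
  $json = $text | ConvertFrom-Json

  # Fail closed: any problem (project not evaluated, no vulnerability data source, ...)
  # means the scan is not trustworthy, whatever 'projects' contains.
  if ($json.problems) {
    $json.problems | ConvertTo-Json -Depth 5 | Write-Host
    Write-Host 'The vulnerability scan did not complete; refusing to report it as clean.'
    exit 1
  }

  if (-not $json.projects) {
    Write-Host 'No projects were scanned.'
    exit 1
  }

  # … unchanged: foreach over $json.projects …
```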
@@ -22,6 +22,7 @@ env:
 DOTNET_CLI_TELEMETRY_OPTOUT: 1
 DOTNET_NOLOGO: true
 SOLUTION_FILE: 'src/Steeltoe.All.slnx'
+ NUGET_VULNERABLE_PACKAGE_WARNINGS: '"NU1901;NU1902;NU1903;NU1904"'
 SONAR_TEST_ARGS: >-
 --no-build --configuration Release --collect "XPlat Code Coverage" --logger trx --results-directory ${{ github.workspace }}/TestOutput --settings coverlet.runsettings -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.UseSourceLink=false
@@ -66,9 +67,6 @@ jobs:
 # Sonar: Shallow clones should be disabled for a better relevancy of analysis.
 fetch-depth: 0
 
- - name: Restore packages
- run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
-
 - name: Begin Sonar .NET scanner
 id: sonar_begin
 env:
@@ -77,8 +75,11 @@ jobs:
 dotnet sonarscanner begin /k:"SteeltoeOSS_steeltoe" /o:"steeltoeoss" /d:sonar.token="${{ secrets.SONAR_TOKEN }}" /d:sonar.host.url="https://sonarcloud.io" /d:sonar.cs.opencover.reportsPaths=**/coverage.opencover.xml
 
+ - name: Restore packages
+ run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:Configuration=Release /p:NuGetAuditLevel=low /p:WarningsNotAsErrors='${{ env.NUGET_VULNERABLE_PACKAGE_WARNINGS }}'
+
 - name: Build solution
- run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal
+ run: dotnet build ${{ env.SOLUTION_FILE }} --no-restore --configuration Release --verbosity minimal /p:NuGetAuditLevel=low /p:WarningsNotAsErrors='${{ env.NUGET_VULNERABLE_PACKAGE_WARNINGS }}'
 
 - name: Test
 run: dotnet test ${{ env.SOLUTION_FILE }} --filter "Category!=MemoryDumps" ${{ env.SONAR_TEST_ARGS }}
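Review bot: The value `'"NU1901;NU1902;NU1903;NU1904"'` reads as a quoting mistake until one finds its use as `/p:WarningsNotAsErrors='${{ env.NUGET_VULNERABLE_PACKAGE_WARNINGS }}'` further down: the inner double quotes pass through the shell's single quotes so MSBuild receives one `;`-separated value instead of splitting it into several `/p:` properties. That deserves a comment on the line itself, e.g. `# Inner double quotes are deliberate: they reach MSBuild through the shell's single quotes and keep the ';' list as one property value. NU1901..NU1904 are the NuGet audit findings, low..critical.`, so nobody "fixes" the quoting. The `env` block begins before this hunk.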
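Review bot: `/p:WarningsNotAsErrors=…` on the command line is an MSBuild global property, and a global property replaces rather than extends a value assigned in the project or Directory.Build.props, so if the repository already lists other codes in WarningsNotAsErrors this job will start failing on those while the other workflows keep passing — I cannot see the props files, so verify. If it does, put the NuGet codes in the props (`<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` behind a switch property) and pass only the switch from both the restore and the `--no-restore` build here. Also say above the `Restore packages` step that the downgrade makes this job advisory, e.g. `# Audit findings are demoted to warnings so Sonar ingests them; the failing gate is scan-vulnerable-dependencies.yml.`, so a green Sonar run is not mistaken for a clean audit. The enclosing job begins before this hunk.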