diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
index e2beadeebd..a65918fbed 100644
--- a/.github/workflows/scan-vulnerable-dependencies.yml
+++ b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -47,11 +47,36 @@ jobs:
 $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
 $text = ($output | Out-String).TrimEnd()
 $json = $text | ConvertFrom-Json
+ $hasVulnerabilities = $false
 foreach ($project in $json.projects) {
- if ($project.frameworks) {
- Write-Host 'Vulnerable package references were found.'
- dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
- exit 1
+ if (-not $project.frameworks) {
+ continue
 }
+
+ $isTestProject = $project.path -like '*/test/*'
+
+ foreach ($framework in $project.frameworks) {
+ foreach ($package in $framework.topLevelPackages) {
+ $hasVulnerabilities = $true
+
+ foreach ($vulnerability in $package.vulnerabilities) {
+ Write-Host "$($project.path) ($($framework.framework)): top-level $($package.id) $($package.resolvedVersion) – $($vulnerability.severity): $($vulnerability.advisoryurl)"
+ }
+ }
+
+ if (-not $isTestProject) {
+ foreach ($package in $framework.transitivePackages) {
+ $hasVulnerabilities = $true
+
+ foreach ($vulnerability in $package.vulnerabilities) {
+ Write-Host "$($project.path) ($($framework.framework)): transitive $($package.id) $($package.resolvedVersion) – $($vulnerability.severity): $($vulnerability.advisoryurl)"
+ }
+ }
+ }
+ }
+ }
+
+ if ($hasVulnerabilities) {
+ exit 1
 }
diff --git a/sharedtest.props b/sharedtest.props
index 4204528eec..407fbabb65 100644
--- a/sharedtest.props
+++ b/sharedtest.props
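Review bot: Transitive findings in test projects are dropped entirely by the `if (-not $isTestProject)` guard around the second package loop, so an advisory the job chose not to fail on never appears in the log and the exemption cannot be audited afterwards. Guard only the failure flag and keep the output: `foreach ($package in $framework.transitivePackages) {` followed by `if (-not $isTestProject) { $hasVulnerabilities = $true }`, with the outer `if` removed and the Write-Host line optionally suffixed with `(test project, not failing)`. The `$project.path -like '*/test/*'` check also assumes forward slashes; if this job ever runs on a Windows runner the paths dotnet emits use backslashes and the pattern would not match (which fails closed but makes the exemption inconsistent), so `($project.path -replace '\\', '/') -like '*/test/*'` would be safer. Note too that `$hasVulnerabilities = $true` is set per listed package rather than per vulnerability, which is correct only as long as `--vulnerable` guarantees every package in the JSON carries at least one advisory; checking `$package.vulnerabilities` before setting the flag removes that dependency.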
@@ -1,6 +1,7 @@ $(NoWarn);SA0001;SA1101;SA1124;SA1200;SA1201;SA1208;SA1309;SA1310;SA1314;SA1401;SA1402;SA1413;SA1600;SA1629;SA1652;1591;CS8002;CA1018;CA1031;CA1063;CA1041;CA1802;CA1822;CA2211;CA2213;CA2235;CA2237;IDE1006;IDE0052;IDE0059;IDE0060;IDE0090;IDE0130;IDE0150;S4792;ASP0016;ASP0019 + direct