Add vulnerable option to telemetry (#50739)

nkolev92 · web-flow · commit 73877a933316 · 2025-09-12T11:43:33.000+09:30
diff --git a/src/Cli/dotnet/Telemetry/TelemetryFilter.cs b/src/Cli/dotnet/Telemetry/TelemetryFilter.cs
@@ -62,6 +62,7 @@ public IEnumerable<ApplicationInsightsEntryFormat> Filter(object objectToFilter)
                 ));
 
                 LogVerbosityForAllTopLevelCommand(result, parseResult, topLevelCommandName, measurements);
+                LogVulnerableOptionForPackageUpdateCommand(result, parseResult, topLevelCommandName, measurements);
 
                 foreach (IParseResultLogRule rule in ParseResultLogRules)
                 {
@@ -138,6 +139,27 @@ TestCommandParser.ConfigurationOption ]
         new AllowListToSendVerbSecondVerbFirstArgument(["workload", "tool", "new"]),
     ];
 
+    private static void LogVulnerableOptionForPackageUpdateCommand(
+        ICollection<ApplicationInsightsEntryFormat> result,
+        ParseResult parseResult,
+        string topLevelCommandName,
+        Dictionary<string, double> measurements = null)
+    {
+        if (topLevelCommandName == "package" && parseResult.CommandResult.Command != null && parseResult.CommandResult.Command.Name == "update")
+        {
+            var hasVulnerableOption = parseResult.HasOption("--vulnerable");
+
+            result.Add(new ApplicationInsightsEntryFormat(
+                "sublevelparser/command",
+                new Dictionary<string, string>()
+                {
+                    { "verb", "package update" },
+                    { "vulnerable", hasVulnerableOption.ToString()}
+                },
+                measurements));
+        }
+    }
+
     private static void LogVerbosityForAllTopLevelCommand(
         ICollection<ApplicationInsightsEntryFormat> result,
         ParseResult parseResult,
diff --git a/test/dotnet.Tests/TelemetryCommandTest.cs b/test/dotnet.Tests/TelemetryCommandTest.cs
@@ -358,6 +358,20 @@ public void DotnetRunCleanTestCommandOpinionsShouldBeSentToTelemetryWhenThereIsM
                               e.Properties["verb"] == Sha256Hasher.Hash("CLEAN"));
         }
 
+        [Fact]
+        public void DotnetUpdatePackageVulnerableOptionShouldBeSentToTelemetry()
+        {
+            const string optionKey = "vulnerable";
+            string[] args = { "package", "update", "--vulnerable" };
+            Cli.Program.ProcessArgs(args);
+            _fakeTelemetry
+                .LogEntries.Should()
+                .Contain(e => e.EventName == "sublevelparser/command" &&
+                              e.Properties.ContainsKey(optionKey) &&
+                              e.Properties.ContainsKey("verb") &&
+                              e.Properties["verb"] == Sha256Hasher.Hash("PACKAGE UPDATE"));
+        }
+
         [WindowsOnlyFact]
         public void InternalreportinstallsuccessCommandCollectExeNameWithEventname()
         {
