Skip to content

C#: Automatically use configured private registry feeds #18850

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 21 commits into from
Mar 27, 2025
Merged

C#: Automatically use configured private registry feeds #18850

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
6b2f348
C#: Add `CODEQL_PROXY_URLS` environment variable
mbg Jan 6, 2025
63d5517
C#: Add list of registries to `DependabotProxy`
mbg Jan 7, 2025
11efb55
C#: Parse environment variables to obtain list of registry URLs
mbg Jan 7, 2025
726123c
C#: Allow specifying package feeds for `dotnet restore` as command li…
mbg Jan 7, 2025
0db6a26
C#: Propagate explicit feeds to `RestoreProjects`
mbg Feb 24, 2025
6b15f77
C#: Fix test failures
mbg Mar 3, 2025
a8dde15
C#: Only provide feeds on command line if Dependabot proxy is enabled
mbg Mar 14, 2025
9560593
C#: Fix `.ToList()` being called on `null`
mbg Mar 14, 2025
b6c74fe
C#: Narrow `Exception` to `JsonException`
mbg Mar 14, 2025
284f612
C#: Use `StringBuilder` for feed arguments in `GetRestoreArgs`
mbg Mar 14, 2025
51874b8
Apply suggestions from code review
mbg Mar 17, 2025
7a92a72
C#: Change `RegistryConfig` to a record class
mbg Mar 18, 2025
d564529
C#: Change `RestoreSettings` to have general `extraArgs` parameter
mbg Mar 24, 2025
92eab47
C#: Refactor `CheckFeeds` to have an overloaded variant that accepts …
mbg Mar 24, 2025
4448369
C#: Check that private package registry feeds are reachable
mbg Mar 24, 2025
7cea2ad
Apply suggestions from code review
mbg Mar 25, 2025
d2b88ae
C#: Rename overloaded `CheckFeeds` method and fix comment
mbg Mar 25, 2025
4d3b024
C#: Do not manually add public feed when private registries are used
mbg Mar 25, 2025
73ca2eb
C#: Use `allFeeds` rather than `explicitFeeds` for `RestoreProjects`
mbg Mar 25, 2025
be95d33
C#: Obtain all feeds from source directory if there are no `nuget.con…
mbg Mar 25, 2025
fe1c098
C#: Accept changes to `.expected` files
mbg Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 47 additions & 1 deletion csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,22 @@
using System;
using System.Diagnostics;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Semmle.Util;
using Semmle.Util.Logging;
using Newtonsoft.Json;

namespace Semmle.Extraction.CSharp.DependencyFetching
{
public class DependabotProxy : IDisposable
{
/// <summary>
/// Represents configurations for package registries.
/// </summary>
/// <param name="Type">The type of package registry.</param>
/// <param name="URL">The URL of the package registry.</param>
public record class RegistryConfig(string Type, string URL);

private readonly string host;
private readonly string port;

Expand All @@ -17,6 +25,10 @@ public class DependabotProxy : IDisposable
/// </summary>
internal string Address { get; }
/// <summary>
/// The URLs of package registries that are configured for the proxy.
/// </summary>
internal HashSet<string> RegistryURLs { get; }
/// <summary>
/// The path to the temporary file where the certificate is stored.
/// </summary>
internal string? CertificatePath { get; private set; }
Expand Down Expand Up @@ -67,6 +79,39 @@ public class DependabotProxy : IDisposable
result.Certificate = X509Certificate2.CreateFromPem(cert);
}

// Try to obtain the list of private registry URLs.
var registryURLs = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyURLs);

if (!string.IsNullOrWhiteSpace(registryURLs))
{
try
{
// The value of the environment variable should be a JSON array of objects, such as:
// [ { "type": "nuget_feed", "url": "https://nuget.pkg.github.com/org/index.json" } ]
var array = JsonConvert.DeserializeObject<List<RegistryConfig>>(registryURLs);
if (array is not null)
{
foreach (RegistryConfig config in array)
{
// The array contains all configured private registries, not just ones for C#.
// We ignore the non-C# ones here.
if (!config.Type.Equals("nuget_feed"))
{
logger.LogDebug($"Ignoring registry at '{config.URL}' since it is not of type 'nuget_feed'.");
continue;
}

logger.LogInfo($"Found private registry at '{config.URL}'");
result.RegistryURLs.Add(config.URL);
}
}
}
catch (JsonException ex)
{
logger.LogError($"Unable to parse '{EnvironmentVariableNames.ProxyURLs}': {ex.Message}");
}
}

return result;
}

Expand All @@ -75,6 +120,7 @@ private DependabotProxy(string host, string port)
this.host = host;
this.port = port;
this.Address = $"http://{this.host}:{this.port}";
this.RegistryURLs = new HashSet<string>();
}

public void Dispose()
Expand Down
7 changes: 6 additions & 1 deletion csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
using System.Collections.Generic;
using System.IO;
using System.Linq;

using System.Text;
using Newtonsoft.Json.Linq;

using Semmle.Util;
Expand Down Expand Up @@ -77,6 +77,11 @@ private string GetRestoreArgs(RestoreSettings restoreSettings)
args += " /p:EnableWindowsTargeting=true";
}

if (restoreSettings.ExtraArgs != null)
{
args += $" {restoreSettings.ExtraArgs}";
}

return args;
}

Expand Down
5 changes: 5 additions & 0 deletions csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,5 +89,10 @@ internal static class EnvironmentVariableNames
/// Contains the certificate used by the Dependabot proxy.
/// </summary>
public const string ProxyCertificate = "CODEQL_PROXY_CA_CERTIFICATE";

/// <summary>
/// Contains the URLs of private nuget registries as a JSON array.
/// </summary>
public const string ProxyURLs = "CODEQL_PROXY_URLS";
}
}
2 changes: 1 addition & 1 deletion csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ public interface IDotNet
IList<string> GetNugetFeedsFromFolder(string folderPath);
}

public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? ExtraArgs = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);

public partial record class RestoreResult(bool Success, IList<string> Output)
{
Expand Down
74 changes: 61 additions & 13 deletions csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ public HashSet<AssemblyLookupLocation> Restore()

var restoredProjects = RestoreSolutions(out var container);
var projects = fileProvider.Projects.Except(restoredProjects);
RestoreProjects(projects, out var containers);
RestoreProjects(projects, explicitFeeds, out var containers);

var dependencies = containers.Flatten(container);

Expand Down Expand Up @@ -260,8 +260,34 @@ private IEnumerable<string> RestoreSolutions(out DependencyContainer dependencie
/// Populates dependencies with the relative paths to the assets files generated by the restore.
/// </summary>
/// <param name="projects">A list of paths to project files.</param>
private void RestoreProjects(IEnumerable<string> projects, out ConcurrentBag<DependencyContainer> dependencies)
private void RestoreProjects(IEnumerable<string> projects, HashSet<string>? configuredSources, out ConcurrentBag<DependencyContainer> dependencies)
{
// Conservatively, we only set this to a non-null value if a Dependabot proxy is enabled.
// This ensures that we continue to get the old behaviour where feeds are taken from
// `nuget.config` files instead of the command-line arguments.
string? extraArgs = null;

if (this.dependabotProxy is not null)
{
// If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware
// of the private registry feeds. However, since providing them as command-line arguments
// to `dotnet` ignores other feeds that may be configured, we also need to add the feeds
// we have discovered from analysing `nuget.config` files.
var sources = configuredSources ?? new();
sources.Add(PublicNugetOrgFeed);
this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url));

// Add package sources. If any are present, they override all sources specified in
// the configuration file(s).
var feedArgs = new StringBuilder();
foreach (string source in sources)
{
feedArgs.Append($" -s {source}");
}

extraArgs = feedArgs.ToString();
}

var successCount = 0;
var nugetSourceFailures = 0;
ConcurrentBag<DependencyContainer> collectedDependencies = [];
Expand All @@ -276,7 +302,7 @@ private void RestoreProjects(IEnumerable<string> projects, out ConcurrentBag<Dep
foreach (var project in projectGroup)
{
logger.LogInfo($"Restoring project {project}...");
var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, TargetWindows: isWindows));
var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, extraArgs, TargetWindows: isWindows));
assets.AddDependenciesRange(res.AssetsFilePaths);
lock (sync)
{
Expand Down Expand Up @@ -674,10 +700,40 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount,
return (timeoutMilliSeconds, tryCount);
}

/// <summary>
/// Checks that we can connect to all Nuget feeds that are explicitly configured in configuration files.
/// </summary>
/// <param name="explicitFeeds">Outputs the set of explicit feeds.</param>
/// <returns>True if all feeds are reachable or false otherwise.</returns>
private bool CheckFeeds(out HashSet<string> explicitFeeds)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe rename one of the CheckFeeds methods. The naming is a bit confusing when their type signatures are so similar.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in d2b88ae

{
logger.LogInfo("Checking Nuget feeds...");
(explicitFeeds, var allFeeds) = GetAllFeeds();
HashSet<string> feedsToCheck = explicitFeeds;

// If private package registries are configured for C#, then check those
// in addition to the ones that are configured in `nuget.config` files.
this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));

var allFeedsReachable = this.CheckFeeds(feedsToCheck);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the dependabot proxy is set, we also explicitly add the public nuget org feed as a source - so we should probably check whether that feed is reachable as well.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have changed this so that the public feed is not manually added when private registries are configured in 4d3b024, since explicitFeeds should already contain it. I checked and dotnet nuget list source does return it unless there is a <clear /> entry in the list of packageSources in nuget.config.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, there's more subtly to this. GetNugetFeeds doesn't include it, because dotnet nuget list source only includes the feeds that are explicitly configured in a given configuration file if it is given an --configfile argument. GetNugetFeedsFromFolder does include the public feed (unless there's a <clear /> element), but we don't check whether these "inherited" feeds are reachable already.

So, we didn't previously check that the public feed is reachable anyway. @tamasvajk left a comment saying that we could check that they are reachable, but don't because of authentication requirements(?).

I think the real lesson for my changes here is that I should really use allFeeds as argument for RestoreProjects rather than just explicitFeeds.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK that also still doesn't quite work with the current logic, because GetAllFeeds only invokes GetNugetFeedsFromFolder in folders that contain nuget.config files to begin with. In our case, we may not have a nuget.config file at all, so GetNugetFeedsFromFolder never gets called, even though it would give us the public feed as expected.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the reachability of the public nuget feed wasn't checked before, then maybe there is no need to check it now either.
However, I think its availability is checked when it is added as a fallback feed (not as an inherited feed).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the reachability of the public nuget feed wasn't checked before, then maybe there is no need to check it now either.

In any case, it's probably a separate discussion to the changes in this PR. I have also now removed that part of the code that manually added the public feed in be95d33.

However, I think its availability is checked when it is added as a fallback feed (not as an inherited feed).

That's true.


var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
if (inheritedFeeds.Count > 0)
{
logger.LogInfo($"Inherited Nuget feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
compilationInfoContainer.CompilationInfos.Add(("Inherited Nuget feed count", inheritedFeeds.Count.ToString()));
}

return allFeedsReachable;
}

/// <summary>
/// Checks that we can connect to the specified Nuget feeds.
/// </summary>
/// <param name="feeds">The set of package feeds to check.</param>
/// <returns>True if all feeds are reachable or false otherwise.</returns>
private bool CheckFeeds(HashSet<string> feeds)
{
logger.LogInfo("Checking that Nuget feeds are reachable...");

var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck)
.ToHashSet();
Expand All @@ -689,7 +745,7 @@ private bool CheckFeeds(out HashSet<string> explicitFeeds)

var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false);

var allFeedsReachable = explicitFeeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
var allFeedsReachable = feeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
if (!allFeedsReachable)
{
logger.LogWarning("Found unreachable Nuget feed in C# analysis with build-mode 'none'. This may cause missing dependencies in the analysis.");
Expand All @@ -704,14 +760,6 @@ private bool CheckFeeds(out HashSet<string> explicitFeeds)
}
compilationInfoContainer.CompilationInfos.Add(("All Nuget feeds reachable", allFeedsReachable ? "1" : "0"));


var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
if (inheritedFeeds.Count > 0)
{
logger.LogInfo($"Inherited Nuget feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
compilationInfoContainer.CompilationInfos.Add(("Inherited Nuget feed count", inheritedFeeds.Count.ToString()));
}

return allFeedsReachable;
}

Expand Down
4 changes: 2 additions & 2 deletions csharp/extractor/Semmle.Extraction.Tests/DotNet.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ public void TestDotnetRestoreProjectToDirectory2()
var dotnet = MakeDotnet(dotnetCliInvoker);

// Execute
var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, "myconfig.config"));
var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, null, "myconfig.config"));

// Verify
var lastArgs = dotnetCliInvoker.GetLastArgs();
Expand All @@ -141,7 +141,7 @@ public void TestDotnetRestoreProjectToDirectory3()
var dotnet = MakeDotnet(dotnetCliInvoker);

// Execute
var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, "myconfig.config", true));
var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, null, "myconfig.config", true));

// Verify
var lastArgs = dotnetCliInvoker.GetLastArgs();
Expand Down