Set NuGetAuditMode to "all" to enable vulnerable transitive dependencies warnings

kevinchalet · kevinchalet · commit d9e44860f60e · 2025-03-20T16:41:40.000+01:00
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -7,9 +7,9 @@
     <EnableNETAnalyzers>true</EnableNETAnalyzers>
     <AnalysisLevel>preview</AnalysisLevel>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <NoWarn>$(NoWarn);CS1591;NETSDK1206;NU5118;NU5128;xUnit2002</NoWarn>
+    <NoWarn>$(NoWarn);CS1591;NU5128</NoWarn>
     <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
-    <NuGetAuditMode>direct</NuGetAuditMode>
+    <NuGetAuditMode>all</NuGetAuditMode>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <DebugSymbols>true</DebugSymbols>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -45,6 +45,7 @@
     <PackageVersion Include="MongoDB.Driver"                                                  Version="3.2.1"           />
     <PackageVersion Include="Quartz.Extensions.DependencyInjection"                           Version="3.14.0"          />
     <PackageVersion Include="System.Collections.Immutable"                                    Version="8.0.0"           />
+    <PackageVersion Include="System.Interactive.Async"                                        Version="3.2.0"           />
     <PackageVersion Include="System.Net.Http.Json"                                            Version="8.0.1"           />
 
     <!--
@@ -76,6 +77,7 @@
     <PackageVersion Include="Microsoft.AspNet.WebApi.Owin"                                    Version="5.3.0"           />
     <PackageVersion Include="Microsoft.AspNetCore"                                            Version="2.3.0"           />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.Cookies"                     Version="2.3.0"           />
+    <PackageVersion Include="Microsoft.AspNetCore.Identity"                                   Version="2.3.1"           />
     <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore"               Version="2.3.0"           />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc"                                        Version="2.3.0"           />
     <PackageVersion Include="Microsoft.AspNetCore.StaticFiles"                                Version="2.3.0"           />
@@ -239,6 +241,7 @@
     <PackageVersion Include="Quartz.Extensions.DependencyInjection"                           Version="3.14.0" />
     <PackageVersion Include="System.Collections.Immutable"                                    Version="8.0.0"  />
     <PackageVersion Include="System.ComponentModel.Annotations"                               Version="5.0.0"  />
+    <PackageVersion Include="System.Interactive.Async"                                        Version="3.2.0"  />
     <PackageVersion Include="System.Net.Http.Json"                                            Version="8.0.1"  />
 
     <!--
@@ -287,6 +290,7 @@
     <PackageVersion Include="Quartz.Extensions.DependencyInjection"                           Version="3.14.0" />
     <PackageVersion Include="System.Collections.Immutable"                                    Version="8.0.0"  />
     <PackageVersion Include="System.ComponentModel.Annotations"                               Version="5.0.0"  />
+    <PackageVersion Include="System.Interactive.Async"                                        Version="3.2.0"  />
     <PackageVersion Include="System.Net.Http.Json"                                            Version="8.0.1"  />
 
     <!--
diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/OpenIddict.Sandbox.AspNetCore.Server.csproj
@@ -20,7 +20,13 @@
   </ItemGroup>
 
   <ItemGroup Condition=" '$(TargetFrameworkIdentifier)' == '.NETFramework' ">
+    <!--
+      Note: Microsoft.AspNetCore.Identity is explicitly referenced to override the vulnerable
+      2.3.0 version referenced by the Microsoft.AspNetCore.Identity.EntityFrameworkCore package.
+    -->
+
     <PackageReference Include="Microsoft.AspNetCore" />
+    <PackageReference Include="Microsoft.AspNetCore.Identity" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc" />
     <PackageReference Include="Microsoft.AspNetCore.StaticFiles" />
   </ItemGroup>
diff --git a/src/OpenIddict.EntityFrameworkCore/OpenIddict.EntityFrameworkCore.csproj b/src/OpenIddict.EntityFrameworkCore/OpenIddict.EntityFrameworkCore.csproj
@@ -22,6 +22,21 @@
     <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" />
   </ItemGroup>
 
+  <!--
+    Note: Entity Framework Core 2.3 references an old System.Interactive.Async version
+    that doesn't include a .NET Standard 2.0 target framework moniker and depends on the
+    legacy NETStandard.Library 1.6.0 package that references vulnerable versions of the
+    System.Net.Http and System.Security.Cryptography.X509Certificates packages. While the
+    inbox implementation of these packages is always going to be preferred in practice,
+    OpenIddict explicitly references a newer version of System.Interactive.Async that is
+    natively compatible with .NET Standard 2.0 to avoid having to ignore NuGet warnings.
+  -->
+
+  <ItemGroup
+    Condition=" '$(TargetFrameworkIdentifier)' == '.NETFramework' Or '$(TargetFrameworkIdentifier)' == '.NETStandard' ">
+    <PackageReference Include="System.Interactive.Async" />
+  </ItemGroup>
+
   <ItemGroup>
     <Using Include="OpenIddict.Abstractions" />
     <Using Include="OpenIddict.Abstractions.OpenIddictConstants" Static="true" />
diff --git a/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictConverterTests.cs b/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictConverterTests.cs
@@ -150,8 +150,8 @@ public void Read_PreservesEmptyParameters()
         Assert.NotNull(message.GetParameter("array"));
         Assert.NotNull(message.GetParameter("object"));
         Assert.Empty(((string?) message.GetParameter("string"))!);
-        Assert.NotNull((JsonElement?) message.GetParameter("array"));
-        Assert.NotNull((JsonElement?) message.GetParameter("object"));
+        Assert.True(((JsonElement?) message.GetParameter("array")).HasValue);
+        Assert.True(((JsonElement?) message.GetParameter("object")).HasValue);
         Assert.NotNull((JsonNode?) message.GetParameter("array"));
         Assert.NotNull((JsonNode?) message.GetParameter("object"));
     }
diff --git a/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictMessageTests.cs b/test/OpenIddict.Abstractions.Tests/Primitives/OpenIddictMessageTests.cs
@@ -194,9 +194,9 @@ public void AddParameter_PreservesEmptyParameters()
 
         // Assert
         Assert.Empty(((string?) message.GetParameter("string"))!);
-        Assert.NotNull((JsonElement?) message.GetParameter("array"));
-        Assert.NotNull((JsonElement?) message.GetParameter("object"));
-        Assert.NotNull((JsonElement?) message.GetParameter("value"));
+        Assert.True(((JsonElement?) message.GetParameter("array")).HasValue);
+        Assert.True(((JsonElement?) message.GetParameter("object")).HasValue);
+        Assert.True(((JsonElement?) message.GetParameter("value")).HasValue);
         Assert.NotNull((JsonNode?) message.GetParameter("node_array"));
         Assert.NotNull((JsonNode?) message.GetParameter("node_object"));
         Assert.NotNull((JsonNode?) message.GetParameter("node_value"));
