Enable auditing of nuget packages (#414)

* Enable auditing of nuget packages. * Build fix. * Treat nuget audit warning as error. * Enable transitive pinning.
fintermobilityas · Jul 30, 2024 · dc887a2 · dc887a2
1 parent a1e1d51
commit dc887a2
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 20 deletions.
diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -2,6 +2,15 @@
 
     <PropertyGroup>
         <LangVersion>12.0</LangVersion>
+        <EnableNETAnalyzers>true</EnableNETAnalyzers>
+        <AnalysisLevel>latest</AnalysisLevel>
+        <WarningsAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
+    </PropertyGroup>
+
+    <PropertyGroup>
+        <NuGetAudit>true</NuGetAudit>
+        <NuGetAuditMode>all</NuGetAuditMode>
+        <NuGetAuditLevel>low</NuGetAuditLevel>
     </PropertyGroup>
 
     <PropertyGroup>

diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
@@ -1,6 +1,7 @@
 <Project>
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
     <AvaloniaVersion>11.1.1</AvaloniaVersion>
   </PropertyGroup>
   <ItemGroup>
@@ -24,9 +25,14 @@
     <PackageVersion Include="SharpCompress" Version="0.37.2" />
     <PackageVersion Include="System.CodeDom" Version="8.0.0" />
     <PackageVersion Include="System.Security.Permissions" Version="8.0.0" />
-    <PackageVersion Include="xunit" Version="2.8.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.0" />
-    <PackageVersion Include="XunitXml.TestLogger" Version="3.1.20" />
-    <PackageVersion Include="YamlDotNet" Version="15.3.0" />
+    <PackageVersion Include="xunit" Version="2.9.0" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
+    </PackageVersion>
+    <PackageVersion Include="XunitXml.TestLogger" Version="4.0.254" />
+    <PackageVersion Include="YamlDotNet" Version="16.0.0" />
+    <!-- Transitive dependencies -->
+    <PackageVersion Include="System.Formats.Asn1" Version="[8.0.1,)" />
   </ItemGroup>
-</Project>
+</Project>
diff --git a/src/Snap/Core/Yaml/TypeConverters/OsPlatformYamlTypeConverter.cs b/src/Snap/Core/Yaml/TypeConverters/OsPlatformYamlTypeConverter.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Runtime.InteropServices;
 using YamlDotNet.Core;
 using YamlDotNet.Core.Events;
@@ -8,24 +8,26 @@ namespace Snap.Core.Yaml.TypeConverters;
 
 internal sealed class OsPlatformYamlTypeConverter : IYamlTypeConverter
 {
-    public bool Accepts(Type type)
-    {
-        return type == typeof(OSPlatform);
-    }
+    public bool Accepts(Type type) => type == typeof(OSPlatform);
 
-    public object ReadYaml(IParser parser, Type type)
+    public object ReadYaml(IParser parser, Type type, ObjectDeserializer rootDeserializer)
     {
         var osPlatform = ((Scalar)parser.Current)?.Value;
         parser.MoveNext();
         return TryCreateOsPlatform(osPlatform);
     }
 
-    public void WriteYaml(IEmitter emitter, object value, Type type)
+    public void WriteYaml(IEmitter emitter, object value, Type type, ObjectSerializer serializer)
     {
-        var osPlatformStr = ((OSPlatform)value).ToString().ToLowerInvariant();
+        if (value is not OSPlatform osPlatform)
+        {
+            throw new ArgumentException("Value is not an OSPlatform", nameof(value));
+        }
+
+        var osPlatformStr = osPlatform.ToString().ToLowerInvariant();
         emitter.Emit(new Scalar(osPlatformStr));
     }
-
+    
     static OSPlatform TryCreateOsPlatform(string osPlatform)
     {
         if (string.IsNullOrWhiteSpace(osPlatform))

diff --git a/src/Snap/Core/Yaml/TypeConverters/SemanticVersionYamlTypeConverter.cs b/src/Snap/Core/Yaml/TypeConverters/SemanticVersionYamlTypeConverter.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using NuGet.Versioning;
 using YamlDotNet.Core;
 using YamlDotNet.Core.Events;
@@ -13,15 +13,15 @@ public bool Accepts(Type type)
         return type == typeof(SemanticVersion);
     }
 
-    public object ReadYaml(IParser parser, Type type)
+    public object ReadYaml(IParser parser, Type type, ObjectDeserializer rootDeserializer)
     {
         var semanticVersionStr = ((Scalar)parser.Current)?.Value;
         parser.MoveNext();
         SemanticVersion.TryParse(semanticVersionStr, out var semanticVersion);
         return semanticVersion;
     }
 
-    public void WriteYaml(IEmitter emitter, object value, Type type)
+    public void WriteYaml(IEmitter emitter, object value, Type type, ObjectSerializer serializer)
     {
         var semanticVersionStr = ((SemanticVersion)value)?.ToNormalizedString() ?? string.Empty;
         emitter.Emit(new Scalar(semanticVersionStr));

diff --git a/src/Snap/Core/Yaml/TypeConverters/UriYamlTypeConverter.cs b/src/Snap/Core/Yaml/TypeConverters/UriYamlTypeConverter.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using YamlDotNet.Core;
 using YamlDotNet.Core.Events;
 using YamlDotNet.Serialization;
@@ -12,15 +12,15 @@ public bool Accepts(Type type)
         return type == typeof(Uri);
     }
 
-    public object ReadYaml(IParser parser, Type type)
+    public object ReadYaml(IParser parser, Type type, ObjectDeserializer rootDeserializer)
     {
         var uriStr = ((Scalar)parser.Current)?.Value;
         parser.MoveNext();
         Uri.TryCreate(uriStr, UriKind.Absolute, out var uri);
         return uri;
     }
 
-    public void WriteYaml(IEmitter emitter, object value, Type type)
+    public void WriteYaml(IEmitter emitter, object value, Type type, ObjectSerializer serializer)
     {
         var uriStr = ((Uri)value)?.ToString() ?? string.Empty;
         emitter.Emit(new Scalar(uriStr));