Merge pull request #21684 from michaelnebel/csharp/improve-reachability-checks

michaelnebel · web-flow · commit 4446f42846b0 · 2026-04-30T15:53:52.000+02:00
C#: Improve BMN feed checking &amp; handling.
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs
@@ -95,9 +95,9 @@ private string GetRestoreArgs(RestoreSettings restoreSettings)
                 args += " /p:EnableWindowsTargeting=true";
             }
 
-            if (restoreSettings.ExtraArgs is not null)
+            if (restoreSettings.NugetSources is not null)
             {
-                args += $" {restoreSettings.ExtraArgs}";
+                args += $" {restoreSettings.NugetSources}";
             }
 
             return args;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs
@@ -17,7 +17,7 @@ public interface IDotNet
         IList<string> GetNugetFeedsFromFolder(string folderPath);
     }
 
-    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? ExtraArgs = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
+    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? NugetSources = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
 
     public partial record class RestoreResult(bool Success, IList<string> Output)
     {
@@ -33,6 +33,9 @@ public partial record class RestoreResult(bool Success, IList<string> Output)
         private readonly Lazy<bool> hasNugetNoStablePackageVersionError = new(() => Output.Any(s => s.Contains("NU1103")));
         public bool HasNugetNoStablePackageVersionError => hasNugetNoStablePackageVersionError.Value;
 
+        private readonly Lazy<bool> hasNugetPackageMissingError = new(() => Output.Any(s => s.Contains("NU1101")));
+        public bool HasNugetPackageMissingError => hasNugetPackageMissingError.Value;
+
         private static IEnumerable<string> GetFirstGroupOnMatch(Regex regex, IEnumerable<string> lines) =>
             lines
                 .Select(line => regex.Match(line))
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs
@@ -33,7 +33,7 @@ internal class NugetExeWrapper : IDisposable
         /// <summary>
         /// Create the package manager for a specified source tree.
         /// </summary>
-        public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger)
+        public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)
         {
             this.fileProvider = fileProvider;
             this.packageDirectory = packageDirectory;
@@ -43,7 +43,7 @@ public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDir
             {
                 logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");
                 nugetExe = ResolveNugetExe();
-                if (HasNoPackageSource())
+                if (HasNoPackageSource() && useDefaultFeed())
                 {
                     // We only modify or add a top level nuget.config file
                     nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config");
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
diff --git a/csharp/ql/integration-tests/all-platforms/standalone_resx/CompilationInfo.expected b/csharp/ql/integration-tests/all-platforms/standalone_resx/CompilationInfo.expected
@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
diff --git a/csharp/ql/integration-tests/all-platforms/standalone_slnx/CompilationInfo.expected b/csharp/ql/integration-tests/all-platforms/standalone_slnx/CompilationInfo.expected
@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
diff --git a/csharp/ql/integration-tests/all-platforms/standalone_winforms/CompilationInfo.expected b/csharp/ql/integration-tests/all-platforms/standalone_winforms/CompilationInfo.expected
@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.expected b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.expected
@@ -0,0 +1 @@
+| test-db/working/packages/newtonsoft.json/13.0.4/lib/net6.0/Newtonsoft.Json.dll:0:0:0:0 | Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed |
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.ql b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.ql
@@ -0,0 +1,5 @@
+import csharp
+
+from Assembly a
+where exists(a.getFile().getAbsolutePath().indexOf("newtonsoft.json"))
+select a
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.expected b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.expected
@@ -0,0 +1,22 @@
+| All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
+| Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
+| Failed solution restore with package source error | 0.0 |
+| Inherited NuGet feed count | 1.0 |
+| NuGet feed responsiveness checked | 1.0 |
+| Project files on filesystem | 1.0 |
+| Reachable fallback NuGet feed count | 1.0 |
+| Resolved assembly conflicts | 0.0 |
+| Resource extraction enabled | 0.0 |
+| Restored .NET framework variants | 1.0 |
+| Restored projects through solution files | 0.0 |
+| Solution files on filesystem | 0.0 |
+| Source files generated | 0.0 |
+| Source files on filesystem | 1.0 |
+| Successfully restored project files | 1.0 |
+| Successfully restored solution files | 0.0 |
+| Unresolved references | 0.0 |
+| UseWPF set | 0.0 |
+| UseWindowsForms set | 0.0 |
+| WebView extraction enabled | 1.0 |
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.ql b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.ql
@@ -0,0 +1,15 @@
+import csharp
+import semmle.code.csharp.commons.Diagnostics
+
+query predicate compilationInfo(string key, float value) {
+  key != "Resolved references" and
+  not key.matches("Compiler diagnostic count for%") and
+  exists(Compilation c, string infoKey, string infoValue | infoValue = c.getInfo(infoKey) |
+    key = infoKey and
+    value = infoValue.toFloat()
+    or
+    not exists(infoValue.toFloat()) and
+    key = infoKey + ": " + infoValue and
+    value = 1
+  )
+}
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/clear/nuget.config b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/clear/nuget.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+  </packageSources>
+</configuration>
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/global.json b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/global.json
@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "10.0.201"
+    }
+}
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/Program.cs b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/Program.cs
@@ -0,0 +1 @@
+class Program { }
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/proj.csproj b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/proj.csproj
@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFrameworks>net10.0</TargetFrameworks>
+  </PropertyGroup>
+
+  <Target Name="DeleteBinObjFolders" BeforeTargets="Clean">
+    <RemoveDir Directories=".\bin" />
+    <RemoveDir Directories=".\obj" />
+  </Target>
+
+  <ItemGroup>
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
+  </ItemGroup>
+</Project>
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/test.py b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/test.py
@@ -0,0 +1,12 @@
+import os
+import runs_on
+
+
+@runs_on.posix
+def test(codeql, csharp):
+    # Making sure the reachability test of `nuget.org` succeeds:
+    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1000"
+    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_LIMIT"] = "5"
+
+    # This test checks that the nuget.config file in the clear folder is not applied to the restore of the project.
+    codeql.database.create(build_mode="none")
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error/CompilationInfo.expected b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error/CompilationInfo.expected
@@ -1,7 +1,10 @@
-| All NuGet feeds reachable | 1.0 |
-| Failed project restore with package source error | 1.0 |
+| All NuGet feeds reachable | 0.0 |
+| Failed project restore with missing package error | 1.0 |
+| Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Fallback nuget restore | 1.0 |
+| Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
 | Project files on filesystem | 1.0 |
 | Reachable fallback NuGet feed count | 1.0 |
diff --git a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_fallback/CompilationInfo.expected b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_fallback/CompilationInfo.expected
@@ -1,5 +1,6 @@
 | All NuGet feeds reachable | 0.0 |
 | Fallback nuget restore | 1.0 |
+| Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
 | Project files on filesystem | 1.0 |
 | Reachable fallback NuGet feed count | 2.0 |
diff --git a/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.

Original file line number	Diff line number	Diff line change
`@@ -95,9 +95,9 @@ private string GetRestoreArgs(RestoreSettings restoreSettings)`
`95`	`95`	`args += " /p:EnableWindowsTargeting=true";`
`96`	`96`	`}`
`97`	`97`
`98`		`- if (restoreSettings.ExtraArgs is not null)`
	`98`	`+ if (restoreSettings.NugetSources is not null)`
`99`	`99`	`{`
`100`		`- args += $" {restoreSettings.ExtraArgs}";`
	`100`	`+ args += $" {restoreSettings.NugetSources}";`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`return args;`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ internal class NugetExeWrapper : IDisposable`
`33`	`33`	`/// <summary>`
`34`	`34`	`/// Create the package manager for a specified source tree.`
`35`	`35`	`/// </summary>`
`36`		`- public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger)`
	`36`	`+ public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)`
`37`	`37`	`{`
`38`	`38`	`this.fileProvider = fileProvider;`
`39`	`39`	`this.packageDirectory = packageDirectory;`
`@@ -43,7 +43,7 @@ public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDir`
`43`	`43`	`{`
`44`	`44`	`logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");`
`45`	`45`	`nugetExe = ResolveNugetExe();`
`46`		`- if (HasNoPackageSource())`
	`46`	`+ if (HasNoPackageSource() && useDefaultFeed())`
`47`	`47`	`{`
`48`	`48`	`// We only modify or add a top level nuget.config file`
`49`	`49`	`nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config");`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| test-db/working/packages/newtonsoft.json/13.0.4/lib/net6.0/Newtonsoft.Json.dll:0:0:0:0 \| Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed \|`