
[Bug] CI Pipeline Does Not Fail when Vulnerable Dependencies Found #493

Closed
TheCodeTraveler opened this issue Jul 14, 2022 · 1 comment · Fixed by #497 or CommunityToolkit/Maui.Markup#87
Assignees
Labels
bug Something isn't working

Comments

@TheCodeTraveler
Collaborator

TheCodeTraveler commented Jul 14, 2022

Description

Our Azure DevOps CI Pipeline currently checks for security vulnerabilities in our dependencies:

Maui/azure-pipelines.yml

Lines 103 to 109 in 38ec66f

```yaml
- task: DotNetCoreCLI@2
  displayName: 'Check Dependencies'
  inputs:
    command: 'custom'
    custom: 'list'
    arguments: 'package --vulnerable --include-transitive'
    projects: $(PathToSolution)
```

This step is currently reporting 3 vulnerable packages, however, the Check Dependencies step continues to pass (green):
https://dev.azure.com/dotnet/CommunityToolkit/_build/results?buildId=74857&view=logs&j=792604ca-8f43-5a41-d895-10758edbd758&t=9cdee477-4d1a-5acd-94fa-d5e164beb4af&l=18

Stack Trace

N/A

Link to Reproduction Sample

N/A

Expected Behavior

The Check Dependencies step should fail when it detects any vulnerable dependency

Actual Behavior

The Check Dependencies step passes despite detecting vulnerable dependencies
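The gap described in this issue is that `dotnet list package --vulnerable` reports findings but exits 0, so the pipeline step stays green. The script below is an added example of a guard that parses the command's report and returns a non-zero status when any package is listed; it is not code from the CommunityToolkit/Maui repository or from PR #497. It assumes the report format of `dotnet list package --vulnerable`, where each affected project prints a line containing "has the following vulnerable packages" and each vulnerable package appears on a line starting with ">"; the sample reports and the `ExamplePackage.*` names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: fail a CI step when `dotnet list package --vulnerable`
# reports any vulnerable package. Not from the CommunityToolkit/Maui repo.
#
# Assumed report format (dotnet list package --vulnerable):
#   Project `X` has the following vulnerable packages
#      [net6.0]:
#      Top-level Package   Requested   Resolved   Severity   Advisory URL
#      > SomePackage       1.0.0       1.0.0      High       https://...
# A project without findings prints "... has no vulnerable packages ...".

# Print the number of vulnerable package lines (those starting with ">")
# found in the report passed as $1. Always exits 0 so it is safe under set -e.
count_vulnerable_packages() {
    local report="$1"
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the 0.
    printf '%s\n' "$report" | grep -Ec '^[[:space:]]*>[[:space:]]' || true
}

# Return 1 (fail the step) when the report lists at least one vulnerable
# package, 0 otherwise. The count is written to stderr for the build log.
check_vulnerable_report() {
    local report="$1"
    local count
    count=$(count_vulnerable_packages "$report")
    if [ "$count" -gt 0 ]; then
        echo "Check Dependencies: found $count vulnerable package(s)" >&2
        return 1
    fi
    echo "Check Dependencies: no vulnerable packages reported" >&2
    return 0
}

# CI entry point: run the real check on a solution and propagate the result.
# Usage: check_dependencies path/to/Solution.sln
check_dependencies() {
    local report
    # Capture the report; a tool error (non-zero exit) fails the step as well.
    report=$(dotnet list "$1" package --vulnerable --include-transitive 2>&1) || return 1
    printf '%s\n' "$report"
    check_vulnerable_report "$report"
}

# Constructed sample reports shaped like the tool's output (not captured
# from the real build); package names and advisory URLs are placeholders.
CLEAN_REPORT='The given project `CommunityToolkit.Maui` has no vulnerable packages given the current sources.'
VULN_REPORT='Project `CommunityToolkit.Maui` has the following vulnerable packages
   [net6.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > ExamplePackage.A      1.0.0      High       https://github.com/advisories/GHSA-xxxx-xxxx-xxxx
   > ExamplePackage.B      2.3.1      Moderate   https://github.com/advisories/GHSA-yyyy-yyyy-yyyy'
```

In the pipeline this would replace the `DotNetCoreCLI@2` custom task with a script step that calls `check_dependencies "$(PathToSolution)"`, so the step's exit code (and therefore its green/red status) follows the findings rather than the tool's own exit code.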

@VladislavAntonyuk
Collaborator

There is an open issue for it: NuGet/Home#11315
