Dotnet list package --vulnerable uses AuditSources (#6237)

src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageArgs.cs

@@ -26,6 +26,7 @@ internal class ListPackageArgs
         public bool HighestPatch { get; }
         public bool HighestMinor { get; }
         public CancellationToken CancellationToken { get; }
+        public IReadOnlyList<PackageSource> AuditSources { get; }
 
         /// <summary>
         /// A constructor for the arguments of list package
@@ -41,6 +42,7 @@ internal class ListPackageArgs
         /// <param name="prerelease"> Bool for --include-prerelease present </param>
         /// <param name="highestPatch"> Bool for --highest-patch present </param>
         /// <param name="highestMinor"> Bool for --highest-minor present </param>
+        /// <param name="auditSources"> A list of sources for performing vulnerability auditing</param>
         /// <param name="logger"></param>
         /// <param name="cancellationToken"></param>
         public ListPackageArgs(
@@ -53,6 +55,7 @@ public ListPackageArgs(
             bool prerelease,
             bool highestPatch,
             bool highestMinor,
+            IReadOnlyList<PackageSource> auditSources,
             ILogger logger,
             CancellationToken cancellationToken)
         {
@@ -65,6 +68,7 @@ public ListPackageArgs(
             Prerelease = prerelease;
             HighestPatch = highestPatch;
             HighestMinor = highestMinor;
+            AuditSources = auditSources;
             Logger = logger ?? throw new ArgumentNullException(nameof(logger));
             CancellationToken = cancellationToken;
             ArgumentText = GetReportParameters();

src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommand.cs

@@ -129,7 +129,7 @@ public static void Register(
                         isVulnerable: vulnerableReport.HasValue());
 
                     IReportRenderer reportRenderer = GetOutputType(outputFormat.Value(), outputVersionOption: outputVersion.Value());
-
+                    var provider = new PackageSourceProvider(settings);
                     var packageRefArgs = new ListPackageArgs(
                         path.Value,
                         packageSources,
@@ -140,6 +140,7 @@ public static void Register(
                         prerelease.HasValue(),
                         highestPatch.HasValue(),
                         highestMinor.HasValue(),
+                        provider.LoadAuditSources(),
                         logger,
                         CancellationToken.None);
 

src/NuGet.Core/NuGet.CommandLine.XPlat/ListPackage/ListPackageConsoleRenderer.cs

@@ -55,7 +55,18 @@ private void WriteToConsole(ListPackageReportModel listPackageReportModel)
                 return;
             }
 
-            WriteSources(_consoleOut, listPackageReportModel.ListPackageArgs);
+            if (listPackageReportModel.ListPackageArgs.ReportType == ReportType.Vulnerable && listPackageReportModel.AuditSourcesUsed.Count > 0)
+            {
+                _consoleOut.WriteLine();
+                _consoleOut.WriteLine(Strings.ListPkg_SourcesUsedDescription);
+                PrintSources(_consoleOut, listPackageReportModel.AuditSourcesUsed);
+                _consoleOut.WriteLine();
+            }
+            else
+            {
+                WriteSources(_consoleOut, listPackageReportModel.ListPackageArgs);
+            }
+
             WriteProjects(_consoleOut, _consoleError, listPackageReportModel.Projects, listPackageReportModel.ListPackageArgs);
 
             // Print a legend message for auto-reference markers used

src/NuGet.Core/NuGet.CommandLine.XPlat/ListPackage/ListPackageJsonRenderer.cs

@@ -110,7 +110,7 @@ private void WriteJson(JsonWriter writer, ListPackageReportModel listPackageRepo
                 WriteProblems(writer, _problems);
             }
 
-            WriteSources(writer, listPackageReportModel.ListPackageArgs);
+            WriteSources(writer, listPackageReportModel);
             WriteProjects(writer, listPackageReportModel.Projects, listPackageReportModel.ListPackageArgs);
             writer.WriteEndObject();
         }
@@ -140,9 +140,9 @@ private static void WriteProblems(JsonWriter writer, IEnumerable<ReportProblem>
             writer.WriteEndArray();
         }
 
-        private static void WriteSources(JsonWriter writer, ListPackageArgs listPackageArgs)
+        private static void WriteSources(JsonWriter writer, ListPackageReportModel listPackageReportModel)
         {
-            if (listPackageArgs.ReportType == ReportType.Default)
+            if (listPackageReportModel.ListPackageArgs.ReportType == ReportType.Default)
             {
                 // generic list is offline.
                 return;
@@ -151,9 +151,19 @@ private static void WriteSources(JsonWriter writer, ListPackageArgs listPackageA
             writer.WritePropertyName(SourcesProperty);
             writer.WriteStartArray();
 
-            foreach (PackageSource packageSource in listPackageArgs.PackageSources)
+            if (listPackageReportModel.ListPackageArgs.ReportType == ReportType.Vulnerable && listPackageReportModel.AuditSourcesUsed.Count > 0)
             {
-                writer.WriteValue(PathUtility.GetPathWithForwardSlashes(packageSource.Source));
+                foreach (PackageSource packageSource in listPackageReportModel.AuditSourcesUsed)
+                {
+                    writer.WriteValue(PathUtility.GetPathWithForwardSlashes(packageSource.Source));
+                }
+            }
+            else
+            {
+                foreach (PackageSource packageSource in listPackageReportModel.ListPackageArgs.PackageSources)
+                {
+                    writer.WriteValue(PathUtility.GetPathWithForwardSlashes(packageSource.Source));
+                }
             }
 
             writer.WriteEndArray();

src/NuGet.Core/NuGet.CommandLine.XPlat/ListPackage/ListPackageReportModel.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Collections.Generic;
+using NuGet.Configuration;
 
 namespace NuGet.CommandLine.XPlat.ListPackage
 {
@@ -13,6 +14,7 @@ internal class ListPackageReportModel
         internal ListPackageArgs ListPackageArgs { get; }
         internal List<ListPackageProjectModel> Projects { get; } = new();
         internal MSBuildAPIUtility MSBuildAPIUtility { get; }
+        internal HashSet<PackageSource> AuditSourcesUsed { get; set; } = new HashSet<PackageSource>();
 
         private ListPackageReportModel()
         { }

src/NuGet.Core/NuGet.CommandLine.XPlat/ListPackage/ListReportPackage.cs

@@ -93,5 +93,14 @@ public ListReportPackage(string packageId, string requestedVersion, string resol
                   requestedVersion: requestedVersion,
                   autoReference: false)
         { }
+
+        public ListReportPackage(string packageId, string version, List<PackageVulnerabilityMetadata> vulnerabilities)
+            : this(
+                  packageId: packageId,
+                  requestedVersion: version,
+                  resolvedVersion: null,
+                  latestVersion: null,
+                  vulnerabilities: vulnerabilities.Count == 0 ? null : vulnerabilities)
+        { }
     }
 }

src/NuGet.Core/NuGet.CommandLine.XPlat/Strings.resx

@@ -978,4 +978,8 @@ Non-HTTPS access will be removed in a future version. Consider migrating to 'HTT
     <value>Project '{0}' does not have MSBuild property ProjectAssetsFile defined. This may indicate that this project does not support NuGet PackageReference, or that project customization has prevented the .NET SDK setting default values.</value>
     <comment>{0} - Path to the project with the error</comment>
   </data>
+  <data name="Warning_AuditSourceWithoutData" xml:space="preserve">
+    <value>Audit source '{0}' did not provide any vulnerability data.</value>
+    <comment>{0} is the source name</comment>
+  </data>
 </root>

src/NuGet.Core/NuGet.Protocol/Model/PackageVulnerabilityMetadata.cs

@@ -13,5 +13,15 @@ public class PackageVulnerabilityMetadata
 
         [JsonProperty(PropertyName = JsonProperties.Severity)]
         public int Severity { get; internal set; }
+
+        public PackageVulnerabilityMetadata(Uri advisoryUrl, int severity)
+        {
+            AdvisoryUrl = advisoryUrl;
+            Severity = severity;
+        }
+
+        public PackageVulnerabilityMetadata()
+        {
+        }
     }
 }

src/NuGet.Core/NuGet.Protocol/PublicAPI/net472/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 #nullable enable
+~NuGet.Protocol.PackageVulnerabilityMetadata.PackageVulnerabilityMetadata(System.Uri advisoryUrl, int severity) -> void
 ~NuGet.Protocol.Plugins.PluginFile.PluginFile(string filePath, System.Lazy<NuGet.Protocol.Plugins.PluginFileState> state) -> void

src/NuGet.Core/NuGet.Protocol/PublicAPI/net8.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 #nullable enable
+~NuGet.Protocol.PackageVulnerabilityMetadata.PackageVulnerabilityMetadata(System.Uri advisoryUrl, int severity) -> void
 ~NuGet.Protocol.Plugins.PluginFile.PluginFile(string filePath, System.Lazy<NuGet.Protocol.Plugins.PluginFileState> state) -> void

src/NuGet.Core/NuGet.Protocol/PublicAPI/netstandard2.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 #nullable enable
+~NuGet.Protocol.PackageVulnerabilityMetadata.PackageVulnerabilityMetadata(System.Uri advisoryUrl, int severity) -> void
 ~NuGet.Protocol.Plugins.PluginFile.PluginFile(string filePath, System.Lazy<NuGet.Protocol.Plugins.PluginFileState> state) -> void