Skip to content

C#: Make NuGet feed reachability more conservative, #20836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
michaelnebel wants to merge 2 commits into
base: main
Choose a base branch
from
+23 −15
Draft

C#: Make NuGet feed reachability more conservative, #20836

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
89ee9cf
C#: Do not use NuGet feeds that returns a 401 unathorized message.
michaelnebel Nov 14, 2025
556aa7c
C#: Consider 401/403 status codes as unacceptable in feed checks.
michaelnebel Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Diagnostics;
using Semmle.Util;
using Semmle.Util.Logging;
Expand Down
37 changes: 23 additions & 14 deletions csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,14 +280,18 @@ private void RestoreProjects(IEnumerable<string> projects, HashSet<string>? conf
// `nuget.config` files instead of the command-line arguments.
string? extraArgs = null;

if (this.dependabotProxy is not null)
if (dependabotProxy is not null)
{
// If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware
// of the private registry feeds. However, since providing them as command-line arguments
// to `dotnet` ignores other feeds that may be configured, we also need to add the feeds
// we have discovered from analysing `nuget.config` files.
var sources = configuredSources ?? new();
this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url));
dependabotProxy.RegistryURLs.ForEach(url =>
{
logger.LogDebug($"Adding feed from Dependabot proxy configuration: {url}");
sources.Add(url);
});

// Add package sources. If any are present, they override all sources specified in
// the configuration file(s).
Expand Down Expand Up @@ -623,17 +627,13 @@ private void TryChangeProjectFile(DirectoryInfo projectDir, Regex pattern, strin
}
}

private static async Task ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken)
private static async Task<HttpResponseMessage> ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken)
{
using var stream = await httpClient.GetStreamAsync(address, cancellationToken);
var buffer = new byte[1024];
int bytesRead;
while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) > 0)
{
// do nothing
}
return await httpClient.GetAsync(address, cancellationToken);
}

private HashSet<HttpStatusCode> UnacceptableStatusCodesForFeedReachabilityCheck { get; } = new() { HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden };

private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, bool allowExceptions = true)
{
logger.LogInfo($"Checking if NuGet feed '{feed}' is reachable...");
Expand Down Expand Up @@ -673,7 +673,8 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount,
cts.CancelAfter(timeoutMilliSeconds);
try
{
ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
var response = ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
response.EnsureSuccessStatusCode();
logger.LogInfo($"Querying NuGet feed '{feed}' succeeded.");
return true;
}
Expand All @@ -688,7 +689,15 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount,
continue;
}

// We're only interested in timeouts.
if (exc is HttpRequestException hre &&
hre.StatusCode is HttpStatusCode statusCode &&
UnacceptableStatusCodesForFeedReachabilityCheck.Contains(statusCode))
{
logger.LogInfo($"Querying NuGet feed '{feed}' failed due to a critical issue. Not considering the feed for use. The reason for the failure: {exc.Message}");
return false;
}

// We might allow certain exceptions for feed reachability checks.
var start = allowExceptions ? "Considering" : "Not considering";
logger.LogInfo($"Querying NuGet feed '{feed}' failed in a timely manner. {start} the feed for use. The reason for the failure: {exc.Message}");
return allowExceptions;
Expand Down Expand Up @@ -732,9 +741,9 @@ private bool CheckFeeds(out HashSet<string> explicitFeeds, out HashSet<string> a

// If private package registries are configured for C#, then check those
// in addition to the ones that are configured in `nuget.config` files.
this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));

var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck);
var allFeedsReachable = CheckSpecifiedFeeds(feedsToCheck);

var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
if (inheritedFeeds.Count > 0)
Expand Down
Loading