From 5ade8c29f906e08235fe5996b6d8d173ff74ac36 Mon Sep 17 00:00:00 2001
From: Vladislav Antonyuk <33021114+VladislavAntonyuk@users.noreply.github.com>
Date: Sun, 17 Jul 2022 20:05:45 +0300
Subject: [PATCH] [Bug] CI Pipeline Does Not Fail when Vulnerable Dependencies
 Found #493 (#497)

---
 .github/dependabot.yml                        |  6 +++
 azure-pipelines.yml                           | 54 +++++++++++++++----
 .../CommunityToolkit.Maui.Sample.csproj       |  2 +-
 ...ityToolkit.Maui.Analyzers.UnitTests.csproj |  7 +++
 .../CommunityToolkit.Maui.UnitTests.csproj    |  7 +++
 5 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..ef665e9d4f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: nuget
+  directory: "/samples"
+  schedule:
+    interval: daily
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 1c13508027..d623a361b8 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -15,7 +15,8 @@ variables:
   PathToCommunityToolkitAnalyzersCodeFixCsproj: 'src/CommunityToolkit.Maui.Analyzers.CodeFixes/CommunityToolkit.Maui.Analyzers.CodeFixes.csproj'
   PathToCommunityToolkitAnalyzersUnitTestCsproj: 'src/CommunityToolkit.Maui.Analyzers.UnitTests/CommunityToolkit.Maui.Analyzers.UnitTests.csproj'
   XcodeVersion: '13.3.1'
-  RollbackFile: '6.0.312.json'
+  DotNetMauiRollbackFile: '6.0.312.json'
+  ShouldCheckDependencies: true
 
 trigger:
   branches:
@@ -50,8 +51,10 @@ jobs:
         inputs:
           packageType: 'sdk'
           version: '$(TOOLKIT_NET6_VERSION)'
-      - powershell: dotnet workload install maui --from-rollback-file $(RollbackFile) --source https://api.nuget.org/v3/index.json
+
+      - powershell: dotnet workload install maui --from-rollback-file $(DotNetMauiRollbackFile) --source https://api.nuget.org/v3/index.json
         displayName: Install .NET MAUI $(TOOLKIT_NET6_VERSION)
+
       # if this is a tagged build, then update the version number
       - powershell: |
           $buildSourceBranch = "$(Build.SourceBranch)"
@@ -60,6 +63,7 @@ jobs:
           Write-Host ("##vso[task.setvariable variable=NugetPackageVersion;]$tagVersion")
         displayName: Set NuGet Version to Tag Number
         condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
+
       # if this is a PR build, then update the version number
       - powershell: |
           $prNumber = $env:System_PullRequest_PullRequestNumber
@@ -70,6 +74,7 @@ jobs:
           Write-Host "##vso[build.updatebuildnumber]$fullVersionString"
         displayName: Set NuGet Version to PR Version
         condition: and(succeeded(), eq(variables['build.reason'], 'PullRequest'))
+
       # build analyzers
       - task: VSBuild@1
         displayName: 'Build CommunityToolkit.Maui.Analyzers'
@@ -77,18 +82,21 @@ jobs:
           solution: '$(PathToCommunityToolkitAnalyzersCsproj)'
           configuration: 'Release'
           msbuildArgs: '/restore'
+
       - task: VSBuild@1
         displayName: 'Build CommunityToolkit.Maui.Analyzers.CodeFixes'
         inputs:
           solution: '$(PathToCommunityToolkitAnalyzersCodeFixCsproj)'
           configuration: 'Release'
           msbuildArgs: '/restore'
+
       - task: VSBuild@1
         displayName: 'Build CommunityToolkit.Maui.SourceGenerators'
         inputs:
           solution: '$(PathToCommunityToolkitSourceGeneratorsCsproj)'
           configuration: 'Release'
           msbuildArgs: '/restore'
+
       # test
       - task: DotNetCoreCLI@2
         displayName: 'Run CommunityToolkit.Maui Unit Tests'
@@ -97,6 +105,7 @@ jobs:
           projects: '$(PathToCommunityToolkitUnitTestCsproj)'
           arguments: '--configuration Release --settings ".runsettings" --collect "XPlat code coverage" --logger trx --results-directory $(Agent.TempDirectory)'
           publishTestResults: false    
+
       - task: DotNetCoreCLI@2
         displayName: 'Run CommunityToolkit.Maui.Analyzers Unit Tests'
         inputs:
@@ -104,18 +113,21 @@ jobs:
           projects: '$(PathToCommunityToolkitAnalyzersUnitTestCsproj)'
           arguments: '--configuration Release'
           publishTestResults: false  
+
       - task: PublishTestResults@2
         displayName: 'Publish Test Results'
         inputs:
           testResultsFormat: VSTest
           testResultsFiles: '**/*.trx'
           searchFolder: $(Agent.TempDirectory)
+
       - task: PublishCodeCoverageResults@1
         displayName: 'Publish Code Coverage Results'
         inputs:
           codeCoverageTool: 'Cobertura'
           summaryFileLocation: '$(Agent.TempDirectory)/**/coverage.cobertura.xml'
           failIfCoverageEmpty: true
+
       # pack
       - task: VSBuild@1
         displayName: 'Build and Pack CommunityToolkit.Maui.Core'
@@ -123,20 +135,27 @@ jobs:
           solution: '$(PathToCommunityToolkitCoreCsproj)'
           configuration: 'Release'
           msbuildArgs: '/restore -t:pack -p:PackageVersion=$(NugetPackageVersion) -p:Version=$(NugetPackageVersion) -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg'     
+      
       - task: VSBuild@1
         displayName: 'Build and Pack CommunityToolkit.Maui'
         inputs:
           solution: '$(PathToCommunityToolkitCsproj)'
           configuration: 'Release'
           msbuildArgs: '/restore -t:pack -p:PackageVersion=$(NugetPackageVersion) -p:Version=$(NugetPackageVersion) -p:IncludeSymbols=true -p:SymbolPackageFormat=snupkg'
+      
       # check vulnerabilities
-      - task: DotNetCoreCLI@2
+      - powershell: |
+          dotnet list $(PathToSolution) package --vulnerable --include-transitive | findstr /S /c:"has the following vulnerable packages";
+          if ($LastExitCode -ne 1)
+          {
+            dotnet list $(PathToSolution) package --vulnerable --include-transitive;
+            exit 1;
+          }
+
+          exit 0;
         displayName: 'Check Dependencies'
-        inputs:
-          command: 'custom'
-          custom: 'list'
-          arguments: 'package --vulnerable --include-transitive'
-          projects: $(PathToSolution)
+        condition: eq(variables.ShouldCheckDependencies, true)
+      
       # publish
       - task: PowerShell@2
         displayName: 'Copy NuGet Packages to Staging Directory'
@@ -147,6 +166,7 @@ jobs:
             $filter = "nupkg"
             Get-ChildItem -Path $source -Recurse | Where-Object { $_.Extension -match $filter } | Copy-Item -Destination "$(Build.ArtifactStagingDirectory)"
           pwsh: true
+      
       # Sign NuGet Packages
       - task: PowerShell@2
         displayName: Authenticode Sign Packages
@@ -157,6 +177,7 @@ jobs:
           SignClientSecret: $(SignClientSecret)
           ArtifactDirectory: $(Build.ArtifactStagingDirectory)
         condition: and(succeeded(), not(eq(variables['build.reason'], 'PullRequest')), not(eq(variables['SignClientSecret'], '')), not(eq(variables['SignClientUser'], '')))
+      
       # publish the packages
       - task: PublishBuildArtifacts@1
         displayName: 'Publish NuGets'
@@ -174,8 +195,10 @@ jobs:
         inputs:
           packageType: 'sdk'
           version: '$(LATEST_NET6_VERSION)'
+
       - powershell: dotnet workload install maui
         displayName: Install Latest .NET MAUI Workload
+
       # build sample
       - task: VSBuild@1
         displayName: 'Build Community Toolkit Sample'
@@ -197,43 +220,53 @@ jobs:
           Write-Host ("##vso[task.setvariable variable=NugetPackageVersion;]$tagVersion")
         displayName: Set NuGet Version to Tag Number
         condition: startsWith(variables['Build.SourceBranch'], 'refs/tags/')
+
       - task: CmdLine@2
         displayName: 'Set Xcode Version'
         inputs:
           script: echo '##vso[task.setvariable variable=MD_APPLE_SDK_ROOT;]'/Applications/Xcode_$(XcodeVersion).app;sudo xcode-select --switch /Applications/Xcode_$(XcodeVersion).app/Contents/Developer
+     
       - task: UseDotNet@2
         displayName: Install .NET $(TOOLKIT_NET6_VERSION)
         inputs:
           packageType: 'sdk'
           version: '$(TOOLKIT_NET6_VERSION)'
+
       - task: CmdLine@2
         displayName: 'Install .NET MAUI Workload $(TOOLKIT_NET6_VERSION)'
         inputs:
-          script: dotnet workload install maui --from-rollback-file $(RollbackFile) --source https://api.nuget.org/v3/index.json
+          script: dotnet workload install maui --from-rollback-file $(DotNetMauiRollbackFile) --source https://api.nuget.org/v3/index.json
+
       - task: CmdLine@2
         displayName: 'Build CommunityToolkit.Maui.Analyzers'
         inputs:
           script: 'dotnet build -c Release $(PathToCommunityToolkitAnalyzersCsproj)'
+
       - task: CmdLine@2
         displayName: 'Build CommunityToolkit.Maui.Analyzers.CodeFixes'
         inputs:
           script: 'dotnet build -c Release $(PathToCommunityToolkitAnalyzersCodeFixCsproj)'
+
       - task: CmdLine@2
         displayName: 'Build CommunityToolkit.Maui.SourceGenerators'
         inputs:
           script: 'dotnet build -c Release $(PathToCommunityToolkitSourceGeneratorsCsproj)'
+
       - task: CmdLine@2
         displayName: 'Run CommunityToolkit.Maui.Analyzers.UnitTests'
         inputs:
           script: 'dotnet test $(PathToCommunityToolkitAnalyzersUnitTestCsproj) -c Release'
+
       - task: CmdLine@2
         displayName: 'Run CommunityToolkit.Maui.UnitTests'
         inputs:
           script: 'dotnet test $(PathToCommunityToolkitUnitTestCsproj) -c Release'
+
       - task: CmdLine@2
         displayName: 'Pack CommunityToolkit.Maui.Core NuGet'
         inputs:
           script: 'dotnet pack $(PathToCommunityToolkitCoreCsproj) -c Release -p:PackageVersion=$(NugetPackageVersion)'
+
       - task: CmdLine@2
         displayName: 'Pack CommunityToolkit.Maui NuGet'
         inputs:
@@ -248,15 +281,18 @@ jobs:
         displayName: 'Set Xcode Version'
         inputs:
           script: echo '##vso[task.setvariable variable=MD_APPLE_SDK_ROOT;]'/Applications/Xcode_$(XcodeVersion).app;sudo xcode-select --switch /Applications/Xcode_$(XcodeVersion).app/Contents/Developer
+      
       - task: UseDotNet@2
         displayName: Install Latest .NET SDK
         inputs:
           packageType: 'sdk'
           version: '$(LATEST_NET6_VERSION)'
+
       - task: CmdLine@2
         displayName: 'Install Latest .NET MAUI Workload'
         inputs:
           script: dotnet workload install maui
+
       - task: CmdLine@2
         displayName: 'Build Community Toolkit Sample'
         inputs:
diff --git a/samples/CommunityToolkit.Maui.Sample/CommunityToolkit.Maui.Sample.csproj b/samples/CommunityToolkit.Maui.Sample/CommunityToolkit.Maui.Sample.csproj
index cf2d5255ff..8f1955581d 100644
--- a/samples/CommunityToolkit.Maui.Sample/CommunityToolkit.Maui.Sample.csproj
+++ b/samples/CommunityToolkit.Maui.Sample/CommunityToolkit.Maui.Sample.csproj
@@ -40,7 +40,7 @@
     <MauiImage Include="Resources\Images\*" />
     <EmbeddedResource Include="Resources\Embedded\*" />
 
-    <PackageReference Include="CommunityToolkit.Maui.Markup" Version="1.0.0" />
+    <PackageReference Include="CommunityToolkit.Maui.Markup" Version="1.0.1" />
     <PackageReference Include="CommunityToolkit.Mvvm" Version="8.0.0-preview4" />
     <PackageReference Include="Microsoft.Extensions.Http" Version="6.0.2-mauipre.1.22102.15" />
   </ItemGroup>
diff --git a/src/CommunityToolkit.Maui.Analyzers.UnitTests/CommunityToolkit.Maui.Analyzers.UnitTests.csproj b/src/CommunityToolkit.Maui.Analyzers.UnitTests/CommunityToolkit.Maui.Analyzers.UnitTests.csproj
index 54545818ff..a7b0c513e0 100644
--- a/src/CommunityToolkit.Maui.Analyzers.UnitTests/CommunityToolkit.Maui.Analyzers.UnitTests.csproj
+++ b/src/CommunityToolkit.Maui.Analyzers.UnitTests/CommunityToolkit.Maui.Analyzers.UnitTests.csproj
@@ -23,6 +23,13 @@
     <PackageReference Include="Microsoft.CodeAnalysis" Version="4.2.0" />
   </ItemGroup>
 
+  <ItemGroup>
+    <!--Fix vulnerabilities-->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\CommunityToolkit.Maui.Analyzers.CodeFixes\CommunityToolkit.Maui.Analyzers.CodeFixes.csproj" />
   </ItemGroup>
diff --git a/src/CommunityToolkit.Maui.UnitTests/CommunityToolkit.Maui.UnitTests.csproj b/src/CommunityToolkit.Maui.UnitTests/CommunityToolkit.Maui.UnitTests.csproj
index a3e6930048..b61c9a5f90 100644
--- a/src/CommunityToolkit.Maui.UnitTests/CommunityToolkit.Maui.UnitTests.csproj
+++ b/src/CommunityToolkit.Maui.UnitTests/CommunityToolkit.Maui.UnitTests.csproj
@@ -16,6 +16,13 @@
     <PackageReference Include="coverlet.collector" Version="3.1.2" PrivateAssets="All" />
   </ItemGroup>
 
+  <ItemGroup>
+    <!--Fix vulnerabilities-->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <ProjectReference Include="..\CommunityToolkit.Maui\CommunityToolkit.Maui.csproj" />
     <ProjectReference Include="..\CommunityToolkit.Maui.Analyzers\CommunityToolkit.Maui.Analyzers.csproj" OutputItemType="Analyzer" ReferenceOutputAssembly="false" />