[Bug] CI Pipeline Does Not Fail when Vulnerable Dependencies Found #493

[VladislavAntonyuk]

Description of Change

Fail pipeline if has any vulnerability

Linked Issues

• Fixes [Bug] CI Pipeline Does Not Fail when Vulnerable Dependencies Found #493

PR Checklist

• Has a linked Issue, and the Issue has been approved(bug) or Championed (feature/proposal)
• Has tests (if omitted, state reason in description)
• Has samples (if omitted, state reason in description)
• Rebased on top of main at time of PR
• Changes adhere to coding standard
• Documentation created or updated: https://github.com/MicrosoftDocs/CommunityToolkit/pull/XYZ

Additional information

[VladislavAntonyuk]

As we have 3 vulnerabilities, how can we move forward with this PR? Some of them were fixed by .NET MAUI team

[jfversluis]

Oh good one! Why don't we get dependabot alerts on this repo? That should also catch these, right?

[VladislavAntonyuk]

Added dependabot. I added the flag CheckDependencies and enabled it. we can set it to false to skip checks on each build and set it to true to enable it during the release build.

[VladislavAntonyuk]

Question №2, should we check Transitive vulnerabilities? we cannot fix them.
Question №3. Should we check it in solution or only src projects? We have vulnerabilities in CommunityToolkit.Maui.UnitTests

[TheCodeTraveler]

Thanks Vlad!

As we have 3 vulnerabilities, how can we move forward with this PR? Some of them were fixed by .NET MAUI team

The 3 vulnerabilities are in the *.UnitTest projects. I agree with your approach of adding/updating the NuGet Packages in the UnitTest csprojs.

Question №2, should we check Transitive vulnerabilities? we cannot fix them.

We should! We can always add an updated version of the specific NuGet Package that has fixed the vulnerability, like you've done by adding a direct reference to Newtonsoft.Json

Question №3. Should we check it in solution or only src projects? We have vulnerabilities in CommunityToolkit.Maui.UnitTests

I vote to check the entire solution. It's good to ensure we avoid vulnerabilities in every csproj, even if it's a Sample App or a Unit Test.

[jfversluis]

I agree with everything Brandon said!

[VladislavAntonyuk]

awesome, it works: https://dev.azure.com/dotnet/CommunityToolkit/_build/results?buildId=74926&view=logs&jobId=792604ca-8f43-5a41-d895-10758edbd758&j=792604ca-8f43-5a41-d895-10758edbd758&t=5abd79d0-3f8c-531b-9955-a83131c96c54

[TheCodeTraveler]

Looking good! Thanks Vlad!

I had just a small bit of feedback around the new environment variable in the pipeline.

[TheCodeTraveler]

Thanks Vlad!!