
Question: Can NuGet vulnerability warnings be turned off?

Open bart-vmware opened this issue 6 months ago • 2 comments

I've tried to set the MSBuild property NuGetAudit (see below), but it doesn't suppress the warnings.

{
  "$schema": "https://raw.githubusercontent.com/dotnet/docfx/main/schemas/docfx.schema.json",
  "metadata": [
    {
      "src": [
        {
          "files": [
            "src/*/src/*/*.csproj"
          ],
          "src": "sources/v4"
        }
      ],
      "output": "../docs/api/v4",
      "filter": "api-filter-v4.yml",
      "properties": {
        "ProduceReferenceAssembly": "true",
        "RunAnalyzers": "false",
        "NuGetAudit": "false",
        "TargetFramework": "net8.0"
      }
    }
  ]
}

Example output when building metadata:

warning: [Failure] Msbuild failed when processing the file '/home/runner/work/Documentation/Documentation/build/sources/v2/src/Common/src/Common.Http/Steeltoe.Common.Http.csproj' with message: Package 'Newtonsoft.Json' 11.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr

bart-vmware, Jun 19 '25 15:06

I've confirmed NuGet warnings can be suppressed by the following config/command combinations.

1. docfx.json
"properties": {
  "NuGetAudit": "false",
}

2. docfx metadata command

It needs a manual call to the dotnet restore command.

dotnet restore /p:NuGetAudit=false
docfx metadata --noRestore

Background: By default, the docfx metadata command explicitly calls the dotnet restore command before running code analysis. And the NU1903 warning occurs because the properties setting is not used for the dotnet restore command.

https://github.com/dotnet/docfx/blob/4ebae91e3c14857b97a9a2a491f3e013436684bb/src/Docfx.Dotnet/DotnetApiCatalog.Compile.cs#L149-L153

And when running the docfx metadata command with the --noRestore argument, MSBuildWorkspace implicitly tries to restore dependencies. But it doesn't use the properties setting either.

So, it needs to use the following commands to skip the implicit restore.

dotnet restore /p:NuGetAudit=false
docfx metadata --noRestore

filzrev, Jun 19 '25 20:06

Thanks, makes sense. Unfortunately, this doesn't work for us.

We have versioned docfx JSON files that specify file masks, because the solution file in older versions doesn't actually build (due to dependency issues in test projects). So, a dotnet restore path/to/solution.sln fails.

However, I was able to work around it by adding a Directory.Build.props above the versioned sources with the following content:

<Project>
   <PropertyGroup>
      <NuGetAudit>false</NuGetAudit>
   </PropertyGroup>
</Project>

It would be nice if DocFX suppressed vulnerability warnings by default, as I don't believe they are helpful to anyone when building the documentation website.

bart-vmware, Jun 20 '25 10:06