Open CodeCyclone opened 2 years ago
Sample to reproduce the issue- https://github.com/CodeCyclone/centralPackageVersioningSample
Ran into the same issue. Support for CentralPackageVersions seems to be broken.
Added a simple reproduction repo: https://github.com/amaltinsky/dependabot-centralpackageversions that contains an old, vulnerable version of System.Net.Http (v4.3.0).
Unfortunately, the version isn't being detected correctly:
This is a showstopper for dependabot adoption.
After reading some dependabot documentation, it looks like the problem is not with Dependabot but with the separate dependency graph feature. Dependabot seems to work with CentralPackageVersions (see the reproduction repo from my previous message).
Yep, this is an issue with Dependency Graph, not with Dependabot version updates, and unfortunately they use separate codebases.
I see dependabot added support for central package versioning with Microsoft.Build.CentralPackageVersions MSBuild SDK for nuget provider but I haven't been able to get it to work against a project.
This is the PR that added the functionality - https://github.com/dependabot/dependabot-core/issues/4261
Package ecosystem: nuget
Package manager version: latest
Language version: Issue occurs in GitHub, in Docker dependabot/dependabot-core:0.180.1, and in Ruby 2.7 with gem "dependabot-omnibus", "~> 0.180.1"
Code of the sample repo is C#
Manifest location and content prior to update: https://github.com/CodeCyclone/centralPackageVersioningSample/blob/main/.github/dependabot.yml
dependabot.yml content
Updated dependency: https://github.com/CodeCyclone/centralPackageVersioningSample/network/dependencies
Notice all the versions are 0, as they are defined in Packages.props - https://github.com/CodeCyclone/centralPackageVersioningSample/blob/main/Packages.props
What you expected to see, versus what you actually saw: Something closer to what renovate sees for updates - https://github.com/CodeCyclone/centralPackageVersioningSample/pull/1
I should have seen a security alert for Google.Protobuf on version 3.14.0, which is part of bulletin CVE-2021-22570.
Instead I see no alerts: https://github.com/CodeCyclone/centralPackageVersioningSample/security/dependabot
Native package manager behavior: I tried pointing my dependabot.yml directly to the directory containing Packages.props and it failed to work, I get this error: https://github.com/CodeCyclone/centralPackageVersioningSample/network/updates/346736121
Dependabot couldn't find a .(cs|vb|fs)proj.
Dependabot requires a .(cs|vb|fs)proj to evaluate your .NET dependencies. It had expected to find one at the path: /.(cs|vb|fs)proj.
If this isn't a .NET project, you may wish to disable updates for it in the .github/dependabot.yml config file in this repo.
For the project I scanned which has references that inherit versions from Packages.props, this was the output:
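Added example, not code from this issue, the sample repo or Dependabot: the resolution step the dependency graph skips here, looking each version-less PackageReference up in Packages.props and then checking the effective version against an advisory, which is how the "version 0" entries above turn into a real alert. The csproj, the Packages.props and the advisory table (fixed-version value included) are constructed for the example; only the CVE id comes from the report. It also accepts NuGet's native Directory.Packages.props `PackageVersion` form, which the issue does not use.

```python
import xml.etree.ElementTree as ET

# Constructed sample csproj whose references inherit versions (as in the issue's repo)
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Google.Protobuf" />
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Serilog" Version="2.10.0" />
  </ItemGroup>
</Project>"""

# Constructed Packages.props in Microsoft.Build.CentralPackageVersions form
PACKAGES_PROPS = """<Project>
  <ItemGroup>
    <PackageReference Update="Google.Protobuf" Version="3.14.0" />
    <PackageReference Update="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

# Constructed advisory table for the example: package -> (id, first fixed version)
ADVISORIES = {"google.protobuf": ("CVE-2021-22570", "3.15.0")}


def central_versions(props_xml):
    """Pins from PackageReference Update=... (CentralPackageVersions SDK)
    or PackageVersion Include=... (NuGet's own Directory.Packages.props)."""
    pins = {}
    for el in ET.fromstring(props_xml).iter():
        attr = {"PackageReference": "Update", "PackageVersion": "Include"}.get(el.tag)
        if attr and el.get(attr) and el.get("Version"):
            pins[el.get(attr).lower()] = el.get("Version")
    return pins


def resolve(csproj_xml, props_xml):
    """Effective version per reference: an explicit Version wins, else the central pin;
    '0' marks an unresolved reference, which is what the dependency graph showed."""
    pins = central_versions(props_xml)
    return {el.get("Include"): el.get("Version") or pins.get(el.get("Include").lower(), "0")
            for el in ET.fromstring(csproj_xml).iter("PackageReference") if el.get("Include")}


def version_key(v):
    # Numeric segments only; a prerelease label after '-' is dropped in this example
    return tuple(int(p) for p in v.split("-")[0].split("."))


def vulnerable(resolved):
    """(package, version, advisory) for every resolved reference below the fixed version."""
    return [(n, v, ADVISORIES[n.lower()][0]) for n, v in resolved.items()
            if n.lower() in ADVISORIES and v != "0"
            and version_key(v) < version_key(ADVISORIES[n.lower()][1])]
```

Running `vulnerable(resolve(CSPROJ, PACKAGES_PROPS))` flags Google.Protobuf 3.14.0; passing an empty props file instead leaves the inherited references at "0" and nothing is flagged, which is the silent miss the issue describes.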