dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Update Packages.props when Microsoft.Build.CentralPackageVersions is used in a project #5003

Open CodeCyclone opened 2 years ago

CodeCyclone commented 2 years ago

I see dependabot added support for central package versioning with Microsoft.Build.CentralPackageVersions MSBuild SDK for nuget provider but I haven't been able to get it to work against a project.

This is the PR that added the functionality - https://github.com/dependabot/dependabot-core/issues/4261

Package ecosystem: nuget

Package manager version: latest

Language version: Issue occurs in both GitHub, Docker dependabot/dependabot-core:0.180.1, and Ruby 2.7 with gem "dependabot-omnibus", "~> 0.180.1"

Code of the sample repo is C#

Manifest location and content prior to update: https://github.com/CodeCyclone/centralPackageVersioningSample/blob/main/.github/dependabot.yml

dependabot.yml content:

```yaml
version: 2
updates:

  - package-ecosystem: "nuget"
    directory: "/src/GrpcClient" #GrpcClient.csproj
    open-pull-requests-limit: 5
    target-branch: "main"
    schedule:
      interval: "daily"

  - package-ecosystem: "nuget"
    directory: "/" #Packages.props
    open-pull-requests-limit: 5
    target-branch: "main"
    schedule:
      interval: "daily"
```

Updated dependency: https://github.com/CodeCyclone/centralPackageVersioningSample/network/dependencies [image]

Notice all the versions are 0, as they are defined in Packages.props - https://github.com/CodeCyclone/centralPackageVersioningSample/blob/main/Packages.props

What you expected to see, versus what you actually saw: Something closer to what renovate sees for updates - https://github.com/CodeCyclone/centralPackageVersioningSample/pull/1

I should have seen a security alert for Google.Protobuf on version 3.14.0, which is part of bulletin CVE-2021-22570.

Instead I see no alerts: https://github.com/CodeCyclone/centralPackageVersioningSample/security/dependabot [image]

Native package manager behavior: I tried pointing my dependabot.yml directly to the directory containing Packages.props and it failed to work, I get this error: https://github.com/CodeCyclone/centralPackageVersioningSample/network/updates/346736121

Dependabot couldn't find a .(cs|vb|fs)proj.

Dependabot requires a .(cs|vb|fs)proj to evaluate your .NET dependencies. It had expected to find one at the path: /.(cs|vb|fs)proj.

If this isn't a .NET project, you may wish to disable updates for it in the .github/dependabot.yml config file in this repo.

For the project I scanned which has references that inherit versions from Packages.props, this was the output:

```text
  proxy | time="2022-04-14T21:37:37Z" level=info msg="proxy starting" commit=0cfe6fc8a85a641097e4d9faf5c8349b892b1e40
  proxy | 2022/04/14 21:37:37 Listening (:1080)
updater | 2022-04-14T21:37:38.175118842 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2022-04-14T21:37:38.246941322 [346736116:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2022-04-14T21:37:41Z" level=info msg="guest starting" commit=284b5dacb1face4d3c6d1a0b48f574503fb7ea54
updater | time="2022-04-14T21:37:41Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=346736116 updater_timeout=45m0s updater_version=0.180.5-37b50b4de2f41235068408ea3df6a13ffa4de506
updater | I, [2022-04-14T21:37:45.010837 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_346736116> Starting job processing
  proxy | 2022/04/14 21:37:50 [002] GET https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/git/refs/heads/main
  proxy | 2022/04/14 21:37:50 [002] * authenticating github api request
  proxy | 2022/04/14 21:37:50 [002] 200 https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/git/refs/heads/main
  proxy | 2022/04/14 21:37:50 [004] GET https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/contents/src/GrpcClient?ref=0ba38e1cf99389609bce124048643eabb9972d58
  proxy | 2022/04/14 21:37:50 [004] * authenticating github api request
  proxy | 2022/04/14 21:37:51 [004] 200 https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/contents/src/GrpcClient?ref=0ba38e1cf99389609bce124048643eabb9972d58
  proxy | 2022/04/14 21:37:51 [006] GET https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/contents/src/GrpcClient/GrpcClient.csproj?ref=0ba38e1cf99389609bce124048643eabb9972d58
  proxy | 2022/04/14 21:37:51 [006] * authenticating github api request
  proxy | 2022/04/14 21:37:51 [006] 200 https://api.github.com:443/repos/CodeCyclone/centralPackageVersioningSample/contents/src/GrpcClient/GrpcClient.csproj?ref=0ba38e1cf99389609bce124048643eabb9972d58
updater | INFO <job_346736116> Finished job processing
updater | time="2022-04-14T21:37:51Z" level=info msg="task complete" container_id=job-346736116-file-fetcher exit_code=0 job_id=346736116 step=fetcher
updater | I, [2022-04-14T21:37:52.955823 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | INFO <job_346736116> Starting job processing
updater | INFO <job_346736116> Starting update job for CodeCyclone/centralPackageVersioningSample
updater | INFO <job_346736116> Checking if Grpc.Net.Client  needs updating
  proxy | 2022/04/14 21:37:55 [010] GET https://azuresearch-usnc.nuget.org:443/query?q=grpc.net.client&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/04/14 21:37:56 [010] 200 https://azuresearch-usnc.nuget.org:443/query?q=grpc.net.client&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_346736116> Latest version is 2.44.0
updater | INFO <job_346736116> No update needed for Grpc.Net.Client 
updater | INFO <job_346736116> Checking if Google.Protobuf  needs updating
  proxy | 2022/04/14 21:37:56 [012] GET https://azuresearch-usnc.nuget.org:443/query?q=google.protobuf&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/04/14 21:37:56 [012] 200 https://azuresearch-usnc.nuget.org:443/query?q=google.protobuf&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_346736116> Latest version is 3.20.0
updater | INFO <job_346736116> No update needed for Google.Protobuf 
updater | INFO <job_346736116> Checking if Serilog  needs updating
  proxy | 2022/04/14 21:37:56 [014] GET https://azuresearch-usnc.nuget.org:443/query?q=serilog&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/04/14 21:37:56 [014] 200 https://azuresearch-usnc.nuget.org:443/query?q=serilog&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_346736116> Latest version is 2.10.0
updater | INFO <job_346736116> No update needed for Serilog 
updater | INFO <job_346736116> Checking if Grpc.Net.Client.Web  needs updating
  proxy | 2022/04/14 21:37:56 [016] GET https://azuresearch-usnc.nuget.org:443/query?q=grpc.net.client.web&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/04/14 21:37:56 [016] 200 https://azuresearch-usnc.nuget.org:443/query?q=grpc.net.client.web&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_346736116> Latest version is 2.44.0
updater | INFO <job_346736116> No update needed for Grpc.Net.Client.Web 
updater | INFO <job_346736116> Checking if Grpc.Tools  needs updating
  proxy | 2022/04/14 21:37:56 [018] GET https://azuresearch-usnc.nuget.org:443/query?q=grpc.tools&prerelease=true&semVerLevel=2.0.0
  proxy | 2022/04/14 21:37:56 [018] 200 https://azuresearch-usnc.nuget.org:443/query?q=grpc.tools&prerelease=true&semVerLevel=2.0.0
updater | INFO <job_346736116> Latest version is 2.45.0
updater | INFO <job_346736116> No update needed for Grpc.Tools 
updater | INFO <job_346736116> Finished job processing
updater | time="2022-04-14T21:37:57Z" level=info msg="task complete" container_id=job-346736116-updater exit_code=0 job_id=346736116 step=updater
```
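The report above hinges on where a version actually comes from: with Microsoft.Build.CentralPackageVersions the .csproj holds only `<PackageReference Include="X" />` and the version lives in Packages.props as `<PackageReference Update="X" Version="..." />`, so a scanner that reads the project file alone sees no version at all (the "0" in the dependency graph). The script below is an added example, not dependabot-core code and not the reporter's repo: it resolves the effective version of every reference the way MSBuild would, reports references nothing pins, and, going one step beyond this issue, also accepts the newer NuGet `Directory.Packages.props` form (`<PackageVersion Include="X" Version="..." />`). All XML is constructed sample input; the package names and versions are chosen to mirror the log above, not copied from the sample repository.

```python
"""Resolve the version each PackageReference actually gets when versions are
declared centrally rather than in the .csproj.

Added example, not dependabot-core code. The XML samples below are
constructed for the example, not taken from the reporter's repository."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    # Old-style projects carry the MSBuild 2003 namespace; SDK-style ones have none.
    # Compare on the local name so both parse the same way.
    return tag.rsplit("}", 1)[-1]


def _items(xml_text: str, item_name: str):
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if _local(el.tag) == item_name]


def central_versions(props_xml: str) -> dict:
    """Package id (lower-cased; NuGet ids are case-insensitive) -> pinned version.

    Two conventions are recognised:
      <PackageReference Update="X" Version="1.2.3"/>  Microsoft.Build.CentralPackageVersions (Packages.props)
      <PackageVersion   Include="X" Version="1.2.3"/>  NuGet central package management (Directory.Packages.props)
    """
    pinned = {}
    for el in _items(props_xml, "PackageReference"):
        pid, ver = el.get("Update"), el.get("Version")
        if pid and ver:
            pinned[pid.lower()] = ver
    for el in _items(props_xml, "PackageVersion"):
        pid, ver = el.get("Include"), el.get("Version")
        if pid and ver:
            pinned[pid.lower()] = ver
    return pinned


def _inline_version(el):
    # A project may pin inline via the Version attribute or a <Version> child element.
    ver = el.get("Version")
    if ver:
        return ver
    for child in el:
        if _local(child.tag) == "Version" and child.text:
            return child.text.strip()
    return None


def resolve_project(csproj_xml: str, central: dict) -> dict:
    """Package id -> effective version for every <PackageReference Include=...>.

    An inline version wins; otherwise the central map is consulted. None means
    nothing pins the package. A scanner that reads only the .csproj and ignores
    Packages.props lands on None for every reference, which is the "version 0"
    symptom in the dependency graph."""
    resolved = {}
    for el in _items(csproj_xml, "PackageReference"):
        pid = el.get("Include")
        if not pid:
            continue  # Update= / Remove= items modify existing references; they add none
        resolved[pid] = _inline_version(el) or central.get(pid.lower())
    return resolved


def unpinned(resolved: dict) -> list:
    """References whose version could not be determined from either source."""
    return sorted(pid for pid, ver in resolved.items() if ver is None)


# --- constructed sample inputs (assumed shapes, not the reporter's files) ---
PACKAGES_PROPS = """<Project>
  <Sdk Name="Microsoft.Build.CentralPackageVersions" Version="2.1.3" />
  <ItemGroup>
    <PackageReference Update="Google.Protobuf" Version="3.14.0" />
    <PackageReference Update="Grpc.Net.Client" Version="2.44.0" />
    <PackageReference Update="Grpc.Tools" Version="2.45.0" />
  </ItemGroup>
</Project>"""

GRPC_CLIENT_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Google.Protobuf" />
    <PackageReference Include="Grpc.Net.Client" />
    <PackageReference Include="Grpc.Tools" PrivateAssets="All" />
    <PackageReference Include="Some.Unlisted.Package" />
  </ItemGroup>
</Project>"""

# Old-style, namespaced project with inline versions, to exercise both inline forms.
LEGACY_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Serilog" Version="2.10.0" />
    <PackageReference Include="Google.Protobuf">
      <Version>3.20.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    central = central_versions(PACKAGES_PROPS)
    for pid, ver in resolve_project(GRPC_CLIENT_CSPROJ, central).items():
        print(f"{pid}: {ver or 'UNPINNED'}")
```

Running it with the central map prints 3.14.0 for Google.Protobuf and flags only Some.Unlisted.Package as unpinned; running `resolve_project(GRPC_CLIENT_CSPROJ, {})` instead reproduces the scanner-without-props view, where every reference comes back unpinned. That second call is the quick check for whether a tool is reading Packages.props at all.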
CodeCyclone commented 2 years ago

Sample to reproduce the issue- https://github.com/CodeCyclone/centralPackageVersioningSample

amaltinsky commented 2 years ago

Ran into the same issue. Support for CentralPackageVersions seems to be broken.

amaltinsky commented 2 years ago

Added a simple reproduction repo: https://github.com/amaltinsky/dependabot-centralpackageversions that contains an old, vulnerable version of System.Net.Http (v4.3.0).

Unfortunately, the version isn't being detected correctly:

[image]

This is a showstopper for dependabot adoption.

amaltinsky commented 2 years ago

After reading some dependabot documentation, it looks like the problem is not with Dependabot but with the separate dependency graph feature. Dependabot seems to work with CentralPackageVersions (see the reproduction repo from my previous message).

jeffwidman commented 1 year ago

Yep, this is an issue with Dependency Graph, not with Dependabot version updates, and unfortunately they use separate codebases.