diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
index 0888cf9d158..bfd4abfa848 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
@@ -352,7 +352,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 var feedArgs = new StringBuilder();
 foreach (var feed in feeds)
 {
- feedArgs.Append($" -s {feed}");
+ feedArgs.Append($" -s \"{feed}\"");
 }
 return feedArgs.ToString();
@@ -692,7 +692,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 private static async Task ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken)
 {
- return await httpClient.GetAsync(address, cancellationToken);
+ return await httpClient.GetAsync(address, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
 }
 private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, out bool isTimeout)
@@ -737,7 +737,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 try
 {
 logger.LogInfo($"Attempt {i + 1}/{tryCount} to reach NuGet feed '{feed}'.");
- var response = ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
+ using var response = ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
 response.EnsureSuccessStatusCode();
 logger.LogInfo($"Querying NuGet feed '{feed}' succeeded.");
 return true;
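Review bot: In the `-352` hunk, wrapping the value as `\"{feed}\"` protects against spaces but not against a feed string that itself contains `"` or ends in a backslash; either would end the quoted argument early and the remainder would be parsed as further restore options. The feeds presumably originate from `nuget.config` in the repository being analysed, so they should be treated as untrusted input. I would drop such entries before appending, e.g. `if (feed.Contains('"')) { continue; }` together with a log line, or hand the arguments over as a list (`ProcessStartInfo.ArgumentList`) if the caller allows it. The enclosing method starts and ends outside the hunk.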
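Review bot: `ExecuteGetRequest` (the `-692` hunk) now returns a response whose body has not been read, so the connection stays held until the caller disposes it, and nothing on the method says so. The `using var response` in the `-737` hunk covers `IsFeedReachable`; any other caller, if there is one, would need the same. I would add a comment above the method: `// Returns once the headers arrive; the body is not buffered. The caller must dispose the response.` The reason is worth recording too, since a reachability probe only needs the status code and should not pull an arbitrarily large body from a feed into memory.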
@@ -824,9 +824,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching }).ToHashSet(); reachableFeeds = GetReachableNuGetFeeds(feedsToCheck, isFallback: false, out var isTimeout).ToHashSet(); - var allReachable = reachableFeeds.Count == feedsToCheck.Count; EmitUnreachableFeedsDiagnostics(allReachable); + + // Always consider feeds excluded for the reachability check as reachable. + reachableFeeds.UnionWith(feeds.Where(feed => excludedFeeds.Contains(feed))); + return !isTimeout; } diff --git a/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md index 6247527b337..a4282d0468d 100644 --- a/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md +++ b/csharp/ql/lib/change-notes/2026-04-10-nuget-feed-usage-in-bmn.md @@ -1,4 +1,4 @@ --- category: majorAnalysis --- -* When resolving dependencies in `build-mode: none`, `dotnet restore` now always receives the NuGet feeds configured in `nuget.config` (if reachable) and any private registries directly, improving reliability when default feeds are unavailable or restricted. +* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
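Review bot: The `UnionWith` call only gives the intended result because it sits after `allReachable` is computed: excluded feeds are, as far as the hunk shows, not part of `feedsToCheck`, so adding them earlier would make `reachableFeeds.Count == feedsToCheck.Count` false and emit a spurious diagnostic. The comment should record that ordering, e.g. `// Added after the allReachable comparison on purpose: excluded feeds were never probed and are not in feedsToCheck.` Note also that these feeds count as reachable without any request being made, and that `excludedFeeds.Contains(feed)` has to use the same string comparison as the filter that built `feedsToCheck`, which lies outside the hunk. The method begins above the hunk.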