Only use reachable feeds when private registries are configured

2026-05-14 11:19:27 +02:00 · 2026-02-27 14:38:01 +00:00
parent 17c45fcd75
commit cce5f06086
1 changed files with 13 additions and 6 deletions
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
@@ -116,6 +116,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching

            HashSet<string>? explicitFeeds = null;
            HashSet<string>? allFeeds = null;
+            HashSet<string>? reachableFeeds = [];

            try
            {
@@ -131,8 +132,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                    // in addition to the ones that are configured in `nuget.config` files.
                    this.dependabotProxy?.RegistryURLs.ForEach(url => explicitFeeds.Add(url));

-                    var explicitFeedsReachable = this.CheckSpecifiedFeeds(explicitFeeds);
-                    this.GetReachableNuGetFeeds(inheritedFeeds, isFallback: false);
+                    var (explicitFeedsReachable, reachableExplicitFeeds) =
+                        this.CheckSpecifiedFeeds(explicitFeeds);
+                    reachableFeeds.UnionWith(reachableExplicitFeeds);
+
+                    reachableFeeds.UnionWith(this.GetReachableNuGetFeeds(inheritedFeeds, isFallback: false));

                    if (inheritedFeeds.Count > 0)
                    {
@@ -191,7 +195,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
            // Restore project dependencies with `dotnet restore`.
            var restoredProjects = RestoreSolutions(out var container);
            var projects = fileProvider.Projects.Except(restoredProjects);
-            RestoreProjects(projects, allFeeds, out var containers);
+            RestoreProjects(projects, reachableFeeds, out var containers);

            var dependencies = containers.Flatten(container);

@@ -774,8 +778,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
        /// Checks that we can connect to the specified NuGet feeds.
        /// </summary>
        /// <param name="feeds">The set of package feeds to check.</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckSpecifiedFeeds(HashSet<string> feeds)
+        /// <returns>
+        /// True if all feeds are reachable or false otherwise.
+        /// Also returns the list of reachable feeds.
+        /// </returns>
+        private (bool, List<string>) CheckSpecifiedFeeds(HashSet<string> feeds)
        {
            // Exclude any feeds that are configured by the corresponding environment variable.
            var excludedFeeds = GetExcludedFeeds();
@@ -786,7 +793,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching

            this.EmitUnreachableFeedsDiagnostics(allFeedsReachable);

-            return allFeedsReachable;
+            return (allFeedsReachable, reachableFeeds);
        }

        /// <summary>