C#: Do not allow any NuGet feed connection request failures.

michaelnebel · michaelnebel · commit 0b9f57f8b838 · 2026-04-08T14:53:46.000+02:00
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetCliInvoker.cs
@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Collections.ObjectModel;
 using System.Diagnostics;
 using Semmle.Util;
 using Semmle.Util.Logging;
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs
@@ -214,7 +214,7 @@ private List<string> GetReachableFallbackNugetFeeds(HashSet<string>? feedsFromNu
 
             logger.LogInfo($"Checking fallback NuGet feed reachability on feeds: {string.Join(", ", fallbackFeeds.OrderBy(f => f))}");
             var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: true);
-            var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false)).ToList();
+            var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount)).ToList();
             if (reachableFallbackFeeds.Count == 0)
             {
                 logger.LogWarning("No fallback NuGet feeds are reachable.");
@@ -280,14 +280,18 @@ private void RestoreProjects(IEnumerable<string> projects, HashSet<string>? conf
             // `nuget.config` files instead of the command-line arguments.
             string? extraArgs = null;
 
-            if (this.dependabotProxy is not null)
+            if (dependabotProxy is not null)
             {
                 // If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware
                 // of the private registry feeds. However, since providing them as command-line arguments
                 // to `dotnet` ignores other feeds that may be configured, we also need to add the feeds
                 // we have discovered from analysing `nuget.config` files.
                 var sources = configuredSources ?? new();
-                this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url));
+                dependabotProxy.RegistryURLs.ForEach(url =>
+                {
+                    logger.LogDebug($"Adding feed from Dependabot proxy configuration: {url}");
+                    sources.Add(url);
+                });
 
                 // Add package sources. If any are present, they override all sources specified in
                 // the configuration file(s).
@@ -628,7 +632,7 @@ private static async Task<HttpResponseMessage> ExecuteGetRequest(string address,
             return await httpClient.GetAsync(address, cancellationToken);
         }
 
-        private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, bool allowExceptions = true)
+        private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount)
         {
             logger.LogInfo($"Checking if NuGet feed '{feed}' is reachable...");
 
@@ -682,18 +686,10 @@ private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount,
                         timeoutMilliSeconds *= 2;
                         continue;
                     }
-                    if (exc is HttpRequestException hre &&
-                        hre.StatusCode == HttpStatusCode.Unauthorized)
-                    {
-
-                        logger.LogInfo($"Received 401 Unauthorized error from NuGet feed '{feed}'.");
-                        return false;
-                    }
 
-                    // We're only interested in timeouts.
-                    var start = allowExceptions ? "Considering" : "Not considering";
-                    logger.LogInfo($"Querying NuGet feed '{feed}' failed in a timely manner. {start} the feed for use. The reason for the failure: {exc.Message}");
-                    return allowExceptions;
+                    // The feed is not reachable.
+                    logger.LogInfo($"Querying NuGet feed '{feed}' failed. Not considering the feed for use. The reason for the failure: {exc.Message}");
+                    return false;
                 }
             }
 
@@ -734,9 +730,9 @@ private bool CheckFeeds(out HashSet<string> explicitFeeds, out HashSet<string> a
 
             // If private package registries are configured for C#, then check those
             // in addition to the ones that are configured in `nuget.config` files.
-            this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
+            dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
 
-            var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck);
+            var allFeedsReachable = CheckSpecifiedFeeds(feedsToCheck);
 
             var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
             if (inheritedFeeds.Count > 0)
