LockFile.LogMessages silently drops messages with codes introduced in later versions of NuGet

[nguerrera]

From @mishra14 on July 18, 2018 1:19

Issue

I am seeing that sdk is not picking up/displaying all the errors from the assets file for a .NET core project in VS.

Steps -

1. Download the following zip and change the extension to .nupkg -
   SignedPackage.1.0.0.zip
2. Install the package in VS to a .NET Core console app.
3. The error list displays 2 warnings -
   
4. The assets file actually lists 3 warnings -

  "logs": [
    {
      "code": "NU3027",
      "level": "Warning",
      "warningLevel": 1,
      "message": "The signature should be timestamped to enable long-term signature validity after the certificate has expired."
    },
    {
      "code": "NU3018",
      "level": "Warning",
      "warningLevel": 1,
      "message": "The author primary signature found a chain building issue: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
    },
    {
      "code": "NU3037",
      "level": "Warning",
      "warningLevel": 1,
      "message": "The author primary signature validity period has expired."
    }

Info -

VS - 15.8 Preview 5 [27912.0.d15.8]

Copied from original issue: dotnet/sdk#2409

[nguerrera]

I had a repro of this and then after another restore, all the messages went away from the assets file. Is there some sort of caching of the signature checking?

[nguerrera]

From @mishra14 on July 18, 2018 23:14

@nguerrera once the package is extracted the warnings will not appear in the next restore.
Before each restore, clear the global packages folder (dotnet nuget locals --clear all) or delete the package folder from there (rm -r <global_packages_folder>\signedpackage).

[nguerrera]

OK, this one was fun to debug...

We are actually getting back only two messages from NuGet.ProjectModel.LockFile.LogMessages!

The third one is deemed invalid here:
https://github.com/NuGet/NuGet.Client/blob/b82a7274e5f58c8af2eb052b8ff98d3d29fed66e/src/NuGet.Core/NuGet.ProjectModel/LockFile/LockFileFormat.cs#L393-L395

This will happen if the version of nuget in your sdk is older than the version of nuget that emitted a warning because the older nuget version in the sdk doesn't have the warning code in the enum. So Enum.TryParse fails.

Right now, VS 15.8 P5 is ahead of the SDK carried by VS 15.8 P5, so this happens. When the insertions catch up, you won't hit it this out of the box. However, if you ever pin the SDK to an older version via global.json, then you can see the same thing: Newer nuget in VS restores, older nuget in SDK rejects the messages.

I'm going to move this back to nuget to consider changing the API or implementation to be more version resilient.

[mishra14]

@nguerrera Thanks for the root cause analysis.

We should work a long term solution for this, because any mismatch between nuget versions in sdk and vs can hide errors and warnings. I will tag the bug accordingly.