dependabot-nuget 0.292.0 → 0.294.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs

@@ -113,11 +113,22 @@ internal static class VersionFinder
             ? versionRange.MinVersion
             : null;
 
-        return version => (currentVersion is null || version > currentVersion)
-            && versionRange.Satisfies(version)
-            && (currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version)
-            && !dependencyInfo.IgnoredVersions.Any(r => r.IsSatisfiedBy(version))
-            && !dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+        var safeVersions = dependencyInfo.Vulnerabilities.SelectMany(v => v.SafeVersions).ToList();
+        return version =>
+        {
+            var versionGreaterThanCurrent = currentVersion is null || version > currentVersion;
+            var rangeSatisfies = versionRange.Satisfies(version);
+            var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
+            var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
+            var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+            var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
+            return versionGreaterThanCurrent
+                && rangeSatisfies
+                && prereleaseTypeMatches
+                && !isIgnoredVersion
+                && !isVulnerableVersion
+                && isSafeVersion;
+        };
     }
 
     internal static Func<NuGetVersion, bool> CreateVersionFilter(NuGetVersion currentVersion)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Clone/CloneWorker.cs

@@ -70,11 +70,12 @@ public class CloneWorker
         catch (HttpRequestException ex)
         when (ex.StatusCode == HttpStatusCode.Unauthorized || ex.StatusCode == HttpStatusCode.Forbidden)
         {
+            // this is a _very_ specific case we want to handle before the common error handling kicks in
             error = new JobRepoNotFound(ex.Message);
         }
         catch (Exception ex)
         {
-            error = new UnknownError(ex, _jobId);
+            error = JobErrorBase.ErrorFromException(ex, _jobId, repoContentsPath);
         }
 
         if (error is not null)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/DependencyDiscovery.targets

@@ -1,9 +1,9 @@
 <Project>
   <Import Project="DependencyDiscovery.props" />
 
-  <Target Name="_DiscoverDependencies" DependsOnTargets="GenerateBuildDependencyFile;ResolvePackageAssets">
+  <Target Name="_DiscoverDependencies" DependsOnTargets="ResolveAssemblyReferences;GenerateBuildDependencyFile;ResolvePackageAssets">
     <!--
-    The target GenerateBuildDependencyFile is sufficient for projects targeting .NET Standard or .NET Core.
+    The targets ResolveAssemblyReferences and GenerateBuildDependencyFile are sufficient for projects targeting .NET Standard or .NET Core.
     The target ResolvePackageAssets is necessary for projects targeting .NET Framework.
     -->
   </Target>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs

@@ -1,5 +1,4 @@
 using System.Collections.Immutable;
-using System.Net;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 
@@ -10,7 +9,7 @@ using Microsoft.Build.Exceptions;
 
 using NuGet.Frameworks;
 
-using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Run.ApiModel;
 using NuGetUpdater.Core.Utilities;
 
 namespace NuGetUpdater.Core.Discover;
@@ -19,6 +18,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
 {
     public const string DiscoveryResultFileName = "./.dependabot/discovery.json";
 
+    private readonly string _jobId;
     private readonly ExperimentsManager _experimentsManager;
     private readonly ILogger _logger;
     private readonly HashSet<string> _processedProjectPaths = new(StringComparer.Ordinal); private readonly HashSet<string> _restoredMSBuildSdks = new(StringComparer.OrdinalIgnoreCase);
@@ -29,8 +29,9 @@ public partial class DiscoveryWorker : IDiscoveryWorker
         Converters = { new JsonStringEnumConverter() },
     };
 
-    public DiscoveryWorker(ExperimentsManager experimentsManager, ILogger logger)
+    public DiscoveryWorker(string jobId, ExperimentsManager experimentsManager, ILogger logger)
     {
+        _jobId = jobId;
         _experimentsManager = experimentsManager;
         _logger = logger;
     }
@@ -48,23 +49,11 @@ public partial class DiscoveryWorker : IDiscoveryWorker
         {
             result = await RunAsync(repoRootPath, workspacePath);
         }
-        catch (HttpRequestException ex)
-        when (ex.StatusCode == HttpStatusCode.Unauthorized || ex.StatusCode == HttpStatusCode.Forbidden)
-        {
-            result = new WorkspaceDiscoveryResult
-            {
-                ErrorType = ErrorType.AuthenticationFailure,
-                ErrorDetails = "(" + string.Join("|", NuGetContext.GetPackageSourceUrls(PathHelper.JoinPath(repoRootPath, workspacePath))) + ")",
-                Path = workspacePath,
-                Projects = [],
-            };
-        }
         catch (Exception ex)
         {
             result = new WorkspaceDiscoveryResult
             {
-                ErrorType = ErrorType.Unknown,
-                ErrorDetails = ex.ToString(),
+                Error = JobErrorBase.ErrorFromException(ex, _jobId, PathHelper.JoinPath(repoRootPath, workspacePath)),
                 Path = workspacePath,
                 Projects = [],
             };
@@ -123,8 +112,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                 DotNetToolsJson = null,
                 GlobalJson = null,
                 Projects = projectResults.Where(p => p.IsSuccess).OrderBy(p => p.FilePath).ToImmutableArray(),
-                ErrorType = failedProjectResult.ErrorType,
-                ErrorDetails = failedProjectResult.FilePath,
+                Error = failedProjectResult.Error,
                 IsSuccess = false,
             };
 
@@ -192,8 +180,7 @@ public partial class DiscoveryWorker : IDiscoveryWorker
                 ImportedFiles = ImmutableArray<string>.Empty,
                 AdditionalFiles = ImmutableArray<string>.Empty,
                 IsSuccess = false,
-                ErrorType = ErrorType.DependencyFileNotParseable,
-                ErrorDetails = "Failed to parse project file found at " + invalidProjectFile,
+                Error = new DependencyFileNotParseable(invalidProjectFile),
             }];
         }
         if (projects.IsEmpty)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/ProjectDiscoveryResult.cs

@@ -1,5 +1,6 @@
 using System.Collections.Immutable;
-using System.Text.Json.Serialization;
+
+using NuGetUpdater.Core.Run.ApiModel;
 
 namespace NuGetUpdater.Core.Discover;
 
@@ -8,8 +9,7 @@ public record ProjectDiscoveryResult : IDiscoveryResultWithDependencies
     public required string FilePath { get; init; }
     public required ImmutableArray<Dependency> Dependencies { get; init; }
     public bool IsSuccess { get; init; } = true;
-    public string? ErrorDetails { get; init; }
-    public ErrorType? ErrorType { get; init; }
+    public JobErrorBase? Error { get; init; } = null;
     public ImmutableArray<Property> Properties { get; init; } = [];
     public ImmutableArray<string> TargetFrameworks { get; init; } = [];
     public ImmutableArray<string> ReferencedProjectPaths { get; init; } = [];

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs

@@ -9,6 +9,8 @@ using NuGet.Versioning;
 
 using NuGetUpdater.Core.Utilities;
 
+using Semver;
+
 using LoggerProperty = Microsoft.Build.Logging.StructuredLogger.Property;
 
 namespace NuGetUpdater.Core.Discover;
@@ -72,6 +74,9 @@ internal static class SdkProjectDiscovery
         Dictionary<string, HashSet<string>> topLevelPackagesPerProject = new(PathComparer.Instance);
         //         projectPath, packageNames
 
+        Dictionary<string, Dictionary<string, Dictionary<string, string>>> packagesReplacedBySdkPerProject = new(PathComparer.Instance);
+        //         projectPath        tfm           packageName, packageVersion
+
         Dictionary<string, Dictionary<string, string>> resolvedProperties = new(PathComparer.Instance);
         //         projectPath        propertyName, propertyValue
 
@@ -164,7 +169,7 @@ internal static class SdkProjectDiscovery
                             }
                             break;
                         case NamedNode namedNode when namedNode is AddItem or RemoveItem:
-                            ProcessResolvedPackageReference(namedNode, packagesPerProject, topLevelPackagesPerProject);
+                            ProcessResolvedPackageReference(namedNode, packagesPerProject, topLevelPackagesPerProject, experimentsManager);
 
                             if (namedNode is AddItem addItem)
                             {
@@ -203,6 +208,70 @@ internal static class SdkProjectDiscovery
                                 }
                             }
                             break;
+                        case Target target when target.Name == "_HandlePackageFileConflicts":
+                            // this only works if we've installed the exact SDK required
+                            if (experimentsManager.InstallDotnetSdks)
+                            {
+                                var projectEvaluation = GetNearestProjectEvaluation(target);
+                                if (projectEvaluation is null)
+                                {
+                                    break;
+                                }
+
+                                var removedReferences = target.Children.OfType<RemoveItem>().FirstOrDefault(r => r.Name == "Reference");
+                                var addedReferences = target.Children.OfType<AddItem>().FirstOrDefault(r => r.Name == "Reference");
+                                if (removedReferences is null || addedReferences is null)
+                                {
+                                    break;
+                                }
+
+                                foreach (var removedAssembly in removedReferences.Children.OfType<Item>())
+                                {
+                                    var removedPackageName = GetChildMetadataValue(removedAssembly, "NuGetPackageId");
+                                    var removedFileName = Path.GetFileName(removedAssembly.Name);
+                                    if (removedPackageName is null || removedFileName is null)
+                                    {
+                                        continue;
+                                    }
+
+                                    var existingProjectPackagesByTfm = packagesPerProject.GetOrAdd(projectEvaluation.ProjectFile, () => new(PathComparer.Instance));
+                                    var existingProjectPackages = existingProjectPackagesByTfm.GetOrAdd(tfm, () => new(StringComparer.OrdinalIgnoreCase));
+                                    if (!existingProjectPackages.ContainsKey(removedPackageName))
+                                    {
+                                        continue;
+                                    }
+
+                                    var correspondingAddedFile = addedReferences.Children.OfType<Item>()
+                                        .FirstOrDefault(i => removedFileName.Equals(Path.GetFileName(i.Name), StringComparison.OrdinalIgnoreCase));
+                                    if (correspondingAddedFile is null)
+                                    {
+                                        continue;
+                                    }
+
+                                    var runtimePackageName = GetChildMetadataValue(correspondingAddedFile, "NuGetPackageId");
+                                    var runtimePackageVersion = GetChildMetadataValue(correspondingAddedFile, "NuGetPackageVersion");
+                                    if (runtimePackageName is null ||
+                                        runtimePackageVersion is null ||
+                                        !SemVersion.TryParse(runtimePackageVersion, out var parsedRuntimePackageVersion))
+                                    {
+                                        continue;
+                                    }
+
+                                    var packageMapper = DotNetPackageCorrelationManager.GetPackageMapper();
+                                    var replacementPackageVersion = packageMapper.GetPackageVersionThatShippedWithOtherPackage(runtimePackageName, parsedRuntimePackageVersion, removedPackageName);
+                                    if (replacementPackageVersion is null)
+                                    {
+                                        continue;
+                                    }
+
+                                    var packagesPerThisProject = packagesReplacedBySdkPerProject.GetOrAdd(projectEvaluation.ProjectFile, () => new(PathComparer.Instance));
+                                    var packagesPerTfm = packagesPerThisProject.GetOrAdd(tfm, () => new(StringComparer.OrdinalIgnoreCase));
+                                    packagesPerTfm[removedPackageName] = replacementPackageVersion.ToString();
+                                    var relativeProjectPath = Path.GetRelativePath(repoRootPath, projectEvaluation.ProjectFile).NormalizePathToUnix();
+                                    logger.Info($"Re-added SDK managed package [{removedPackageName}/{replacementPackageVersion}] to project [{relativeProjectPath}]");
+                                }
+                            }
+                            break;
                     }
                 }, takeChildrenSnapshot: true);
             }
@@ -228,6 +297,33 @@ internal static class SdkProjectDiscovery
         {
             // gather some project-level information
             var packagesByTfm = packagesPerProject[projectPath];
+            if (packagesReplacedBySdkPerProject.TryGetValue(projectPath, out var packagesReplacedBySdk))
+            {
+                var consolidatedPackagesByTfm = new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
+
+                // copy the first dictionary
+                foreach (var kvp in packagesByTfm)
+                {
+                    var tfm = kvp.Key;
+                    var packages = kvp.Value;
+                    consolidatedPackagesByTfm[tfm] = packages;
+                }
+
+                // merge in the second
+                foreach (var kvp in packagesReplacedBySdk)
+                {
+                    var tfm = kvp.Key;
+                    var packages = kvp.Value;
+                    var replacedPackages = consolidatedPackagesByTfm.GetOrAdd(tfm, () => new(StringComparer.OrdinalIgnoreCase));
+                    foreach (var packagePair in packages)
+                    {
+                        replacedPackages[packagePair.Key] = packagePair.Value;
+                    }
+                }
+
+                packagesByTfm = consolidatedPackagesByTfm;
+            }
+
             var projectFullDirectory = Path.GetDirectoryName(projectPath)!;
             var doc = XDocument.Load(projectPath);
             var localPropertyDefinitionElements = doc.Root!.XPathSelectElements("/Project/PropertyGroup/*");
@@ -288,7 +384,8 @@ internal static class SdkProjectDiscovery
     private static void ProcessResolvedPackageReference(
         NamedNode node,
         Dictionary<string, Dictionary<string, Dictionary<string, string>>> packagesPerProject, // projectPath -> tfm -> (packageName, packageVersion)
-        Dictionary<string, HashSet<string>> topLevelPackagesPerProject
+        Dictionary<string, HashSet<string>> topLevelPackagesPerProject,
+        ExperimentsManager experimentsManager
     )
     {
         var doRemoveOperation = node is RemoveItem;

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/EnsureDotNetPackageCorrelation.targets

@@ -0,0 +1,25 @@
+<Project>
+
+  <PropertyGroup>
+    <PackageCorrelationCliDirectory>$(MSBuildThisFileDirectory)..\DotNetPackageCorrelation.Cli</PackageCorrelationCliDirectory>
+    <DotNetCoreDirectory>$(MSBuildThisFileDirectory)..\..\dotnet-core</DotNetCoreDirectory>
+    <PackageCorrelationFile>$(MSBuildThisFileDirectory)dotnet-package-correlation.json</PackageCorrelationFile>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="$(PackageCorrelationFile)" CopyToOutputDirectory="PreserveNewest" />
+    <_DotNetCoreFiles Include="$(DotNetCoreDirectory)\**\*" />
+  </ItemGroup>
+
+  <Target Name="BuildDotNetPackageCorrelationFile" Inputs="@(_DotNetCoreFiles)" Outputs="$(PackageCorrelationFile)" BeforeTargets="GetCopyToOutputDirectoryItems">
+    <Exec Command="dotnet run --core-location &quot;$(DotNetCoreDirectory)&quot; --output &quot;$(PackageCorrelationFile)&quot;" WorkingDirectory="$(PackageCorrelationCliDirectory)" />
+  </Target>
+
+  <Target Name="CleanDotNetPackageCorrelationFile" BeforeTargets="Clean">
+    <Delete Files="$(PackageCorrelationFile)" Condition="Exists('$(PackageCorrelationFile)')" />
+  </Target>
+
+  <Target Name="RebuildDotNetPackageCorrelationFile" BeforeTargets="Rebuild" DependsOnTargets="CleanDotNetPackageCorrelationFile">
+  </Target>
+
+</Project>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -1,6 +1,7 @@
 using System.Text.Json;
 
 using NuGetUpdater.Core.Run;
+using NuGetUpdater.Core.Run.ApiModel;
 
 namespace NuGetUpdater.Core;
 
@@ -30,42 +31,28 @@ public record ExperimentsManager
         };
     }
 
-    public static async Task<(ExperimentsManager ExperimentsManager, NativeResult? ErrorResult)> FromJobFileAsync(string jobFilePath)
+    public static async Task<(ExperimentsManager ExperimentsManager, JobErrorBase? Error)> FromJobFileAsync(string jobId, string jobFilePath)
     {
         var experimentsManager = new ExperimentsManager();
-        NativeResult? errorResult = null;
+        JobErrorBase? error = null;
+        var jobFileContent = string.Empty;
         try
         {
-            var jobFileContent = await File.ReadAllTextAsync(jobFilePath);
+            jobFileContent = await File.ReadAllTextAsync(jobFilePath);
             var jobWrapper = RunWorker.Deserialize(jobFileContent);
             experimentsManager = GetExperimentsManager(jobWrapper.Job.Experiments);
         }
-        catch (BadRequirementException ex)
-        {
-            errorResult = new NativeResult
-            {
-                ErrorType = ErrorType.BadRequirement,
-                ErrorDetails = ex.Message,
-            };
-        }
         catch (JsonException ex)
         {
-            errorResult = new NativeResult
-            {
-                ErrorType = ErrorType.Unknown,
-                ErrorDetails = $"Error deserializing job file: {ex}: {File.ReadAllText(jobFilePath)}",
-            };
+            // this is a very specific case where we want to log the JSON contents for easier debugging
+            error = JobErrorBase.ErrorFromException(new NotSupportedException($"Error deserializing job file contents: {jobFileContent}", ex), jobId, Environment.CurrentDirectory); // TODO
         }
         catch (Exception ex)
         {
-            errorResult = new NativeResult
-            {
-                ErrorType = ErrorType.Unknown,
-                ErrorDetails = ex.ToString(),
-            };
+            error = JobErrorBase.ErrorFromException(ex, jobId, Environment.CurrentDirectory); // TODO
         }
 
-        return (experimentsManager, errorResult);
+        return (experimentsManager, error);
     }
 
     private static bool IsEnabled(Dictionary<string, object>? experiments, string experimentName)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/PackagesConfigBuildFile.cs

@@ -13,12 +13,16 @@ internal sealed class PackagesConfigBuildFile : XmlBuildFile
     public PackagesConfigBuildFile(string basePath, string path, XmlDocumentSyntax contents)
         : base(basePath, path, contents)
     {
+        var invalidPackageElements = Packages.Where(p => p.GetAttribute("id") is null || p.GetAttribute("version") is null).ToList();
+        if (invalidPackageElements.Any())
+        {
+            throw new UnparseableFileException("`package` element missing `id` or `version` attributes", path);
+        }
     }
 
     public IEnumerable<IXmlElementSyntax> Packages => Contents.RootSyntax.GetElements("package", StringComparison.OrdinalIgnoreCase);
 
     public IEnumerable<Dependency> GetDependencies() => Packages
-        .Where(p => p.GetAttribute("id") is not null && p.GetAttribute("version") is not null)
         .Select(p => new Dependency(
             p.GetAttributeValue("id", StringComparison.OrdinalIgnoreCase),
             p.GetAttributeValue("version", StringComparison.OrdinalIgnoreCase),

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/MissingFileException.cs

@@ -4,7 +4,8 @@ internal class MissingFileException : Exception
 {
     public string FilePath { get; }
 
-    public MissingFileException(string filePath)
+    public MissingFileException(string filePath, string? message = null)
+        : base(message)
     {
         FilePath = filePath;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/NativeResult.cs

@@ -1,8 +1,8 @@
+using NuGetUpdater.Core.Run.ApiModel;
+
 namespace NuGetUpdater.Core;
 
 public record NativeResult
 {
-    // TODO: nullable not required, `ErrorType.None` is the default anyway
-    public ErrorType? ErrorType { get; init; }
-    public object? ErrorDetails { get; init; }
+    public JobErrorBase? Error { get; init; } = null;
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/NuGetUpdater.Core.csproj

@@ -14,6 +14,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <ProjectReference Include="..\DotNetPackageCorrelation\DotNetPackageCorrelation.csproj" />
     <ProjectReference Include="..\NuGetProjects\NuGet.CommandLine\NuGet.CommandLine.csproj" />
   </ItemGroup>
 
@@ -31,4 +32,6 @@
     <InternalsVisibleTo Include="NuGetUpdater.Core.Test" />
   </ItemGroup>
 
+  <Import Project="EnsureDotNetPackageCorrelation.targets" />
+
 </Project>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Advisory.cs

@@ -10,4 +10,6 @@ public record Advisory
     public ImmutableArray<Requirement>? AffectedVersions { get; init; } = null;
     public ImmutableArray<Requirement>? PatchedVersions { get; init; } = null;
     public ImmutableArray<Requirement>? UnaffectedVersions { get; init; } = null;
+
+    public IEnumerable<Requirement> SafeVersions => (PatchedVersions ?? []).Concat(UnaffectedVersions ?? []);
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/DependencyFileNotFound.cs

@@ -2,10 +2,14 @@ namespace NuGetUpdater.Core.Run.ApiModel;
 
 public record DependencyFileNotFound : JobErrorBase
 {
-    public DependencyFileNotFound(string message, string filePath)
+    public DependencyFileNotFound(string filePath, string? message = null)
         : base("dependency_file_not_found")
     {
-        Details["message"] = message;
-        Details["file-path"] = filePath;
+        if (message is not null)
+        {
+            Details["message"] = message;
+        }
+
+        Details["file-path"] = filePath.NormalizePathToUnix();
     }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/DependencyFileNotParseable.cs

@@ -0,0 +1,15 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record DependencyFileNotParseable : JobErrorBase
+{
+    public DependencyFileNotParseable(string filePath, string? message = null)
+        : base("dependency_file_not_parseable")
+    {
+        if (message is not null)
+        {
+            Details["message"] = message;
+        }
+
+        Details["file-path"] = filePath.NormalizePathToUnix();
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/JobErrorBase.cs

@@ -1,5 +1,10 @@
+using System.Net;
 using System.Text.Json.Serialization;
 
+using Microsoft.Build.Exceptions;
+
+using NuGetUpdater.Core.Analyze;
+
 namespace NuGetUpdater.Core.Run.ApiModel;
 
 public abstract record JobErrorBase
@@ -14,4 +19,23 @@ public abstract record JobErrorBase
 
     [JsonPropertyName("error-details")]
     public Dictionary<string, object> Details { get; init; } = new();
+
+    public static JobErrorBase ErrorFromException(Exception ex, string jobId, string currentDirectory)
+    {
+        return ex switch
+        {
+            BadRequirementException badRequirement => new BadRequirement(badRequirement.Message),
+            HttpRequestException httpRequest => httpRequest.StatusCode switch
+            {
+                HttpStatusCode.Unauthorized or
+                HttpStatusCode.Forbidden => new PrivateSourceAuthenticationFailure(NuGetContext.GetPackageSourceUrls(currentDirectory)),
+                _ => new UnknownError(ex, jobId),
+            },
+            InvalidProjectFileException invalidProjectFile => new DependencyFileNotParseable(invalidProjectFile.ProjectFile),
+            MissingFileException missingFile => new DependencyFileNotFound(missingFile.FilePath, missingFile.Message),
+            UnparseableFileException unparseableFile => new DependencyFileNotParseable(unparseableFile.FilePath, unparseableFile.Message),
+            UpdateNotPossibleException updateNotPossible => new UpdateNotPossible(updateNotPossible.Dependencies),
+            _ => new UnknownError(ex, jobId),
+        };
+    }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs

@@ -4,6 +4,8 @@ using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 
+using NuGet.Versioning;
+
 using NuGetUpdater.Core.Analyze;
 using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Run.ApiModel;
@@ -53,7 +55,7 @@ public class RunWorker
     private async Task<RunResult> RunWithErrorHandlingAsync(Job job, DirectoryInfo repoContentsPath, string baseCommitSha)
     {
         JobErrorBase? error = null;
-        string[] lastUsedPackageSourceUrls = []; // used for error reporting below
+        var currentDirectory = repoContentsPath.FullName; // used for error reporting below
         var runResult = new RunResult()
         {
             Base64DependencyFiles = [],
@@ -69,7 +71,7 @@ public class RunWorker
             foreach (var directory in job.GetAllDirectories())
             {
                 var localPath = PathHelper.JoinPath(repoContentsPath.FullName, directory);
-                lastUsedPackageSourceUrls = NuGetContext.GetPackageSourceUrls(localPath);
+                currentDirectory = localPath;
                 var result = await RunForDirectory(job, repoContentsPath, directory, baseCommitSha, experimentsManager);
                 foreach (var dependencyFile in result.Base64DependencyFiles)
                 {
@@ -84,26 +86,9 @@ public class RunWorker
                 BaseCommitSha = baseCommitSha,
             };
         }
-        catch (HttpRequestException ex)
-        when (ex.StatusCode == HttpStatusCode.Unauthorized || ex.StatusCode == HttpStatusCode.Forbidden)
-        {
-            error = new PrivateSourceAuthenticationFailure(lastUsedPackageSourceUrls);
-        }
-        catch (BadRequirementException ex)
-        {
-            error = new BadRequirement(ex.Message);
-        }
-        catch (MissingFileException ex)
-        {
-            error = new DependencyFileNotFound("file not found", ex.FilePath);
-        }
-        catch (UpdateNotPossibleException ex)
-        {
-            error = new UpdateNotPossible(ex.Dependencies);
-        }
         catch (Exception ex)
         {
-            error = new UnknownError(ex, _jobId);
+            error = JobErrorBase.ErrorFromException(ex, _jobId, currentDirectory);
         }
 
         if (error is not null)
@@ -123,6 +108,8 @@ public class RunWorker
         _logger.Info("Discovery JSON content:");
         _logger.Info(JsonSerializer.Serialize(discoveryResult, DiscoveryWorker.SerializerOptions));
 
+        // TODO: report errors
+
         // report dependencies
         var discoveredUpdatedDependencies = GetUpdatedDependencyListFromDiscovery(discoveryResult, repoContentsPath.FullName);
         await _apiHandler.UpdateDependencyList(discoveredUpdatedDependencies);
@@ -179,15 +166,7 @@ public class RunWorker
                         continue;
                     }
 
-                    var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
-                    var dependencyInfo = new DependencyInfo()
-                    {
-                        Name = dependency.Name,
-                        Version = dependency.Version!,
-                        IsVulnerable = false,
-                        IgnoredVersions = ignoredVersions,
-                        Vulnerabilities = [],
-                    };
+                    var dependencyInfo = GetDependencyInfo(job, dependency);
                     var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
                     // TODO: log analysisResult
                     if (analysisResult.CanUpdate)
@@ -221,7 +200,7 @@ public class RunWorker
                         var dependencyFilePath = Path.Join(discoveryResult.Path, project.FilePath).FullyNormalizedRootedPath();
                         var updateResult = await _updaterWorker.RunAsync(repoContentsPath.FullName, dependencyFilePath, dependency.Name, dependency.Version!, analysisResult.UpdatedVersion, isTransitive: false);
                         // TODO: need to report if anything was actually updated
-                        if (updateResult.ErrorType is null || updateResult.ErrorType == ErrorType.None)
+                        if (updateResult.Error is null)
                         {
                             if (dependencyLocation != dependencyFilePath)
                             {
@@ -329,6 +308,30 @@ public class RunWorker
         return ignoredVersions;
     }
 
+    internal static DependencyInfo GetDependencyInfo(Job job, Dependency dependency)
+    {
+        var dependencyVersion = NuGetVersion.Parse(dependency.Version!);
+        var securityAdvisories = job.SecurityAdvisories.Where(s => s.DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)).ToArray();
+        var isVulnerable = securityAdvisories.Any(s => (s.AffectedVersions ?? []).Any(v => v.IsSatisfiedBy(dependencyVersion)));
+        var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
+        var vulnerabilities = securityAdvisories.Select(s => new SecurityVulnerability()
+        {
+            DependencyName = dependency.Name,
+            PackageManager = "nuget",
+            VulnerableVersions = s.AffectedVersions ?? [],
+            SafeVersions = s.SafeVersions.ToImmutableArray(),
+        }).ToImmutableArray();
+        var dependencyInfo = new DependencyInfo()
+        {
+            Name = dependency.Name,
+            Version = dependencyVersion.ToString(),
+            IsVulnerable = isVulnerable,
+            IgnoredVersions = ignoredVersions,
+            Vulnerabilities = vulnerabilities,
+        };
+        return dependencyInfo;
+    }
+
     internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult, string pathToContents)
     {
         string GetFullRepoPath(string path)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/UnparseableFileException.cs

@@ -0,0 +1,12 @@
+namespace NuGetUpdater.Core;
+
+internal class UnparseableFileException : Exception
+{
+    public string FilePath { get; }
+
+    public UnparseableFileException(string message, string filePath)
+        : base(message)
+    {
+        FilePath = filePath;
+    }
+}