dependabot-nuget 0.292.0 → 0.294.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackageReferenceUpdater.cs

@@ -4,6 +4,8 @@ using Microsoft.Language.Xml;
 
 using NuGet.Versioning;
 
+using NuGetUpdater.Core.Utilities;
+
 namespace NuGetUpdater.Core;
 
 /// <summary>
@@ -36,6 +38,25 @@ internal static class PackageReferenceUpdater
 
         // Get the set of all top-level dependencies in the current project
         var topLevelDependencies = MSBuildHelper.GetTopLevelPackageDependencyInfos(buildFiles).ToArray();
+        var isDependencyTopLevel = topLevelDependencies.Any(d => d.Name.Equals(dependencyName, StringComparison.OrdinalIgnoreCase));
+        if (isDependencyTopLevel)
+        {
+            var packageMapper = DotNetPackageCorrelationManager.GetPackageMapper();
+            // TODO: this is slow
+            var isSdkReplacementPackage = packageMapper.RuntimePackages.Runtimes.Any(r =>
+            {
+                return r.Value.Packages.Any(p => dependencyName.Equals(p.Key, StringComparison.Ordinal));
+            });
+            if (isSdkReplacementPackage)
+            {
+                // If we're updating a top level SDK replacement package, the version listed in the project file won't
+                // necessarily match the resolved version that caused the update because the SDK might have replaced
+                // the package.  To handle this scenario, we pretend the version we're searching for is the actual
+                // version in the file, not the resolved version.  This allows us to keep a strict equality check when
+                // finding the file to update.
+                previousDependencyVersion = topLevelDependencies.First(d => d.Name.Equals(dependencyName, StringComparison.OrdinalIgnoreCase)).Version!;
+            }
+        }
 
         if (!await DoesDependencyRequireUpdateAsync(repoRootPath, projectPath, tfms, topLevelDependencies, dependencyName, newDependencyVersion, experimentsManager, logger))
         {

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/UpdaterWorker.cs

@@ -3,6 +3,7 @@ using System.Text.Json;
 using System.Text.Json.Serialization;
 
 using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Run.ApiModel;
 using NuGetUpdater.Core.Updater;
 using NuGetUpdater.Core.Utilities;
 
@@ -10,6 +11,7 @@ namespace NuGetUpdater.Core;
 
 public class UpdaterWorker : IUpdaterWorker
 {
+    private readonly string _jobId;
     private readonly ExperimentsManager _experimentsManager;
     private readonly ILogger _logger;
     private readonly HashSet<string> _processedProjectPaths = new(StringComparer.OrdinalIgnoreCase);
@@ -20,8 +22,9 @@ public class UpdaterWorker : IUpdaterWorker
         Converters = { new JsonStringEnumConverter() },
     };
 
-    public UpdaterWorker(ExperimentsManager experimentsManager, ILogger logger)
+    public UpdaterWorker(string jobId, ExperimentsManager experimentsManager, ILogger logger)
     {
+        _jobId = jobId;
         _experimentsManager = experimentsManager;
         _logger = logger;
     }
@@ -43,42 +46,15 @@ public class UpdaterWorker : IUpdaterWorker
         {
             result = await RunAsync(repoRootPath, workspacePath, dependencyName, previousDependencyVersion, newDependencyVersion, isTransitive);
         }
-        catch (HttpRequestException ex)
-        when (ex.StatusCode == HttpStatusCode.Unauthorized || ex.StatusCode == HttpStatusCode.Forbidden)
+        catch (Exception ex)
         {
             if (!Path.IsPathRooted(workspacePath) || !File.Exists(workspacePath))
             {
                 workspacePath = Path.GetFullPath(Path.Join(repoRootPath, workspacePath));
             }
-
-            result = new()
-            {
-                ErrorType = ErrorType.AuthenticationFailure,
-                ErrorDetails = "(" + string.Join("|", NuGetContext.GetPackageSourceUrls(workspacePath)) + ")",
-            };
-        }
-        catch (MissingFileException ex)
-        {
-            result = new()
-            {
-                ErrorType = ErrorType.MissingFile,
-                ErrorDetails = ex.FilePath,
-            };
-        }
-        catch (UpdateNotPossibleException ex)
-        {
-            result = new()
-            {
-                ErrorType = ErrorType.UpdateNotPossible,
-                ErrorDetails = ex.Dependencies,
-            };
-        }
-        catch (Exception ex)
-        {
             result = new()
             {
-                ErrorType = ErrorType.Unknown,
-                ErrorDetails = ex.ToString(),
+                Error = JobErrorBase.ErrorFromException(ex, _jobId, workspacePath),
             };
         }
 

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/DotNetPackageCorrelationManager.cs

@@ -0,0 +1,46 @@
+using System.Text.Json;
+
+using DotNetPackageCorrelation;
+
+using NuGetUpdater.Core.Discover;
+
+namespace NuGetUpdater.Core.Utilities;
+
+internal static class DotNetPackageCorrelationManager
+{
+    private static readonly PackageMapper _packageMapper;
+    private static readonly Dictionary<string, PackageMapper> _packageMapperByOverrideFile = new();
+
+    static DotNetPackageCorrelationManager()
+    {
+        var packageCorrelationPath = Path.Combine(Path.GetDirectoryName(typeof(SdkProjectDiscovery).Assembly.Location)!, "dotnet-package-correlation.json");
+        var runtimePackages = LoadRuntimePackagesFromFile(packageCorrelationPath);
+        _packageMapper = PackageMapper.Load(runtimePackages);
+    }
+
+    public static PackageMapper GetPackageMapper()
+    {
+        var packageCorrelationFileOverride = Environment.GetEnvironmentVariable("DOTNET_PACKAGE_CORRELATION_FILE_PATH");
+        if (packageCorrelationFileOverride is not null)
+        {
+            // this is used as a test hook to allow unit tests to be SDK agnostic
+            if (_packageMapperByOverrideFile.TryGetValue(packageCorrelationFileOverride, out var packageMapper))
+            {
+                return packageMapper;
+            }
+
+            var runtimePackages = LoadRuntimePackagesFromFile(packageCorrelationFileOverride);
+            packageMapper = PackageMapper.Load(runtimePackages);
+            _packageMapperByOverrideFile[packageCorrelationFileOverride] = packageMapper;
+            return packageMapper;
+        }
+
+        return _packageMapper;
+    }
+
+    private static RuntimePackages LoadRuntimePackagesFromFile(string filePath)
+    {
+        var packageCorrelationJson = File.ReadAllText(filePath);
+        return JsonSerializer.Deserialize<RuntimePackages>(packageCorrelationJson, Correlator.SerializerOptions)!;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs

@@ -19,6 +19,7 @@ using NuGet.Frameworks;
 using NuGet.Versioning;
 
 using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Utilities;
 
 namespace NuGetUpdater.Core;
@@ -342,7 +343,7 @@ internal static partial class MSBuildHelper
         var tempDirectory = Directory.CreateTempSubdirectory("package-dependency-coherence_");
         try
         {
-            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, logger);
+            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, experimentsManager, logger);
             var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["restore", tempProjectPath], tempDirectory.FullName, experimentsManager);
 
             // NU1608: Detected package version outside of dependency constraint
@@ -362,7 +363,7 @@ internal static partial class MSBuildHelper
 
         try
         {
-            string tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, logger);
+            string tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, experimentsManager, logger);
             var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["restore", tempProjectPath], tempDirectory.FullName, experimentsManager);
 
             // Add Dependency[] packages to List<PackageToUpdate> existingPackages
@@ -518,7 +519,7 @@ internal static partial class MSBuildHelper
         var tempDirectory = Directory.CreateTempSubdirectory("package-dependency-coherence_");
         try
         {
-            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, logger);
+            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, experimentsManager, logger);
             var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["restore", tempProjectPath], tempDirectory.FullName, experimentsManager);
             ThrowOnUnauthenticatedFeed(stdOut);
 
@@ -668,12 +669,22 @@ internal static partial class MSBuildHelper
         string projectPath,
         string targetFramework,
         IReadOnlyCollection<Dependency> packages,
+        ExperimentsManager experimentsManager,
         ILogger logger,
         bool usePackageDownload = false)
     {
         var projectDirectory = Path.GetDirectoryName(projectPath);
         projectDirectory ??= repoRoot;
-        var topLevelFiles = Directory.GetFiles(repoRoot);
+
+        if (experimentsManager.InstallDotnetSdks)
+        {
+            var globalJsonPath = PathHelper.GetFileInDirectoryOrParent(projectPath, repoRoot, "global.json", caseSensitive: true);
+            if (globalJsonPath is not null)
+            {
+                File.Copy(globalJsonPath, Path.Combine(tempDir.FullName, "global.json"));
+            }
+        }
+
         var nugetConfigPath = PathHelper.GetFileInDirectoryOrParent(projectPath, repoRoot, "NuGet.Config", caseSensitive: false);
         if (nugetConfigPath is not null)
         {
@@ -832,40 +843,53 @@ internal static partial class MSBuildHelper
         string targetFramework,
         IReadOnlyCollection<Dependency> packages,
         ExperimentsManager experimentsManager,
-        ILogger logger)
+        ILogger logger
+    )
     {
         var tempDirectory = Directory.CreateTempSubdirectory("package-dependency-resolution_");
         try
         {
             var topLevelPackagesNames = packages.Select(p => p.Name).ToHashSet(StringComparer.OrdinalIgnoreCase);
-            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, logger);
+            var tempProjectPath = await CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, targetFramework, packages, experimentsManager, logger);
 
-            var (exitCode, stdout, stderr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["build", tempProjectPath, "/t:_ReportDependencies"], tempDirectory.FullName, experimentsManager);
-            ThrowOnUnauthenticatedFeed(stdout);
-
-            if (exitCode == 0)
+            Dependency[] allDependencies;
+            if (experimentsManager.UseDirectDiscovery)
             {
-                ImmutableArray<string> tfms = [targetFramework];
-                var lines = stdout.Split('\n').Select(line => line.Trim());
-                var pattern = PackagePattern();
-                var allDependencies = lines
-                    .Select(line => pattern.Match(line))
-                    .Where(match => match.Success)
-                    .Select(match =>
-                    {
-                        var PackageName = match.Groups["PackageName"].Value;
-                        var isTransitive = !topLevelPackagesNames.Contains(PackageName);
-                        return new Dependency(PackageName, match.Groups["PackageVersion"].Value, DependencyType.Unknown, TargetFrameworks: tfms, IsTransitive: isTransitive);
-                    })
-                    .ToArray();
-
-                return allDependencies;
+                var projectDiscovery = await SdkProjectDiscovery.DiscoverAsync(repoRoot, tempDirectory.FullName, tempProjectPath, experimentsManager, logger);
+                allDependencies = projectDiscovery
+                    .Where(p => p.FilePath == Path.GetFileName(tempProjectPath))
+                    .FirstOrDefault()
+                    ?.Dependencies.ToArray() ?? [];
             }
             else
             {
-                logger?.Warn($"dotnet build in {nameof(GetAllPackageDependenciesAsync)} failed. STDOUT: {stdout} STDERR: {stderr}");
-                return [];
+                var (exitCode, stdout, stderr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["build", tempProjectPath, "/t:_ReportDependencies"], tempDirectory.FullName, experimentsManager);
+                ThrowOnUnauthenticatedFeed(stdout);
+
+                if (exitCode == 0)
+                {
+                    ImmutableArray<string> tfms = [targetFramework];
+                    var lines = stdout.Split('\n').Select(line => line.Trim());
+                    var pattern = PackagePattern();
+                    allDependencies = lines
+                        .Select(line => pattern.Match(line))
+                        .Where(match => match.Success)
+                        .Select(match =>
+                        {
+                            var PackageName = match.Groups["PackageName"].Value;
+                            var isTransitive = !topLevelPackagesNames.Contains(PackageName);
+                            return new Dependency(PackageName, match.Groups["PackageVersion"].Value, DependencyType.Unknown, TargetFrameworks: tfms, IsTransitive: isTransitive);
+                        })
+                        .ToArray();
+                }
+                else
+                {
+                    logger?.Warn($"dotnet build in {nameof(GetAllPackageDependenciesAsync)} failed. STDOUT: {stdout} STDERR: {stderr}");
+                    allDependencies = [];
+                }
             }
+
+            return allDependencies;
         }
         finally
         {

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/NuGetHelper.cs

@@ -9,7 +9,7 @@ internal static class NuGetHelper
         var tempDirectory = Directory.CreateTempSubdirectory("msbuild_sdk_restore_");
         try
         {
-            var tempProjectPath = await MSBuildHelper.CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, "netstandard2.0", packages, logger, usePackageDownload: true);
+            var tempProjectPath = await MSBuildHelper.CreateTempProjectAsync(tempDirectory, repoRoot, projectPath, "netstandard2.0", packages, experimentsManager, logger, usePackageDownload: true);
             var (exitCode, stdOut, stdErr) = await ProcessEx.RunDotnetWithoutMSBuildEnvironmentVariablesAsync(["restore", tempProjectPath], tempDirectory.FullName, experimentsManager);
 
             return exitCode == 0;

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTestBase.cs

@@ -12,7 +12,7 @@ namespace NuGetUpdater.Core.Test.Analyze;
 
 using TestFile = (string Path, string Content);
 
-public class AnalyzeWorkerTestBase
+public class AnalyzeWorkerTestBase : TestBase
 {
     protected static async Task TestAnalyzeAsync(
         WorkspaceDiscoveryResult discovery,
@@ -39,7 +39,7 @@ public class AnalyzeWorkerTestBase
             var discoveryPath = Path.GetFullPath(DiscoveryWorker.DiscoveryResultFileName, directoryPath);
             var dependencyPath = Path.GetFullPath(relativeDependencyPath, directoryPath);
 
-            var worker = new AnalyzeWorker(experimentsManager, new TestLogger());
+            var worker = new AnalyzeWorker("TEST-JOB-ID", experimentsManager, new TestLogger());
             var result = await worker.RunWithErrorHandlingAsync(directoryPath, discoveryPath, dependencyPath);
             return result;
         });
@@ -55,8 +55,7 @@ public class AnalyzeWorkerTestBase
         Assert.Equal(expectedResult.VersionComesFromMultiDependencyProperty, actualResult.VersionComesFromMultiDependencyProperty);
         ValidateDependencies(expectedResult.UpdatedDependencies, actualResult.UpdatedDependencies);
         Assert.Equal(expectedResult.ExpectedUpdatedDependenciesCount ?? expectedResult.UpdatedDependencies.Length, actualResult.UpdatedDependencies.Length);
-        Assert.Equal(expectedResult.ErrorType, actualResult.ErrorType);
-        Assert.Equal(expectedResult.ErrorDetails, actualResult.ErrorDetails);
+        ValidateResult(expectedResult, actualResult);
 
         return;
 
@@ -81,6 +80,18 @@ public class AnalyzeWorkerTestBase
         }
     }
 
+    protected static void ValidateResult(ExpectedAnalysisResult? expectedResult, AnalysisResult actualResult)
+    {
+        if (expectedResult?.Error is not null)
+        {
+            ValidateError(expectedResult.Error, actualResult.Error);
+        }
+        else
+        {
+            Assert.Null(actualResult.Error);
+        }
+    }
+
     protected static async Task<AnalysisResult> RunAnalyzerAsync(string dependencyName, TestFile[] files, Func<string, Task<AnalysisResult>> action)
     {
         // write initial files

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs

@@ -4,6 +4,7 @@ using System.Text.Json;
 using NuGet;
 
 using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Run.ApiModel;
 
 using Xunit;
 
@@ -477,6 +478,61 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
         );
     }
 
+    [Fact]
+    public async Task SafeVersionsPropertyIsHonored()
+    {
+        await TestAnalyzeAsync(
+            packages:
+            [
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.0.0", "net8.0"), // initially this
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.1.0", "net8.0"), // should update to this due to `SafeVersions`
+                MockNuGetPackage.CreateSimplePackage("Some.Package", "1.2.0", "net8.0"), // this should not be considered
+            ],
+            discovery: new()
+            {
+                Path = "/",
+                Projects = [
+                    new()
+                    {
+                        FilePath = "./project.csproj",
+                        TargetFrameworks = ["net8.0"],
+                        Dependencies = [
+                            new("Some.Package", "1.0.0", DependencyType.PackageReference),
+                        ],
+                        ReferencedProjectPaths = [],
+                        ImportedFiles = [],
+                        AdditionalFiles = [],
+                    },
+                ],
+            },
+            dependencyInfo: new()
+            {
+                Name = "Some.Package",
+                Version = "1.0.0",
+                IgnoredVersions = [],
+                IsVulnerable = false,
+                Vulnerabilities = [
+                    new()
+                    {
+                        DependencyName = "Some.Package",
+                        PackageManager = "nuget",
+                        VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
+                        SafeVersions = [Requirement.Parse("= 1.1.0")]
+                    }
+                ],
+            },
+            expectedResult: new()
+            {
+                UpdatedVersion = "1.1.0",
+                CanUpdate = true,
+                VersionComesFromMultiDependencyProperty = false,
+                UpdatedDependencies = [
+                    new("Some.Package", "1.1.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
+                ],
+            }
+        );
+    }
+
     [Fact]
     public async Task VersionFinderCanHandle404FromPackageSource_V2()
     {
@@ -1015,8 +1071,7 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
         using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync([]);
         await AnalyzeWorker.WriteResultsAsync(temporaryDirectory.DirectoryPath, "Some.Dependency", new()
         {
-            ErrorType = ErrorType.AuthenticationFailure,
-            ErrorDetails = "<some package feed>",
+            Error = new PrivateSourceAuthenticationFailure(["<some package feed>"]),
             UpdatedVersion = "",
             UpdatedDependencies = [],
         }, new TestLogger());
@@ -1025,16 +1080,23 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
         // raw result file should look like this:
         // {
         //   ...
-        //   "ErrorType": "AuthenticationFailure",
+        //   "Error": {
+        //     "error-type": "private_source_authentication_failure",
+        //     "error-details": {
+        //       "source": "(<some package feed>)"
+        //     }
+        //   }
         //   "ErrorDetails": "<some package feed>",
         //   ...
         // }
         var jsonDocument = JsonDocument.Parse(discoveryContents);
-        var errorType = jsonDocument.RootElement.GetProperty("ErrorType");
-        var errorDetails = jsonDocument.RootElement.GetProperty("ErrorDetails");
+        var error = jsonDocument.RootElement.GetProperty("Error");
+        var errorType = error.GetProperty("error-type");
+        var errorDetails = error.GetProperty("error-details");
+        var errorSource = errorDetails.GetProperty("source");
 
-        Assert.Equal("AuthenticationFailure", errorType.GetString());
-        Assert.Equal("<some package feed>", errorDetails.GetString());
+        Assert.Equal("private_source_authentication_failure", errorType.GetString());
+        Assert.Equal("(<some package feed>)", errorSource.GetString());
     }
 
     [Fact]
@@ -1110,8 +1172,7 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
             },
             expectedResult: new()
             {
-                ErrorType = ErrorType.AuthenticationFailure,
-                ErrorDetails = $"({http.BaseUrl.TrimEnd('/')}/index.json)",
+                Error = new PrivateSourceAuthenticationFailure([$"{http.BaseUrl.TrimEnd('/')}/index.json"]),
                 UpdatedVersion = string.Empty,
                 CanUpdate = false,
                 UpdatedDependencies = [],

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/DiscoveryWorkerTestBase.cs

@@ -5,7 +5,9 @@ using System.Text.Json;
 
 using NuGetUpdater.Core.Discover;
 using NuGetUpdater.Core.Test.Update;
+using NuGetUpdater.Core.Test.Updater;
 using NuGetUpdater.Core.Test.Utilities;
+using NuGetUpdater.Core.Updater;
 using NuGetUpdater.Core.Utilities;
 
 using Xunit;
@@ -28,7 +30,7 @@ public class DiscoveryWorkerTestBase : TestBase
         {
             await UpdateWorkerTestBase.MockNuGetPackagesInDirectory(packages, directoryPath);
 
-            var worker = new DiscoveryWorker(experimentsManager, new TestLogger());
+            var worker = new DiscoveryWorker("TEST-JOB-ID", experimentsManager, new TestLogger());
             var result = await worker.RunWithErrorHandlingAsync(directoryPath, workspacePath);
             return result;
         });
@@ -44,17 +46,7 @@ public class DiscoveryWorkerTestBase : TestBase
         ValidateResultWithDependencies(expectedResult.DotNetToolsJson, actualResult.DotNetToolsJson);
         ValidateProjectResults(expectedResult.Projects, actualResult.Projects, experimentsManager);
         Assert.Equal(expectedResult.ExpectedProjectCount ?? expectedResult.Projects.Length, actualResult.Projects.Length);
-        Assert.Equal(expectedResult.ErrorType, actualResult.ErrorType);
-        if (expectedResult.ErrorDetailsPattern is not null)
-        {
-            var errorDetails = actualResult.ErrorDetails?.ToString();
-            Assert.NotNull(errorDetails);
-            Assert.Matches(expectedResult.ErrorDetailsPattern, errorDetails);
-        }
-        else
-        {
-            Assert.Equal(expectedResult.ErrorDetails, actualResult.ErrorDetails);
-        }
+        ValidateDiscoveryOperationResult(expectedResult, actualResult);
 
         return;
 
@@ -76,6 +68,22 @@ public class DiscoveryWorkerTestBase : TestBase
         }
     }
 
+    protected static void ValidateDiscoveryOperationResult(ExpectedWorkspaceDiscoveryResult? expectedResult, WorkspaceDiscoveryResult actualResult)
+    {
+        if (expectedResult?.Error is not null)
+        {
+            ValidateError(expectedResult.Error, actualResult.Error);
+        }
+        else if (expectedResult?.ErrorRegex is not null)
+        {
+            ValidateErrorRegex(expectedResult.ErrorRegex, actualResult.Error);
+        }
+        else
+        {
+            Assert.Null(actualResult.Error);
+        }
+    }
+
     internal static void ValidateProjectResults(ImmutableArray<ExpectedSdkProjectDiscoveryResult> expectedProjects, ImmutableArray<ProjectDiscoveryResult> actualProjects, ExperimentsManager experimentsManager)
     {
         if (expectedProjects.IsDefaultOrEmpty)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/DiscoveryWorkerTests.Project.cs

@@ -1263,5 +1263,113 @@ public partial class DiscoveryWorkerTests
                 }
             );
         }
+
+        [Fact]
+        public async Task PackagesManagedAndRemovedByTheSdkAreReported()
+        {
+            // To avoid a unit test that's tightly coupled to the installed SDK, some files are faked.
+            // First up, the `dotnet-package-correlation.json` is faked to have the appropriate shape to report a
+            // package replacement.  Doing this requires a temporary file and environment variable override.
+            using var tempDirectory = new TemporaryDirectory();
+            var packageCorrelationFile = Path.Combine(tempDirectory.DirectoryPath, "dotnet-package-correlation.json");
+            await File.WriteAllTextAsync(packageCorrelationFile, """
+                {
+                    "Runtimes": {
+                        "1.0.0": {
+                            "Packages": {
+                                "Dependabot.App.Core.Ref": "1.0.0",
+                                "Test.Only.Package": "1.0.0"
+                            }
+                        },
+                        "1.0.1": {
+                            "Packages": {
+                                "Dependabot.App.Core.Ref": "1.0.1",
+                                "Test.Only.Package": "1.0.99"
+                            }
+                        }
+                    }
+                }
+                """);
+            using var tempEnvironment = new TemporaryEnvironment([("DOTNET_PACKAGE_CORRELATION_FILE_PATH", packageCorrelationFile)]);
+
+            // The SDK package handling is detected in a very specific circumstance; an assembly being removed from the
+            // `@(References)` item group in the `_HandlePackageFileConflicts` target.  Since we don't want to involve
+            // the real SDK, we fake some required targets.
+            await TestDiscoveryAsync(
+                experimentsManager: new ExperimentsManager() { InstallDotnetSdks = true, UseDirectDiscovery = true },
+                packages: [],
+                workspacePath: "",
+                files:
+                [
+                    ("project.csproj", """
+                        <Project>
+                          <!-- note that the attribute `Sdk="Microsoft.NET.Sdk"` is missing because we don't want the real SDK interfering -->
+
+                          <!-- this allows custom targets to be injected for dependency detection -->
+                          <Import Project="$(CustomAfterMicrosoftCommonTargets)" Condition="Exists('$(CustomAfterMicrosoftCommonTargets)')" />
+
+                          <PropertyGroup>
+                            <TargetFramework>net8.0</TargetFramework>
+                          </PropertyGroup>
+
+                          <ItemGroup>
+                            <!-- we need a value in this item group with the appropriate metadata to simulate it having been added by NuGet -->
+                            <RuntimeCopyLocalItems Include="TestOnlyAssembly.dll" NuGetPackageId="Test.Only.Package" NuGetPackageVersion="1.0.0" />
+
+                            <!-- this represents the assemblies being extracted from the package -->
+                            <Reference Include="@(RuntimeCopyLocalItems)" />
+                          </ItemGroup>
+
+                          <Target Name="_HandlePackageFileConflicts">
+                            <!-- this target needs to exist for discovery to work -->
+                            <ItemGroup>
+                              <!-- this removal is what triggers the package lookup in the correlation file -->
+                              <Reference Remove="TestOnlyAssembly.dll" />
+
+                              <!-- this addition is what's used for the lookup -->
+                              <Reference Include="TestOnlyAssembly.dll" NuGetPackageId="Dependabot.App.Core.Ref" NuGetPackageVersion="1.0.1" />
+                            </ItemGroup>
+                          </Target>
+
+                          <Target Name="ResolveAssemblyReferences" DependsOnTargets="_HandlePackageFileConflicts">
+                            <!-- this target needs to exist for discovery to work -->
+                          </Target>
+
+                          <Target Name="GenerateBuildDependencyFile">
+                            <!-- this target needs to exist for discovery to work -->
+                            <ItemGroup>
+                              <!-- this removal is what removes the regular package reference from the project -->
+                              <RuntimeCopyLocalItems Remove="TestOnlyAssembly.dll" />
+                            </ItemGroup>
+                          </Target>
+
+                          <Target Name="ResolvePackageAssets">
+                            <!-- this target needs to exist for discovery to work -->
+                          </Target>
+                        </Project>
+                        """)
+                ],
+                expectedResult: new()
+                {
+                    Path = "",
+                    Projects = [
+                        new()
+                        {
+                            FilePath = "project.csproj",
+                            Dependencies = [
+                                new("Test.Only.Package", "1.0.99", DependencyType.Unknown, TargetFrameworks: ["net8.0"], IsTransitive: true)
+                            ],
+                            Properties = [
+                                new("TargetFramework", "net8.0", "project.csproj")
+                            ],
+                            TargetFrameworks = ["net8.0"],
+                            ReferencedProjectPaths = [],
+                            ImportedFiles = [],
+                            AdditionalFiles = [],
+                        }
+                    ]
+                }
+            );
+        }
     }
 }