Document SDK vulnerability and EOL build warnings #53870
Open
JamieMagee wants to merge 1 commit into
Add error pages for NETSDK1238, NETSDK1239, and NETSDK1240, plus cross-references from the SDK errors index, TOC, dotnet-sdk-check, versions/selection, releases-and-support, and the environment variables doc.
Pull request overview
This PR documents new opt-in SDK build warnings that report vulnerable, end-of-life, or discontinued .NET SDK feature bands, and links them from related SDK, version-selection, support, and environment-variable docs.
Changes:
- Adds reference pages for NETSDK1238, NETSDK1239, and NETSDK1240.
- Updates SDK error indexes and navigation.
- Documents related MSBuild property and environment variables across supporting articles.
| File | Description |
|---|---|
| docs/navigate/tools-diagnostics/toc.yml | Adds the three new NETSDK warning pages to navigation. |
| docs/core/versions/selection.md | Cross-links build-time SDK status warnings from version selection guidance. |
| docs/core/tools/sdk-errors/netsdk1240.md | Adds NETSDK1240 reference content. |
| docs/core/tools/sdk-errors/netsdk1239.md | Adds NETSDK1239 reference content. |
| docs/core/tools/sdk-errors/netsdk1238.md | Adds NETSDK1238 reference content. |
| docs/core/tools/sdk-errors/index.md | Adds the new warning IDs to the SDK error list. |
| docs/core/tools/dotnet-sdk-check.md | Links dotnet sdk check guidance to the new build warnings. |
| docs/core/tools/dotnet-environment-variables.md | Documents SDK vulnerability-check environment variables. |
| docs/core/releases-and-support.md | Links unsupported SDK detection guidance to NETSDK1239. |
Copilot's findings
Comments suppressed due to low confidence (1)
docs/core/tools/dotnet-environment-variables.md:425
- This description omits the feature-band discontinuation check that also uses this cache. Include that status check so the interval variable's scope matches NETSDK1238, NETSDK1239, and NETSDK1240.
Specifies the minimum number of hours between background refreshes of the SDK release metadata cache used by the SDK vulnerability and end-of-life check. The default is `24`.
- Files reviewed: 9/9 changed files
- Comments generated: 9
|
|
||
| ## See also | ||
|
|
||
| To get the same information as a build warning, set the `CheckSdkVulnerabilities` MSBuild property to `true` in your project. See [NETSDK1238](sdk-errors/netsdk1238.md), [NETSDK1239](sdk-errors/netsdk1239.md), and [NETSDK1240](sdk-errors/netsdk1240.md). |
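Review bot: The added sentence under "See also" promises "the same information as a build warning", but the NETSDK pages in this PR state that the MSBuild check reads only a local metadata cache and emits nothing when that cache has never been populated. Qualify the sentence with that dependency, for example by noting that the build warning appears only when the local SDK release metadata cache is available, so readers don't treat a quiet build as equivalent to running the command.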
|
|
||
| It's important to update to the latest version of the SDK regularly to adopt the latest features, performance improvements, and bug fixes. To easily check for updates to the SDK, use the `dotnet sdk check` [command](../tools/dotnet-sdk-check.md). Additionally, if you select a specific version using *global.json*, consider a tool such as Dependabot to automatically update the pinned SDK version as new versions become available. | ||
|
|
||
| To get the same information at build time, set the `CheckSdkVulnerabilities` MSBuild property to `true`. The build then warns if the resolved .NET SDK has known vulnerabilities ([NETSDK1238](../tools/sdk-errors/netsdk1238.md)), is end of life ([NETSDK1239](../tools/sdk-errors/netsdk1239.md)), or is on a feature band that has no newer release ([NETSDK1240](../tools/sdk-errors/netsdk1240.md)). |
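Review bot: The NETSDK1240 parenthetical in the added paragraph, "is on a feature band that has no newer release", drops the condition the NETSDK1240 page itself gives ("even though a newer SDK exists in a different feature band on the same major version"), so as written it also describes the newest feature band. Suggest matching the page title, for example "is on a discontinued feature band", or carrying the full condition over.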
| --- | ||
| # NETSDK1238: The current .NET SDK has known vulnerabilities | ||
|
|
||
| This warning indicates that the .NET SDK used to build your project has one or more known Common Vulnerabilities and Exposures (CVEs). The full warning message is similar to the following example: |
| --- | ||
| # NETSDK1239: The current .NET SDK is end of life | ||
|
|
||
| This warning indicates that the .NET SDK used to build your project is end of life (EOL) and no longer receives security updates. The full warning message is similar to the following example: |
| --- | ||
| # NETSDK1240: The current .NET SDK feature band is discontinued | ||
|
|
||
| This warning indicates that the feature band of the .NET SDK used to build your project has no newer release, even though a newer SDK exists in a different feature band on the same major version. The full warning message is similar to the following example: |
|
|
||
| You can also pass `/p:CheckSdkVulnerabilities=true` to a .NET CLI command, such as `dotnet build`. | ||
|
|
||
| The .NET CLI refreshes a local cache of SDK release metadata in the background (at most once every 24 hours) under `~/.dotnet/sdk-vulnerability-cache/`. The MSBuild check reads only that cache; it does not make network calls during the build. On machines that have never had network access, no warning is emitted. |
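Review bot: The cache paragraph hard-codes "at most once every 24 hours", while this PR also documents `DOTNET_SDK_VULNERABILITY_CHECK_INTERVAL_HOURS` with `24` only as its default. Say "by default" and link to that variable and to `DOTNET_SDK_VULNERABILITY_CHECK_DISABLE` from here, since both change what this paragraph describes. The path `~/.dotnet/sdk-vulnerability-cache/` also gives no Windows equivalent; state the location relative to the user profile or list it per platform.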
|
|
||
| You can also pass `/p:CheckSdkVulnerabilities=true` to a .NET CLI command, such as `dotnet build`. | ||
|
|
||
| The .NET CLI refreshes a local cache of SDK release metadata in the background (at most once every 24 hours) under `~/.dotnet/sdk-vulnerability-cache/`. The MSBuild check reads only that cache; it does not make network calls during the build. |
|
|
||
| You can also pass `/p:CheckSdkVulnerabilities=true` to a .NET CLI command, such as `dotnet build`. | ||
|
|
||
| The .NET CLI refreshes a local cache of SDK release metadata in the background (at most once every 24 hours) under `~/.dotnet/sdk-vulnerability-cache/`. The MSBuild check reads only that cache; it does not make network calls during the build. |
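Review bot: This copy of the cache paragraph, like the identical one in the preceding hunk, omits the sentence that another copy in this PR carries: "On machines that have never had network access, no warning is emitted." That caveat applies to every warning that reads the cache, so either add it to all three pages or move the shared paragraph into a single include so the copies cannot drift.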
Comment on lines +421 to +425
| Disables the opt-in SDK vulnerability and end-of-life check. When set to `true`, the .NET CLI doesn't refresh the local SDK release metadata cache in the background, and the MSBuild check doesn't emit [NETSDK1238](sdk-errors/netsdk1238.md), [NETSDK1239](sdk-errors/netsdk1239.md), or [NETSDK1240](sdk-errors/netsdk1240.md). The default is `false`. The check is also opt-in at the project level through the `CheckSdkVulnerabilities` MSBuild property. | ||
|
|
||
| ### `DOTNET_SDK_VULNERABILITY_CHECK_INTERVAL_HOURS` | ||
|
|
||
| Specifies the minimum number of hours between background refreshes of the SDK release metadata cache used by the SDK vulnerability and end-of-life check. The default is `24`. |
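Review bot: In the `DOTNET_SDK_VULNERABILITY_CHECK_DISABLE` description, "The check is also opt-in at the project level" reads as if the variable were an opt-in, when the preceding sentences describe it as an opt-out with a default of `false`. Suggest "The check itself is opt-in per project through the `CheckSdkVulnerabilities` MSBuild property; this variable turns it off even for projects that set it." Both descriptions also call it the "vulnerability and end-of-life check" while the first lists NETSDK1240, so name the discontinued feature band case in both, and state which values `DOTNET_SDK_VULNERABILITY_CHECK_INTERVAL_HOURS` accepts (for example whether `0` or a non-numeric value falls back to `24`).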
Summary
Adds reference pages for the three new build warnings introduced by dotnet/sdk#53557:
The warnings are opt-in via the `CheckSdkVulnerabilities` MSBuild property. Also documents the new `DOTNET_SDK_VULNERABILITY_CHECK_DISABLE` and `DOTNET_SDK_VULNERABILITY_CHECK_INTERVAL_HOURS` environment variables, adds entries to the SDK errors index and TOC, and cross-links from `dotnet sdk check`, version selection, and releases-and-support.

Pairs with dotnet/sdk#53557.
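The documentation in this PR says the build check reads only a local cache and stays silent when none exists, so a quiet build on a fresh CI agent proves nothing. As an added example (not part of the PR or of the .NET SDK), this POSIX shell helper classifies the cache state so a job can tell the two apart; treating file modification times as the refresh time and reusing the interval variable as the staleness threshold are both assumptions.

```shell
#!/bin/sh
# Added example: classify the SDK status cache before trusting a warning-free build.
# Assumption: the newest file mtime under the cache directory approximates the
# last background refresh (the cache's internal layout is not described on the page).

sdk_check_cache_state() {
    cache_dir=$1
    # Assumption: reuse the refresh interval (default 24) as the staleness threshold.
    max_hours=${2:-${DOTNET_SDK_VULNERABILITY_CHECK_INTERVAL_HOURS:-24}}
    case $max_hours in
        ''|*[!0-9]*) max_hours=24 ;;   # ignore non-numeric input
    esac

    # The documented switch suppresses NETSDK1238, NETSDK1239 and NETSDK1240.
    if [ "${DOTNET_SDK_VULNERABILITY_CHECK_DISABLE:-false}" = "true" ]; then
        echo disabled
        return 0
    fi

    # No directory or no files: the build check has nothing to read and emits nothing.
    if [ ! -d "$cache_dir" ] ||
       [ -z "$(find "$cache_dir" -type f 2>/dev/null | head -n 1)" ]; then
        echo missing
        return 0
    fi

    # Any file modified inside the window counts as a recent refresh.
    if [ -n "$(find "$cache_dir" -type f -mmin "-$((max_hours * 60))" | head -n 1)" ]; then
        echo fresh
    else
        echo stale
    fi
}

# CI gate: succeed only when the cache is fresh, so "no warning" is meaningful.
# Typical call: require_fresh_sdk_cache "$HOME/.dotnet/sdk-vulnerability-cache"
require_fresh_sdk_cache() {
    state=$(sdk_check_cache_state "$1" "$2")
    [ "$state" = "fresh" ] && return 0
    echo "SDK status cache is $state: $1" >&2
    return 1
}
```
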