Add tests for SDK vulnerability checker and cache

JamieMagee · JamieMagee · commit fc8aa270e69a · 2026-03-22T20:14:18.000-07:00
Tests for the checker cover: vulnerable SDK reports correct CVEs, latest
SDK reports none, EOL channel is detected, feature band matching works,
unknown/invalid versions return null.

Cache tests cover: sentinel timing, env var disable, read/write
roundtrip, corrupt file handling, custom interval hours.

Cache reader tests verify deserialization and the disable flag.

Test fixtures under VulnerabilityTestRelease/ have two channels: 9.0
(active, with CVEs across releases) and 7.0 (EOL since 2024-05-14).
diff --git a/test/TestAssets/TestReleases/VulnerabilityTestRelease/7.0/releases.json b/test/TestAssets/TestReleases/VulnerabilityTestRelease/7.0/releases.json
@@ -0,0 +1,66 @@
+{
+    "channel-version": "7.0",
+    "latest-release": "7.0.20",
+    "latest-release-date": "2024-05-28",
+    "latest-runtime": "7.0.20",
+    "latest-sdk": "7.0.410",
+    "support-phase": "eol",
+    "eol-date": "2024-05-14",
+    "lifecycle-policy": "https://www.microsoft.com/net/support/policy",
+    "releases": [
+        {
+            "release-date": "2024-05-28",
+            "release-version": "7.0.20",
+            "security": true,
+            "cve-list": [
+                {
+                    "cve-id": "CVE-2024-88888",
+                    "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-88888"
+                }
+            ],
+            "release-notes": "https://github.com/dotnet/core/blob/main/release-notes/7.0/7.0.20/7.0.20.md",
+            "runtime": {
+                "version": "7.0.20",
+                "version-display": "7.0.20",
+                "files": []
+            },
+            "sdks": [
+                {
+                    "version": "7.0.410",
+                    "version-display": "7.0.410",
+                    "runtime-version": "7.0.20",
+                    "vs-version": "",
+                    "vs-support": "",
+                    "csharp-version": "11.0",
+                    "fsharp-version": "7.0",
+                    "vb-version": "16.9",
+                    "files": []
+                }
+            ]
+        },
+        {
+            "release-date": "2024-04-09",
+            "release-version": "7.0.19",
+            "security": false,
+            "release-notes": "https://github.com/dotnet/core/blob/main/release-notes/7.0/7.0.19/7.0.19.md",
+            "runtime": {
+                "version": "7.0.19",
+                "version-display": "7.0.19",
+                "files": []
+            },
+            "sdks": [
+                {
+                    "version": "7.0.409",
+                    "version-display": "7.0.409",
+                    "runtime-version": "7.0.19",
+                    "vs-version": "",
+                    "vs-support": "",
+                    "csharp-version": "11.0",
+                    "fsharp-version": "7.0",
+                    "vb-version": "16.9",
+                    "files": []
+                }
+            ]
+        }
+    ]
+}
diff --git a/test/TestAssets/TestReleases/VulnerabilityTestRelease/9.0/releases.json b/test/TestAssets/TestReleases/VulnerabilityTestRelease/9.0/releases.json
@@ -0,0 +1,95 @@
+{
+    "channel-version": "9.0",
+    "latest-release": "9.0.2",
+    "latest-release-date": "2025-02-11",
+    "latest-runtime": "9.0.2",
+    "latest-sdk": "9.0.200",
+    "support-phase": "active",
+    "lifecycle-policy": "https://www.microsoft.com/net/support/policy",
+    "releases": [
+        {
+            "release-date": "2025-02-11",
+            "release-version": "9.0.2",
+            "security": true,
+            "cve-list": [
+                {
+                    "cve-id": "CVE-2025-99999",
+                    "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-99999"
+                }
+            ],
+            "release-notes": "https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.2/9.0.2.md",
+            "runtime": {
+                "version": "9.0.2",
+                "version-display": "9.0.2",
+                "files": []
+            },
+            "sdks": [
+                {
+                    "version": "9.0.200",
+                    "version-display": "9.0.200",
+                    "runtime-version": "9.0.2",
+                    "vs-version": "",
+                    "vs-support": "",
+                    "csharp-version": "13.0",
+                    "fsharp-version": "9.0",
+                    "vb-version": "16.9",
+                    "files": []
+                }
+            ]
+        },
+        {
+            "release-date": "2025-01-14",
+            "release-version": "9.0.1",
+            "security": true,
+            "cve-list": [
+                {
+                    "cve-id": "CVE-2025-12345",
+                    "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12345"
+                }
+            ],
+            "release-notes": "https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.1/9.0.1.md",
+            "runtime": {
+                "version": "9.0.1",
+                "version-display": "9.0.1",
+                "files": []
+            },
+            "sdks": [
+                {
+                    "version": "9.0.102",
+                    "version-display": "9.0.102",
+                    "runtime-version": "9.0.1",
+                    "vs-version": "",
+                    "vs-support": "",
+                    "csharp-version": "13.0",
+                    "fsharp-version": "9.0",
+                    "vb-version": "16.9",
+                    "files": []
+                }
+            ]
+        },
+        {
+            "release-date": "2024-11-12",
+            "release-version": "9.0.0",
+            "security": false,
+            "release-notes": "https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.0/9.0.0.md",
+            "runtime": {
+                "version": "9.0.0",
+                "version-display": "9.0.0",
+                "files": []
+            },
+            "sdks": [
+                {
+                    "version": "9.0.100",
+                    "version-display": "9.0.100",
+                    "runtime-version": "9.0.0",
+                    "vs-version": "",
+                    "vs-support": "",
+                    "csharp-version": "13.0",
+                    "fsharp-version": "9.0",
+                    "vb-version": "16.9",
+                    "files": []
+                }
+            ]
+        }
+    ]
+}
diff --git a/test/TestAssets/TestReleases/VulnerabilityTestRelease/releases-index.json b/test/TestAssets/TestReleases/VulnerabilityTestRelease/releases-index.json
@@ -0,0 +1,28 @@
+{
+    "releases-index": [
+        {
+            "channel-version": "9.0",
+            "latest-release": "9.0.2",
+            "latest-release-date": "2025-02-11",
+            "security": true,
+            "latest-runtime": "9.0.2",
+            "latest-sdk": "9.0.200",
+            "product": ".NET",
+            "support-phase": "active",
+            "eol-date": null,
+            "releases.json": "https://builds.dotnet.microsoft.com/dotnet/release-metadata/9.0/releases.json"
+        },
+        {
+            "channel-version": "7.0",
+            "latest-release": "7.0.20",
+            "latest-release-date": "2024-05-28",
+            "security": true,
+            "latest-runtime": "7.0.20",
+            "latest-sdk": "7.0.410",
+            "product": ".NET",
+            "support-phase": "eol",
+            "eol-date": "2024-05-14",
+            "releases.json": "https://builds.dotnet.microsoft.com/dotnet/release-metadata/7.0/releases.json"
+        }
+    ]
+}
diff --git a/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkReleaseMetadataCache.cs b/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkReleaseMetadataCache.cs
@@ -0,0 +1,147 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Text.Json;
+using Microsoft.DotNet.Cli.SdkVulnerability;
+
+namespace Microsoft.DotNet.Cli.Tests;
+
+public class GivenSdkReleaseMetadataCache : SdkTest
+{
+    public GivenSdkReleaseMetadataCache(ITestOutputHelper log) : base(log)
+    {
+    }
+
+    [Fact]
+    public void IsDisabledWhenEnvVarIsSet()
+    {
+        var cache = new SdkReleaseMetadataCache(
+            GetTempCacheDir(),
+            name => name == EnvironmentVariableNames.SDK_VULNERABILITY_CHECK_DISABLE ? "true" : null);
+
+        cache.IsDisabled().Should().BeTrue();
+    }
+
+    [Fact]
+    public void IsNotDisabledByDefault()
+    {
+        var cache = new SdkReleaseMetadataCache(
+            GetTempCacheDir(),
+            _ => null);
+
+        cache.IsDisabled().Should().BeFalse();
+    }
+
+    [Fact]
+    public void IsDueForUpdateWhenNoSentinelExists()
+    {
+        var cache = new SdkReleaseMetadataCache(
+            GetTempCacheDir(),
+            _ => null);
+
+        cache.IsDueForUpdate().Should().BeTrue();
+    }
+
+    [Fact]
+    public void IsNotDueForUpdateWhenSentinelIsRecent()
+    {
+        string cacheDir = GetTempCacheDir();
+        Directory.CreateDirectory(cacheDir);
+        string sentinelPath = Path.Combine(cacheDir, ".sentinel");
+        File.Create(sentinelPath).Close();
+        File.SetLastAccessTime(sentinelPath, DateTime.Now);
+
+        var cache = new SdkReleaseMetadataCache(cacheDir, _ => null);
+
+        cache.IsDueForUpdate().Should().BeFalse();
+    }
+
+    [Fact]
+    public void IsDueForUpdateWhenSentinelIsOld()
+    {
+        string cacheDir = GetTempCacheDir();
+        Directory.CreateDirectory(cacheDir);
+        string sentinelPath = Path.Combine(cacheDir, ".sentinel");
+        File.Create(sentinelPath).Close();
+        File.SetLastAccessTime(sentinelPath, DateTime.Now.AddHours(-25));
+
+        var cache = new SdkReleaseMetadataCache(cacheDir, _ => null);
+
+        cache.IsDueForUpdate().Should().BeTrue();
+    }
+
+    [Fact]
+    public void ReadsNullWhenNoCacheExists()
+    {
+        var cache = new SdkReleaseMetadataCache(
+            GetTempCacheDir(),
+            _ => null);
+
+        cache.ReadCachedSummary("9.0.100").Should().BeNull();
+    }
+
+    [Fact]
+    public void ReadsCachedSummarySuccessfully()
+    {
+        string cacheDir = GetTempCacheDir();
+        Directory.CreateDirectory(cacheDir);
+
+        var info = new SdkVulnerabilityInfo
+        {
+            IsEol = true,
+            EolDate = new DateTime(2024, 5, 14),
+            Cves = [new SdkCveInfo { Id = "CVE-2025-12345", Url = "https://example.com" }],
+            LatestSdkVersion = "9.0.200"
+        };
+
+        string json = JsonSerializer.Serialize(info, SdkVulnerabilityJsonContext.Default.SdkVulnerabilityInfo);
+        File.WriteAllText(Path.Combine(cacheDir, "sdk-status-9.0.100.json"), json);
+
+        var cache = new SdkReleaseMetadataCache(cacheDir, _ => null);
+        var result = cache.ReadCachedSummary("9.0.100");
+
+        result.Should().NotBeNull();
+        result!.IsEol.Should().BeTrue();
+        result.HasVulnerabilities.Should().BeTrue();
+        result.Cves.Should().Contain(c => c.Id == "CVE-2025-12345");
+        result.LatestSdkVersion.Should().Be("9.0.200");
+    }
+
+    [Fact]
+    public void ReturnsNullForCorruptCacheFile()
+    {
+        string cacheDir = GetTempCacheDir();
+        Directory.CreateDirectory(cacheDir);
+        File.WriteAllText(Path.Combine(cacheDir, "sdk-status-9.0.100.json"), "not valid json");
+
+        var cache = new SdkReleaseMetadataCache(cacheDir, _ => null);
+
+        cache.ReadCachedSummary("9.0.100").Should().BeNull();
+    }
+
+    [Fact]
+    public void CustomIntervalHoursIsRespected()
+    {
+        string cacheDir = GetTempCacheDir();
+        Directory.CreateDirectory(cacheDir);
+        string sentinelPath = Path.Combine(cacheDir, ".sentinel");
+        File.Create(sentinelPath).Close();
+        // Set sentinel to 2 hours ago
+        File.SetLastAccessTime(sentinelPath, DateTime.Now.AddHours(-2));
+
+        // With default 24h interval, should not be due
+        var cache24h = new SdkReleaseMetadataCache(cacheDir, _ => null);
+        cache24h.IsDueForUpdate().Should().BeFalse();
+
+        // With 1h interval, should be due
+        var cache1h = new SdkReleaseMetadataCache(
+            cacheDir,
+            name => name == EnvironmentVariableNames.SDK_VULNERABILITY_CHECK_INTERVAL_HOURS ? "1" : null);
+        cache1h.IsDueForUpdate().Should().BeTrue();
+    }
+
+    private string GetTempCacheDir()
+    {
+        return Path.Combine(Path.GetTempPath(), "sdk-vuln-test-" + Guid.NewGuid().ToString("N")[..8]);
+    }
+}
diff --git a/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkVulnerabilityCacheReader.cs b/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkVulnerabilityCacheReader.cs
diff --git a/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkVulnerabilityChecker.cs b/test/dotnet.Tests/SdkVulnerabilityTests/GivenSdkVulnerabilityChecker.cs
