Highlight transitive packages

.github/workflows/build.yml

@@ -183,6 +183,7 @@ jobs:
     name: Push to Nuget
     runs-on: ubuntu-latest
     needs:   [ sca, style-rules, unit-tests, integration-tests, nuget-package ]
+    if: github.event_name == 'push'
 
     steps:
       - uses: actions/checkout@v3
@@ -199,7 +200,6 @@ jobs:
           path: ${{ github.workspace }}/artifacts      
 
       - name: Push nuget package
-        if: github.event_name == 'push'
         run: dotnet nuget push "artifacts/*.nupkg"  --api-key ${{ secrets.NUGET_PAT }} --source "nuget.org"
 
   gh-release:

src/pkgchk-cli/Console.fs

@@ -6,6 +6,10 @@ open Spectre.Console
 module Console =
 
     let italic value = $"[italic]{value}[/]"
+    let cyan value = $"[cyan]{value}[/]"
+
+    let kindIndent (kind: ScaHitKind) =
+        kind |> Rendering.formatHitKind |> _.Length |> (+) 2 |> String.indent
 
     let formatReason value =
         let colour = Rendering.reasonColour value
@@ -35,34 +39,35 @@ module Console =
         let fmt (hit: ScaHit) =
             seq {
                 match hit.kind with
+                | ScaHitKind.VulnerabilityTransitive
                 | ScaHitKind.Vulnerability ->
                     sprintf
-                        "%s: %s - [cyan]%s[/]"
+                        "%s: %s - %s"
                         (Rendering.formatHitKind hit.kind)
                         (formatSeverity hit.severity)
-                        (nugetLinkPkgVsn hit.packageId hit.resolvedVersion)
+                        (nugetLinkPkgVsn hit.packageId hit.resolvedVersion |> cyan)
                 | ScaHitKind.Deprecated ->
                     sprintf
-                        "%s: [cyan]%s[/]"
+                        "%s: %s"
                         (Rendering.formatHitKind hit.kind)
-                        (nugetLinkPkgVsn hit.packageId hit.resolvedVersion)
+                        (nugetLinkPkgVsn hit.packageId hit.resolvedVersion |> cyan)
 
                 if String.isNotEmpty hit.advisoryUri then
-                    sprintf "                    %s" (italic hit.advisoryUri)
-
-                if
-                    (hit.reasons |> Array.isEmpty |> not)
-                    && String.isNotEmpty hit.suggestedReplacement
-                then
-                    sprintf
-                        "                    [italic]%s - use [cyan]%s[/][/]"
-                        (formatReasons hit.reasons)
-                        (match (hit.suggestedReplacement, hit.alternativePackageId) with
-                         | "", _ -> ""
-                         | x, y when x <> "" && y <> "" -> nugetLinkPkgSuggestion y x |> sprintf "Use %s"
-                         | x, _ -> x |> sprintf "Use %s")
-                else if (hit.reasons |> Array.isEmpty |> not) then
-                    sprintf "                    %s" (italic (formatReasons hit.reasons))
+                    sprintf "%s%s" (kindIndent hit.kind) (italic hit.advisoryUri)
+
+                if (hit.reasons |> Array.isEmpty |> not) then
+                    if String.isNotEmpty hit.suggestedReplacement then
+                        sprintf
+                            "%s%s - %s"
+                            (kindIndent hit.kind)
+                            (formatReasons hit.reasons)
+                            (match (hit.suggestedReplacement, hit.alternativePackageId) with
+                             | "", _ -> ""
+                             | x, y when x <> "" && y <> "" -> nugetLinkPkgSuggestion y x |> cyan |> sprintf "Use %s"
+                             | x, _ -> x |> cyan |> sprintf "Use %s")
+                        |> italic
+                    else
+                        sprintf "%s%s" (kindIndent hit.kind) (formatReasons hit.reasons) |> italic
 
                 ""
             }
@@ -113,6 +118,7 @@ module Console =
 
             let fmtSeverity =
                 function
+                | ScaHitKind.VulnerabilityTransitive
                 | ScaHitKind.Vulnerability -> formatSeverity
                 | ScaHitKind.Deprecated -> formatReason
 

src/pkgchk-cli/Markdown.fs

@@ -62,6 +62,7 @@ module Markdown =
             |> Seq.map (fun (k, s, c) ->
                 let fmt =
                     function
+                    | ScaHitKind.VulnerabilityTransitive
                     | ScaHitKind.Vulnerability -> formatSeverity
                     | ScaHitKind.Deprecated -> formatReason
 
@@ -92,6 +93,7 @@ module Markdown =
         let fmt (hit: ScaHit) =
             seq {
                 match hit.kind with
+                | ScaHitKind.VulnerabilityTransitive
                 | ScaHitKind.Vulnerability ->
                     sprintf
                         "| %s | %s | %s %s | [Advisory](%s) | "

src/pkgchk-cli/Rendering.fs

@@ -7,6 +7,7 @@ module Rendering =
 
     let formatHitKind =
         function
+        | ScaHitKind.VulnerabilityTransitive -> "Vulnerable transitive"
         | ScaHitKind.Vulnerability -> "Vulnerable package"
         | ScaHitKind.Deprecated -> "Deprecated package"
 

src/pkgchk-cli/Sca.fs

@@ -7,6 +7,7 @@ type ScaData = JsonProvider<"ScaSample.json">
 
 type ScaHitKind =
     | Vulnerability
+    | VulnerabilityTransitive
     | Deprecated
 
 type ScaHit =
@@ -114,7 +115,7 @@ module Sca =
                             tp.Vulnerabilities
                             |> Seq.map (fun v ->
                                 { ScaHit.projectPath = System.IO.Path.GetFullPath(p.Path)
-                                  kind = ScaHitKind.Vulnerability
+                                  kind = ScaHitKind.VulnerabilityTransitive
                                   framework = f.Framework
                                   packageId = tp.Id
                                   resolvedVersion = tp.ResolvedVersion
@@ -140,6 +141,7 @@ module Sca =
         let filter =
             (fun (h: ScaHit) ->
                 match h.kind with
+                | ScaHitKind.VulnerabilityTransitive
                 | ScaHitKind.Vulnerability -> h.severity |> HashSet.contains levels
                 | ScaHitKind.Deprecated -> h.reasons |> Seq.exists (fun r -> r |> HashSet.contains levels))
 

src/pkgchk-cli/Utils.fs

@@ -39,6 +39,9 @@ module String =
     [<DebuggerStepThrough>]
     let trim (value: string) = value.Trim()
 
+    [<DebuggerStepThrough>]
+    let indent length = new String(' ', length)
+
 module ReturnCodes =
 
     [<Literal>]

src/pkgchk-cli/pkgchk-cli.fsproj

@@ -15,6 +15,14 @@
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
+    <WarningsAsErrors>3239;$(WarningsAsErrors);FS0025</WarningsAsErrors>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
+    <WarningsAsErrors>3239;$(WarningsAsErrors);FS0025</WarningsAsErrors>
+  </PropertyGroup>
+
   <ItemGroup>
     <None Include="../../README.md" Pack="true" PackagePath="" Visible="False" />
     <Content Include="ScaSample.json" />