Missing nuget command line in Ubuntu 24.04 image (CodeQL) #11446

Closed
2 of 16 tasks
abrousseau-hcgov opened this issue Jan 21, 2025 · 3 comments

Comments


abrousseau-hcgov commented Jan 21, 2025

Description

Good morning,

I have been having CodeQL failures on some of my .NET applications and it seems like it is linked to an upgrade from Ubuntu 22.04 to 24.04 per the latest update for the runner image. I looked at the runner image and it no longer has NuGet as a package manager. Unfortunately, the dotnet nuget doesn't work for me since I have a specific nuget.config file that uses 3rd party repositories that require authentication. Is this something that can be added to the image or will I need to follow the guidance from Microsoft at https://learn.microsoft.com/en-us/nuget/install-nuget-client-tools?tabs=macos#cli-tools to update each of my workflows to ensure that NuGet exists on the image?

Thanks,

Adam Brousseau

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

Current runner:
Runner Image
Image: ubuntu-24.04
Version: 20250105.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1

Previous runner (approximately 3 weeks ago):
Runner Image
Image: ubuntu-22.04
Version: 20241215.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20241215.1/images/ubuntu/Ubuntu2204-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20241215.1

Is it a regression?

Not sure if this qualifies as a regression, but the update to 24.04 is missing the NuGet package manager

Expected behavior

NuGet should be installed or a warning when transitioning from versions of Ubuntu should be available so a correction can be made as I have stated above.

Actual behavior

 |  nuget restore myproject.csproj -ConfigFile nuget.con …
 |  ~~~~~
 | The term 'nuget' is not recognized as a name of a cmdlet, function,
 | script file, or executable program. Check the spelling of the name, or
 | if a path was included, verify that the path is correct and try again.

Repro steps

  1. Create a .NET project, console is easiest, that has a nuget.config file in the repository
  2. Add a CodeQL configuration file as follows:
```yaml
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '18 13 * * 5'

jobs:
  analyze:
    name: Analyze
    # Runner size impacts CodeQL analysis time. To learn more, please see:
    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
    #   - https://gh.io/supported-runners-and-hardware-resources
    #   - https://gh.io/using-larger-runners
    # Consider using larger runners for possible analysis time improvements.
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp', 'javascript-typescript' ]
        # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4.2.2

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3.28.0
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    - name: Setup .NET Core SDK
      uses: actions/setup-dotnet@v4.2.0
      with:
        # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx
        dotnet-version: 8.x
        # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo.
        config-file: myapplication/nuget.config
      # The whole comparison must sit inside the expression: '${{ x }} == y' expands
      # to a non-empty string and is therefore always true.
      if: matrix.language == 'csharp'

    - name: Build and publish Application
      run: |
        cd myapplication
        # Placeholder credentials as posted; in a real workflow take the password from a
        # repository secret (for example via 'env'), never from a literal in the file.
        dotnet nuget update source "mysource" --source "https://mysource.com/v3/index.json" --configfile "nuget.config" --username "myuser" --password "mysecretpassword" --store-password-in-clear-text
        nuget restore myapplication.csproj -ConfigFile nuget.config
        dotnet build --no-restore -property:Configuration=Release
        cd ..
      shell: pwsh
      if: matrix.language == 'csharp'

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3.28.0
      with:
        category: "/language:${{matrix.language}}"
```
  3. Let the runner fail at the NuGet restore step.
@vidyasagarnimmagaddi
Contributor

Hi @abrousseau-hcgov, thank you for bringing this issue to our attention. We will look into this issue closely and will update you after investigating.

@vidyasagarnimmagaddi
Contributor

Hi @abrousseau-hcgov, thank you for contacting us regarding the NuGet package in Ubuntu 24. The NuGet package is available in Ubuntu 20 and 22 images.

We understand the advantages of the NuGet package; however, we decided to remove some tools in order to maintain a lightweight OS image. We recommend that you install it at build time and use it.

@abrousseau-hcgov
Author

@vidyasagarnimmagaddi I am good with that explanation, but it is also important to let the community know when changes like this are going to occur. The only reason I found this is the default image runner for CodeQL recently updated to Ubuntu 24.04 and this broke multiple CodeQL scans. Searching the readme markdown for the Ubuntu 24.04 image runner is what led me to this. Again, I appreciate you looking into this.
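As an added illustration (editor's code, not from this issue or the runner-images project), the following linter checks a workflow for the three things that stand out in the posted "Build and publish" step and in the maintainers' reply: a `nuget` call with no install step on ubuntu-24.04, a literal `--password`, and an `if:` whose comparison sits outside the `${{ }}` expression. The `NUGET_PASSWORD` secret name and the `apt-get` package name in the hardened sample are assumptions.

```python
# Added example (editor's own code, not from this issue or the runner-images project):
# a line-based linter for the pitfalls visible in the posted workflow step.
import re

# Tools the issue reports as preinstalled on ubuntu-22.04 but absent from ubuntu-24.04.
DROPPED_ON_UBUNTU_2404 = {"nuget"}
# `if: ${{ expr }} == 'x'` expands to the string "csharp == 'x'", which is always truthy.
BROKEN_IF = re.compile(r"^\s*if:\s*\$\{\{[^}]*\}\}\s*==")
# A --password value that is neither an expression nor an environment variable.
LITERAL_PASSWORD = re.compile(r'--password\s+(?!"?\$)\S')

def lint_workflow(text: str) -> list[str]:
    """Return one 'line: message' finding per problem, in file order."""
    findings, installed = [], set()  # installed: dropped tools set up earlier in the job
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if BROKEN_IF.match(line):
            findings.append(f"{n}: comparison outside ${{{{ }}}}; write if: matrix.language == 'csharp'")
        if LITERAL_PASSWORD.search(line):
            findings.append(f"{n}: literal --password; pass a repository secret through env")
        if "install" in tokens:
            installed.update(t for t in tokens if t in DROPPED_ON_UBUNTU_2404)
        elif tokens and tokens[0] in DROPPED_ON_UBUNTU_2404 and tokens[0] not in installed:
            findings.append(f"{n}: '{tokens[0]}' is not on ubuntu-24.04 images; install it earlier in the job")
    return findings

# Constructed input: the step from the issue, trimmed, with its posted defects.
POSTED_STEP = """\
    - name: Build and publish Application
      run: |
        dotnet nuget update source "mysource" --configfile "nuget.config" --username "myuser" --password "mysecretpassword" --store-password-in-clear-text
        nuget restore myapplication.csproj -ConfigFile nuget.config
      shell: pwsh
      if: ${{ matrix.language }} == 'csharp'
"""

# Constructed input: the same step with the secret passed through `env`, the tool installed at
# build time (distro package name assumed) and the `if` fixed. The clear-text flag stays: the
# .NET CLI cannot encrypt stored passwords on Linux, and the file lives only in the job workspace.
HARDENED_STEP = """\
    - name: Build and publish Application
      env:
        NUGET_PASSWORD: ${{ secrets.NUGET_PASSWORD }}
      run: |
        sudo apt-get install -y nuget
        dotnet nuget update source "mysource" --configfile "nuget.config" --username "myuser" --password "$env:NUGET_PASSWORD" --store-password-in-clear-text
        nuget restore myapplication.csproj -ConfigFile nuget.config
      shell: pwsh
      if: matrix.language == 'csharp'
"""
```

The check is line-based and deliberately simple; it flags `nuget` only when no earlier line in the file installs it, so an install step placed before the restore silences that finding.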
