
ci: scope NuGet vulnerability gate to PR-introduced changes #3806

Merged: oskogstad merged 10 commits into main from chore/disable-error-on-nu1904 on Apr 20, 2026

Conversation

@oskogstad (Collaborator)

No description provided.

@coderabbitai coderabbitai Bot (Contributor) commented Apr 17, 2026

Note: Reviews paused. Use @coderabbitai resume to resume automatic reviews, or @coderabbitai review to trigger a single review.
📝 Walkthrough

Enable package-lock restores and adjust MSBuild warning rules; add numerous NuGet packages.lock.json files across projects; downgrade two HotChocolate package references by one patch; add a dependency-review job to the PR CI workflow.

Changes (cohort, files, summary)

  • MSBuild warning & lockfile toggles
    Files: Directory.Build.props, src/Digdir.Library.Dialogporten.WebApiClient/Directory.Build.props, tests/Directory.Build.props
    Summary: Set RestorePackagesWithLockFile=true (root and client Directory.Build.props). Root WarningsNotAsErrors appended NU1901;NU1902;NU1903;NU1904. tests/Directory.Build.props changed to $(WarningsNotAsErrors);CS0618. Removed a NuGetAuditSuppress item in root props.
  • CI workflow
    Files: .github/workflows/ci-cd-pull-request.yml
    Summary: Added dependency-review job using actions/dependency-review-action configured to fail on low severity and post a dependency summary comment on failure.
  • NuGet lock files (many projects)
    Files: src/.../packages.lock.json, tests/.../packages.lock.json
    Summary: Added numerous packages.lock.json files across source and test projects (pins resolved package graphs for net10.0/net8.0/net9.0 where applicable). These are lockfile additions only (no source/API changes).
  • HotChocolate package version changes
    Files: src/Digdir.Domain.Dialogporten.GraphQL/Digdir.Domain.Dialogporten.GraphQL.csproj, src/Digdir.Library.Utils.AspNet/Digdir.Library.Utils.AspNet.csproj
    Summary: Downgraded HotChocolate package references from 15.1.14 to 15.1.13 in the two project files.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The PR description is completely empty, missing all required sections from the template including Description, Related Issues, Verification checklist, and Documentation. Resolution: Add a comprehensive description including the purpose of changes, related issue number, verification steps completed, and any documentation updates.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The PR title clearly and concisely describes the main change: scoping NuGet vulnerability checks to PR-introduced changes. This directly relates to the new dependency-review CI job added to the workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Directory.Build.props`:
- Line 12: Add a clear explanatory comment above the WarningsNotAsErrors entry
that suppresses NU1904: state which specific advisory or vulnerable package(s)
required the NU1904 suppression, reference the existing tracking TODO/issue
number, indicate whether this is temporary and include a target remediation
date, and note why a global suppression was chosen instead of using
NuGetAuditSuppress or adjusting NuGetAuditLevel; if suppression can be scoped,
replace the global NU1904 entry with specific <NuGetAuditSuppress> entries (see
existing GHSA-rvv3-g6hj-g44x usage) or lower NuGetAuditLevel to keep critical
advisories visible.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dbbc3f3d-2657-41c2-a759-626f577fe770

📥 Commits

Reviewing files that changed from the base of the PR and between 64009cb and e3cc4c2.

📒 Files selected for processing (2)
  • Directory.Build.props
  • tests/Directory.Build.props

@oskogstad oskogstad requested a review from a team as a code owner April 18, 2026 14:07
@coderabbitai coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/ci-cd-pull-request.yml (1)

65-79: Consider fail-on-severity: moderate or high to avoid friction from low-severity advisories with no fix available.

Setting fail-on-severity: low is the strictest option and will block PRs on any low-severity advisory introduced or updated in dependencies. Given this PR also downgrades NU1901–NU1904 from build errors to warnings in Directory.Build.props, the intent appears to be shifting vulnerability gating from build-time to this CI job — in which case low is defensible, but may cause friction. There is no allow-ghsas escape hatch configured, so unblocking a PR requires editing the workflow.

Also note: this job has no if: guard and runs on all PRs, unlike other jobs that skip on docs-only or tests/k6/** changes. This is appropriate for a security gate and intentional-by-design.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci-cd-pull-request.yml around lines 65 - 79, update the
dependency-review job to use a less noisy failure threshold by changing the
actions/dependency-review-action input fail-on-severity from "low" to "moderate"
or "high" (modify the fail-on-severity key in the dependency-review job), and
optionally add an allow-ghsas or similar exception mechanism if you want
allowed/unblockable advisories; ensure the uses:
actions/dependency-review-action and comment-summary-in-pr inputs remain
unchanged so the action still posts PR summaries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2ae13c49-aec9-4575-95bd-82fdd1b97b0c

📥 Commits

Reviewing files that changed from the base of the PR and between e3cc4c2 and 73a69bd.

📒 Files selected for processing (2)
  • .github/workflows/ci-cd-pull-request.yml
  • Directory.Build.props
✅ Files skipped from review due to trivial changes (1)
  • Directory.Build.props
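A dependency-review job configured along the lines the comment suggests, as an added example (not the job from this PR's ci-cd-pull-request.yml). fail-on-severity, allow-ghsas and comment-summary-in-pr are documented inputs of actions/dependency-review-action; the major-version pins, the permissions block and the placeholder advisory id are assumptions.

```yaml
# Added example, not the workflow from this PR.
jobs:
  dependency-review:
    name: Dependency review
    runs-on: ubuntu-latest
    permissions:
      contents: read        # assumed: read manifests and lock files in the PR diff
      pull-requests: write  # assumed: needed for comment-summary-in-pr to post
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4   # major-version pin assumed
        with:
          # Gate on moderate and above so low-severity advisories with no fix
          # available do not block every PR; raise to high if noise remains.
          fail-on-severity: moderate
          # Advisories reviewed and accepted for this repo, so unblocking a PR
          # means adding an id here instead of editing the threshold
          # (placeholder id; comma-separate several ids).
          allow-ghsas: GHSA-xxxx-xxxx-xxxx
          # Post the dependency summary to the PR only when the gate fails.
          comment-summary-in-pr: on-failure
```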

@oskogstad oskogstad changed the title chore: disable error on nu1904 ci: scope NuGet vulnerability gate to PR-introduced changes Apr 18, 2026
elsand
elsand previously approved these changes Apr 18, 2026
@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 7

♻️ Duplicate comments (1)
src/Digdir.Domain.Dialogporten.WebApi/packages.lock.json (1)

144-148: ⚠️ Potential issue | 🟠 Major

Address AutoMapper security vulnerability (duplicate finding).

AutoMapper 14.0.0 has the same HIGH severity DoS vulnerability (GHSA-rvv3-g6hj-g44x) flagged in the test project. This affects multiple projects in the solution. Once a patched version is identified, ensure it's updated consistently across all lock files.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/Digdir.Domain.Dialogporten.WebApi/packages.lock.json` around lines 144 -
148, the AutoMapper package entry ("AutoMapper") in the lock file is pinned to
the vulnerable 14.0.0; update it to the patched version across all affected lock
files (search for the "AutoMapper" entries in packages.lock.json files),
regenerate the lock files (e.g., restore/restore-lock) so the resolved version
is updated consistently, and verify the new resolved version replaces "14.0.0"
in every occurrence to eliminate the GHSA-rvv3-g6hj-g44x vulnerability.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Digdir.Domain.Dialogporten.Application/packages.lock.json`:
- Around line 11-18: Update the AutoMapper package reference in the
Digdir.Domain.Dialogporten.Application project: change the PackageReference for
"AutoMapper" in Digdir.Domain.Dialogporten.Application.csproj to a patched
version (e.g., 15.1.1 or 16.1.1+), restore/refresh NuGet packages and regenerate
the packages.lock.json so the lockfile reflects the new resolved AutoMapper
version, then commit the updated csproj and regenerated lockfile.

In `@src/Digdir.Domain.Dialogporten.GraphQL/packages.lock.json`:
- Around line 5-13: The lockfile shows AppAny.HotChocolate.FluentValidation
(0.12.0) depending on HotChocolate.Execution 14.1.0 which is incompatible with
the resolved HotChocolate 15.1.13 set; fix by either (A) replacing
AppAny.HotChocolate.FluentValidation with a compatible alternative (e.g., switch
to FairyBread or HotChocolate.Validation middleware and update package
references and registration code), (B) pin HotChocolate packages back to a 14.x
set that matches AppAny.HotChocolate.FluentValidation, or (C) use the unmerged
HC-15.1 branch of AppAny.HotChocolate.FluentValidation (PR `#116`) and update
project package references to that branch; update the project/nuget package
references (csproj/PackageReference or package management config) and regenerate
the lockfile so HotChocolate.Execution and AppAny.HotChocolate.FluentValidation
are aligned.

In `@src/Digdir.Domain.Dialogporten.Janitor/packages.lock.json`:
- Around line 219-223: The packages.lock.json currently pins AutoMapper at
14.0.0 which is vulnerable (GHSA-rvv3-g6hj-g44x); update the AutoMapper
dependency entry from 14.0.0 to a safe patched release (15.1.1 or 16.1.1
depending on the target framework) in your project dependency declarations
(where AutoMapper is referenced) and then regenerate all lockfiles
(packages.lock.json / any other lock manifests) so the resolved field for
AutoMapper reflects the new version; ensure the change propagates to any related
dependency entries (e.g., the AutoMapper package block in packages.lock.json)
and run a restore/build to verify no breaking changes.

In `@src/Digdir.Tool.Dialogporten.GenerateFakeData/packages.lock.json`:
- Around line 22-29: The project currently pins AutoMapper to 14.0.0 in the
.csproj which is vulnerable (GHSA-rvv3-g6hj-g44x); update the package reference
in the relevant .csproj to a patched release (>=15.1.1 or 16.1.1) replacing the
PackageReference for AutoMapper, then run dotnet restore / dotnet restore
--use-lock-file and regenerate all packages.lock.json files so the lockfiles
reflect the new version (verify AutoMapper entry in packages.lock.json shows
15.1.1 or 16.1.1); repeat for any other projects referencing AutoMapper and
commit the updated .csproj and regenerated lockfiles.

In `@tests/Digdir.Domain.Dialogporten.E2E.Cleanup.Tests/packages.lock.json`:
- Around line 62-68: The lockfile pins AutoMapper at 14.0.0 which is vulnerable
to GHSA-rvv3-g6hj-g44x; update the upstream package reference for AutoMapper
(the dependency named "AutoMapper" in packages.lock.json) to a patched version
(>=15.1.1 or >=16.1.1) in your project file(s), then
restore/restore-lock/regenerate the lockfile so packages.lock.json is updated
(ensure the "resolved" entry reflects the new version and re-run your restore
command to produce a new lockfile).

In `@tests/Digdir.Domain.Dialogporten.GraphQl.E2E.Tests/packages.lock.json`:
- Around line 107-113: The AutoMapper entry in packages.lock.json shows version
14.0.0 which has a DoS vulnerability; update your project NuGet reference(s) to
a fixed version (at least 15.1.1, or preferably 16.1.1) by changing the
AutoMapper package version in the project file(s) that reference AutoMapper,
then run dotnet restore (or your package restore) to regenerate
packages.lock.json so the "AutoMapper" resolved version reflects the upgraded
release; ensure any build/test CI steps pick up the new lock file and that
transitive consumers (see the "AutoMapper" entry and its
"Microsoft.Extensions.Options" dependency) remain compatible.

In `@tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/packages.lock.json`:
- Around line 62-69: The lockfile shows AutoMapper at 14.0.0 which is vulnerable
(CVE-2026-32933); update the AutoMapper package reference in the owning project
(where PackageReference for "AutoMapper" is declared) to 15.1.1 or newer,
restore/rebuild to regenerate the packages.lock.json, and commit the updated
lockfile so the tests use the patched AutoMapper version.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9044a10c-3349-4e67-bb5c-93b8872c190d

📥 Commits

Reviewing files that changed from the base of the PR and between 73a69bd and 92c8165.

📒 Files selected for processing (29)
  • Directory.Build.props
  • src/Digdir.Domain.Dialogporten.Application/packages.lock.json
  • src/Digdir.Domain.Dialogporten.Domain/packages.lock.json
  • src/Digdir.Domain.Dialogporten.GraphQL/Digdir.Domain.Dialogporten.GraphQL.csproj
  • src/Digdir.Domain.Dialogporten.GraphQL/packages.lock.json
  • src/Digdir.Domain.Dialogporten.Infrastructure/packages.lock.json
  • src/Digdir.Domain.Dialogporten.Janitor/packages.lock.json
  • src/Digdir.Domain.Dialogporten.Service/packages.lock.json
  • src/Digdir.Domain.Dialogporten.WebApi/packages.lock.json
  • src/Digdir.Library.Dialogporten.WebApiClient.WebApiSample/packages.lock.json
  • src/Digdir.Library.Dialogporten.WebApiClient/Directory.Build.props
  • src/Digdir.Library.Dialogporten.WebApiClient/packages.lock.json
  • src/Digdir.Library.Entity.Abstractions/packages.lock.json
  • src/Digdir.Library.Entity.EntityFrameworkCore/packages.lock.json
  • src/Digdir.Library.Utils.AspNet/Digdir.Library.Utils.AspNet.csproj
  • src/Digdir.Library.Utils.AspNet/packages.lock.json
  • src/Digdir.Tool.Dialogporten.GenerateFakeData/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.Application.Integration.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.Application.Unit.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.Architecture.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.E2E.Cleanup.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.GraphQl.E2E.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.GraphQl.Integration.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.GraphQl.Unit.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.Infrastructure.Unit.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.WebAPI.E2E.Tests/packages.lock.json
  • tests/Digdir.Domain.Dialogporten.WebApi.Unit.Tests/packages.lock.json
  • tests/Digdir.Library.Dialogporten.E2E.Common/packages.lock.json
  • tests/Digdir.Library.Dialogporten.WebApiClient.Unit.Tests/packages.lock.json
✅ Files skipped from review due to trivial changes (7)
  • src/Digdir.Library.Dialogporten.WebApiClient/Directory.Build.props
  • src/Digdir.Library.Utils.AspNet/Digdir.Library.Utils.AspNet.csproj
  • src/Digdir.Library.Entity.Abstractions/packages.lock.json
  • src/Digdir.Domain.Dialogporten.Domain/packages.lock.json
  • src/Digdir.Library.Entity.EntityFrameworkCore/packages.lock.json
  • src/Digdir.Library.Dialogporten.WebApiClient/packages.lock.json
  • src/Digdir.Domain.Dialogporten.GraphQL/Digdir.Domain.Dialogporten.GraphQL.csproj
🚧 Files skipped from review as they are similar to previous changes (1)
  • Directory.Build.props
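The review above asks that the patched AutoMapper version replace 14.0.0 in every packages.lock.json. A small audit script that walks lock files and reports resolved versions still inside a vulnerable range, as an added example (not code from the Dialogporten repo or the CodeRabbit review); the vulnerable ranges are derived from the fix versions the review names and the sample lock files are constructed.

```python
"""Flag known-vulnerable resolved versions in NuGet packages.lock.json files.
Added example, not Dialogporten or CodeRabbit code; ranges and samples are constructed."""
import json
from pathlib import Path

# Vulnerable ranges as [lower inclusive, upper exclusive), derived from the fix
# versions named in the review (15.1.1 / 16.1.1). Assumed; verify against the advisory.
VULNERABLE = {"AutoMapper": ("GHSA-rvv3-g6hj-g44x", [("0.0.0", "15.1.1"), ("16.0.0", "16.1.1")])}


def parse_version(text):
    """NuGet version string -> comparable 4-tuple; prerelease/build tags are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def lock_entries(lock):
    """Yield (tfm, package, type, resolved) for each entry. Project references have
    type "Project" and no "resolved" key, so they are yielded with resolved=None."""
    for tfm, packages in lock.get("dependencies", {}).items():
        for name, entry in packages.items():
            yield tfm, name, entry.get("type"), entry.get("resolved")


def find_vulnerable(locks):
    """locks: {path: parsed lock JSON}. Return one finding dict per vulnerable entry."""
    findings = []
    for path, lock in locks.items():
        for tfm, name, kind, resolved in lock_entries(lock):
            if resolved is None or name not in VULNERABLE:
                continue
            advisory, ranges = VULNERABLE[name]
            v = parse_version(resolved)
            if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
                findings.append({"file": path, "tfm": tfm, "package": name, "type": kind,
                                 "resolved": resolved, "advisory": advisory})
    return findings


def load_locks(root):
    """Read every packages.lock.json under root, for scanning a real checkout."""
    return {str(p): json.loads(p.read_text()) for p in Path(root).rglob("packages.lock.json")}


# Constructed sample lock files in the NuGet v1 lock-file shape (contentHash omitted).
SAMPLE_LOCKS = {
    "src/App/packages.lock.json": {"version": 1, "dependencies": {"net10.0": {
        "AutoMapper": {"type": "Direct", "requested": "[14.0.0, )", "resolved": "14.0.0",
                       "dependencies": {"Microsoft.Extensions.Options": "9.0.0"}},
        "Microsoft.Extensions.Options": {"type": "Transitive", "resolved": "9.0.0"},
        "Example.Domain": {"type": "Project"}}}},
    "tests/Unit/packages.lock.json": {"version": 1, "dependencies": {"net10.0": {
        "AutoMapper": {"type": "Transitive", "resolved": "15.1.1"}}}},
}

if __name__ == "__main__":  # swap SAMPLE_LOCKS for load_locks(".") in a real repo
    for f in find_vulnerable(SAMPLE_LOCKS):
        print(f"{f['file']} [{f['tfm']}] {f['package']} {f['resolved']} ({f['type']}): {f['advisory']}")
```

Transitive entries are checked as well as direct ones, since a lock file pins the whole resolved graph and a transitive AutoMapper 14.0.0 is just as exposed.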

@oskogstad (Collaborator, Author)

@coderabbitai pause

@coderabbitai coderabbitai Bot (Contributor) commented Apr 18, 2026

✅ Actions performed

Reviews paused.

@majoer majoer self-requested a review April 20, 2026 07:20
@oskogstad oskogstad merged commit 9029b8b into main Apr 20, 2026
37 checks passed
@oskogstad oskogstad deleted the chore/disable-error-on-nu1904 branch April 20, 2026 07:23
@github-actions github-actions Bot added the at23 Deployed to at23 label Apr 20, 2026