Redundant SCA reports

[aep-sunlife]

dotnet build shows the same CVE's twice, sometimes 4x or more.

That doesn't scale well for practical applications, which often exhibit hundreds of CVE's.

The redundant logging is noisy and makes it difficult to navigate the information. At cloud scale, the redundant log lines constitute measurable waste in terms of I/O and storage fees.

Using .NET 8.0.401.

Trace

$ dotnet build
  Determining projects to restore...
/Users/lo40/go/src/bitbucket.us.sunlife/SecOps/hello-world-csharp/hello-world-csharp.csproj : error NU1903: Warning As Error: Package 'Npgsql' 8.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-x9vc-6hfv-hg8c
  Failed to restore /Users/lo40/go/src/bitbucket.us.sunlife/SecOps/hello-world-csharp/hello-world-csharp.csproj (in 131 ms).

Build FAILED.

/Users/lo40/go/src/bitbucket.us.sunlife/SecOps/hello-world-csharp/hello-world-csharp.csproj : error NU1903: Warning As Error: Package 'Npgsql' 8.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-x9vc-6hfv-hg8c
    0 Warning(s)
    1 Error(s)

Time Elapsed 00:00:00.45

hello.csproj

<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net8.0</TargetFramework>
        <RootNamespace>hello_world_csharp</RootNamespace>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    </PropertyGroup>
    <ItemGroup>
        <PackageReference Include="Npgsql" Version="8.0.2" />
    </ItemGroup>
</Project>

[joeloff]

The double logging is a result of reporting it when the project is built and providing a summary of errors at the end of the build, e.g. when you're building a solution consisting of multiple projects. It's mostly done for convenience. It will likely get repeated more if you are targeting multiple TFMs as well.

[baronfel]

if you don't want the summary you can pass --consoleLoggerParameters:NoSummary to your build command. There are more switches to customize the logger behavior, see https://learn.microsoft.com/en-us/visualstudio/msbuild/msbuild-command-line-reference?view=vs-2022#switches-for-loggers for the full list.

[marcpopMSFT]

See Chet's response. The console logger does a summary at the end and you sometimes get duplicates when there's an error on restore and the same on in build. No plans to change this at the moment.