C#: Emit diagnostic if private registries are configured

mbg · mbg · commit 571f21ba49d3 · 2026-02-03T15:28:47.000Z
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs
@@ -5,6 +5,7 @@
 using Semmle.Util;
 using Semmle.Util.Logging;
 using Newtonsoft.Json;
+using System.Linq;
 
 namespace Semmle.Extraction.CSharp.DependencyFetching
 {
@@ -37,7 +38,8 @@ public record class RegistryConfig(string Type, string URL);
         /// </summary>
         internal X509Certificate2? Certificate { get; private set; }
 
-        internal static DependabotProxy? GetDependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory)
+        internal static DependabotProxy? GetDependabotProxy(
+            ILogger logger, IDiagnosticsWriter diagnosticsWriter, TemporaryDirectory tempWorkingDirectory)
         {
             // Setting HTTP(S)_PROXY and SSL_CERT_FILE have no effect on Windows or macOS,
             // but we would still end up using the Dependabot proxy to check for feed reachability.
@@ -112,6 +114,23 @@ public record class RegistryConfig(string Type, string URL);
                 }
             }
 
+            // Emit a diagnostic for the discovered private registries, so that it is easy
+            // for users to see that they were picked up.
+            if (result.RegistryURLs.Count > 0)
+            {
+                diagnosticsWriter.AddEntry(new DiagnosticMessage(
+                    Language.CSharp,
+                    "buildless/analysis-using-private-registries",
+                    severity: DiagnosticMessage.TspSeverity.Note,
+                    visibility: new DiagnosticMessage.TspVisibility(true, true, true),
+                    name: "C# extraction used private package registries",
+                    markdownMessage: string.Format(
+                        "C# was extracted using the following private package registries:\n\n{0}\n",
+                        string.Join("\n", result.RegistryURLs.Select(url => string.Format("- `{0}`", url)))
+                    )
+                ));
+            }
+
             return result;
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
@@ -106,7 +106,7 @@ void exitCallback(int ret, string msg, bool silent)
                 return BuildScript.Success;
             }).Run(SystemBuildActions.Instance, startCallback, exitCallback);
 
-            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, tempWorkingDirectory);
+            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, diagnosticsWriter, tempWorkingDirectory);
 
             try
             {

Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ void exitCallback(int ret, string msg, bool silent)`
`106`	`106`	`return BuildScript.Success;`
`107`	`107`	`}).Run(SystemBuildActions.Instance, startCallback, exitCallback);`
`108`	`108`
`109`		`- dependabotProxy = DependabotProxy.GetDependabotProxy(logger, tempWorkingDirectory);`
	`109`	`+ dependabotProxy = DependabotProxy.GetDependabotProxy(logger, diagnosticsWriter, tempWorkingDirectory);`
`110`	`110`
`111`	`111`	`try`
`112`	`112`	`{`