Commit

Merge pull request #41753 from dotnet/main
Publish What's new for .NET 9 Preview 6
gewarren authored Jul 13, 2024
2 parents 566b11c + 8e1612e commit cddcb28
Showing 24 changed files with 945 additions and 129 deletions.
5 changes: 3 additions & 2 deletions docs/core/compatibility/sdk/8.0/dotnet-restore-audit.md
Expand Up @@ -13,7 +13,7 @@ Previously, `dotnet restore` did not emit any security vulnerability warnings by

## New behavior

If you're developing with the .NET 8 SDK or a later version, `dotnet restore` produces security vulnerability warnings by default for *all* restored projects. When you load a solution or project, or run a CI/CD script, this change may break your workflow if you have `<TreatWarningsAsErrors>` enabled.
If you're developing with the .NET 8 SDK or a later version, `dotnet restore` produces security vulnerability warnings by default for *all* restored projects. When you load a solution or project, or run a CI/CD script, this change might break your workflow if you have `<TreatWarningsAsErrors>` enabled.

## Version introduced

Expand All @@ -25,7 +25,7 @@ This change is a [behavioral change](../../categories.md#behavioral-change).

## Reason for change

In most cases when you restore a package, you want to know whether the restored package version contains any known security vulnerabilities. This functionality was added as it is a highly requested feature and security concerns continue to increase each year where known security issues can not be visible enough to taking immediate action.
Many users want to know whether the packages they restore contain any known security vulnerabilities. This functionality was a highly requested feature. Security concerns continue to increase each year and some known security issues aren't visible enough to take immediate action.

## Recommended action
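Review bot: The last sentence of the rewritten "Reason for change" paragraph still has no subject for its infinitive: "some known security issues aren't visible enough to take immediate action" reads as if the issues take the action. Suggest "aren't visible enough for users to take immediate action", and add a comma before "and", since it joins two independent clauses.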

Expand All @@ -39,4 +39,5 @@ In most cases when you restore a package, you want to know whether the restored

## See also

- [Audit for security vulnerabilities (`dotnet restore`)](../../../tools/dotnet-restore.md#audit-for-security-vulnerabilities)
- [Auditing package dependencies for security vulnerabilities](/nuget/concepts/auditing-packages)
7 changes: 3 additions & 4 deletions docs/core/diagnostics/metrics-instrumentation.md
Expand Up @@ -327,7 +327,7 @@ summarize the distribution differently or offer more configuration options.
```csharp
using System;
using System.Diagnostics.Metrics;

class Program
{
// BEWARE! Static initializers only run when code in a running method refers to a static variable.
Expand All @@ -336,7 +336,7 @@ summarize the distribution differently or offer more configuration options.
static Meter s_meter = new Meter("HatCo.Store");
static ObservableCounter<int> s_coatsSold = s_meter.CreateObservableCounter<int>("hatco.store.coats_sold", () => s_rand.Next(1,10));
static Random s_rand = new Random();

static void Main(string[] args)
{
Console.ReadLine();
Expand Down Expand Up @@ -502,8 +502,7 @@ Press p to pause, r to resume, q to quit.

### Best practices

- Although the API allows any object to be used as the tag value, numeric types and strings are anticipated by collection tools. Other types may or may not be
supported by a given collection tool.
- Although the API allows any object to be used as the tag value, numeric types and strings are anticipated by collection tools. Other types may or may not be supported by a given collection tool.

- We recommend tag names follow the [OpenTelemetry naming guidelines](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/general/metrics.md#general-guidelines),
which use lowercase dotted hierarchal names with '_' characters to separate multiple words in the same element. If tag names are reused in different metrics or other telemetry
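Review bot: The joined bullet under "Best practices" keeps "may or may not be supported", while this same commit changes "may break" to "might break" in dotnet-restore-audit.md; use "might or might not" here so the two edits agree. While this list is being touched, "hierarchal" in the following bullet should be "hierarchical".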
19 changes: 19 additions & 0 deletions docs/core/tools/buildcheck-rules/bc0101.md
@@ -0,0 +1,19 @@
---
title: "BC0101: Shared output path"
description: Learn about .NET SDK error BC0101, which occurs when an output path or intermediate outpath is shared between multiple projects.
ms.topic: error-reference
ms.date: 07/10/2024
f1_keywords:
- BC0101
---
# BC0101

**This article applies to:** ✔️ .NET 9 SDK and later versions

It's not recommended to share an output path or intermediate output path between multiple projects. Such practice can lead to silent overwrites of the outputs. Order of write depends on the order of the build, which isn't guaranteed unless explicitly configured. Sharing an output path can cause nondeterministic behavior of the build.

If you want to produce outputs in a consolidated output folder, consider using the [Artifacts output layout](../../sdk/artifacts-output.md) or [Microsoft.Build.Artifacts SDK](https://github.com/microsoft/MSBuildSdks/tree/main/src/Artifacts).

The full error message is similar to the following example:

> **BC0101: Two projects should not share their OutputPath or IntermediateOutputPath locations.**
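Review bot: Typo in the `description` front matter: "intermediate outpath" should be "intermediate output path", matching the body text and the quoted message. The article also never mentions BC0102, although bc0102.md in this commit links back here as the more specific rule; a closing sentence pointing to BC0102 for the general "any task writes the same file" case would make the pair navigable in both directions.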
21 changes: 21 additions & 0 deletions docs/core/tools/buildcheck-rules/bc0102.md
@@ -0,0 +1,21 @@
---
title: "BC0102: Double writes"
description: Learn about .NET SDK error BC0102, which occurs when multiple tasks attempt to write to a single file.
ms.topic: error-reference
ms.date: 07/10/2024
f1_keywords:
- BC0102
---
# BC0102

**This article applies to:** ✔️ .NET 9 SDK and later versions

Multiple tasks attempt to write to a single file. Such behavior can lead to nondeterminism of a build (results can be dependent on the order of task execution if they belong to independent projects) or to lost updates.

If multiple tasks need to produce or update a single file in a one-by-one pipeline fashion, each intermediate output should be given a distinct name. Distinct files prevent silent mixups if any of the tasks in the chain are skipped or removed.

The full error message is similar to the following example:

> **BC0102: Two tasks should not write the same file.**
This rule flags a similar problem as [BC0101 - Shared output path](bc0101.md), but applies more generally to *any* tasks that write to a file.
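Review bot: In the closing sentence, "flags a similar problem as [BC0101 - Shared output path]" should read "flags a problem similar to". In the first paragraph, the parenthetical "results can be dependent on the order of task execution if they belong to independent projects" leaves "they" ambiguous between the results and the tasks; suggest "if the tasks belong to independent projects".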
20 changes: 20 additions & 0 deletions docs/core/tools/buildcheck-rules/index.md
@@ -0,0 +1,20 @@
---
title: BuildCheck rule list
description: A complete list of BCxxxx build check errors.
ms.topic: error-reference
ms.date: 07/10/2024
ms.custom: updateeachrelease
f1_keywords:
- BC0101
- BC0102
---
# BuildCheck rule list

**This article applies to:** ✔️ .NET 9 SDK and later versions

The following list includes all build-check warnings that you might get from the .NET SDK.

| Rule | Message |
|---------------------|-------------------------------------------------------------------------------------|
| [BC0101](bc0101.md) | Two projects should not share their OutputPath or IntermediateOutputPath locations. |
| [BC0102](bc0102.md) | Two tasks should not write the same file. |
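Review bot: The front matter and body disagree on severity: `description` says "build check errors", the intro sentence says "build-check warnings", and both rule pages added in this commit describe a ".NET SDK error". Pick one term and use it in all three files, since readers with `<TreatWarningsAsErrors>` need to know which applies. The hyphenation also differs between "build check" in the description and "build-check" in the body.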
10 changes: 8 additions & 2 deletions docs/core/tools/dotnet-restore.md
Expand Up @@ -192,9 +192,11 @@ There are three specific settings that `dotnet restore` ignores:

## Audit for security vulnerabilities

Starting in .NET 8, you can opt into NuGet security auditing for `dotnet restore`. This auditing produces a report of security vulnerabilities with the affected package name, the severity of the vulnerability, and a link to the advisory for more details.
Starting in .NET 8, `dotnet restore` includes NuGet security auditing. This auditing produces a report of security vulnerabilities with the affected package name, the severity of the vulnerability, and a link to the advisory for more details.

To opt into security auditing, set the `<NuGetAudit>` MSBuild property to `true` in your project file. Additionally, to retrieve the known vulnerability dataset, ensure that you have the NuGet.org central registry defined as one of your package sources:
To opt out of the security auditing, set the `<NuGetAudit>` MSBuild property to `false` in your project file.

To retrieve the known vulnerability dataset, ensure that you have the NuGet.org central registry defined as one of your package sources:

```xml
<packageSources>
Expand All @@ -203,3 +205,7 @@ To opt into security auditing, set the `<NuGetAudit>` MSBuild property to `true`
```

You can configure the level at which auditing will fail by setting the `<NuGetAuditLevel>` MSBuild property. Possible values are `low`, `moderate`, `high`, and `critical`. For example if you only want to see moderate, high, and critical advisories, you can set the property to `moderate`.

Starting in .NET 9, NuGet audits both *direct* and *transitive* package references, by default. In .NET 8, only *direct* package references are audited. You can change the mode by setting the `<NuGetAuditMode>` MSBuild property to `direct` or `all`.

For more information, see [Auditing package dependencies for security vulnerabilities](/nuget/concepts/auditing-packages).
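Review bot: The new `<NuGetAuditMode>` paragraph says .NET 9 audits direct and transitive references by default but lists the values only as "`direct` or `all`"; state explicitly which value is the default in each SDK so readers know what to set to get the other behavior. Auditing transitive references by default will also surface additional warnings for builds that set `<TreatWarningsAsErrors>`, the same breakage described in dotnet-restore-audit.md in this commit, so a link to that article belongs here. The unchanged sentence above, "the level at which auditing will fail", now sits oddly beside text that describes the feature as producing warnings.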
1 change: 1 addition & 0 deletions docs/core/whats-new/dotnet-8/sdk.md
Expand Up @@ -19,6 +19,7 @@ This section contains the following subtopics:
- [Simplified output paths](#simplified-output-paths)
- ['dotnet workload clean' command](#dotnet-workload-clean-command)
- ['dotnet publish' and 'dotnet pack' assets](#dotnet-publish-and-dotnet-pack-assets)
- [`dotnet restore` security auditing](#dotnet-restore-security-auditing)
- [Template engine](#template-engine)
- [Source Link](#source-link)
- [Source-build SDK](#source-build-sdk)
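Review bot: The new TOC entry links to `#dotnet-restore-security-auditing`, but this file has only one added line, so no heading is added with it. Confirm that a "dotnet restore security auditing" section already exists in sdk.md; otherwise the link is dead. The entry also formats the command with backticks where the neighbouring entries use single quotes ('dotnet workload clean' command); match one style.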
