[Bug Bash] Vulnerability icon should not show on the right side of the ‘Installed’ tab when a local path was configured as audit source

[v-luzh]

NuGet Product Used

Visual Studio Package Management UI

Product Version

VS Main/11421.133 + NuGet Client Dev/7.4.0.14

Worked before?

It is a regression since it doesn’t repro on D18.0\11304.174 since ‘audit source’ is a new feature.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Note:

1. Repro rate: 100%.

Repro Steps:

1. Create a C# Console App (.NET 10.0) in VS and open the project-level PM UI.
2. Click the menu ‘Tools->Options->NuGet Package Manager->Sources’ and add a package source ‘https://api.nuget.org/v3/index.json’ in the ‘Package sources’ section.
3. Check the checkbox ‘Use separate sources for vulnerability audit’ and add a local package source with the package name ‘Local’ in the ‘Audit sources’ section.
4. Go back to the ‘Browse’ tab of PM UI, select the source added in step 2 from the ‘Package source’ dropdown list and select a vulnerable package from the ‘Version’ dropdown list (for example, Newtonsoft.Json 12.0.1 in this instance).
5. Install the package, click the ‘Installed’ tab and observe.

Expected Result:

No vulnerability icon shows on the right side of the ‘Installed’ tab because the configured audit source doesn’t have vulnerability data.

Actual Result:

A vulnerability icon shows on the right side of the ‘Installed’ tab as the screenshot below.

Verbose Logs

[donnie-msft]

This is because nuget.org is still flagging this package in the Search results, which the Installed Tab indicator looks at and finds that Newtonsoft.Json is vulnerable.
I will look into this in Quality Week to see if stopping that logic makes sense now that we're using Audit Sources & VulnerabilityInfo resources.