[Bug Bash][Unstable] An error “Attempted to divide by zero.” occurs when executing command “dotnet list [ProjectPath] package --vulnerable” #14122

Open
CiciLi1 opened this issue Feb 21, 2025 · 10 comments
Labels
Area:NuGetAudit Category:Quality Week Issues that should be considered for quality week Found:ManualTests Functionality:ListPackage dotnet.exe list package good first issue Issues identified as good for first-time contributors Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug

Comments

@CiciLi1

CiciLi1 commented Feb 21, 2025

NuGet Product Used

dotnet.exe

Product Version

.NET SDK Version: 9.0.300-preview.0.25119.12

Worked before?

It’s not a regression since it reproes on .NET SDK 8.0.406.

Impact

It bothers me. A fix would be nice

Repro Steps & Context

Notes:  

  1. The repro rate is 100%.

  2. The error never reproes when executing “dotnet restore”.

  3. This error will not repro after switching to execute “.\dotnet.exe list [ProjectPath] package --vulnerable”.

Repro Steps:   

  1. Patched dotnet SDK with ‘-SDKChannel 9.0.3xx’.
  2. Create a C# Console App (.NET 9.0) project via VS.
  3. Add a ‘nuget.config’ file in the solution folder with the content below.
<?xml version="1.0" encoding="utf-8"?> 
<configuration> 
  <packageSources> 
    <clear /> 
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" /> 
  </packageSources> 
</configuration> 
  4. Install the package ‘Newtonsoft.Json 10.0.1’ into the project from PM UI.
  5. Update the 'nuget.config' file with the value below:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
  </packageSources>
  <auditSources>
    <add key="nuget.org audit" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>
  6. Open a CLI, cd to the path of the ‘PatchedSDK’ folder, and restore the project with the command dotnet restore "…\NetProject.csproj" in the CLI.
  7. Run the command dotnet list [ProjectPath] package --vulnerable in the CLI.

Expected:   

The command was executed successfully.

Actual:   

An error “Attempted to divide by zero.” occurs, as in the screenshot below:

Image

Verbose Logs

@nkolev92
Member

> It’s not a regression since it’s a new feature.

I don't think this is a new feature. There's nothing in the scenario that makes it a new feature.
Can you please do regression analysis.

Can you also post the project file you end up with?

Unfortunately, I seem to be hitting the 30% where I can't repro it.

NuGet/NuGet.Client@38f10f6 is the likely root cause if it's a recent regression.

@CiciLi1
Author

CiciLi1 commented Feb 24, 2025

Hi @nkolev92, we never encountered this issue in the regular Dotnet list Test before Dev\6.14.0.27; it started to repro when the new feature dotnet list package --vulnerable was updated.

I have attached the project to this path \\mlangfs1\Public\NuGet\Bug_14122. (Note: we don't think this issue is related to the project.)

@Nigusu-Allehu
Contributor

I was able to reproduce the issue on 8.0.3 and 9.0.1. I don't think this is a regression.

@Nigusu-Allehu
Contributor

Nigusu-Allehu commented Feb 24, 2025

I think the config file you have in the repro description is different from the one you have in the attached project. For me, this repros only when a nuget.config file has no packageSources configured. And I think the error occurs here because we divide by the number of package sources. https://github.com/NuGet/NuGet.Client/blob/68db83a99814547864e09170f6c3179b33933a27/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs#L443

@Nigusu-Allehu
Contributor

I don't think it is related to NuGet/NuGet.Client@38f10f6 either.
I was not able to repro it with AuditSource configured.

@nkolev92
Member

nkolev92 commented Feb 24, 2025

> I have attached the project to this path \mlangfs1\Public\NuGet\Bug_14122. (Note: we don't think this issue is related to the project.)

@CiciLi1
I don't think it's related to the project either, but in cases like this, the project file is the only thing that matters, so instead of following the steps to create the project, having the project directly speeds up things.
We don't really need the whole project directory. We just need the content of the csproj file.

@nkolev92
Member

> I think the config file you have in the repro description is different from the one you have in the attached project. For me, this repros only when a nuget.config file has no packageSources configured. And I think the error occurs here because we divide by the number of package sources. https://github.com/NuGet/NuGet.Client/blob/68db83a99814547864e09170f6c3179b33933a27/src/NuGet.Core/NuGet.CommandLine.XPlat/Commands/PackageReferenceCommands/ListPackage/ListPackageCommandRunner.cs#L443

Great catch @Nigusu-Allehu

This should be a quick fix.

@nkolev92 nkolev92 added Category:Quality Week Issues that should be considered for quality week Priority:2 Issues for the current backlog. labels Feb 24, 2025
@CiciLi1
Author

CiciLi1 commented Feb 25, 2025

Hi @nkolev92 & @Nigusu-Allehu, thanks for your reply! We were previously able to repro this issue when adding packageSources to the config file (as in the bug repro step), but today we were unable to repro it after patching the latest .NET SDK 9.0.300-preview.0.25124.16 with NuGet Client Dev\6.14.0.40.

Today we can reproduce it 100% when the nuget.config file is not configured with packageSources and has the AuditSource as below. Can I update the repro steps?

Image

@nkolev92
Member

Thanks for confirming.

Up to you @CiciLi1

We know the root cause now, this is an easy fix.

@nkolev92 nkolev92 added the good first issue Issues identified as good for first-time contributors label Feb 25, 2025
@Nigusu-Allehu
Contributor

I was taking a look at this again. I noticed <AuditSources> is not recognized and <auditSources> is recognized when we read configuration files. It looks like we are case-sensitive.
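
A pre-flight check for the two configuration conditions identified in this thread, written as an added example (it is not NuGet code and was not posted by any participant): a nuget.config whose packageSources resolves to zero entries, and a section element whose casing differs from the recognized one. The function names and finding codes are hypothetical, and only a single file is inspected, so NuGet's merging of parent and user-level configs is not modelled.

```python
import xml.etree.ElementTree as ET

EXPECTED = ("packageSources", "auditSources")  # casings the thread reports as recognized

def effective_keys(section):
    """Replay <clear/> and <add> in document order for one section of one file."""
    keys = []
    for child in (section if section is not None else []):
        if child.tag == "clear":
            keys = []
        elif child.tag == "add" and child.get("key"):
            keys.append(child.get("key"))
    return keys

def check_nuget_config(xml_text):
    """Return hypothetical finding codes for one nuget.config (no parent merging)."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for child in root:
        for name in EXPECTED:
            if child.tag != name and child.tag.lower() == name.lower():
                findings.append(f"WRONG_CASE:{child.tag}")
    # Exact-case lookups, mirroring the case-sensitive read described in the thread.
    packages = effective_keys(root.find("packageSources"))
    audits = effective_keys(root.find("auditSources"))
    if not packages:
        findings.append("NO_PACKAGE_SOURCES")      # the divide-by-zero precondition
        if audits:
            findings.append("AUDIT_SOURCES_ONLY")  # the state in step 5 of the repro
    return findings

# The config from step 5 of the repro steps.
AUDIT_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources><clear /></packageSources>
  <auditSources>
    <add key="nuget.org audit" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>"""

# Constructed sample: a package source is present, but the audit section is mis-cased.
MISCASED = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
  <AuditSources>
    <add key="nuget.org audit" value="https://api.nuget.org/v3/index.json" />
  </AuditSources>
</configuration>"""
```

A mis-cased section is worth flagging on its own: per the comment above it is not recognized when the configuration is read, so the audit source the file appears to configure is not the one in effect.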
