From 571f21ba49d37a091ee48de92914017eb17b74a7 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Tue, 3 Feb 2026 15:28:47 +0000
Subject: [PATCH] C#: Emit diagnostic if private registries are configured

---
 .../DependabotProxy.cs                        | 21 ++++++++++++++++++-
 .../DependencyManager.cs                      |  2 +-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs
index be5f137548c4..e06970141fed 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs
@@ -5,6 +5,7 @@
 using Semmle.Util;
 using Semmle.Util.Logging;
 using Newtonsoft.Json;
+using System.Linq;
 
 namespace Semmle.Extraction.CSharp.DependencyFetching
 {
@@ -37,7 +38,8 @@ public record class RegistryConfig(string Type, string URL);
         /// </summary>
         internal X509Certificate2? Certificate { get; private set; }
 
-        internal static DependabotProxy? GetDependabotProxy(ILogger logger, TemporaryDirectory tempWorkingDirectory)
+        internal static DependabotProxy? GetDependabotProxy(
+            ILogger logger, IDiagnosticsWriter diagnosticsWriter, TemporaryDirectory tempWorkingDirectory)
         {
             // Setting HTTP(S)_PROXY and SSL_CERT_FILE have no effect on Windows or macOS,
             // but we would still end up using the Dependabot proxy to check for feed reachability.
@@ -112,6 +114,23 @@ public record class RegistryConfig(string Type, string URL);
                 }
             }
 
+            // Emit a diagnostic for the discovered private registries, so that it is easy
+            // for users to see that they were picked up.
+            if (result.RegistryURLs.Count > 0)
+            {
+                diagnosticsWriter.AddEntry(new DiagnosticMessage(
+                    Language.CSharp,
+                    "buildless/analysis-using-private-registries",
+                    severity: DiagnosticMessage.TspSeverity.Note,
+                    visibility: new DiagnosticMessage.TspVisibility(true, true, true),
+                    name: "C# extraction used private package registries",
+                    markdownMessage: string.Format(
+                        "C# was extracted using the following private package registries:\n\n{0}\n",
+                        string.Join("\n", result.RegistryURLs.Select(url => string.Format("- `{0}`", url)))
+                    )
+                ));
+            }
+
             return result;
         }
 
diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
index ad69d0c85c37..bc010e318c35 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
@@ -106,7 +106,7 @@ void exitCallback(int ret, string msg, bool silent)
                 return BuildScript.Success;
             }).Run(SystemBuildActions.Instance, startCallback, exitCallback);
 
-            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, tempWorkingDirectory);
+            dependabotProxy = DependabotProxy.GetDependabotProxy(logger, diagnosticsWriter, tempWorkingDirectory);
 
             try
             {