From aaa818df51b6f0a3ac19d4a16d2f058643470cbe Mon Sep 17 00:00:00 2001 From: "Brett V. Forsgren" Date: Fri, 2 Aug 2024 17:33:30 -0600 Subject: [PATCH] report no new version if a given package doesn't exist on any feed (#10354) Co-authored-by: AbdulFattaah Popoola --- .../Analyze/AnalyzeWorkerTests.cs | 40 +++++++++++++++++++ .../Analyze/AnalyzeWorker.cs | 6 +++ 2 files changed, 46 insertions(+) diff --git a/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs b/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs index 16209381cb1..828d039e569 100644 --- a/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs +++ b/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs @@ -264,6 +264,46 @@ await TestAnalyzeAsync( [Fact] public async Task ReturnsUpToDate_ForMissingDependency() + { + await TestAnalyzeAsync( + packages: + [ + // no packages listed + ], + discovery: new() + { + Path = "/", + Projects = [ + new() + { + FilePath = "./project.csproj", + TargetFrameworks = ["net8.0"], + Dependencies = [ + new("Some.Package", "1.0.0", DependencyType.PackageReference), // this was found in the source, but doesn't exist in any feed + ], + }, + ], + }, + dependencyInfo: new() + { + Name = "Some.Package", + Version = "1.0.0", + IgnoredVersions = [], + IsVulnerable = false, + Vulnerabilities = [], + }, + expectedResult: new() + { + UpdatedVersion = "1.0.0", + CanUpdate = false, + VersionComesFromMultiDependencyProperty = false, + UpdatedDependencies = [], + } + ); + } + + [Fact] + public async Task ReturnsUpToDate_ForIgnoredRequirements() { await TestAnalyzeAsync( packages: diff --git a/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs b/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs index d6fc1c597e8..0a45ce7cfd5 100644 --- a/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs 
+++ b/nuget/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs @@ -255,6 +255,12 @@ internal static async Task DeserializeJsonFileAsync(string path, string fi CancellationToken cancellationToken) { var versions = versionResult.GetVersions(); + if (versions.Length == 0) + { + // if absolutely nothing was found, then we can't update + return null; + } + var orderedVersions = findLowestVersion ? versions.OrderBy(v => v) // If we are fixing a vulnerability, then we want the lowest version that is safe. : versions.OrderByDescending(v => v); // If we are just updating versions, then we want the highest version possible.
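Review bot: The early `return null` for `versions.Length == 0` gives the caller no way to tell "this package was not found on any configured feed" from any other reason this method may return null; the signature starts above the hunk and the body continues below it, so the other null paths are inferred. Per the test added in AnalyzeWorkerTests.cs, the result is `UpdatedVersion = "1.0.0"` with `CanUpdate = false`, which reads as "up to date". For a dependency being fixed for a vulnerability (the `findLowestVersion` ordering just below), that would hide the fact that no fixed version could even be looked up, and a package name that resolves on no feed is worth surfacing to whoever owns the feed configuration. I would state the contract in the comment, e.g. `// no feed returned any version for this package; null makes the caller report the current version with CanUpdate = false`, and log a warning naming the package if a logger is reachable from here. The new test only covers `IsVulnerable = false`; a second case with a populated `Vulnerabilities` list and the same empty `packages` list would pin the behaviour on the vulnerable path.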