Fix: Do not default to an empty list if Security scheme is missing

src/Microsoft.OpenApi/Models/OpenApiDocument.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
 
 using System;
@@ -48,8 +48,7 @@
         /// <summary>
         /// A declaration of which security mechanisms can be used across the API.
         /// </summary>
-        public IList<OpenApiSecurityRequirement> SecurityRequirements { get; set; } =
-            new List<OpenApiSecurityRequirement>();
+        public IList<OpenApiSecurityRequirement> SecurityRequirements { get; set; }
 
         /// <summary>
         /// A list of tags used by the specification with additional metadata.
@@ -435,7 +434,7 @@
                 return null;
             }
 
             // Todo: Verify if we need to check to see if this external reference is actually targeted at this document.
             if (useExternal)
             {
                 if (this.Workspace == null)

src/Microsoft.OpenApi/Models/OpenApiOperation.cs

@@ -91,7 +91,7 @@ public class OpenApiOperation : IOpenApiSerializable, IOpenApiExtensible, IOpenA
         /// This definition overrides any declared top-level security.
         /// To remove a top-level security declaration, an empty array can be used.
         /// </summary>
-        public IList<OpenApiSecurityRequirement> Security { get; set; } = new List<OpenApiSecurityRequirement>();
+        public IList<OpenApiSecurityRequirement> Security { get; set; }
 
         /// <summary>
         /// An alternative server array to service this operation.

test/Microsoft.OpenApi.Readers.Tests/V3Tests/OpenApiDocumentTests.cs

@@ -10,6 +10,7 @@
 using FluentAssertions;
 using Microsoft.OpenApi.Any;
 using Microsoft.OpenApi.Exceptions;
+using Microsoft.OpenApi.Extensions;
 using Microsoft.OpenApi.Interfaces;
 using Microsoft.OpenApi.Models;
 using Microsoft.OpenApi.Readers.Interface;
@@ -1432,5 +1433,65 @@ public void ParseBasicDocumentWithServerVariableAndNoDefaultShouldFail()
 
             diagnostic.Errors.Should().NotBeEmpty();
         }
+
+        [Fact]
+        public void ParseDocumentWithMissingSecuritySchemeDefaultsToNull()
+        {
+            // Arrange
+            var input = @"openapi: 3.0.0
+info:
+  title: test
+  version: ""1.0""
+paths:
+  /test:
+    get:
+      description: description for test path
+      responses:
+        '200':
+          description: test
+components:
+  securitySchemes:
+    apiKey0:
+      type: apiKey,
+      name: x-api-key,
+      in: header";
+
+            // Act && Assert
+            var doc = new OpenApiStringReader().Read(input, out var diagnostic);
+
+            doc.Paths["/test"].Operations[OperationType.Get].Security.Should().BeNull();
+            doc.SecurityRequirements.Should().BeNull();
+        }
+
+        [Fact]
+        public void ParseDocumentWithEmptySecuritySchemeDefaultsToEmptyList()
+        {
+            // Arrange
+            var input = @"openapi: 3.0.0
+info:
+  title: test
+  version: ""1.0""
+paths:
+  /test:
+    get:
+      description: description for test path
+      responses:
+        '200':
+          description: test
+      security: []
+security: 
+- apiKey0: []
+components:
+  securitySchemes:
+    apiKey0:
+      type: apiKey,
+      name: x-api-key,
+      in: header";
+
+            // Act && Assert
+            var doc = new OpenApiStringReader().Read(input, out var diagnostic);
+
+            doc.Paths["/test"].Operations[OperationType.Get].Security.Should().BeEmpty();
+        }
     }
 }