
Recover dependency tree from nuspec files #1374

Merged (8 commits), Sep 12, 2024
Conversation

prabhu (Collaborator) commented Sep 12, 2024

.nuspec files could have dependencies defined under various groups. These dependencies were getting omitted, thus reducing the number of indirect components reported for .NET Framework <= 4.7 applications.

The captured indirect components would have slightly lower confidence with an optional scope to help downstream tools to better prioritize the issues in such components. Additionally, a property called cdx:dotnet:target_framework can be used to identify the target frameworks these components are part of.

Example:

```json
{
    "group": "",
    "name": "xunit.abstractions",
    "version": "2.0.1",
    "scope": "required",
    "purl": "pkg:nuget/xunit.abstractions@2.0.1",
    "type": "library",
    "bom-ref": "pkg:nuget/xunit.abstractions@2.0.1",
    "evidence": {
        "identity": {
            "field": "purl",
            "confidence": 0.7,
            "methods": [
                {
                    "technique": "binary-analysis",
                    "confidence": 1,
                    "value": "/mnt/work/sandbox/net_testing/ImdbCommunication/packages/xunit.runner.utility.2.2.0/xunit.runner.utility.2.2.0.nupkg"
                }
            ]
        }
    },
    "properties": [
        {
            "name": "SrcFile",
            "value": "/mnt/work/sandbox/net_testing/ImdbCommunication/packages/xunit.runner.utility.2.2.0/xunit.runner.utility.2.2.0.nupkg"
        },
        {
            "name": "cdx:dotnet:target_framework",
            "value": ".NETFramework3.5"
        },
        {
            "name": "cdx:dotnet:target_framework",
            "value": ".NETStandard1.1"
        },
        {
            "name": "cdx:dotnet:target_framework",
            "value": ".NETStandard1.5"
        },
        {
            "name": "SrcFile",
            "value": "/mnt/work/sandbox/net_testing/ImdbCommunication/packages/xunit.extensibility.core.2.2.0/xunit.extensibility.core.2.2.0.nupkg"
        },
```

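A worked version of the grouped-dependency recovery described in this PR, added here as an example and not cdxgen's own code: a constructed .nuspec with three dependency groups collapses into one CycloneDX component per purl, carrying one cdx:dotnet:target_framework property per group that declared it. The 0.7 confidence mirrors the output above; reducing a NuGet version range to its lower bound is this example's simplification.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest (not a real package); three dependency groups.
SAMPLE_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>xunit.runner.utility</id><version>2.2.0</version><dependencies>
    <group targetFramework=".NETFramework3.5">
      <dependency id="xunit.abstractions" version="2.0.1" /></group>
    <group targetFramework=".NETStandard1.1">
      <dependency id="xunit.abstractions" version="2.0.1" />
      <dependency id="NETStandard.Library" version="1.6.0" /></group>
    <group targetFramework=".NETStandard1.5">
      <dependency id="xunit.abstractions" version="[2.0.1, 3.0)" /></group>
  </dependencies></metadata></package>"""

def lower_bound(version):
    """Reduce a NuGet range like "[2.0.1, 3.0)" to its lower bound (this
    example's simplification); a plain version string is returned unchanged."""
    return re.split(r"[,\])]", version.strip("[( "))[0].strip()

def nuspec_components(nuspec_xml, src_file, confidence=0.7):
    """Return CycloneDX components for every <dependency> in every <group>,
    merged by purl, with one cdx:dotnet:target_framework property per group."""
    components = {}
    # '{*}' matches any XML namespace, so the nuspec schema version is irrelevant.
    for group in ET.fromstring(nuspec_xml).iterfind(".//{*}group"):
        tfm = group.get("targetFramework")
        for dep in group.iterfind("{*}dependency"):
            name, version = dep.get("id"), lower_bound(dep.get("version", ""))
            purl = f"pkg:nuget/{name}" + (f"@{version}" if version else "")
            comp = components.setdefault(purl, {
                "name": name, "version": version, "purl": purl, "bom-ref": purl,
                "type": "library",
                "evidence": {"identity": {"field": "purl", "confidence": confidence,
                    "methods": [{"technique": "binary-analysis",
                                 "confidence": confidence, "value": src_file}]}},
                "properties": [{"name": "SrcFile", "value": src_file}],
            })
            prop = {"name": "cdx:dotnet:target_framework", "value": tfm}
            if tfm and prop not in comp["properties"]:
                comp["properties"].append(prop)
    return list(components.values())

def target_frameworks(component):
    """List the target frameworks recorded on a component, in group order."""
    return [p["value"] for p in component["properties"]
            if p["name"] == "cdx:dotnet:target_framework"]
```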
prabhu (Collaborator, Author) commented Sep 12, 2024

In addition, for non-versioned system packages (from the Global Assembly Cache), the target_framework property is set based on the information from the csproj file.

```json
{
    "group": "",
    "name": "System.Net.Http",
    "version": "",
    "purl": "pkg:nuget/System.Net.Http",
    "type": "library",
    "bom-ref": "pkg:nuget/System.Net.Http",
    "evidence": {
        "identity": {
            "field": "purl",
            "confidence": 0.7,
            "methods": [
                {
                    "technique": "manifest-analysis",
                    "confidence": 0.7,
                    "value": "/mnt/work/sandbox/net_testing/ImdbCommunication/ImdbCommunication.Tests/ImdbCommunication.Tests.csproj"
                }
            ]
        }
    },
    "properties": [
        {
            "name": "cdx:dotnet:target_framework",
            "value": "v4.7"
        },
        {
            "name": "SrcFile",
            "value": "/mnt/work/sandbox/net_testing/ImdbCommunication/ImdbCommunication.Tests/ImdbCommunication.Tests.csproj"
        }
    ]
}
```

In the above example, there is no version information for System.Net.Http. Hence, fall back to consuming the cdx:dotnet:target_framework property to track the appropriate version range.

prabhu (Collaborator, Author) commented Sep 12, 2024

While testing this repo, I noticed that cdxgen can generate duplicates in the below scenario:

```xml
<Reference Include="Microsoft.AI.Agent.Intercept, Version=2.0.6.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
  <HintPath>..\packages\Microsoft.ApplicationInsights.Agent.Intercept.2.0.6\lib\net45\Microsoft.AI.Agent.Intercept.dll</HintPath>
  <Private>True</Private>
</Reference>
```

The include name used is different from the package path (and its name in the .nupkg file). Therefore, both of these components are the same.

(screenshot: same-component)

I have enhanced it slightly to track the hint_path alone as a property. Maybe a future release could do a better job of expressing such aliases.

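An added example (not cdxgen's implementation) of resolving the alias described in the comment above: the package id, version and target framework are recovered from the HintPath, so the component is keyed by its NuGet package identity rather than by the assembly name in Include, which is what lets the two components be recognised as one. The property names cdx:dotnet:hint_path and cdx:dotnet:assembly_name are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed csproj fragment modelled on the scenario above (not a real project).
SAMPLE_CSPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Microsoft.AI.Agent.Intercept, Version=2.0.6.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
      <HintPath>..\packages\Microsoft.ApplicationInsights.Agent.Intercept.2.0.6\lib\net45\Microsoft.AI.Agent.Intercept.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="System.Net.Http" />
  </ItemGroup>
</Project>"""

# packages\<id>.<version>\ : the version is the trailing dotted numeric run,
# optionally followed by a prerelease label such as -beta1.
PKG_DIR = re.compile(r"^(?P<id>.+?)\.(?P<version>\d+(?:\.\d+)+(?:-[0-9A-Za-z.-]+)?)$")

def package_from_hint_path(hint_path):
    """Split a packages-folder HintPath into package id, version and lib TFM."""
    parts = PureWindowsPath(hint_path).parts
    lowered = [p.lower() for p in parts]
    if "packages" not in lowered:
        return None
    i = lowered.index("packages")
    m = PKG_DIR.match(parts[i + 1]) if i + 1 < len(parts) else None
    if not m:
        return None
    tfm = parts[i + 3] if len(parts) > i + 3 and lowered[i + 2] == "lib" else None
    return {"id": m["id"], "version": m["version"], "target_framework": tfm}

def csproj_references(csproj_xml):
    """One component per <Reference>, named after the package when a HintPath
    reveals it; the assembly name is kept as a property (assumed name)."""
    refs = []
    for ref in ET.fromstring(csproj_xml).iterfind(".//{*}Reference"):
        assembly = ref.get("Include", "").split(",")[0].strip()
        hint = ref.findtext("{*}HintPath")
        pkg = package_from_hint_path(hint) if hint else None
        name = pkg["id"] if pkg else assembly      # GAC refs keep the assembly name
        version = pkg["version"] if pkg else ""
        purl = f"pkg:nuget/{name}" + (f"@{version}" if version else "")
        comp = {"name": name, "version": version, "purl": purl, "bom-ref": purl, "properties": []}
        if hint:
            comp["properties"].append({"name": "cdx:dotnet:hint_path", "value": hint})
        if assembly != name:
            comp["properties"].append({"name": "cdx:dotnet:assembly_name", "value": assembly})
        refs.append(comp)
    return refs
```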
Signed-off-by: Prabhu Subramanian <[email protected]>
prabhu merged commit 041635c into master Sep 12, 2024
24 of 25 checks passed
prabhu deleted the feature/nuspec-deps-tree branch September 12, 2024 15:44