Conversation

@LarsPellarin
NugetService: Add support to find PackageVulnerabilityInfo from IVulnerabilityInfoResource.
Reduce code duplication in test and make it easier to inject vulnerability service mock.
Refactor to inject source repository from factory.

@LarsPellarin LarsPellarin marked this pull request as ready for review November 20, 2025 08:14
@LarsPellarin LarsPellarin requested a review from a team as a code owner November 20, 2025 08:14

var vulnerabilities = await GetVulnerabilitiesAsync(name, version);
var vulnerabilityDescriptions = vulnerabilities.OrderBy(v => v.Severity).Select(v => v.ToJson()).ToArray();
component.Description = string.Join(',', vulnerabilityDescriptions);
Author

No appropriate property found for this, please advise, as component is in an external package and can't be modified here.

Lars Pellarin and others added 3 commits November 20, 2025 13:19
Signed-off-by: MTsfoni <mibau89@gmail.com>
…getServiceDTO - this decouples the library and the nugetService

Signed-off-by: MTsfoni <mibau89@gmail.com>
@mtsfoni
Member

mtsfoni commented Dec 5, 2025

@LarsPellarin Cool that you took on that feature!

The Class from the CycloneDX-library shouldn't be used in the NugetService imo.
I replaced it with a dto class for the service and mapped it to the Library class in the runner.cs.

I think it still needs to use more fields of the Vulnerability and probably testing (log4net is a classic here, oracle adapter also has vulnerabilities). Let me know if you still want to on, otherwise I will finish it in the coming days.

@LarsPellarin
Author

Thanks for the feedback! Agree on the DTO refactor.

Feel free to finish this, I will not have time the next couple of days myself.
