Skip to content

Add support for Nuget lockfiles #497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add support for Nuget lockfiles #497

wants to merge 2 commits into from

Conversation

@Porges
Copy link
Member

@Porges Porges commented Apr 6, 2023
edited
Loading

These have been supported since VS2017 but they are not yet parsed. The lockfile contains all transitive dependencies and does not require a build to be performed in order to be used.

I found that support for this was missing while investigating why our repo was not getting flagged for anything despite having transitive dependencies on packages with High- and Critical-level advisories. It turned out that Component Governance was not finding any dependencies at all, since the existing detectors require the project to be built first.

I've also added a simple test logger implementation when writing a test, since a mock logger is not very useful when tests fail.

tevoinea
tevoinea reviewed Apr 6, 2023
View reviewed changes
src/Microsoft.ComponentDetection.Detectors/nuget/NuGetComponentDetector.cs
foreach (var (name, value) in framework)
{
var component = new NuGetComponent(name, value.Resolved);
singleFileComponentRecorder.RegisterUsage(new DetectedComponent(component));
Copy link
Member

@tevoinea tevoinea Apr 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if the team would want it included in this PR or not, but packages.lock.json supports reconstructing the whole component graph (see parentComponentId docs link) by using the dependencies property and also isExplicitlyReferencedDependency (same doc link) through the type property (is it Direct or Transitive).

@Porges Porges marked this pull request as ready for review April 10, 2023 22:03
@Porges Porges requested a review from a team as a code owner April 10, 2023 22:03
@Porges Porges requested a review from Omotola April 10, 2023 22:03
Porges
Porges commented Apr 10, 2023
View reviewed changes
src/Microsoft.ComponentDetection.Detectors/nuget/NuGetComponentDetector.cs
else if ("paket.lock".Equals(stream.Pattern, StringComparison.OrdinalIgnoreCase))
{
this.ParsePaketLock(processRequest);
return;
Copy link
Member Author

@Porges Porges Apr 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed what seems like a small bug here; it would always continue to the "nuget bytes" parsing and throw a null reference exception which is then caught.

@melotic melotic added version:minor type:feature Feature (new functionality) detector:nuget The NuGet detector labels Apr 14, 2023
@bilby91
Copy link

bilby91 commented Mar 28, 2025

Is there any plans to merge this ?

@bilby91 bilby91 mentioned this pull request Mar 28, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@melotic melotic melotic left review comments

@tevoinea tevoinea tevoinea left review comments

@Omotola Omotola Awaiting requested review from Omotola Omotola is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

detector:nuget The NuGet detector type:feature Feature (new functionality) version:minor

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Porges @bilby91 @melotic @tevoinea