snyk-nuget-plugin - npm Package Compare versions

Comparing version 2.2.1 to 2.3.0

dist/nuget-parser/index.js

@@ -68,7 +68,7 @@ "use strict";
     const parser = PARSERS['dotnet-core-v2'];
-    const manifest = await parser.fileContentParser.parse(fileContent);
-    if (!((_a = manifest.project) === null || _a === void 0 ? void 0 : _a.frameworks)) {
+    const projectAssets = await parser.fileContentParser.parse(fileContent);
+    if (!((_a = projectAssets.project) === null || _a === void 0 ? void 0 : _a.frameworks)) {
         throw new errors_1.FileNotProcessableError(`unable to detect any target framework in manifest file ${safeTargetFile}, a valid one is needed to continue down this path.`);
     }
-    const targetFrameworks = Object.keys(manifest.project.frameworks);
+    const targetFrameworks = Object.keys(projectAssets.project.frameworks);
     if (targetFrameworks.length <= 0) {
@@ -83,3 +83,3 @@ throw new errors_1.FileNotProcessableError(`unable to detect a target framework in ${projectRootFolder}, a valid one is needed to continue down this path.`);
     let resolvedProjectName = getRootName(root, projectRootFolder, projectNamePrefix);
-    const projectNameFromManifestFile = (_c = (_b = manifest === null || manifest === void 0 ? void 0 : manifest.project) === null || _b === void 0 ? void 0 : _b.restore) === null || _c === void 0 ? void 0 : _c.projectName;
+    const projectNameFromManifestFile = (_c = (_b = projectAssets === null || projectAssets === void 0 ? void 0 : projectAssets.project) === null || _b === void 0 ? void 0 : _b.restore) === null || _c === void 0 ? void 0 : _c.projectName;
     if (manifestType === types_1.ManifestType.DOTNET_CORE &&
@@ -114,4 +114,6 @@ useProjectNameFromAssetsFile) {
         // Then inspect the dependency graph for the runtimepackage's assembly versions.
-        const depsFile = path.resolve(publishDir, `${projectNameFromManifestFile}.deps.json`);
-        const assemblyVersions = runtimeAssembly.generateRuntimeAssemblies(depsFile);
+        const depsFilePath = path.resolve(publishDir, `${projectNameFromManifestFile}.deps.json`);
+        const depsFile = fs.readFileSync(depsFilePath);
+        const publishedProjectDeps = JSON.parse(depsFile.toString('utf-8'));
+        const assemblyVersions = runtimeAssembly.generateRuntimeAssemblies(publishedProjectDeps);
         // Parse the TargetFramework using Nuget.Frameworks itself, instead of trying to reinvent the wheel, thus ensuring
@@ -126,3 +128,3 @@ // we have maximum context to use later when building the depGraph.
         }
-        const depGraph = parser.depParser.parse(resolvedProjectName, manifest, assemblyVersions, targetFrameworkInfo);
+        const depGraph = parser.depParser.parse(resolvedProjectName, projectAssets, publishedProjectDeps, assemblyVersions);
         results.push({
@@ -129,0 +131,0 @@ dependencyGraph: depGraph,

dist/nuget-parser/parsers/dotnet-core-v2-parser.d.ts

 import * as depGraphLib from '@snyk/dep-graph';
-import { AssemblyVersions, ProjectAssets, TargetFrameworkInfo } from '../types';
+import { AssemblyVersions, ProjectAssets, PublishedProjectDeps } from '../types';
 export declare const FILTERED_DEPENDENCY_PREFIX: string[];
-export declare function parse(projectName: string, projectAssets: ProjectAssets, runtimeAssembly: AssemblyVersions, targetFrameworkInfo: TargetFrameworkInfo): depGraphLib.DepGraph;
+export declare function parse(projectName: string, projectAssets: ProjectAssets, publishedProjectDeps: PublishedProjectDeps, runtimeAssembly: AssemblyVersions): depGraphLib.DepGraph;

dist/nuget-parser/parsers/dotnet-core-v2-parser.js

@@ -17,27 +17,2 @@ "use strict";
 ];
-// The list of top level dependencies and transitive dependencies differ based on the target runtime we've defined.
-// In the generated dependency file created by the `dotnet` CLI, this is organized by the target framework moniker (TFM).
-// Unfortunately, Microsoft has changed the way it denominates their targets throughout the different versions,
-// see: https://learn.microsoft.com/en-us/nuget/reference/target-frameworks#supported-frameworks.
-// So the logic has to be unnecessarily complex, as we cannot just access the key in the target dictionary
-// for versions different from the newest ones of .NET 5+.
-// Even better, it changes between how it defines them inside project.frameworks and the root targets object interchangeably.
-function findTargetFrameworkMonikerInManifest(targetFrameworkInfo, frameworks) {
-    const shortName = targetFrameworkInfo.ShortName;
-    const longName = targetFrameworkInfo.DotNetFrameworkName;
-    const parsedFrameworks = Object.keys(frameworks);
-    debug(`parsed the following frameworks in the manifest file: ${parsedFrameworks.join(',')}`);
-    // Try and find the "longName" (or DotNetFrameworkName) in the list of targets.
-    // The format is usually something like ".NETCoreApp,Version=v6.0". That seems to happen for older .NET target frameworks.
-    if (longName in frameworks) {
-        debug(`detected ${longName} in assets file, returning that`);
-        return longName;
-    }
-    // If that doesn't work, for newer versions of .NET core, they index the frameworks object by the 'shortname'.
-    if (shortName in frameworks) {
-        debug(`detected ${shortName} in assets file, returning that`);
-        return shortName;
-    }
-    throw new errors_1.FileNotProcessableError(`unable to find the determined target framework (${targetFrameworkInfo.ShortName}) in any of the available target frameworks: ${parsedFrameworks}`);
-}
 function recursivelyPopulateNodes(depGraphBuilder, targetDeps, node, runtimeAssembly, visited) {
@@ -84,3 +59,3 @@ const parentId = node.type === 'root' ? 'root-node' : `${node.name}@${node.version}`;
 }
-function buildGraph(projectName, projectAssets, runtimeAssembly, targetFrameworkInfo) {
+function buildGraph(projectName, projectAssets, publishedProjectDeps, runtimeAssembly) {
     const depGraphBuilder = new dep_graph_1.DepGraphBuilder({ name: 'nuget' }, {
@@ -90,30 +65,26 @@ name: projectName,
     });
-    if (Object.keys(projectAssets.project.frameworks).length <= 0) {
-        throw new errors_1.InvalidManifestError('no target frameworks found in assets file (project.assets.json -> project -> frameworks -> []), cannot continue without that');
+    // That's what `dotnet` wants to call this project. Which is not always the same as what Snyk wants to call it.
+    const restoreProjectName = `${projectAssets.project.restore.projectName}/${projectAssets.project.version}`;
+    // We publish to one RID and one only, so we can safely assume that the true dependencies will exist in this key.
+    // E.g. targets -> .NETCoreApp,Version=v8.0/osx-arm64
+    const runtimeTarget = publishedProjectDeps.runtimeTarget.name;
+    // Those dependencies are referenced in the 'targets' member in the same .deps file.
+    if (Object.keys(publishedProjectDeps.targets).length <= 0) {
+        throw new errors_1.InvalidManifestError('no target dependencies in found in published deps file (project.deps.json -> targets -> []), cannot continue without that');
     }
-    // Access all top-level dependencies from the right target point in the project.assets.json, or fail trying.
-    const directDepsMoniker = findTargetFrameworkMonikerInManifest(targetFrameworkInfo, projectAssets.project.frameworks);
-    // Potentially we're scanning a project that really has no dependencies
-    if (!projectAssets.project.frameworks[directDepsMoniker].dependencies) {
-        return depGraphBuilder.build();
+    if (!(runtimeTarget in publishedProjectDeps.targets)) {
+        throw new errors_1.InvalidManifestError(`no ${runtimeTarget} found in targets object, cannot continue without it`);
     }
-    // Those dependencies are referenced in the 'targets' member in the same assets file.
-    const topLevelDeps = Object.keys(projectAssets.project.frameworks[directDepsMoniker].dependencies);
-    // The list of targets gets decorated differently depending on version of the TargetFramework, (.NET 5+ versions
-    // just have their key as the target (net6.0), but .NET Standard append a version, such as .NETStandard,Version=VN.N.N).
-    if (Object.keys(projectAssets.targets).length <= 0) {
-        throw new errors_1.InvalidManifestError('no target dependencies in found in assets file (project.assets.json -> targets -> []), cannot continue without that');
+    if (!(restoreProjectName in publishedProjectDeps.targets[runtimeTarget])) {
+        throw new errors_1.InvalidManifestError(`no ${restoreProjectName} found in ${runtimeTarget} object, cannot continue without it`);
     }
-    // Further, they decorate them differently depending on where in the assets file it is.
-    // E.g., a direct dependency target moniker can be project -> frameworks -> 'netstandard2.0', while the
-    // transitive dependency line can be targets -> .NETStandard,Version=v2.1.
-    const transitiveDepsMoniker = findTargetFrameworkMonikerInManifest(targetFrameworkInfo, projectAssets.targets);
-    const targetFrameworkDependencies = projectAssets.targets[transitiveDepsMoniker];
+    const topLevelDependencies = Object.keys(publishedProjectDeps.targets[runtimeTarget][restoreProjectName]
+        .dependencies);
     // Iterate over all the dependencies found in the target dependency list, and build the depGraph based off of that.
-    const targetDeps = Object.entries(targetFrameworkDependencies).reduce((acc, entry) => {
+    const targetDependencies = Object.entries(publishedProjectDeps.targets[runtimeTarget]).reduce((acc, entry) => {
         const [nameWithVersion, pkg] = entry;
         return { ...acc, [nameWithVersion]: pkg };
     }, {});
-    const topLevelDepPackages = topLevelDeps.reduce((acc, topLevelDepName) => {
-        const nameWithVersion = Object.keys(targetDeps).find((targetDep) => 
+    const topLevelDepPackages = topLevelDependencies.reduce((acc, topLevelDepName) => {
+        const nameWithVersion = Object.keys(targetDependencies).find((targetDep) => 
         // Lowercase the comparison, as .csproj <PackageReference>s are not case-sensitive, and can be written however you like.
@@ -131,8 +102,8 @@ targetDep.toLowerCase().startsWith(topLevelDepName.toLowerCase()));
     };
-    recursivelyPopulateNodes(depGraphBuilder, targetDeps, rootNode, runtimeAssembly);
+    recursivelyPopulateNodes(depGraphBuilder, targetDependencies, rootNode, runtimeAssembly);
     return depGraphBuilder.build();
 }
-function parse(projectName, projectAssets, runtimeAssembly, targetFrameworkInfo) {
+function parse(projectName, projectAssets, publishedProjectDeps, runtimeAssembly) {
     debug('Trying to parse .net core manifest with v2 depGraph builder');
-    const result = buildGraph(projectName, projectAssets, runtimeAssembly, targetFrameworkInfo);
+    const result = buildGraph(projectName, projectAssets, publishedProjectDeps, runtimeAssembly);
     return result;
@@ -139,0 +110,0 @@ }

dist/nuget-parser/runtime-assembly.d.ts

@@ -1,2 +0,2 @@
-import { AssemblyVersions } from './types';
-export declare function generateRuntimeAssemblies(filePath: string): AssemblyVersions;
+import { AssemblyVersions, PublishedProjectDeps } from './types';
+export declare function generateRuntimeAssemblies(deps: PublishedProjectDeps): AssemblyVersions;

dist/nuget-parser/runtime-assembly.js

@@ -5,3 +5,2 @@ "use strict";
 const errors = require("../errors/");
-const fs = require("fs");
 const lodash_1 = require("lodash");
@@ -20,6 +19,5 @@ const debugModule = require("debug");
 // explanation of what the `deps.json` file is doing that we are traversing.
-function generateRuntimeAssemblies(filePath) {
-    debug('extracting runtime assemblies from ' + filePath);
-    const depsFile = fs.readFileSync(filePath);
-    const deps = JSON.parse(depsFile.toString('utf-8'));
+function generateRuntimeAssemblies(deps) {
+    const runtimeTargetName = deps.runtimeTarget.name;
+    debug(`extracting runtime assemblies from ${runtimeTargetName}`);
     if (!deps.targets) {
@@ -84,3 +82,3 @@ throw new errors.FileNotProcessableError('could not find any targets in deps file');
     }
-    debug('finished extracting runtime assemblies from ' + filePath);
+    debug(`finished extracting runtime assemblies from ${runtimeTargetName}`);
     return runtimeAssemblyVersions;
@@ -87,0 +85,0 @@ }

dist/nuget-parser/types.d.ts

@@ -60,2 +60,7 @@ import * as depGraphLib from '@snyk/dep-graph';
 }
+export interface PublishedProjectDeps {
+    runtimeTarget: Record<string, any>;
+    targets: Record<string, any>;
+    libraries: Record<string, any>;
+}
 export type AssemblyVersions = Record<string, string>;
@@ -62,0 +67,0 @@ export interface DotNetFile {

package.json

@@ -61,3 +61,3 @@ {
   },
-  "version": "2.2.1"
+  "version": "2.3.0"
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Number of low supply chain risk alerts

13

decreased by-7.14%

Worsened metrics

Total package byte prevSize

132515

decreased by-2%

Lines of code

1809

decreased by-1.31%

No dependency changes