snyk-nuget-plugin
Comparing version 2.3.2 to 2.3.3
@@ -80,4 +80,6 @@ "use strict"; | ||
} | ||
const topLevelDependencies = Object.keys(publishedProjectDeps.targets[runtimeTarget][restoreProjectName] | ||
.dependencies); | ||
// Find names and versions of all dependencies of the root package. These are already structured correctly in | ||
// the deps.json generated by `dotnet publish`. | ||
const topLevelDepPackages = publishedProjectDeps.targets[runtimeTarget][restoreProjectName] | ||
.dependencies; | ||
// Iterate over all the dependencies found in the target dependency list, and build the depGraph based off of that. | ||
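Review bot: The new `topLevelDepPackages` assignment reads `.dependencies` off the project entry without checking it exists, so a project entry with no `dependencies` key (a project with zero package references, if `dotnet publish` omits the key in that case — I can't confirm from here) leaves `topLevelDepPackages` undefined and whatever consumes it later fails with a bare TypeError rather than the `InvalidManifestError` this file uses for malformed manifests. Either default it, `const topLevelDepPackages = publishedProjectDeps.targets[runtimeTarget][restoreProjectName].dependencies ?? {};`, or guard it with an explicit `throw new errors_1.InvalidManifestError(...)` so the failure mode stays consistent with the rest of the parser. Dropping the lower-cased `startsWith` lookup is a real accuracy gain, since a package name that is a prefix of another (`Foo.Bar` vs `Foo.Bar.Baz/…`) could previously be reported at the wrong version. The enclosing function starts before this hunk and continues after it.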
@@ -88,12 +90,2 @@ const targetDependencies = Object.entries(publishedProjectDeps.targets[runtimeTarget]).reduce((acc, entry) => { | ||
}, {}); | ||
const topLevelDepPackages = topLevelDependencies.reduce((acc, topLevelDepName) => { | ||
const nameWithVersion = Object.keys(targetDependencies).find((targetDep) => | ||
// Lowercase the comparison, as .csproj <PackageReference>s are not case-sensitive, and can be written however you like. | ||
targetDep.toLowerCase().startsWith(topLevelDepName.toLowerCase())); | ||
if (!nameWithVersion) { | ||
throw new errors_1.InvalidManifestError(`cant find a name and a version in assets file, something's very malformed`); | ||
} | ||
const [name, version] = nameWithVersion.split('/'); | ||
return { ...acc, [name]: version }; | ||
}, {}); | ||
const rootNode = { | ||
@@ -100,0 +92,0 @@ type: 'root', |
@@ -24,19 +24,17 @@ "use strict"; | ||
} | ||
// Run through all TargetFrameworks, indexed for example | ||
// .NETCoreApp,Version=v6.0/osx-arm64, | ||
// .NETCoreApp,Version=v6.0/alpine-armv6 | ||
if (!(runtimeTargetName in deps.targets)) { | ||
throw new errors.FileNotProcessableError(`could not locate ${runtimeTargetName} in list of targets, cannot continue`); | ||
} | ||
// Run through all runtimepacks in target, indexed for example as | ||
// runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/7.0.14 | ||
// runtimepack.Microsoft.AspNetCore.App.Runtime.osx-arm64/7.0.14 | ||
// ... etc. | ||
// See all: https://github.com/dotnet/runtime/blob/bd83e17052d3c09022bad1d91dca860ca6b27ab9/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json | ||
let runtimeAssemblyVersions = {}; | ||
Object.entries(deps.targets).forEach(([target, dependencies]) => { | ||
// Ignore target frameworks without dependencies, as they hold no dlls and thus no assembly versions to gauge. | ||
if ((0, lodash_1.isEmpty)(dependencies)) { | ||
return; | ||
} | ||
// Since we're running `dotnet publish` with `--use-current-runtime`, this should exist in the dependency list, | ||
// but guard against it to ensure good user feedback in case we did something wrong. | ||
const runtimePack = Object.keys(dependencies).find((dep) => dep.startsWith('runtimepack')); | ||
if (!runtimePack) { | ||
throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifier in the ${target} dependency`); | ||
} | ||
const runtimePacks = Object.keys(deps.targets[runtimeTargetName]).filter((t) => t.startsWith('runtimepack')); | ||
if (runtimePacks.length <= 0) { | ||
throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifiers in ${runtimeTargetName}, cannot continue`); | ||
} | ||
runtimePacks.forEach((runtimePack) => { | ||
const dependencies = deps.targets[runtimeTargetName][runtimePack]; | ||
// The runtimepack contains all the current RuntimeIdentifier (RID) assemblies which we are interested in. | ||
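Review bot: The `runtimePacks` filter matches any target key that begins with the bare text `runtimepack`, so a regular package whose id happens to start with that string (for example `runtimepackage.something/1.0.0`) would be treated as a runtime pack and its `runtime` list merged into the assembly versions; given the documented key shape `runtimepack.Microsoft.NETCore.App.Runtime.<rid>/<version>`, `t.startsWith('runtimepack.')` with the trailing dot is the tighter match. The `runtimeTargetName in deps.targets` test a few lines up uses the `in` operator on an object parsed from JSON, which also answers true for inherited `Object.prototype` names; `Object.hasOwn(deps.targets, runtimeTargetName)` (or `Object.prototype.hasOwnProperty.call` if the supported Node range predates it) is the precise own-key check. The `runtimePacks.forEach` callback opened at the end of this hunk closes outside it.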
@@ -50,6 +48,6 @@ // Such as | ||
// We traverse all those and store them for the dependency graph build. | ||
if (!('runtime' in dependencies[runtimePack])) { | ||
if (!('runtime' in dependencies)) { | ||
throw new errors.FileNotProcessableError(`could not find any runtime list in the ${runtimePack} dependency`); | ||
} | ||
const runtimes = dependencies[runtimePack]['runtime']; | ||
const runtimes = dependencies['runtime']; | ||
// Dig down into the specific runtimepack which contains all the assembly versions of | ||
@@ -70,10 +68,10 @@ // the bundled DLLs for the given runtime, as: | ||
// on how vulnerabilities are reported in the future. | ||
runtimeAssemblyVersions = Object.entries(runtimes).reduce((acc, [dll, versions]) => { | ||
// Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything. | ||
acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.'); | ||
return acc; | ||
}, {}); | ||
// `dotnet publish` does not support multiple consecutive `--runtime` parameters, so there should really only | ||
// be one. Thus, drop iterating more. | ||
return; | ||
runtimeAssemblyVersions = { | ||
...runtimeAssemblyVersions, | ||
...Object.entries(runtimes).reduce((acc, [dll, versions]) => { | ||
// Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything. | ||
acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.'); | ||
return acc; | ||
}, {}), | ||
}; | ||
}); | ||
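Review bot: The spread merge into `runtimeAssemblyVersions` lets a later runtime pack silently overwrite an entry an earlier pack already produced for the same DLL name, so if two packs ever ship the same assembly at different versions the version reported to the vulnerability database depends on key order; whether the packs overlap in practice I can't tell from here, but a guard such as `if (Object.hasOwn(acc, dll)) throw new errors.FileNotProcessableError(`${dll} listed by more than one runtimepack`);` inside the reducer would make a collision visible instead of guessing. Separately, `versions.assemblyVersion.split('.')` throws a bare TypeError when a runtime entry has no `assemblyVersion`, unlike the `FileNotProcessableError` guards elsewhere in this function, and `slice(0, -1)` drops the last component regardless of how many there are, so a three-part version would be reported as two parts; a check like `if (typeof versions?.assemblyVersion !== 'string') throw new errors.FileNotProcessableError(...)` before the split keeps the error path consistent. The forEach callback closed by the last line of this hunk begins outside it.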
@@ -80,0 +78,0 @@ if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) { |
@@ -61,3 +61,3 @@ { | ||
}, | ||
"version": "2.3.2" | ||
"version": "2.3.3" | ||
} |