snyk-nuget-plugin - npm Package Compare versions

Comparing version 2.3.2 to 2.3.3

dist/nuget-parser/parsers/dotnet-core-v2-parser.js

@@ -80,4 +80,6 @@ "use strict";
     }
-    const topLevelDependencies = Object.keys(publishedProjectDeps.targets[runtimeTarget][restoreProjectName]
-        .dependencies);
+    // Find names and versions of all dependencies of the root package. These are already structured correctly in
+    // the deps.json generated by `dotnet publish`.
+    const topLevelDepPackages = publishedProjectDeps.targets[runtimeTarget][restoreProjectName]
+        .dependencies;
     // Iterate over all the dependencies found in the target dependency list, and build the depGraph based off of that.
@@ -88,12 +90,2 @@ const targetDependencies = Object.entries(publishedProjectDeps.targets[runtimeTarget]).reduce((acc, entry) => {
     }, {});
-    const topLevelDepPackages = topLevelDependencies.reduce((acc, topLevelDepName) => {
-        const nameWithVersion = Object.keys(targetDependencies).find((targetDep) => 
-        // Lowercase the comparison, as .csproj <PackageReference>s are not case-sensitive, and can be written however you like.
-        targetDep.toLowerCase().startsWith(topLevelDepName.toLowerCase()));
-        if (!nameWithVersion) {
-            throw new errors_1.InvalidManifestError(`cant find a name and a version in assets file, something's very malformed`);
-        }
-        const [name, version] = nameWithVersion.split('/');
-        return { ...acc, [name]: version };
-    }, {});
     const rootNode = {
@@ -100,0 +92,0 @@ type: 'root',

dist/nuget-parser/runtime-assembly.js

@@ -24,19 +24,17 @@ "use strict";
     }
-    // Run through all TargetFrameworks, indexed for example
-    // .NETCoreApp,Version=v6.0/osx-arm64,
-    // .NETCoreApp,Version=v6.0/alpine-armv6
+    if (!(runtimeTargetName in deps.targets)) {
+        throw new errors.FileNotProcessableError(`could not locate ${runtimeTargetName} in list of targets, cannot continue`);
+    }
+    // Run through all runtimepacks in target, indexed for example as
+    // runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/7.0.14
+    // runtimepack.Microsoft.AspNetCore.App.Runtime.osx-arm64/7.0.14
     // ... etc.
     // See all: https://github.com/dotnet/runtime/blob/bd83e17052d3c09022bad1d91dca860ca6b27ab9/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
     let runtimeAssemblyVersions = {};
-    Object.entries(deps.targets).forEach(([target, dependencies]) => {
-        // Ignore target frameworks without dependencies, as they hold no dlls and thus no assembly versions to gauge.
-        if ((0, lodash_1.isEmpty)(dependencies)) {
-            return;
-        }
-        // Since we're running `dotnet publish` with `--use-current-runtime`, this should exist in the dependency list,
-        // but guard against it to ensure good user feedback in case we did something wrong.
-        const runtimePack = Object.keys(dependencies).find((dep) => dep.startsWith('runtimepack'));
-        if (!runtimePack) {
-            throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifier in the ${target} dependency`);
-        }
+    const runtimePacks = Object.keys(deps.targets[runtimeTargetName]).filter((t) => t.startsWith('runtimepack'));
+    if (runtimePacks.length <= 0) {
+        throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifiers in ${runtimeTargetName}, cannot continue`);
+    }
+    runtimePacks.forEach((runtimePack) => {
+        const dependencies = deps.targets[runtimeTargetName][runtimePack];
         // The runtimepack contains all the current RuntimeIdentifier (RID) assemblies which we are interested in.
@@ -50,6 +48,6 @@ // Such as
         // We traverse all those and store them for the dependency graph build.
-        if (!('runtime' in dependencies[runtimePack])) {
+        if (!('runtime' in dependencies)) {
             throw new errors.FileNotProcessableError(`could not find any runtime list in the ${runtimePack} dependency`);
         }
-        const runtimes = dependencies[runtimePack]['runtime'];
+        const runtimes = dependencies['runtime'];
         // Dig down into the specific runtimepack which contains all the assembly versions of
@@ -70,10 +68,10 @@ // the bundled DLLs for the given runtime, as:
         // on how vulnerabilities are reported in the future.
-        runtimeAssemblyVersions = Object.entries(runtimes).reduce((acc, [dll, versions]) => {
-            // Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything.
-            acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.');
-            return acc;
-        }, {});
-        // `dotnet publish` does not support multiple consecutive `--runtime` parameters, so there should really only
-        // be one. Thus, drop iterating more.
-        return;
+        runtimeAssemblyVersions = {
+            ...runtimeAssemblyVersions,
+            ...Object.entries(runtimes).reduce((acc, [dll, versions]) => {
+                // Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything.
+                acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.');
+                return acc;
+            }, {}),
+        };
     });
@@ -80,0 +78,0 @@ if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) {

package.json

@@ -61,3 +61,3 @@ {
   },
-  "version": "2.3.2"
+  "version": "2.3.3"
 }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Worsened metrics

Total package byte prevSize

132177

decreased by-0.88%

Lines of code

1803

decreased by-0.55%

No dependency changes