snyk-nuget-plugin 1.27.0 → 1.28.0
- package/dist/index.js +3 -1
- package/dist/index.js.map +1 -1
- package/dist/nuget-parser/index.js +18 -7
- package/dist/nuget-parser/index.js.map +1 -1
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js +14 -6
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js.map +1 -1
- package/dist/nuget-parser/runtime-assembly.js +74 -0
- package/dist/nuget-parser/runtime-assembly.js.map +1 -0
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -58,7 +58,9 @@ async function inspect(root, targetFile, options) {
|
|
|
58
58
|
if (manifestType !== types_1.ManifestType.DOTNET_CORE) {
|
|
59
59
|
return Promise.reject(new Error('runtime resolution beta flag is currently only applicable for .net core projects'));
|
|
60
60
|
}
|
|
61
|
-
|
|
61
|
+
// TODO: Replaced by a CLI argument when project is stabilized
|
|
62
|
+
const useRuntimeDependencies = true;
|
|
63
|
+
const result = await nugetParser.buildDepGraphFromFiles(root, targetFile, manifestType, options['assets-project-name'], useRuntimeDependencies, options['project-name-prefix']);
|
|
62
64
|
return {
|
|
63
65
|
dependencyGraph: result.dependencyGraph,
|
|
64
66
|
package: 'n/a',
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;AAAA,6BAA6B;AAC7B,8CAA8C;AAC9C,iDAAiD;AACjD,qCAA6C;AAC7C,gDAAmE;AAEnE,SAAS,qBAAqB,CAAC,QAAQ;IACrC,QAAQ,IAAI,EAAE;QACZ,KAAK,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACnC,OAAO,oBAAY,CAAC,YAAY,CAAC;SAClC;QACD,KAAK,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC1C,OAAO,oBAAY,CAAC,WAAW,CAAC;SACjC;QACD,KAAK,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtC,OAAO,oBAAY,CAAC,eAAe,CAAC;SACrC;QACD,KAAK,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzC,OAAO,oBAAY,CAAC,KAAK,CAAC;SAC3B;QACD,OAAO,CAAC,CAAC;YACP,MAAM,IAAI,0BAAiB,CACzB,wCAAwC,GAAG,QAAQ,CACpD,CAAC;SACH;KACF;AACH,CAAC;AAEM,KAAK,UAAU,OAAO,CAC3B,IAAI,EACJ,UAAU,EACV,OAAQ;IAER,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;IACxB,IAAI,YAA0B,CAAC;IAC/B,IAAI;QACF,YAAY,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC;KACzE;IAAC,OAAO,KAAK,EAAE;QACd,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC9B;IAED,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE;QACpC,MAAM,eAAe,GAAG,OAAO,CAAC,IAAI;YAClC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe;YAC9B,CAAC,CAAC,SAAS,CAAC;QACd,OAAO,OAAO,CAAC,IAAI,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE;gBACN,IAAI,EAAE,mBAAmB;gBACzB,UAAU;gBACV,aAAa,EAAE,eAAe;aAC/B;SACF,CAAC;IACJ,CAAC,CAAC;IAEF,IAAI,YAAY,KAAK,oBAAY,CAAC,KAAK,EAAE;QACvC,OAAO,WAAW;aACf,qBAAqB,CACpB,IAAI,EACJ,UAAU,EACV,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,EACjD,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,gDAAgD;QACvF,OAAO,CAAC,MAAM,CACf;aACA,IAAI,CAAC,iBAAiB,CAAC,CAAC;KAC5B;IAED,IAAI,OAAO,CAAC,2BAA2B,CAAC,EAAE;QACxC,IAAI,YAAY,KAAK,oBAAY,CAAC,WAAW,EAAE;YAC7C,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,kFAAkF,CACnF,CACF,CAAC;SACH;QAED,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,sBAAsB,CACrD,IAAI,EACJ,UAAU,EACV,YAAY,EACZ,OAAO,CAAC,qBAAqB,CAAC,EAC9B,OAAO,CAAC,qBAAqB,CAAC,CAC/B,CAAC;QACF,OAAO;YACL,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,OAAO,EAAE,KAAK;YACd,MAAM,EAAE;gBACN,IAAI,EAAE,mBAAmB;gBACzB,UAAU;gBACV,aAAa,EAAE,MAAM,CAAC,eAAe;aACtC;SACF,CAAC;KACH;IAED,OAAO,
WAAW;SACf,qBAAqB,CACpB,IAAI,EACJ,UAAU,EACV,OAAO,CAAC,cAAc,EACtB,YAAY,EACZ,OAAO,CAAC,qBAAqB,CAAC,EAC9B,OAAO,CAAC,qBAAqB,CAAC,CAC/B;SACA,IAAI,CAAC,iBAAiB,CAAC,CAAC;AAC7B,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;AAAA,6BAA6B;AAC7B,8CAA8C;AAC9C,iDAAiD;AACjD,qCAA6C;AAC7C,gDAAmE;AAEnE,SAAS,qBAAqB,CAAC,QAAQ;IACrC,QAAQ,IAAI,EAAE;QACZ,KAAK,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACnC,OAAO,oBAAY,CAAC,YAAY,CAAC;SAClC;QACD,KAAK,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC1C,OAAO,oBAAY,CAAC,WAAW,CAAC;SACjC;QACD,KAAK,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACtC,OAAO,oBAAY,CAAC,eAAe,CAAC;SACrC;QACD,KAAK,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzC,OAAO,oBAAY,CAAC,KAAK,CAAC;SAC3B;QACD,OAAO,CAAC,CAAC;YACP,MAAM,IAAI,0BAAiB,CACzB,wCAAwC,GAAG,QAAQ,CACpD,CAAC;SACH;KACF;AACH,CAAC;AAEM,KAAK,UAAU,OAAO,CAC3B,IAAI,EACJ,UAAU,EACV,OAAQ;IAER,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;IACxB,IAAI,YAA0B,CAAC;IAC/B,IAAI;QACF,YAAY,GAAG,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC;KACzE;IAAC,OAAO,KAAK,EAAE;QACd,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC9B;IAED,MAAM,iBAAiB,GAAG,CAAC,OAAO,EAAE,EAAE;QACpC,MAAM,eAAe,GAAG,OAAO,CAAC,IAAI;YAClC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe;YAC9B,CAAC,CAAC,SAAS,CAAC;QACd,OAAO,OAAO,CAAC,IAAI,CAAC;QACpB,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,MAAM,EAAE;gBACN,IAAI,EAAE,mBAAmB;gBACzB,UAAU;gBACV,aAAa,EAAE,eAAe;aAC/B;SACF,CAAC;IACJ,CAAC,CAAC;IAEF,IAAI,YAAY,KAAK,oBAAY,CAAC,KAAK,EAAE;QACvC,OAAO,WAAW;aACf,qBAAqB,CACpB,IAAI,EACJ,UAAU,EACV,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,EACjD,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,EAAE,gDAAgD;QACvF,OAAO,CAAC,MAAM,CACf;aACA,IAAI,CAAC,iBAAiB,CAAC,CAAC;KAC5B;IAED,IAAI,OAAO,CAAC,2BAA2B,CAAC,EAAE;QACxC,IAAI,YAAY,KAAK,oBAAY,CAAC,WAAW,EAAE;YAC7C,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,KAAK,CACP,kFAAkF,CACnF,CACF,CAAC;SACH;QAED,8DAA8D;QAC9D,MAAM,sBAAsB,GAAG,IAAI,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,sBAAsB,CACrD,IAAI,EACJ,UAAU,EACV,YAAY,EACZ,OAAO,CAAC,qBAAqB,CAAC,EAC9B,sBAAsB,EACtB,OAAO,CAAC,qBAAqB,CAAC,CAC/B,CAAC;QACF,OAAO;YACL,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,OAAO,EAAE,KAAK;YACd,MAAM,EAAE;gBACN,IAAI,EAAE,mBAAmB;gBACzB,UAAU;gBA
CV,aAAa,EAAE,MAAM,CAAC,eAAe;aACtC;SACF,CAAC;KACH;IAED,OAAO,WAAW;SACf,qBAAqB,CACpB,IAAI,EACJ,UAAU,EACV,OAAO,CAAC,cAAc,EACtB,YAAY,EACZ,OAAO,CAAC,qBAAqB,CAAC,EAC9B,OAAO,CAAC,qBAAqB,CAAC,CAC/B;SACA,IAAI,CAAC,iBAAiB,CAAC,CAAC;AAC7B,CAAC;AAhFD,0BAgFC"}
|
|
@@ -12,6 +12,8 @@ const projectJsonParser = require("./parsers/project-json-parser");
|
|
|
12
12
|
const packagesConfigParser = require("./parsers/packages-config-parser");
|
|
13
13
|
const errors_1 = require("../errors");
|
|
14
14
|
const types_1 = require("./types");
|
|
15
|
+
const dotnet = require("./cli/dotnet");
|
|
16
|
+
const runtimeAssembly = require("./runtime-assembly");
|
|
15
17
|
const debug = debugModule('snyk');
|
|
16
18
|
const PARSERS = {
|
|
17
19
|
'dotnet-core': {
|
|
@@ -53,7 +55,7 @@ function getFileContents(fileContentPath) {
|
|
|
53
55
|
throw new errors_1.FileNotProcessableError(error);
|
|
54
56
|
}
|
|
55
57
|
}
|
|
56
|
-
async function buildDepGraphFromFiles(root, targetFile, manifestType, useProjectNameFromAssetsFile, projectNamePrefix) {
|
|
58
|
+
async function buildDepGraphFromFiles(root, targetFile, manifestType, useProjectNameFromAssetsFile, useRuntimeDependencies, projectNamePrefix) {
|
|
57
59
|
var _a, _b;
|
|
58
60
|
const safeRoot = root || '.';
|
|
59
61
|
const safeTargetFile = targetFile || '.';
|
|
@@ -64,18 +66,27 @@ async function buildDepGraphFromFiles(root, targetFile, manifestType, useProject
|
|
|
64
66
|
const parser = PARSERS['dotnet-core-v2'];
|
|
65
67
|
const manifest = await parser.fileContentParser.parse(fileContent);
|
|
66
68
|
let resolvedProjectName = getRootName(root, projectRootFolder, projectNamePrefix);
|
|
69
|
+
const projectNameFromManifestFile = (_b = (_a = manifest === null || manifest === void 0 ? void 0 : manifest.project) === null || _a === void 0 ? void 0 : _a.restore) === null || _b === void 0 ? void 0 : _b.projectName;
|
|
67
70
|
if (manifestType === types_1.ManifestType.DOTNET_CORE &&
|
|
68
71
|
useProjectNameFromAssetsFile) {
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
resolvedProjectName = projectName;
|
|
72
|
+
if (projectNameFromManifestFile) {
|
|
73
|
+
resolvedProjectName = projectNameFromManifestFile;
|
|
72
74
|
}
|
|
73
75
|
else {
|
|
74
|
-
debug(
|
|
75
|
-
resolvedProjectName);
|
|
76
|
+
debug(`project.assets.json file doesn't contain a value for 'projectName'. Using default value: ${resolvedProjectName}`);
|
|
76
77
|
}
|
|
77
78
|
}
|
|
78
|
-
|
|
79
|
+
let assemblyVersions = {};
|
|
80
|
+
if (useRuntimeDependencies) {
|
|
81
|
+
// Ensure `dotnet` is installed on the system or fail trying.
|
|
82
|
+
await dotnet.validate();
|
|
83
|
+
// Run `dotnet publish` to create a self-contained publishable binary with included .dlls for assembly version inspection.
|
|
84
|
+
const publishDir = await dotnet.publish(projectRootFolder);
|
|
85
|
+
// Then inspect the dependency graph for the runtimepackage's assembly versions.
|
|
86
|
+
const depsFile = path.resolve(publishDir, `${projectNameFromManifestFile}.deps.json`);
|
|
87
|
+
assemblyVersions = await runtimeAssembly.generateRuntimeAssemblies(depsFile);
|
|
88
|
+
}
|
|
89
|
+
const depGraph = parser.depParser.parse(resolvedProjectName, manifest, assemblyVersions);
|
|
79
90
|
return {
|
|
80
91
|
dependencyGraph: depGraph,
|
|
81
92
|
targetFramework: targetFramework === null || targetFramework === void 0 ? void 0 : targetFramework.original,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/nuget-parser/index.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AACzB,6BAA6B;AAC7B,wDAAwD;AACxD,qCAAqC;AACrC,iEAAiE;AACjE,sEAAsE;AACtE,2EAA2E;AAC3E,mEAAmE;AACnE,yEAAyE;AACzE,sCAAoD;AACpD,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/nuget-parser/index.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AACzB,6BAA6B;AAC7B,wDAAwD;AACxD,qCAAqC;AACrC,iEAAiE;AACjE,sEAAsE;AACtE,2EAA2E;AAC3E,mEAAmE;AACnE,yEAAyE;AACzE,sCAAoD;AACpD,mCAA0E;AAE1E,uCAAuC;AACvC,sDAAsD;AAEtD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAElC,MAAM,OAAO,GAAG;IACd,aAAa,EAAE;QACb,SAAS,EAAE,gBAAgB;QAC3B,iBAAiB,EAAE,IAAI;KACxB;IACD,gBAAgB,EAAE;QAChB,SAAS,EAAE,kBAAkB;QAC7B,iBAAiB,EAAE,IAAI;KACxB;IACD,iBAAiB,EAAE;QACjB,SAAS,EAAE,qBAAqB;QAChC,iBAAiB,EAAE,oBAAoB;KACxC;IACD,cAAc,EAAE;QACd,SAAS,EAAE,qBAAqB;QAChC,iBAAiB,EAAE,iBAAiB;KACrC;CACF,CAAC;AAEF,SAAS,iBAAiB,CAAC,cAAc,EAAE,iBAAiB;IAC1D,IAAI,cAAc,EAAE;QAClB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;KACpD;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,WAAW,CAClB,IAAa,EACb,iBAA0B,EAC1B,iBAA0B;IAE1B,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,iBAAiB,IAAI,EAAE,CAAC,CAAC;IACvE,IAAI,iBAAiB,EAAE;QACrB,OAAO,iBAAiB,GAAG,eAAe,CAAC;KAC5C;IACD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,eAAuB;IAC9C,IAAI;QACF,KAAK,CAAC,sBAAsB,eAAe,EAAE,CAAC,CAAC;QAC/C,OAAO,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;KAClD;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,gCAAuB,CAAC,KAAK,CAAC,CAAC;KAC1C;AACH,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,IAAwB,EACxB,UAA8B,EAC9B,YAA0B,EAC1B,4BAAqC,EACrC,sBAA+B,EAC/B,iBAA0B;;IAK1B,MAAM,QAAQ,GAAG,IAAI,IAAI,GAAG,CAAC;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,GAAG,CAAC;IACzC,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,MAAM,YAAY,CAAC,+BAA+B,CACxE,iBAAiB,CAClB,CAAC;IAEF,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAEnE,IAAI,mBAAmB,GAAG,WAAW,CACnC,IAAI,EACJ,iBAAiB,EACjB,iBAAiB,CAClB,CAAC;IAEF,MAAM,2BAA2B,GAAG,MAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,0CAAE,OAAO,0CAAE,WAAW,CAAC
;IAC5E,IACE,YAAY,KAAK,oBAAY,CAAC,WAAW;QACzC,4BAA4B,EAC5B;QACA,IAAI,2BAA2B,EAAE;YAC/B,mBAAmB,GAAG,2BAA2B,CAAC;SACnD;aAAM;YACL,KAAK,CACH,4FAA4F,mBAAmB,EAAE,CAClH,CAAC;SACH;KACF;IAED,IAAI,gBAAgB,GAAqB,EAAE,CAAC;IAC5C,IAAI,sBAAsB,EAAE;QAC1B,6DAA6D;QAC7D,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QAExB,0HAA0H;QAC1H,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QAC3D,gFAAgF;QAChF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAC3B,UAAU,EACV,GAAG,2BAA2B,YAAY,CAC3C,CAAC;QACF,gBAAgB,GAAG,MAAM,eAAe,CAAC,yBAAyB,CAChE,QAAQ,CACT,CAAC;KACH;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CACrC,mBAAmB,EACnB,QAAQ,EACR,gBAAgB,CACjB,CAAC;IACF,OAAO;QACL,eAAe,EAAE,QAAQ;QACzB,eAAe,EAAE,eAAe,aAAf,eAAe,uBAAf,eAAe,CAAE,QAAQ;KAC3C,CAAC;AACJ,CAAC;AArED,wDAqEC;AAEM,KAAK,UAAU,qBAAqB,CACzC,IAAwB,EACxB,UAA8B,EAC9B,kBAAsC,EACtC,YAA0B,EAC1B,4BAAqC,EACrC,iBAA0B;;IAE1B,MAAM,QAAQ,GAAG,IAAI,IAAI,GAAG,CAAC;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,GAAG,CAAC;IACzC,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,iBAAiB,CACtC,kBAAkB,EAClB,iBAAiB,CAClB,CAAC;IAEF,MAAM,IAAI,GAAG;QACX,YAAY,EAAE,EAAE;QAChB,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,iBAAiB,EAAE,iBAAiB,CAAC;QAC7D,oBAAoB,EAAE,aAAa;QACnC,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,IAAI,eAA4C,CAAC;IACjD,IAAI;QACF,IAAI,YAAY,KAAK,oBAAY,CAAC,WAAW,EAAE;YAC7C,eAAe,GAAG,MAAM,YAAY,CAAC,+BAA+B,CAClE,iBAAiB,CAClB,CAAC;SACH;aAAM;YACL,sEAAsE;YACtE,MAAM,0BAA0B,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;YACxE,eAAe,GAAG,MAAM,YAAY,CAAC,+BAA+B,CAClE,0BAA0B,CAC3B,CAAC;YAEF,+FAA+F;YAC/F,IAAI,CAAC,eAAe,EAAE;gBACpB,+CAA+C;gBAC/C,IAAI,YAAY,KAAK,oBAAY,CAAC,eAAe,EAAE;oBACjD,eAAe;wBACb,MAAM,oBAAoB,CAAC,yBAAyB,CAAC,WAAW,CAAC,CAAC;iBACrE;aACF;SACF;KACF;IAAC,OAAO,KAAK,EAAE;QACd,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KAC9B;IAED,IAAI,CAAC,IAAI,GAAG;QACV,eAAe,EAAE,eAAe,CAAC,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,EAAE,sCAAsC;KAChH,CAAC;IAEF,MAAM,MAAM,GAAG,OAA
O,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;IAEzE,IACE,YAAY,KAAK,oBAAY,CAAC,WAAW;QACzC,4BAA4B,EAC5B;QACA,MAAM,WAAW,GAAG,MAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,0CAAE,OAAO,0CAAE,WAAW,CAAC;QAE5D,IAAI,WAAW,EAAE;YACf,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;SACzB;aAAM;YACL,KAAK,CACH,2FAA2F;gBACzF,IAAI,CAAC,IAAI,CACZ,CAAC;SACH;KACF;IAED,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAC3B,IAAI,EACJ,QAAQ,EACR,eAAe,EACf,cAAc,CACf,CAAC;AACJ,CAAC;AAjFD,sDAiFC"}
|
|
@@ -11,22 +11,30 @@ function recursivelyPopulateNodes(depGraphBuilder, targetDeps, node, runtimeAsse
|
|
|
11
11
|
for (const depNode of Object.entries(node.dependencies || {})) {
|
|
12
12
|
const localVisited = visited || new Set();
|
|
13
13
|
const name = depNode[0];
|
|
14
|
-
|
|
15
|
-
if (runtimeAssembly && name in runtimeAssembly) {
|
|
16
|
-
version = runtimeAssembly[name];
|
|
17
|
-
}
|
|
14
|
+
const version = depNode[1];
|
|
18
15
|
const childNode = Object.assign(Object.assign({}, targetDeps[`${name}/${version}`]), { name,
|
|
19
16
|
version });
|
|
20
17
|
const childId = `${childNode.name}@${childNode.version}`;
|
|
18
|
+
// If we've supplied runtime assembly versions for self-contained dlls, overwrite the dependency version
|
|
19
|
+
// we've found in the graph with those from the runtime assembly, as they take precedence.
|
|
20
|
+
let assemblyVersion = version;
|
|
21
|
+
if (runtimeAssembly) {
|
|
22
|
+
// The RuntimeAssembly type contains the name with a .dll suffix, as this is how .NET represents them in the
|
|
23
|
+
// dependency file. This must be stripped in order to match the elements during depGraph construction.
|
|
24
|
+
const dll = `${name}.dll`;
|
|
25
|
+
if (dll in runtimeAssembly) {
|
|
26
|
+
assemblyVersion = runtimeAssembly[dll];
|
|
27
|
+
}
|
|
28
|
+
}
|
|
21
29
|
if (localVisited.has(childId)) {
|
|
22
30
|
const prunedId = `${childId}:pruned`;
|
|
23
|
-
depGraphBuilder.addPkgNode({ name: childNode.name, version:
|
|
31
|
+
depGraphBuilder.addPkgNode({ name: childNode.name, version: assemblyVersion }, prunedId, {
|
|
24
32
|
labels: { pruned: 'true' },
|
|
25
33
|
});
|
|
26
34
|
depGraphBuilder.connectDep(parentId, prunedId);
|
|
27
35
|
continue;
|
|
28
36
|
}
|
|
29
|
-
depGraphBuilder.addPkgNode({ name: childNode.name, version:
|
|
37
|
+
depGraphBuilder.addPkgNode({ name: childNode.name, version: assemblyVersion }, childId);
|
|
30
38
|
depGraphBuilder.connectDep(parentId, childId);
|
|
31
39
|
localVisited.add(childId);
|
|
32
40
|
recursivelyPopulateNodes(depGraphBuilder, targetDeps, childNode, runtimeAssembly, localVisited);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;
|
|
1
|
+
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;AAGlD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAiBlC,oDAAoD;AACpD,MAAM,0BAA0B,GAAG,CAAC,SAAS,CAAC,CAAC;AAE/C,SAAS,wBAAwB,CAC/B,eAAgC,EAChC,UAAyC,EACzC,IAAmB,EACnB,eAAkC,EAClC,OAAqB;IAErB,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IAEtE,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE;QAC7D,MAAM,YAAY,GAAG,OAAO,IAAI,IAAI,GAAG,EAAU,CAAC;QAClD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAE3B,MAAM,SAAS,mCACV,UAAU,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC,KACnC,IAAI;YACJ,OAAO,GACR,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAEzD,wGAAwG;QACxG,0FAA0F;QAC1F,IAAI,eAAe,GAAG,OAAO,CAAC;QAC9B,IAAI,eAAe,EAAE;YACnB,4GAA4G;YAC5G,sGAAsG;YACtG,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;YAC1B,IAAI,GAAG,IAAI,eAAe,EAAE;gBAC1B,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;aACxC;SACF;QAED,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC7B,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,CAAC;YACrC,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,QAAQ,EACR;gBACE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;aAC3B,CACF,CAAC;YACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,SAAS;SACV;QAED,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,OAAO,CACR,CAAC;QACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE1B,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,CACb,CAAC;KACH;AACH,CAAC;AAED,SAAS,UAAU,CACjB,WAAmB,EACnB,aAA4B,EAC5B,eAAkC;IAElC,MAAM,eAAe,GAAG,IAAI,2BAAe,CACzC,EAAE,IAAI,EAAE,OAAO,EAAE,EACjB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,OAAO;KACvC,CACF,CAAC;IAEF,6BAA6B;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,C
AAC;IAC7D,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,YAAY,CACnD,CAAC;IAEF,uGAAuG;IACvG,MAAM,UAAU,GAAkC,MAAM,CAAC,OAAO,CAC9D,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,CAC3B,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACtB,MAAM,CAAC,eAAe,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QAErC,IACE,0BAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACzC,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,CACnC,EACD;YACA,OAAO,GAAG,CAAC;SACZ;QAED,uCAAY,GAAG,KAAE,CAAC,eAAe,CAAC,EAAE,GAAG,IAAG;IAC5C,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,mBAAmB,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,eAAe,EAAE,EAAE;QACvE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CACjE,SAAS,CAAC,UAAU,CAAC,eAAe,CAAC,CACtC,CAAC;QACF,IAAI,CAAC,eAAe,EAAE;YACpB,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;SACH;QAED,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEnD,uCAAY,GAAG,KAAE,CAAC,IAAI,CAAC,EAAE,OAAO,IAAG;IACrC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,MAAM;QACZ,YAAY,EAAE,mBAAmB;KACjB,CAAC;IAEnB,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,QAAQ,EACR,eAAe,CAChB,CAAC;IAEF,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,SAAgB,KAAK,CACnB,WAAmB,EACnB,aAA4B,EAC5B,eAAkC;IAElC,KAAK,CAAC,6DAA6D,CAAC,CAAC;IAErE,IAAI,MAAM,CAAC;IACX,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,GAAG,UAAU,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;KACjD;SAAM;QACL,MAAM,GAAG,UAAU,CAAC,WAAW,EAAE,aAAa,EAAE,eAAe,CAAC,CAAC;KAClE;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAdD,sBAcC"}
|
|
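--- a/package/dist/nuget-parser/runtime-assembly.js
+++ b/package/dist/nuget-parser/runtime-assembly.js
@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRuntimeAssemblies = void 0;
+const errors = require("../errors/");
+const fs = require("fs");
+const lodash_1 = require("lodash");
+// The Nuget dependency resolution rule of lowest applicable version
+// (see https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#lowest-applicable-version)
+// does not apply to runtime dependencies. If you resolve a dependency graph of some package, that depends on
+// System.Http.Net 4.0.0, you might still very well end up using System.Http.Net 7.0.0 if you are running your
+// executable on .net7.0.
+// The `dotnet publish` will give a good estimate of what runtime dependencies are going to be used, so we inspect
+// that for information.
+// See https://natemcmaster.com/blog/2017/12/21/netcore-primitives/ for a good overview.
+async function generateRuntimeAssemblies(filePath) {
+const depsFile = fs.readFileSync(filePath);
+const deps = JSON.parse(depsFile.toString('utf-8'));
+if (!deps.targets) {
+throw new errors.FileNotProcessableError('could not find any targets in deps file');
+}
+// Run through all TargetFrameworks, indexed for example
+// .NETCoreApp,Version=v6.0/osx-arm64,
+// .NETCoreApp,Version=v6.0/alpine-armv6
+// ... etc.
+// See all: https://github.com/dotnet/runtime/blob/bd83e17052d3c09022bad1d91dca860ca6b27ab9/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
+const runtimeAssemblyVersions = {};
+Object.entries(deps.targets).forEach(([target, dependencies]) => {
+// Ignore target frameworks without dependencies, as they hold no dlls and thus no assembly versions to gauge.
+if ((0, lodash_1.isEmpty)(dependencies)) {
+return;
+}
+// The RuntimeIdentifier' (RID) dependencies are indexed in the target dependencies as a 'runtimepack'.
+// Find the first entry in the list of targets as:
+// "your-top-level-project/1.0.0": {...},
+// "Castle.Core/4.4.1": {...},
+// "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {...},
+// ... etc.
+const [runtimePack, runtimeDependencies] = Object.entries(dependencies).find(([key]) => key.toLowerCase().startsWith('runtimepack')) || [];
+if (!runtimePack) {
+throw new errors.FileNotProcessableError(`could not find any runtimepack.* targets in the ${target} dependency`);
+}
+if (!runtimeDependencies || !('runtime' in runtimeDependencies)) {
+throw new errors.FileNotProcessableError(`could not find any runtime dependencies the ${target} dependency`);
+}
+// Dig down into the specific runtimepack which contains all the assembly versions of
+// the bundled DLLs for the given runtime, as:
+// "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {
+// "runtime": {
+// "Microsoft.CSharp.dll": {
+// "assemblyVersion": "6.0.0.0",
+// "fileVersion": "6.0.1623.17311"
+// },
+// "Microsoft.VisualBasic.Core.dll": {
+// "assemblyVersion": "11.0.0.0",
+// "fileVersion": "11.100.1623.17311"
+// },
+// (...)
+// We currently only address assemblyVersions. FileVersion might become relevant, depending
+// on how vulnerabilities are reported in the future.
+runtimeAssemblyVersions[target] = Object.entries(runtimeDependencies.runtime).reduce((acc, [dll, versions]) => {
+// Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything.
+acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.');
+return acc;
+}, {});
+});
+if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) {
+throw new errors.FileNotProcessableError('collection of runtime assembly versions was empty, that should not happen');
+}
+// FIXME: This has been done to make the future easier, as we probably soon will need to support multiple
+// RIDs. Currently, we are only looking at the first one.
+return Object.values(runtimeAssemblyVersions)[0];
+}
+exports.generateRuntimeAssemblies = generateRuntimeAssemblies;
+//# sourceMappingURL=runtime-assembly.js.map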
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,yBAAyB;AACzB,mCAAiC;AASjC,oEAAoE;AACpE,yGAAyG;AACzG,6GAA6G;AAC7G,8GAA8G;AAC9G,yBAAyB;AACzB,kHAAkH;AAClH,wBAAwB;AACxB,wFAAwF;AACjF,KAAK,UAAU,yBAAyB,CAC7C,QAAgB;IAEhB,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE;QACjB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,yCAAyC,CAC1C,CAAC;KACH;IAED,wDAAwD;IACxD,sCAAsC;IACtC,wCAAwC;IACxC,WAAW;IACX,sJAAsJ;IACtJ,MAAM,uBAAuB,GAA4B,EAAE,CAAC;IAC5D,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,EAAE;QACzE,8GAA8G;QAC9G,IAAI,IAAA,gBAAO,EAAC,YAAY,CAAC,EAAE;YACzB,OAAO;SACR;QAED,uGAAuG;QACvG,kDAAkD;QAClD,0CAA0C;QAC1C,+BAA+B;QAC/B,wEAAwE;QACxE,WAAW;QACX,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC,GACtC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAC1C,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAC5C,IAAI,EAAE,CAAC;QAEV,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,mDAAmD,MAAM,aAAa,CACvE,CAAC;SACH;QAED,IAAI,CAAC,mBAAmB,IAAI,CAAC,CAAC,SAAS,IAAI,mBAAmB,CAAC,EAAE;YAC/D,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,+CAA+C,MAAM,aAAa,CACnE,CAAC;SACH;QAED,qFAAqF;QACrF,8CAA8C;QAC9C,kEAAkE;QAClE,iBAAiB;QACjB,gCAAgC;QAChC,sCAAsC;QACtC,wCAAwC;QACxC,SAAS;QACT,0CAA0C;QAC1C,uCAAuC;QACvC,2CAA2C;QAC3C,SAAS;QACT,SAAS;QACT,2FAA2F;QAC3F,qDAAqD;QACrD,uBAAuB,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAC9C,mBAAmB,CAAC,OAAmB,CACxC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE;YAChC,6GAA6G;YAC7G,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,IAAI,IAAA,gBAAO,EAAC,uBAAuB,CAAC,EAAE;QACpC,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,2EAA2E,CAC5E,CAAC;KACH;IAED,yGAAyG;IACzG,0DAA0
D;IAC1D,OAAO,MAAM,CAAC,MAAM,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AAhFD,8DAgFC"}
|
package/package.json
CHANGED