snyk-nuget-plugin 2.0.1 → 2.2.0
- package/dist/nuget-parser/cli/dotnet.js +12 -41
- package/dist/nuget-parser/cli/dotnet.js.map +1 -1
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js +3 -1
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js.map +1 -1
- package/dist/nuget-parser/runtime-assembly.js +22 -36
- package/dist/nuget-parser/runtime-assembly.js.map +1 -1
- package/dist/nuget-parser/types.d.ts +0 -1
- package/package.json +1 -1
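--- a/package/dist/nuget-parser/cli/dotnet.js
+++ b/package/dist/nuget-parser/cli/dotnet.js
@@ -5,6 +5,8 @@ const debugModule = require("debug");
 const errors_1 = require("../../errors");
 const path = require("path");
 const subprocess = require("./subprocess");
+const fs = require("fs");
+const os = require("os");
 const debug = debugModule('snyk');
 async function handle(operation, command, args) {
 debug(`running dotnet command: ${operation}: ${command}`);
@@ -49,59 +51,28 @@ async function run(projectPath, options) {
 }
 exports.run = run;
 async function publish(projectPath, targetFramework) {
-var _a;
 const command = 'dotnet';
 const args = ['publish', '--nologo'];
 // Self-contained: Create all required .dlls for version investigation, don't rely on the environment.
 args.push('--sc');
+// Use the current runtime of whatever platform we are on.
+// This ensures that .dlls will be packaged containing the runtime assembly versions.
+// TODO: (OSM-521) if/when we allow this to be dynamic based on user input, remember to change this.
+args.push('--use-current-runtime');
 // If your .csproj file contains multiple <TargetFramework> references, you need to supply which one you want to publish.
 if (targetFramework) {
 args.push('--framework');
 args.push(targetFramework);
 }
+// Define a temporary output dir to use for detecting .dlls to use for runtime version assembly detection.
+const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), `snyk-nuget-plugin-publish-csharp-`));
+args.push('--output');
+args.push(tempDir);
 // The path that contains either some form of project file, or a .sln one.
 // See: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-publish#arguments
 args.push(projectPath);
-
-
-// for a self-contained executable. Specifically determining an output folder with --output is deprecated,
-// as it leads to unpredictable results for multiple target frameworks and runtimes, so we have to cherry-pick
-// the folders.
-// See: https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/7.0/solution-level-output-no-longer-valid.
-// FIXME: As we're not supporting multiple frameworks all over the place, we have to just take the first one.
-// It's probably safe, as runtime dll versions most likely don't differ much across *most* dependencies, but
-// OS-specific ones (e.g. crypto) might.
-// Looking for something like <project_name> -> /path/to/<project_name>/bin/Debug/<target_framework>/publish/ on Unix.
-// We could also just hope Microsoft never changes their naming convention, but I think this is less error-prone,
-// and will potentially also support multiple target frameworks.
-const publishDirLine = response.stdout
-.split(/[\r\n]+/)
-// Projects that are referring to other local projects in their PackageReference item groups will also be restored
-// in a chained operation. The project we're interested in will be shown last, thus we reverse it.
-.reverse()
-// TODO: For multiple target frameworks, replace `find` with a map or something of that kind to return more than the first.
-// The first thing to get published ought to be the project's own .dll or .exe file, depending on the architecture.
-// E.g., something like:
-// dotnet_6 -> /foo/bar/project/bin/Debug/net6.0/osx-arm64/project_name.dll
-// Either way, since we're forcing a publish of a self-contained project, all .dlls should be placed there.
-// PRs are welcome!
-.find((line) => line.endsWith('.dll') || line.endsWith('.exe'));
-if (!publishDirLine) {
-const err = `Could not find a valid publish path while reading stdout: ${response.stdout}`;
-debug(err);
-throw new errors_1.CliCommandError(`Unable to find a publish dir: ${err}`);
-}
-// dotnet_6 -> /foo/bar/project/bin/Debug/net6.0/osx-arm64/project_name.dll will then have the first part removed:
-const [, publishedDllPath] = (_a = publishDirLine.split('->')) !== null && _a !== void 0 ? _a : [];
-if (!publishedDllPath) {
-const err = `Could not find a valid publish dir while splitting the line: ${publishDirLine}`;
-debug(err);
-throw new errors_1.CliCommandError(`Unable to find a publish dir: ${err}`);
-}
-// /foo/bar/project/bin/Debug/net6.0/osx-arm64/project_name.dll will then need to be stripped from a file name,
-// in order to return just the so-called "publish dir":
-const dirName = path.dirname(publishedDllPath.trim());
-return dirName;
+await handle('publish', command, args);
+return tempDir;
 }
 exports.publish = publish;
 //# sourceMappingURL=dotnet.js.map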
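Review bot: `publish` returns `tempDir` on new line 75 but nothing in this function ever removes it, and when `handle('publish', …)` on line 74 throws, the directory just created by `fs.mkdtempSync` under `os.tmpdir()` stays behind with whatever `dotnet publish` had already written into it — the previous implementation reused the project's own `bin/` output and had no such leak. Wrap the call so the directory is removed on failure and state in a comment that the caller owns cleanup on success (the caller is outside this diff, so whether it already deletes the directory is unverified; `fs.rmSync` needs Node ≥ 14.14, `fs.rmdirSync(dir, { recursive: true })` is the older equivalent). A scanner-specific caveat also got lost: `--use-current-runtime` pins the published runtimepack to the RID of the machine running the scan, so RID-specific runtime assemblies of the real deployment target are not what gets inspected; the removed FIXME mentioned OS-specific crypto libraries for exactly this reason and the new TODO (OSM-521) does not, so I would carry that sentence over next to `args.push('--use-current-runtime')`.
```javascript
    args.push(projectPath);
    try {
        await handle('publish', command, args);
    } catch (err) {
        // Do not leave a half-written publish directory behind in os.tmpdir() when publish fails.
        fs.rmSync(tempDir, { recursive: true, force: true });
        throw err;
    }
    // NOTE: the caller owns tempDir and must remove it once the published .dlls have been read.
    return tempDir;
```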
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dotnet.js","sourceRoot":"","sources":["../../../lib/nuget-parser/cli/dotnet.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AACrC,yCAA+C;AAC/C,6BAA6B;AAC7B,2CAA2C;
|
|
1
|
+
{"version":3,"file":"dotnet.js","sourceRoot":"","sources":["../../../lib/nuget-parser/cli/dotnet.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AACrC,yCAA+C;AAC/C,6BAA6B;AAC7B,2CAA2C;AAC3C,yBAAyB;AACzB,yBAAyB;AAEzB,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAElC,KAAK,UAAU,MAAM,CACnB,SAAiB,EACjB,OAAe,EACf,IAAc;IAEd,KAAK,CAAC,2BAA2B,SAAS,KAAK,OAAO,EAAE,CAAC,CAAC;IAE1D,IAAI;QACF,OAAO,MAAM,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;KAChD;IAAC,OAAO,KAAc,EAAE;QACvB,IACE,CAAC,CACC,OAAO,KAAK,KAAK,QAAQ;YACzB,KAAK,KAAK,IAAI;YACd,QAAQ,IAAI,KAAK;YACjB,QAAQ,IAAI,KAAK,CAClB,EACD;YACA,MAAM,IAAI,wBAAe,CACvB,UAAU,SAAS,uBAAuB,KAAK,EAAE,CAClD,CAAC;SACH;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC;QAC7C,MAAM,IAAI,wBAAe,CACvB,UAAU,SAAS,uBAAuB,OAAO,EAAE,CACpD,CAAC;KACH;AACH,CAAC;AAEM,KAAK,UAAU,QAAQ;IAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC;IACzB,MAAM,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IAE3B,IAAI;QACF,MAAM,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;KACxC;IAAC,OAAO,KAAc,EAAE;QACvB,KAAK,CAAC,qDAAqD,CAAC,CAAC;QAC7D,MAAM,KAAK,CAAC;KACb;AACH,CAAC;AAVD,4BAUC;AAEM,KAAK,UAAU,OAAO,CAAC,WAAmB;IAC/C,MAAM,OAAO,GAAG,QAAQ,CAAC;IACzB,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACvC,OAAO;AACT,CAAC;AALD,0BAKC;AAEM,KAAK,UAAU,GAAG,CACvB,WAAmB,EACnB,OAAiB;IAEjB,MAAM,OAAO,GAAG,QAAQ,CAAC;IACzB,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,QAAQ,CAAC,MAAM,CAAC;AACzB,CAAC;AARD,kBAQC;AAEM,KAAK,UAAU,OAAO,CAC3B,WAAmB,EACnB,eAAwB;IAExB,MAAM,OAAO,GAAG,QAAQ,CAAC;IACzB,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACrC,sGAAsG;IACtG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAElB,0DAA0D;IAC1D,qFAAqF;IACrF,oGAAoG;IACpG,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAEnC,yHAAyH;IACzH,IAAI,eAAe,EAAE;QACnB,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;KAC5B;IAED,0GAA0G;IAC1G,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAC5B,IAAI,CAAC,IAAI,CAAC,EAA
E,CAAC,MAAM,EAAE,EAAE,mCAAmC,CAAC,CAC5D,CAAC;IACF,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACtB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEnB,0EAA0E;IAC1E,oFAAoF;IACpF,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAEvB,MAAM,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAEvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAlCD,0BAkCC"}
|
|
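--- a/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js
+++ b/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js
@@ -103,7 +103,9 @@ function buildGraph(projectName, projectAssets, runtimeAssembly, targetFramework
 return { ...acc, [nameWithVersion]: pkg };
 }, {});
 const topLevelDepPackages = topLevelDeps.reduce((acc, topLevelDepName) => {
-const nameWithVersion = Object.keys(targetDeps).find((targetDep) =>
+const nameWithVersion = Object.keys(targetDeps).find((targetDep) =>
+// Lowercase the comparison, as .csproj <PackageReference>s are not case-sensitive, and can be written however you like.
+targetDep.toLowerCase().startsWith(topLevelDepName.toLowerCase()));
 if (!nameWithVersion) {
 throw new errors_1.InvalidManifestError(`cant find a name and a version in assets file, something's very malformed`);
 }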
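Review bot: The lowercased `startsWith` on new line 108 still matches on a bare prefix, so a top-level reference such as `Foo` resolves to `Foo.Bar/1.2.3` whenever that key precedes `Foo/…` in `targetDeps`, and the graph then carries the wrong package and version for the dependency being scanned. If the keys are `name/version` as the name `nameWithVersion` suggests, include the separator in the comparison: `targetDep.toLowerCase().startsWith(`${topLevelDepName.toLowerCase()}/`)`. The case-insensitive comparison itself is the right call, since NuGet package IDs are not case-sensitive. `buildGraph` begins before this hunk and continues past it.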
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;AAElD,yCAA6E;AAE7E,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAYlC,oDAAoD;AACpD,MAAM,0BAA0B,GAAG,CAAC,SAAS,CAAC,CAAC;AAE/C,mHAAmH;AACnH,yHAAyH;AACzH,+GAA+G;AAC/G,iGAAiG;AACjG,0GAA0G;AAC1G,0DAA0D;AAC1D,6HAA6H;AAC7H,SAAS,oCAAoC,CAC3C,mBAAwC,EACxC,UAA+B;IAE/B,MAAM,SAAS,GAAG,mBAAmB,CAAC,SAAS,CAAC;IAChD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,mBAAmB,CAAC;IACzD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,KAAK,CACH,yDAAyD,gBAAgB,CAAC,IAAI,CAC5E,GAAG,CACJ,EAAE,CACJ,CAAC;IAEF,+EAA+E;IAC/E,0HAA0H;IAC1H,IAAI,QAAQ,IAAI,UAAU,EAAE;QAC1B,KAAK,CAAC,YAAY,QAAQ,iCAAiC,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC;KACjB;IAED,8GAA8G;IAC9G,IAAI,SAAS,IAAI,UAAU,EAAE;QAC3B,KAAK,CAAC,YAAY,SAAS,iCAAiC,CAAC,CAAC;QAC9D,OAAO,SAAS,CAAC;KAClB;IAED,MAAM,IAAI,gCAAuB,CAC/B,mDAAmD,mBAAmB,CAAC,SAAS,gDAAgD,gBAAgB,EAAE,CACnJ,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,eAAgC,EAChC,UAAyC,EACzC,IAAmB,EACnB,eAAiC,EACjC,OAAqB;IAErB,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IAEtE,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE;QAC7D,MAAM,YAAY,GAAG,OAAO,IAAI,IAAI,GAAG,EAAU,CAAC;QAClD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAE3B,MAAM,SAAS,GAAG;YAChB,GAAG,UAAU,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI;YACJ,OAAO;SACR,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAEzD,4GAA4G;QAC5G,0FAA0F;QAC1F,IAAI,eAAe,GAAG,OAAO,CAAC;QAC9B,4GAA4G;QAC5G,sGAAsG;QACtG,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;QAC1B,IAAI,GAAG,IAAI,eAAe,EAAE;YAC1B,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;SACxC;QAED,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC7B,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,CAAC;YACrC,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,QAAQ,EACR;gBACE,MAAM,EAAE,EAAE,MAAM
,EAAE,MAAM,EAAE;aAC3B,CACF,CAAC;YACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,SAAS;SACV;QAED,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,OAAO,CACR,CAAC;QACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE1B,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,CACb,CAAC;KACH;AACH,CAAC;AAED,SAAS,UAAU,CACjB,WAAmB,EACnB,aAA4B,EAC5B,eAAiC,EACjC,mBAAwC;IAExC,MAAM,eAAe,GAAG,IAAI,2BAAe,CACzC,EAAE,IAAI,EAAE,OAAO,EAAE,EACjB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,OAAO;KACvC,CACF,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;QAC7D,MAAM,IAAI,6BAAoB,CAC5B,8HAA8H,CAC/H,CAAC;KACH;IAED,4GAA4G;IAC5G,MAAM,iBAAiB,GAAG,oCAAoC,CAC5D,mBAAmB,EACnB,aAAa,CAAC,OAAO,CAAC,UAAU,CACjC,CAAC;IAEF,uEAAuE;IACvE,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,YAAY,EAAE;QACrE,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC;KAChC;IAED,qFAAqF;IACrF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,YAAY,CACjE,CAAC;IAEF,gHAAgH;IAChH,wHAAwH;IACxH,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;QAClD,MAAM,IAAI,6BAAoB,CAC5B,qHAAqH,CACtH,CAAC;KACH;IAED,uFAAuF;IACvF,uGAAuG;IACvG,0EAA0E;IAC1E,MAAM,qBAAqB,GAAG,oCAAoC,CAChE,mBAAmB,EACnB,aAAa,CAAC,OAAO,CACtB,CAAC;IACF,MAAM,2BAA2B,GAC/B,aAAa,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAE/C,mHAAmH;IACnH,MAAM,UAAU,GAAkC,MAAM,CAAC,OAAO,CAC9D,2BAA2B,CAC5B,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACtB,MAAM,CAAC,eAAe,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QAErC,uHAAuH;QACvH,IACE,0BAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACzC,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,CACnC,EACD;YACA,OAAO,GAAG,CAAC;SACZ;QAED,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC;IAC5C,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,mBAAmB,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,eAAe,EAAE,EAAE;QACvE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,
|
|
1
|
+
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;AAElD,yCAA6E;AAE7E,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAYlC,oDAAoD;AACpD,MAAM,0BAA0B,GAAG,CAAC,SAAS,CAAC,CAAC;AAE/C,mHAAmH;AACnH,yHAAyH;AACzH,+GAA+G;AAC/G,iGAAiG;AACjG,0GAA0G;AAC1G,0DAA0D;AAC1D,6HAA6H;AAC7H,SAAS,oCAAoC,CAC3C,mBAAwC,EACxC,UAA+B;IAE/B,MAAM,SAAS,GAAG,mBAAmB,CAAC,SAAS,CAAC;IAChD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,mBAAmB,CAAC;IACzD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,KAAK,CACH,yDAAyD,gBAAgB,CAAC,IAAI,CAC5E,GAAG,CACJ,EAAE,CACJ,CAAC;IAEF,+EAA+E;IAC/E,0HAA0H;IAC1H,IAAI,QAAQ,IAAI,UAAU,EAAE;QAC1B,KAAK,CAAC,YAAY,QAAQ,iCAAiC,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC;KACjB;IAED,8GAA8G;IAC9G,IAAI,SAAS,IAAI,UAAU,EAAE;QAC3B,KAAK,CAAC,YAAY,SAAS,iCAAiC,CAAC,CAAC;QAC9D,OAAO,SAAS,CAAC;KAClB;IAED,MAAM,IAAI,gCAAuB,CAC/B,mDAAmD,mBAAmB,CAAC,SAAS,gDAAgD,gBAAgB,EAAE,CACnJ,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAC/B,eAAgC,EAChC,UAAyC,EACzC,IAAmB,EACnB,eAAiC,EACjC,OAAqB;IAErB,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IAEtE,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE;QAC7D,MAAM,YAAY,GAAG,OAAO,IAAI,IAAI,GAAG,EAAU,CAAC;QAClD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAE3B,MAAM,SAAS,GAAG;YAChB,GAAG,UAAU,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI;YACJ,OAAO;SACR,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAEzD,4GAA4G;QAC5G,0FAA0F;QAC1F,IAAI,eAAe,GAAG,OAAO,CAAC;QAC9B,4GAA4G;QAC5G,sGAAsG;QACtG,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;QAC1B,IAAI,GAAG,IAAI,eAAe,EAAE;YAC1B,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;SACxC;QAED,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC7B,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,CAAC;YACrC,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,QAAQ,EACR;gBACE,MAAM,EAAE,EAAE,MAAM
,EAAE,MAAM,EAAE;aAC3B,CACF,CAAC;YACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,SAAS;SACV;QAED,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,OAAO,CACR,CAAC;QACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE1B,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,CACb,CAAC;KACH;AACH,CAAC;AAED,SAAS,UAAU,CACjB,WAAmB,EACnB,aAA4B,EAC5B,eAAiC,EACjC,mBAAwC;IAExC,MAAM,eAAe,GAAG,IAAI,2BAAe,CACzC,EAAE,IAAI,EAAE,OAAO,EAAE,EACjB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,OAAO;KACvC,CACF,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;QAC7D,MAAM,IAAI,6BAAoB,CAC5B,8HAA8H,CAC/H,CAAC;KACH;IAED,4GAA4G;IAC5G,MAAM,iBAAiB,GAAG,oCAAoC,CAC5D,mBAAmB,EACnB,aAAa,CAAC,OAAO,CAAC,UAAU,CACjC,CAAC;IAEF,uEAAuE;IACvE,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,YAAY,EAAE;QACrE,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC;KAChC;IAED,qFAAqF;IACrF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,YAAY,CACjE,CAAC;IAEF,gHAAgH;IAChH,wHAAwH;IACxH,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE;QAClD,MAAM,IAAI,6BAAoB,CAC5B,qHAAqH,CACtH,CAAC;KACH;IAED,uFAAuF;IACvF,uGAAuG;IACvG,0EAA0E;IAC1E,MAAM,qBAAqB,GAAG,oCAAoC,CAChE,mBAAmB,EACnB,aAAa,CAAC,OAAO,CACtB,CAAC;IACF,MAAM,2BAA2B,GAC/B,aAAa,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAE/C,mHAAmH;IACnH,MAAM,UAAU,GAAkC,MAAM,CAAC,OAAO,CAC9D,2BAA2B,CAC5B,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACtB,MAAM,CAAC,eAAe,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QAErC,uHAAuH;QACvH,IACE,0BAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACzC,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,CACnC,EACD;YACA,OAAO,GAAG,CAAC;SACZ;QAED,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC;IAC5C,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,mBAAmB,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,eAAe,EAAE,EAAE;QACvE,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QACjE,wHAAwH;QACxH,SAAS,CAAC,WAAW,EAAE,CAAC,UAAU,
CAAC,eAAe,CAAC,WAAW,EAAE,CAAC,CAClE,CAAC;QACF,IAAI,CAAC,eAAe,EAAE;YACpB,MAAM,IAAI,6BAAoB,CAC5B,2EAA2E,CAC5E,CAAC;SACH;QAED,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEnD,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC;IACrC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,MAAM;QACZ,YAAY,EAAE,mBAAmB;KACjB,CAAC;IAEnB,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,QAAQ,EACR,eAAe,CAChB,CAAC;IAEF,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,SAAgB,KAAK,CACnB,WAAmB,EACnB,aAA4B,EAC5B,eAAiC,EACjC,mBAAwC;IAExC,KAAK,CAAC,6DAA6D,CAAC,CAAC;IAErE,MAAM,MAAM,GAAG,UAAU,CACvB,WAAW,EACX,aAAa,EACb,eAAe,EACf,mBAAmB,CACpB,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAfD,sBAeC"}
|
|
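--- a/package/dist/nuget-parser/runtime-assembly.js
+++ b/package/dist/nuget-parser/runtime-assembly.js
@@ -4,7 +4,6 @@ exports.generateRuntimeAssemblies = void 0;
 const errors = require("../errors/");
 const fs = require("fs");
 const lodash_1 = require("lodash");
-const path = require("path");
 const debugModule = require("debug");
 const debug = debugModule('snyk');
 // The Nuget dependency resolution rule of lowest applicable version
@@ -27,44 +26,30 @@ function generateRuntimeAssemblies(filePath) {
 // .NETCoreApp,Version=v6.0/alpine-armv6
 // ... etc.
 // See all: https://github.com/dotnet/runtime/blob/bd83e17052d3c09022bad1d91dca860ca6b27ab9/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
-
+let runtimeAssemblyVersions = {};
 Object.entries(deps.targets).forEach(([target, dependencies]) => {
 // Ignore target frameworks without dependencies, as they hold no dlls and thus no assembly versions to gauge.
 if ((0, lodash_1.isEmpty)(dependencies)) {
 return;
 }
-//
-//
-
-
-
-// "Castle.Core/4.4.1": {...},
-// "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": { runtime: {...} },
-// ... etc.
-const runtimes = {};
-let name;
-let runtime;
-for (const packageInfo of Object.values(dependencies)) {
-if (!('runtime' in packageInfo)) {
-continue;
-}
-// This can be either one or more runtime deps nested under a single leaf.
-runtime = packageInfo.runtime;
-if (runtime && Object.keys(runtime).length > 0) {
-for (const [fullName, version] of Object.entries(runtime)) {
-if ((0, lodash_1.isEmpty)(version)) {
-continue;
-}
-// For some versions of .NET, the dependency version generated can be more than just the System.* name, but a
-// full path-like structure, such as lib/netstandard2.0/System.Buffers.dll, so extract as needed:
-name = path.basename(fullName);
-runtimes[name] = version;
-}
-}
+// Since we're running `dotnet publish` with `--use-current-runtime`, this should exist in the dependency list,
+// but guard against it to ensure good user feedback in case we did something wrong.
+const runtimePack = Object.keys(dependencies).find((dep) => dep.startsWith('runtimepack'));
+if (!runtimePack) {
+throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifier in the ${target} dependency`);
 }
-
-
+// The runtimepack contains all the current RuntimeIdentifier (RID) assemblies which we are interested in.
+// Such as
+// "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {
+// "runtime": {
+// "Microsoft.CSharp.dll": { .. assembly version 6.0.0 }
+// }
+// }
+// We traverse all those and store them for the dependency graph build.
+if (!('runtime' in dependencies[runtimePack])) {
+throw new errors.FileNotProcessableError(`could not find any runtime list in the ${runtimePack} dependency`);
 }
+const runtimes = dependencies[runtimePack]['runtime'];
 // Dig down into the specific runtimepack which contains all the assembly versions of
 // the bundled DLLs for the given runtime, as:
 // "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {
@@ -80,19 +65,20 @@ function generateRuntimeAssemblies(filePath) {
 // (...)
 // We currently only address assemblyVersions. FileVersion might become relevant, depending
 // on how vulnerabilities are reported in the future.
-runtimeAssemblyVersions
+runtimeAssemblyVersions = Object.entries(runtimes).reduce((acc, [dll, versions]) => {
 // Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything.
 acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.');
 return acc;
 }, {});
+// `dotnet publish` does not support multiple consecutive `--runtime` parameters, so there should really only
+// be one. Thus, drop iterating more.
+return;
 });
 if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) {
 throw new errors.FileNotProcessableError('collection of runtime assembly versions was empty, that should not happen');
 }
 debug('finished extracting runtime assemblies from ' + filePath);
-
-// RIDs. Currently, we are only looking at the first one.
-return Object.values(runtimeAssemblyVersions)[0];
+return runtimeAssemblyVersions;
 }
 exports.generateRuntimeAssemblies = generateRuntimeAssemblies;
 //# sourceMappingURL=runtime-assembly.js.map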
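Review bot: `Object.keys(dependencies).find((dep) => dep.startsWith('runtimepack'))` on new line 37 keeps only the first runtimepack.* entry of a target, so if a target lists more than one — a self-contained ASP.NET Core publish ships a `Microsoft.AspNetCore.App.Runtime.<rid>` pack next to `Microsoft.NETCore.App.Runtime.<rid>`, worth confirming against a real project.assets.json — the other pack's assemblies never reach `runtimeAssemblyVersions` and vulnerable versions in them go unreported, which for a vulnerability scanner is a silent false negative. Collect every match and merge their `runtime` maps instead (sketch below; the unchanged `reduce` on line 68 then consumes the merged `runtimes`). Separately, the `return` on new line 75 only ends the current `forEach` callback and does not stop the iteration the way the comment on lines 73–74 claims, so a later target that also carries a runtimepack silently overwrites `runtimeAssemblyVersions`; iterate with `for...of` and `break`, or throw when it is already populated. Note also that a target with dependencies but no runtimepack now throws instead of being skipped; if RID-less targets that still list packages occur in practice (I cannot tell from the hunk), that guard should `return` for them rather than fail the scan.
```javascript
        // A target may list several runtimepack.* entries (e.g. Microsoft.NETCore.App.Runtime and
        // Microsoft.AspNetCore.App.Runtime for a self-contained web app); merge them all.
        const runtimePacks = Object.keys(dependencies).filter((dep) => dep.startsWith('runtimepack'));
        if (runtimePacks.length === 0) {
            throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifier in the ${target} dependency`);
        }
        const runtimes = {};
        for (const runtimePack of runtimePacks) {
            if (!('runtime' in dependencies[runtimePack])) {
                throw new errors.FileNotProcessableError(`could not find any runtime list in the ${runtimePack} dependency`);
            }
            Object.assign(runtimes, dependencies[runtimePack]['runtime']);
        }
        // … unchanged: reduce into runtimeAssemblyVersions …
```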
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,yBAAyB;AACzB,mCAAiC;AACjC,
|
|
1
|
+
{"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,yBAAyB;AACzB,mCAAiC;AACjC,qCAAqC;AAErC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAWlC,oEAAoE;AACpE,yGAAyG;AACzG,6GAA6G;AAC7G,8GAA8G;AAC9G,yBAAyB;AACzB,kHAAkH;AAClH,wBAAwB;AACxB,wFAAwF;AACxF,SAAgB,yBAAyB,CAAC,QAAgB;IACxD,KAAK,CAAC,qCAAqC,GAAG,QAAQ,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE;QACjB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,yCAAyC,CAC1C,CAAC;KACH;IAED,wDAAwD;IACxD,sCAAsC;IACtC,wCAAwC;IACxC,WAAW;IACX,sJAAsJ;IACtJ,IAAI,uBAAuB,GAAqB,EAAE,CAAC;IACnD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,EAAE;QACzE,8GAA8G;QAC9G,IAAI,IAAA,gBAAO,EAAC,YAAY,CAAC,EAAE;YACzB,OAAO;SACR;QAED,+GAA+G;QAC/G,oFAAoF;QACpF,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACzD,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAC9B,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,sDAAsD,MAAM,aAAa,CAC1E,CAAC;SACH;QAED,0GAA0G;QAC1G,UAAU;QACV,oEAAoE;QACpE,uBAAuB;QACvB,kEAAkE;QAClE,aAAa;QACb,MAAM;QACN,uEAAuE;QACvE,IAAI,CAAC,CAAC,SAAS,IAAI,YAAY,CAAC,WAAW,CAAC,CAAC,EAAE;YAC7C,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,0CAA0C,WAAW,aAAa,CACnE,CAAC;SACH;QAED,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,CAAC;QAEtD,qFAAqF;QACrF,8CAA8C;QAC9C,kEAAkE;QAClE,iBAAiB;QACjB,gCAAgC;QAChC,sCAAsC;QACtC,wCAAwC;QACxC,SAAS;QACT,0CAA0C;QAC1C,uCAAuC;QACvC,2CAA2C;QAC3C,SAAS;QACT,SAAS;QACT,2FAA2F;QAC3F,qDAAqD;QACrD,uBAAuB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAoB,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE;YACvB,6GAA6G;YAC7G,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC;QACb,CAAC,EACD,EAAE,CACH,CAAC;QAEF,6GAA6G;QAC7G,qCAAqC;QACrC,OAA
O;IACT,CAAC,CAAC,CAAC;IAEH,IAAI,IAAA,gBAAO,EAAC,uBAAuB,CAAC,EAAE;QACpC,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,2EAA2E,CAC5E,CAAC;KACH;IAED,KAAK,CAAC,8CAA8C,GAAG,QAAQ,CAAC,CAAC;IAEjE,OAAO,uBAAuB,CAAC;AACjC,CAAC;AA1FD,8DA0FC"}
|
|
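--- a/package/dist/nuget-parser/types.d.ts
+++ b/package/dist/nuget-parser/types.d.ts
@@ -58,7 +58,6 @@ export interface ProjectAssets {
 project: Project;
 }
 export type AssemblyVersions = Record<string, string>;
-export type RuntimeAssemblyVersions = Record<string, AssemblyVersions>;
 export interface DotNetFile {
 name: string;
 contents: string;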
package/package.json
CHANGED