npm - snyk-nuget-plugin - Versions diffs - 2.1.0 → 2.2.0 - Mend

snyk-nuget-plugin 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/nuget-parser/runtime-assembly.js +22 -36
package/dist/nuget-parser/runtime-assembly.js.map +1 -1
package/dist/nuget-parser/types.d.ts +0 -1
package/package.json +1 -1

package/dist/nuget-parser/runtime-assembly.js CHANGED Viewed

@@ -4,7 +4,6 @@ exports.generateRuntimeAssemblies = void 0;
 const errors = require("../errors/");
 const fs = require("fs");
 const lodash_1 = require("lodash");
-const path = require("path");
 const debugModule = require("debug");
 const debug = debugModule('snyk');
 // The Nuget dependency resolution rule of lowest applicable version
@@ -27,44 +26,30 @@ function generateRuntimeAssemblies(filePath) {
     // .NETCoreApp,Version=v6.0/alpine-armv6
     // ... etc.
     // See all: https://github.com/dotnet/runtime/blob/bd83e17052d3c09022bad1d91dca860ca6b27ab9/src/libraries/Microsoft.NETCore.Platforms/src/runtime.json
-    const runtimeAssemblyVersions = {};
+    let runtimeAssemblyVersions = {};
     Object.entries(deps.targets).forEach(([target, dependencies]) => {
         // Ignore target frameworks without dependencies, as they hold no dlls and thus no assembly versions to gauge.
         if ((0, lodash_1.isEmpty)(dependencies)) {
             return;
         }
-        // The RuntimeIdentifier's (RID) dependencies are located as `runtime` objects under dependencies.
-        // Depending on the TargetFramework, they can be located different places, so we need to iterate the whole
-        // list of targets for their `runtime` objects
-        // E.g., find the first entry in the list of targets as:
-        //  "your-top-level-project/1.0.0": {...},
-        //  "Castle.Core/4.4.1": {...},
-        //  "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": { runtime: {...} },
-        // ... etc.
-        const runtimes = {};
-        let name;
-        let runtime;
-        for (const packageInfo of Object.values(dependencies)) {
-            if (!('runtime' in packageInfo)) {
-                continue;
-            }
-            // This can be either one or more runtime deps nested under a single leaf.
-            runtime = packageInfo.runtime;
-            if (runtime && Object.keys(runtime).length > 0) {
-                for (const [fullName, version] of Object.entries(runtime)) {
-                    if ((0, lodash_1.isEmpty)(version)) {
-                        continue;
-                    }
-                    // For some versions of .NET, the dependency version generated can be more than just the System.* name, but a
-                    // full path-like structure, such as lib/netstandard2.0/System.Buffers.dll, so extract as needed:
-                    name = path.basename(fullName);
-                    runtimes[name] = version;
-                }
-            }
+        // Since we're running `dotnet publish` with `--use-current-runtime`, this should exist in the dependency list,
+        // but guard against it to ensure good user feedback in case we did something wrong.
+        const runtimePack = Object.keys(dependencies).find((dep) => dep.startsWith('runtimepack'));
+        if (!runtimePack) {
+            throw new errors.FileNotProcessableError(`could not find any runtimepack.* identifier in the ${target} dependency`);
         }
-        if (!runtimes) {
-            throw new errors.FileNotProcessableError(`could not find any runtime dependencies in the ${target} dependency`);
+        // The runtimepack contains all the current RuntimeIdentifier (RID) assemblies which we are interested in.
+        // Such as
+        //   "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {
+        //         "runtime": {
+        //           "Microsoft.CSharp.dll": { .. assembly version 6.0.0 }
+        //          }
+        //   }
+        // We traverse all those and store them for the dependency graph build.
+        if (!('runtime' in dependencies[runtimePack])) {
+            throw new errors.FileNotProcessableError(`could not find any runtime list in the ${runtimePack} dependency`);
         }
+        const runtimes = dependencies[runtimePack]['runtime'];
         // Dig down into the specific runtimepack which contains all the assembly versions of
         // the bundled DLLs for the given runtime, as:
         // "runtimepack.Microsoft.NETCore.App.Runtime.osx-arm64/6.0.16": {
@@ -80,19 +65,20 @@ function generateRuntimeAssemblies(filePath) {
         //  (...)
         // We currently only address assemblyVersions. FileVersion might become relevant, depending
         // on how vulnerabilities are reported in the future.
-        runtimeAssemblyVersions[target] = Object.entries(runtimes).reduce((acc, [dll, versions]) => {
+        runtimeAssemblyVersions = Object.entries(runtimes).reduce((acc, [dll, versions]) => {
             // Take the version number (N.N.N.N) and remove the last element, in order for vulndb to understand anything.
             acc[dll] = versions.assemblyVersion.split('.').slice(0, -1).join('.');
             return acc;
         }, {});
+        // `dotnet publish` does not support multiple consecutive `--runtime` parameters, so there should really only
+        // be one. Thus, drop iterating more.
+        return;
     });
     if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) {
         throw new errors.FileNotProcessableError('collection of runtime assembly versions was empty, that should not happen');
     }
     debug('finished extracting runtime assemblies from ' + filePath);
-    // FIXME: This has been done to make the future easier, as we probably soon will need to support multiple
-    //  RIDs. Currently, we are only looking at the first one.
-    return Object.values(runtimeAssemblyVersions)[0];
+    return runtimeAssemblyVersions;
 }
 exports.generateRuntimeAssemblies = generateRuntimeAssemblies;
 //# sourceMappingURL=runtime-assembly.js.map

package/dist/nuget-parser/runtime-assembly.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,yBAAyB;AACzB,mCAAiC;AACjC,~~6BAA6B;AAC7B,~~qCAAqC;AAErC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAWlC,oEAAoE;AACpE,yGAAyG;AACzG,6GAA6G;AAC7G,8GAA8G;AAC9G,yBAAyB;AACzB,kHAAkH;AAClH,wBAAwB;AACxB,wFAAwF;AACxF,SAAgB,yBAAyB,CAAC,QAAgB;IACxD,KAAK,CAAC,qCAAqC,GAAG,QAAQ,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE;QACjB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,yCAAyC,CAC1C,CAAC;KACH;IAED,wDAAwD;IACxD,sCAAsC;IACtC,wCAAwC;IACxC,WAAW;IACX,sJAAsJ;IACtJ,~~MAAM~~,uBAAuB,~~GAA4B~~,EAAE,CAAC;~~IAC5D~~,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,EAAE;QACzE,8GAA8G;QAC9G,IAAI,IAAA,gBAAO,EAAC,YAAY,CAAC,EAAE;YACzB,OAAO;SACR;QAED~~,kGAAkG;QAClG,0GAA0G;QAC1G,8CAA8C;QAC9C,wDAAwD;QACxD,0CAA0C;QAC1C~~,+~~BAA~~+B;QAC/B,~~qFAAqF~~;~~QACrF~~,~~WAAW;QACX,~~MAAM,~~QAAQ~~,GAAG,~~EAAE~~,CAAC~~;QACpB~~,IAAI,~~IAAY,~~CAAC~~;QACjB~~,~~IAAI~~,~~OAAiC~~,CAAC~~;QACtC~~,~~KAAK,MAAM,WAAW,~~IAAI,~~MAAM,~~CAAC,~~MAAM,~~CAAC,~~YAAY~~,~~CAAC~~,EAAE~~;YACrD~~,~~IAAI~~,~~CAAC~~,CAAC,~~SAAS~~,~~IAAI~~,~~WAAW~~,CAAC,~~EAAE;gBAC/B~~,~~SAAS~~;~~aACV;YAED~~,~~0EAA0E;YAC1E~~,~~OAAO~~,~~GAAG,~~WAAW,~~CAAC,OAAO,CAAC~~;~~YAE9B~~,~~IAAI~~,~~OAAO,~~IAAI,MAAM,CAAC,~~IAAI~~,~~CAAC~~,~~OAAO~~,~~CAAC~~,~~CAAC~~,~~MAAM~~,~~GAAG,~~CAAC,~~EAAE~~;~~gBAC9C~~,~~KAAK~~,~~MAAM~~,~~CAAC~~,~~QAAQ~~,~~EAAE~~,~~OAAO~~,~~CAAC~~,IAAI,~~MAAM,~~CAAC,~~OAAO,~~CAAC,~~OAAO~~,~~CAAC,EAAE;oBACzD,~~IAAI,~~IAAA~~,~~gBAAO~~,~~EAAC~~,~~OAAO~~,CAAC,EAAE;~~wBACpB~~,~~SAAS;qBACV;oBAED~~,~~6GAA6G;oBAC7G,iGAAiG;oBACjG,~~IAAI,~~GAAG~~,~~IAAI,~~CAAC,~~QAAQ~~,~~CAAC~~,~~QAAQ~~,~~CAAC~~,~~CAAC;oBAC/B~~,~~QAAQ~~,CAAC~~,IAAI,CAAC,GAAG,OAAO,CAAC~~;~~iBAC1B~~;~~aACF;SACF;~~QAED,~~IAAI~~,~~CAAC,~~QAAQ,~~EAAE;YACb~~,~~MAAM~~,~~IAAI~~,~~MAAM~~,CAAC,~~uBAAuB~~,~~CACtC~~,~~kDAAkD~~,~~MAAM,aAAa,CACtE,~~CAAC;~~SACH;QAED~~,qFAAqF;QACrF,8CAA8C;QAC9C,kEAAkE;QAClE,iBAAiB;QACjB,gCAAgC;QAChC,sCAAsC;QACtC,wCAAwC;QACxC,SAAS;QACT,0CAA0C;QAC1C,uCAAuC;QACvC,2CAA2C;QAC3C,SAAS;QACT,SAAS;QACT,2FAA2F;QAC3F,qDAAqD;QACrD,uBAAuB,~~CAAC,MAAM,CAAC,~~GAAG,MAAM,CAAC,OAAO,~~CAC9C~~,QAAoB,~~CACrB~~,CAAC,MAAM,~~CAAC~~,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE;~~YAChC~~,6GAA6G;YAC7G,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC;QACb,CAAC,~~EAAE~~,EAAE,~~CAAC~~,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,IAAI,IAAA,gBAAO,EAAC,uBAAuB,CAAC,EAAE;QACpC,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,2EAA2E,CAC5E,CAAC;KACH;IAED,KAAK,CAAC,8CAA8C,GAAG,QAAQ,CAAC,CAAC;IAEjE,~~yGAAyG;IACzG,0DAA0D;IAC1D,~~OAAO,~~MAAM,CAAC,MAAM,CAAC,~~uBAAuB,CAAC~~,CAAC,CAAC,CAAC,CAAC~~;~~AACnD~~,CAAC;~~AAlGD~~,~~8DAkGC~~"}
1	+ {"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,yBAAyB;AACzB,mCAAiC;AACjC,qCAAqC;AAErC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAWlC,oEAAoE;AACpE,yGAAyG;AACzG,6GAA6G;AAC7G,8GAA8G;AAC9G,yBAAyB;AACzB,kHAAkH;AAClH,wBAAwB;AACxB,wFAAwF;AACxF,SAAgB,yBAAyB,CAAC,QAAgB;IACxD,KAAK,CAAC,qCAAqC,GAAG,QAAQ,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE;QACjB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,yCAAyC,CAC1C,CAAC;KACH;IAED,wDAAwD;IACxD,sCAAsC;IACtC,wCAAwC;IACxC,WAAW;IACX,sJAAsJ;IACtJ,IAAI,uBAAuB,GAAqB,EAAE,CAAC;IACnD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,EAAE;QACzE,8GAA8G;QAC9G,IAAI,IAAA,gBAAO,EAAC,YAAY,CAAC,EAAE;YACzB,OAAO;SACR;QAED,+GAA+G;QAC/G,oFAAoF;QACpF,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACzD,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAC9B,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,sDAAsD,MAAM,aAAa,CAC1E,CAAC;SACH;QAED,0GAA0G;QAC1G,UAAU;QACV,oEAAoE;QACpE,uBAAuB;QACvB,kEAAkE;QAClE,aAAa;QACb,MAAM;QACN,uEAAuE;QACvE,IAAI,CAAC,CAAC,SAAS,IAAI,YAAY,CAAC,WAAW,CAAC,CAAC,EAAE;YAC7C,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,0CAA0C,WAAW,aAAa,CACnE,CAAC;SACH;QAED,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,CAAC;QAEtD,qFAAqF;QACrF,8CAA8C;QAC9C,kEAAkE;QAClE,iBAAiB;QACjB,gCAAgC;QAChC,sCAAsC;QACtC,wCAAwC;QACxC,SAAS;QACT,0CAA0C;QAC1C,uCAAuC;QACvC,2CAA2C;QAC3C,SAAS;QACT,SAAS;QACT,2FAA2F;QAC3F,qDAAqD;QACrD,uBAAuB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAoB,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE;YACvB,6GAA6G;YAC7G,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC;QACb,CAAC,EACD,EAAE,CACH,CAAC;QAEF,6GAA6G;QAC7G,qCAAqC;QACrC,OAAO;IACT,CAAC,CAAC,CAAC;IAEH,IAAI,IAAA,gBAAO,EAAC,uBAAuB,CAAC,EAAE;QACpC,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,2EAA2E,CAC5E,CAAC;KACH;IAED,KAAK,CAAC,8CAA8C,GAAG,QAAQ,CAAC,CAAC;IAEjE,OAAO,uBAAuB,CAAC;AACjC,CAAC;AA1FD,8DA0FC"}

package/dist/nuget-parser/types.d.ts CHANGED Viewed

@@ -58,7 +58,6 @@ export interface ProjectAssets {
     project: Project;
 }
 export type AssemblyVersions = Record<string, string>;
-export type RuntimeAssemblyVersions = Record<string, AssemblyVersions>;
 export interface DotNetFile {
     name: string;
     contents: string;

package/package.json CHANGED Viewed

@@ -58,5 +58,5 @@
     "ts-jest": "^29.1.1",
     "typescript": "^5.1.6"
   },
-  "version": "2.1.0"
+  "version": "2.2.0"
 }