snyk-nuget-plugin 2.2.1 → 2.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/nuget-parser/index.js +11 -7
- package/dist/nuget-parser/index.js.map +1 -1
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.d.ts +2 -2
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js +21 -50
- package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js.map +1 -1
- package/dist/nuget-parser/runtime-assembly.d.ts +2 -2
- package/dist/nuget-parser/runtime-assembly.js +4 -6
- package/dist/nuget-parser/runtime-assembly.js.map +1 -1
- package/dist/nuget-parser/types.d.ts +5 -0
- package/package.json +1 -1
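--- a/package/dist/nuget-parser/index.js
+++ b/package/dist/nuget-parser/index.js
@@ -65,11 +65,13 @@ async function buildDepGraphFromFiles(root, targetFile, manifestType, useProject
 const fileContent = getFileContents(fileContentPath);
 const projectRootFolder = path.resolve(fileContentPath, '../../');
 const parser = PARSERS['dotnet-core-v2'];
-const
-if (!((_a =
+const projectAssets = await parser.fileContentParser.parse(fileContent);
+if (!((_a = projectAssets.project) === null || _a === void 0 ? void 0 : _a.frameworks)) {
 throw new errors_1.FileNotProcessableError(`unable to detect any target framework in manifest file ${safeTargetFile}, a valid one is needed to continue down this path.`);
 }
-
+// Scan all 'frameworks' detected in the project.assets.json file, and use the targetAlias if detected and
+// otherwise the raw key name, as it's not guaranteed that all framework objects contains a targetAlias.
+const targetFrameworks = Object.entries(projectAssets.project.frameworks).map(([key, value]) => ('targetAlias' in value ? value.targetAlias : key));
 if (targetFrameworks.length <= 0) {
 throw new errors_1.FileNotProcessableError(`unable to detect a target framework in ${projectRootFolder}, a valid one is needed to continue down this path.`);
 }
@@ -79,7 +81,7 @@ manifest file. Available targetFrameworks detected was \x1b[1m${targetFrameworks
 Will attempt to build dependency graph anyway, but the operation might fail.`);
 }
 let resolvedProjectName = getRootName(root, projectRootFolder, projectNamePrefix);
-const projectNameFromManifestFile = (_c = (_b =
+const projectNameFromManifestFile = (_c = (_b = projectAssets === null || projectAssets === void 0 ? void 0 : projectAssets.project) === null || _b === void 0 ? void 0 : _b.restore) === null || _c === void 0 ? void 0 : _c.projectName;
 if (manifestType === types_1.ManifestType.DOTNET_CORE &&
 useProjectNameFromAssetsFile) {
 if (projectNameFromManifestFile) {
@@ -109,8 +111,10 @@ Will attempt to build dependency graph anyway, but the operation might fail.`);
 // Run `dotnet publish` to create a self-contained publishable binary with included .dlls for assembly version inspection.
 const publishDir = await dotnet.publish(projectRootFolder, decidedTargetFramework);
 // Then inspect the dependency graph for the runtimepackage's assembly versions.
-const
-const
+const depsFilePath = path.resolve(publishDir, `${projectNameFromManifestFile}.deps.json`);
+const depsFile = fs.readFileSync(depsFilePath);
+const publishedProjectDeps = JSON.parse(depsFile.toString('utf-8'));
+const assemblyVersions = runtimeAssembly.generateRuntimeAssemblies(publishedProjectDeps);
 // Parse the TargetFramework using Nuget.Frameworks itself, instead of trying to reinvent the wheel, thus ensuring
 // we have maximum context to use later when building the depGraph.
 const location = nugetFrameworksParser.generate();
@@ -120,7 +124,7 @@ Will attempt to build dependency graph anyway, but the operation might fail.`);
 if (targetFrameworkInfo.IsUnsupported) {
 throw new errors_1.InvalidManifestError(`dotnet was not able to parse the target framework ${decidedTargetFramework}, it was reported unsupported by the dotnet runtime`);
 }
-const depGraph = parser.depParser.parse(resolvedProjectName,
+const depGraph = parser.depParser.parse(resolvedProjectName, projectAssets, publishedProjectDeps, assemblyVersions);
 results.push({
 dependencyGraph: depGraph,
 targetFramework: decidedTargetFramework,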
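Review bot: `depsFilePath` in the third hunk is built from `projectNameFromManifestFile`, which the second hunk derives with optional chaining and which can therefore be `undefined`; in that case `fs.readFileSync` looks for `undefined.deps.json` under `publishDir` and fails with a raw ENOENT instead of the `FileNotProcessableError` this function throws everywhere else. A guard before the read keeps the error shape consistent: `if (!projectNameFromManifestFile) { throw new errors_1.FileNotProcessableError(`no restore.projectName found in ${safeTargetFile}, cannot locate the published deps.json`); }`. Because that name is taken from the manifest being scanned rather than chosen by the plugin, it is also worth asserting that the resolved path still lies under `publishDir` (for example `path.relative(publishDir, depsFilePath)` not starting with `..`) before reading it, and wrapping a `JSON.parse` failure in the same error type. `buildDepGraphFromFiles` starts and ends outside these hunks.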
@@ -1 +1 @@
1
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/nuget-parser/index.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AACzB,6BAA6B;AAC7B,wDAAwD;AACxD,qCAAqC;AACrC,iDAAiD;AACjD,iEAAiE;AACjE,sEAAsE;AACtE,2EAA2E;AAC3E,mEAAmE;AACnE,yEAAyE;AACzE,sCAA0E;AAC1E,
1
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/nuget-parser/index.ts"],"names":[],"mappings":";;;AAAA,yBAAyB;AACzB,6BAA6B;AAC7B,wDAAwD;AACxD,qCAAqC;AACrC,iDAAiD;AACjD,iEAAiE;AACjE,sEAAsE;AACtE,2EAA2E;AAC3E,mEAAmE;AACnE,yEAAyE;AACzE,sCAA0E;AAC1E,mCAOiB;AACjB,uCAAuC;AACvC,yEAAyE;AACzE,sDAAsD;AAEtD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAElC,MAAM,OAAO,GAAG;IACd,aAAa,EAAE;QACb,SAAS,EAAE,gBAAgB;QAC3B,iBAAiB,EAAE,IAAI;KACxB;IACD,gBAAgB,EAAE;QAChB,SAAS,EAAE,kBAAkB;QAC7B,iBAAiB,EAAE,IAAI;KACxB;IACD,iBAAiB,EAAE;QACjB,SAAS,EAAE,qBAAqB;QAChC,iBAAiB,EAAE,oBAAoB;KACxC;IACD,cAAc,EAAE;QACd,SAAS,EAAE,qBAAqB;QAChC,iBAAiB,EAAE,iBAAiB;KACrC;CACF,CAAC;AAEF,SAAS,iBAAiB,CAAC,cAAc,EAAE,iBAAiB;IAC1D,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,WAAW,CAClB,IAAa,EACb,iBAA0B,EAC1B,iBAA0B;IAE1B,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,iBAAiB,IAAI,EAAE,CAAC,CAAC;IACvE,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,GAAG,eAAe,CAAC;IAC7C,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,eAAuB;IAC9C,IAAI,CAAC;QACH,KAAK,CAAC,sBAAsB,eAAe,EAAE,CAAC,CAAC;QAC/C,OAAO,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,IAAI,gCAAuB,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,IAAwB,EACxB,UAA8B,EAC9B,YAA0B,EAC1B,4BAAqC,EACrC,iBAA0B,EAC1B,eAAwB;;IAExB,MAAM,QAAQ,GAAG,IAAI,IAAI,GAAG,CAAC;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,GAAG,CAAC;IACzC,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IAElE,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACzC,MAAM,aAAa,GACjB,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAEpD,IAAI,CAAC,CAAA,MAAA,aAAa,CAAC,OAAO,0CAAE,UAAU,CAAA,EAAE,CAAC;QACvC,MAAM,IAAI,gCAAuB,CAC/B,0DAA0D,cAAc,qDAAqD,CAC9H,CAAC;IACJ,CAAC;IAED,0GAA0G;IAC1G,wGAAwG;IACxG,M
AAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,GAAG,CAC3E,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CACrE,CAAC;IAEF,IAAI,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,gCAAuB,CAC/B,0CAA0C,iBAAiB,qDAAqD,CACjH,CAAC;IACJ,CAAC;IAED,IAAI,eAAe,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QACnE,OAAO,CAAC,GAAG,CAAC,6DAA6D,eAAe;gEAC5B,gBAAgB,CAAC,IAAI,CAC/E,GAAG,CACJ;6EACwE,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,mBAAmB,GAAG,WAAW,CACnC,IAAI,EACJ,iBAAiB,EACjB,iBAAiB,CAClB,CAAC;IAEF,MAAM,2BAA2B,GAC/B,MAAA,MAAA,aAAa,aAAb,aAAa,uBAAb,aAAa,CAAE,OAAO,0CAAE,OAAO,0CAAE,WAAW,CAAC;IAC/C,IACE,YAAY,KAAK,oBAAY,CAAC,WAAW;QACzC,4BAA4B,EAC5B,CAAC;QACD,IAAI,2BAA2B,EAAE,CAAC;YAChC,mBAAmB,GAAG,2BAA2B,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,KAAK,CACH,4FAA4F,mBAAmB,EAAE,CAClH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,kGAAkG;IAClG,MAAM,uBAAuB,GAAG,eAAe;QAC7C,CAAC,CAAC,CAAC,eAAe,CAAC;QACnB,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE;YACpC,IAAI,CAAC,UAAU,CAAC,8BAA8B,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC1D,OAAO,CAAC,GAAG,CACT,qPAAqP,SAAS,iCAAiC,CAChS,CAAC;gBACF,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IAEP,IAAI,uBAAuB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,6BAAoB,CAC5B,uEAAuE,CACxE,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,KAAK,MAAM,sBAAsB,IAAI,uBAAuB,EAAE,CAAC;QAC7D,6DAA6D;QAC7D,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QAExB,0HAA0H;QAC1H,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,OAAO,CACrC,iBAAiB,EACjB,sBAAsB,CACvB,CAAC;QAEF,gFAAgF;QAChF,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAC/B,UAAU,EACV,GAAG,2BAA2B,YAAY,CAC3C,CAAC;QAEF,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;QAC/C,MAAM,oBAAoB,GAAyB,IAAI,CAAC,KAAK,CAC3D,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC3B,CAAC;QAEF,MAAM,gBAAgB,GACpB,eAAe,CAAC,yBAAyB,CAAC,oBAAoB,CAAC,CAAC;QAElE,kHAAkH;QAClH,mEAAmE;QACnE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,QAAQ,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,sBAAsB,CAAC
,CAAC,CAAC;QACtE,MAAM,mBAAmB,GAAwB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACtE,IAAI,mBAAmB,CAAC,aAAa,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAoB,CAC5B,qDAAqD,sBAAsB,qDAAqD,CACjI,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CACrC,mBAAmB,EACnB,aAAa,EACb,oBAAoB,EACpB,gBAAgB,CACjB,CAAC;QACF,OAAO,CAAC,IAAI,CAAC;YACX,eAAe,EAAE,QAAQ;YACzB,eAAe,EAAE,sBAAsB;SACxC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AArID,wDAqIC;AAEM,KAAK,UAAU,qBAAqB,CACzC,IAAwB,EACxB,UAA8B,EAC9B,kBAAsC,EACtC,YAA0B,EAC1B,4BAAqC,EACrC,iBAA0B;;IAE1B,MAAM,QAAQ,GAAG,IAAI,IAAI,GAAG,CAAC;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,GAAG,CAAC;IACzC,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAC/D,MAAM,WAAW,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;IAClE,MAAM,cAAc,GAAG,iBAAiB,CACtC,kBAAkB,EAClB,iBAAiB,CAClB,CAAC;IAEF,MAAM,IAAI,GAAG;QACX,YAAY,EAAE,EAAE;QAChB,IAAI,EAAE,EAAE;QACR,IAAI,EAAE,WAAW,CAAC,IAAI,EAAE,iBAAiB,EAAE,iBAAiB,CAAC;QAC7D,oBAAoB,EAAE,aAAa;QACnC,OAAO,EAAE,OAAO;KACjB,CAAC;IAEF,IAAI,gBAAmC,CAAC;IACxC,IAAI,CAAC;QACH,IAAI,YAAY,KAAK,oBAAY,CAAC,WAAW,EAAE,CAAC;YAC9C,gBAAgB;gBACd,YAAY,CAAC,+BAA+B,CAAC,iBAAiB,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,sEAAsE;YACtE,MAAM,0BAA0B,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;YACxE,gBAAgB,GAAG,YAAY,CAAC,+BAA+B,CAC7D,0BAA0B,CAC3B,CAAC;YAEF,+FAA+F;YAC/F,IAAI,gBAAgB,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACjC,+CAA+C;gBAC/C,IAAI,YAAY,KAAK,oBAAY,CAAC,eAAe,EAAE,CAAC;oBAClD,MAAM,sBAAsB,GAC1B,MAAM,oBAAoB,CAAC,yBAAyB,CAAC,WAAW,CAAC,CAAC;oBACpE,IAAI,sBAAsB,EAAE,CAAC;wBAC3B,gBAAgB,GAAG,CAAC,sBAAsB,CAAC,CAAC;oBAC9C,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,mDAAmD;IACnD,4FAA4F;IAC5F,MAAM,eAAe,GACnB,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IACzE,IAAI,CAAC,IAAI,GAAG;QACV,eAAe,EAAE,eAAe;KACjC,CAAC;IAEF,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,MAAM,C
AAC,iBAAiB,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;IAEzE,IACE,YAAY,KAAK,oBAAY,CAAC,WAAW;QACzC,4BAA4B,EAC5B,CAAC;QACD,MAAM,WAAW,GAAG,MAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,OAAO,0CAAE,OAAO,0CAAE,WAAW,CAAC;QAE5D,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,KAAK,CACH,2FAA2F;gBACzF,IAAI,CAAC,IAAI,CACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAC3B,IAAI,EACJ,QAAQ,EACR,eAAe,EACf,cAAc,CACf,CAAC;AACJ,CAAC;AAvFD,sDAuFC"}
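--- a/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.d.ts
+++ b/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.d.ts
@@ -1,4 +1,4 @@
 import * as depGraphLib from '@snyk/dep-graph';
-import { AssemblyVersions, ProjectAssets,
+import { AssemblyVersions, ProjectAssets, PublishedProjectDeps } from '../types';
 export declare const FILTERED_DEPENDENCY_PREFIX: string[];
-export declare function parse(projectName: string, projectAssets: ProjectAssets,
+export declare function parse(projectName: string, projectAssets: ProjectAssets, publishedProjectDeps: PublishedProjectDeps, runtimeAssembly: AssemblyVersions): depGraphLib.DepGraph;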
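--- a/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js
+++ b/package/dist/nuget-parser/parsers/dotnet-core-v2-parser.js
@@ -14,31 +14,6 @@ exports.FILTERED_DEPENDENCY_PREFIX = [
 // dependencies are causing noise for the customers and are not of interested.
 'runtime',
 ];
-// The list of top level dependencies and transitive dependencies differ based on the target runtime we've defined.
-// In the generated dependency file created by the `dotnet` CLI, this is organized by the target framework moniker (TFM).
-// Unfortunately, Microsoft has changed the way it denominates their targets throughout the different versions,
-// see: https://learn.microsoft.com/en-us/nuget/reference/target-frameworks#supported-frameworks.
-// So the logic has to be unnecessarily complex, as we cannot just access the key in the target dictionary
-// for versions different from the newest ones of .NET 5+.
-// Even better, it changes between how it defines them inside project.frameworks and the root targets object interchangeably.
-function findTargetFrameworkMonikerInManifest(targetFrameworkInfo, frameworks) {
-const shortName = targetFrameworkInfo.ShortName;
-const longName = targetFrameworkInfo.DotNetFrameworkName;
-const parsedFrameworks = Object.keys(frameworks);
-debug(`parsed the following frameworks in the manifest file: ${parsedFrameworks.join(',')}`);
-// Try and find the "longName" (or DotNetFrameworkName) in the list of targets.
-// The format is usually something like ".NETCoreApp,Version=v6.0". That seems to happen for older .NET target frameworks.
-if (longName in frameworks) {
-debug(`detected ${longName} in assets file, returning that`);
-return longName;
-}
-// If that doesn't work, for newer versions of .NET core, they index the frameworks object by the 'shortname'.
-if (shortName in frameworks) {
-debug(`detected ${shortName} in assets file, returning that`);
-return shortName;
-}
-throw new errors_1.FileNotProcessableError(`unable to find the determined target framework (${targetFrameworkInfo.ShortName}) in any of the available target frameworks: ${parsedFrameworks}`);
-}
 function recursivelyPopulateNodes(depGraphBuilder, targetDeps, node, runtimeAssembly, visited) {
 const parentId = node.type === 'root' ? 'root-node' : `${node.name}@${node.version}`;
 for (const depNode of Object.entries(node.dependencies || {})) {
@@ -80,39 +55,35 @@ function recursivelyPopulateNodes(depGraphBuilder, targetDeps, node, runtimeAsse
 recursivelyPopulateNodes(depGraphBuilder, targetDeps, childNode, runtimeAssembly, localVisited);
 }
 }
-function buildGraph(projectName, projectAssets,
+function buildGraph(projectName, projectAssets, publishedProjectDeps, runtimeAssembly) {
 const depGraphBuilder = new dep_graph_1.DepGraphBuilder({ name: 'nuget' }, {
 name: projectName,
 version: projectAssets.project.version,
 });
-
-
+// That's what `dotnet` wants to call this project. Which is not always the same as what Snyk wants to call it.
+const restoreProjectName = `${projectAssets.project.restore.projectName}/${projectAssets.project.version}`;
+// We publish to one RID and one only, so we can safely assume that the true dependencies will exist in this key.
+// E.g. targets -> .NETCoreApp,Version=v8.0/osx-arm64
+const runtimeTarget = publishedProjectDeps.runtimeTarget.name;
+// Those dependencies are referenced in the 'targets' member in the same .deps file.
+if (Object.keys(publishedProjectDeps.targets).length <= 0) {
+throw new errors_1.InvalidManifestError('no target dependencies in found in published deps file (project.deps.json -> targets -> []), cannot continue without that');
 }
-
-
-// Potentially we're scanning a project that really has no dependencies
-if (!projectAssets.project.frameworks[directDepsMoniker].dependencies) {
-return depGraphBuilder.build();
+if (!(runtimeTarget in publishedProjectDeps.targets)) {
+throw new errors_1.InvalidManifestError(`no ${runtimeTarget} found in targets object, cannot continue without it`);
 }
-
-
-// The list of targets gets decorated differently depending on version of the TargetFramework, (.NET 5+ versions
-// just have their key as the target (net6.0), but .NET Standard append a version, such as .NETStandard,Version=VN.N.N).
-if (Object.keys(projectAssets.targets).length <= 0) {
-throw new errors_1.InvalidManifestError('no target dependencies in found in assets file (project.assets.json -> targets -> []), cannot continue without that');
+if (!(restoreProjectName in publishedProjectDeps.targets[runtimeTarget])) {
+throw new errors_1.InvalidManifestError(`no ${restoreProjectName} found in ${runtimeTarget} object, cannot continue without it`);
 }
-
-
-// transitive dependency line can be targets -> .NETStandard,Version=v2.1.
-const transitiveDepsMoniker = findTargetFrameworkMonikerInManifest(targetFrameworkInfo, projectAssets.targets);
-const targetFrameworkDependencies = projectAssets.targets[transitiveDepsMoniker];
+const topLevelDependencies = Object.keys(publishedProjectDeps.targets[runtimeTarget][restoreProjectName]
+.dependencies);
 // Iterate over all the dependencies found in the target dependency list, and build the depGraph based off of that.
-const
+const targetDependencies = Object.entries(publishedProjectDeps.targets[runtimeTarget]).reduce((acc, entry) => {
 const [nameWithVersion, pkg] = entry;
 return { ...acc, [nameWithVersion]: pkg };
 }, {});
-const topLevelDepPackages =
-const nameWithVersion = Object.keys(
+const topLevelDepPackages = topLevelDependencies.reduce((acc, topLevelDepName) => {
+const nameWithVersion = Object.keys(targetDependencies).find((targetDep) =>
 // Lowercase the comparison, as .csproj <PackageReference>s are not case-sensitive, and can be written however you like.
 targetDep.toLowerCase().startsWith(topLevelDepName.toLowerCase()));
 if (!nameWithVersion) {
@@ -125,12 +96,12 @@ function buildGraph(projectName, projectAssets, runtimeAssembly, targetFramework
 type: 'root',
 dependencies: topLevelDepPackages,
 };
-recursivelyPopulateNodes(depGraphBuilder,
+recursivelyPopulateNodes(depGraphBuilder, targetDependencies, rootNode, runtimeAssembly);
 return depGraphBuilder.build();
 }
-function parse(projectName, projectAssets,
+function parse(projectName, projectAssets, publishedProjectDeps, runtimeAssembly) {
 debug('Trying to parse .net core manifest with v2 depGraph builder');
-const result = buildGraph(projectName, projectAssets,
+const result = buildGraph(projectName, projectAssets, publishedProjectDeps, runtimeAssembly);
 return result;
 }
 exports.parse = parse;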
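Review bot: The new `topLevelDependencies` line in `buildGraph` (new lines 78-79) calls `Object.keys` directly on `...[restoreProjectName].dependencies`, but the removed guard on old lines 93-95 existed precisely for a project with no dependencies, and the sibling `recursivelyPopulateNodes` still hedges with `node.dependencies || {}`; if the published deps.json omits that member for a dependency-free project, this now fails with a TypeError instead of producing an empty graph. Using the same hedge, `const topLevelDependencies = Object.keys(publishedProjectDeps.targets[runtimeTarget][restoreProjectName].dependencies || {});`, restores the earlier behaviour. In the same spirit, `publishedProjectDeps.runtimeTarget.name` and `projectAssets.project.restore.projectName` are dereferenced on new lines 64 and 67 before any of the `InvalidManifestError` checks run, so a deps or assets file lacking those members surfaces as an unwrapped TypeError rather than the typed error the rest of the function throws; the checks on lines 69-76 could be preceded by one on those two fields. `recursivelyPopulateNodes` starts outside the second hunk.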
@@ -1 +1 @@
1
-
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;
1
+
{"version":3,"file":"dotnet-core-v2-parser.js","sourceRoot":"","sources":["../../../lib/nuget-parser/parsers/dotnet-core-v2-parser.ts"],"names":[],"mappings":";;;AAAA,qCAAqC;AAErC,+CAAkD;AAMlD,yCAAoD;AAEpD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAYlC,oDAAoD;AACvC,QAAA,0BAA0B,GAAG;IACxC,gHAAgH;IAChH,oHAAoH;IACpH,sHAAsH;IACtH,sHAAsH;IACtH,8EAA8E;IAC9E,SAAS;CACV,CAAC;AAEF,SAAS,wBAAwB,CAC/B,eAAgC,EAChC,UAAyC,EACzC,IAAmB,EACnB,eAAiC,EACjC,OAAqB;IAErB,MAAM,QAAQ,GACZ,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;IAEtE,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9D,MAAM,YAAY,GAAG,OAAO,IAAI,IAAI,GAAG,EAAU,CAAC;QAClD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAE3B,gHAAgH;QAChH,+FAA+F;QAC/F,IAAI,kCAA0B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YACzE,KAAK,CAAC,GAAG,IAAI,kDAAkD,CAAC,CAAC;YACjE,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG;YAChB,GAAG,UAAU,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI;YACJ,OAAO;SACR,CAAC;QAEF,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;QAEzD,4GAA4G;QAC5G,0FAA0F;QAC1F,IAAI,eAAe,GAAG,OAAO,CAAC;QAC9B,4GAA4G;QAC5G,sGAAsG;QACtG,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;QAC1B,IAAI,GAAG,IAAI,eAAe,EAAE,CAAC;YAC3B,eAAe,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAG,GAAG,OAAO,SAAS,CAAC;YACrC,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,QAAQ,EACR;gBACE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;aAC3B,CACF,CAAC;YACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/C,SAAS;QACX,CAAC;QAED,eAAe,CAAC,UAAU,CACxB,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,EAClD,OAAO,CACR,CAAC;QACF,eAAe,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAE1B,wBAAwB,CACtB,eAAe,EACf,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,CACb,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,UAAU
,CACjB,WAAmB,EACnB,aAA4B,EAC5B,oBAA0C,EAC1C,eAAiC;IAEjC,MAAM,eAAe,GAAG,IAAI,2BAAe,CACzC,EAAE,IAAI,EAAE,OAAO,EAAE,EACjB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,OAAO;KACvC,CACF,CAAC;IAEF,+GAA+G;IAC/G,MAAM,kBAAkB,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,IAAI,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IAE3G,iHAAiH;IACjH,qDAAqD;IACrD,MAAM,aAAa,GAAG,oBAAoB,CAAC,aAAa,CAAC,IAAI,CAAC;IAE9D,oFAAoF;IACpF,IAAI,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,6BAAoB,CAC5B,2HAA2H,CAC5H,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,CAAC,aAAa,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrD,MAAM,IAAI,6BAAoB,CAC5B,MAAM,aAAa,sDAAsD,CAC1E,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,CAAC,kBAAkB,IAAI,oBAAoB,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,6BAAoB,CAC5B,MAAM,kBAAkB,aAAa,aAAa,qCAAqC,CACxF,CAAC;IACJ,CAAC;IAED,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CACtC,oBAAoB,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,kBAAkB,CAAC;SAC5D,YAAY,CAChB,CAAC;IAEF,mHAAmH;IACnH,MAAM,kBAAkB,GAAkC,MAAM,CAAC,OAAO,CACtE,oBAAoB,CAAC,OAAO,CAAC,aAAa,CAAC,CAC5C,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;QACtB,MAAM,CAAC,eAAe,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QACrC,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC;IAC5C,CAAC,EAAE,EAAE,CAAC,CAAC;IAEP,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,MAAM,CACrD,CAAC,GAAG,EAAE,eAAe,EAAE,EAAE;QACvB,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAC1D,CAAC,SAAS,EAAE,EAAE;QACZ,wHAAwH;QACxH,SAAS,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC,CACpE,CAAC;QACF,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAoB,CAC5B,2EAA2E,CAC5E,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEnD,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC;IACrC,CAAC,EACD,EAAE,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,MAAM;QACZ,YAAY,EAAE,mBAAmB;KACjB,CAAC;IAEnB,wBAAwB,CACtB,eAAe,EACf,kBAAkB,EAClB,QAAQ,EACR,eAAe,CAChB,CAAC;IAEF,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,SAAgB,KAAK,CACnB,WAAmB,EACnB,aAA4B,EAC5B,oBAA0C,EAC1C,eAAiC;IAEj
C,KAAK,CAAC,6DAA6D,CAAC,CAAC;IAErE,MAAM,MAAM,GAAG,UAAU,CACvB,WAAW,EACX,aAAa,EACb,oBAAoB,EACpB,eAAe,CAChB,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAfD,sBAeC"}
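--- a/package/dist/nuget-parser/runtime-assembly.d.ts
+++ b/package/dist/nuget-parser/runtime-assembly.d.ts
@@ -1,2 +1,2 @@
-import { AssemblyVersions } from './types';
-export declare function generateRuntimeAssemblies(
+import { AssemblyVersions, PublishedProjectDeps } from './types';
+export declare function generateRuntimeAssemblies(deps: PublishedProjectDeps): AssemblyVersions;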
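--- a/package/dist/nuget-parser/runtime-assembly.js
+++ b/package/dist/nuget-parser/runtime-assembly.js
@@ -2,7 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.generateRuntimeAssemblies = void 0;
 const errors = require("../errors/");
-const fs = require("fs");
 const lodash_1 = require("lodash");
 const debugModule = require("debug");
 const debug = debugModule('snyk');
@@ -16,10 +15,9 @@ const debug = debugModule('snyk');
 // See https://natemcmaster.com/blog/2017/12/21/netcore-primitives/ for a good overview.
 // And https://github.com/dotnet/sdk/blob/main/documentation/specs/runtime-configuration-file.md for the official
 // explanation of what the `deps.json` file is doing that we are traversing.
-function generateRuntimeAssemblies(
-
-
-const deps = JSON.parse(depsFile.toString('utf-8'));
+function generateRuntimeAssemblies(deps) {
+const runtimeTargetName = deps.runtimeTarget.name;
+debug(`extracting runtime assemblies from ${runtimeTargetName}`);
 if (!deps.targets) {
 throw new errors.FileNotProcessableError('could not find any targets in deps file');
 }
@@ -79,7 +77,7 @@ function generateRuntimeAssemblies(filePath) {
 if ((0, lodash_1.isEmpty)(runtimeAssemblyVersions)) {
 throw new errors.FileNotProcessableError('collection of runtime assembly versions was empty, that should not happen');
 }
-debug(
+debug(`finished extracting runtime assemblies from ${runtimeTargetName}`);
 return runtimeAssemblyVersions;
 }
 exports.generateRuntimeAssemblies = generateRuntimeAssemblies;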
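Review bot: `deps.runtimeTarget.name` is read on new line 19 before the existing `if (!deps.targets)` validation on line 21, so a deps file that lacks `runtimeTarget` fails with a TypeError instead of the `FileNotProcessableError` the function uses for every other malformed-input case. Since `deps` is now a parsed object handed in by the caller rather than a file this function read itself, a matching guard ahead of the dereference, `if (!deps.runtimeTarget || !deps.runtimeTarget.name) { throw new errors.FileNotProcessableError('could not find runtimeTarget.name in deps file'); }`, keeps the error contract uniform. The body of `generateRuntimeAssemblies` continues outside the second hunk.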
@@ -1 +1 @@
1
-
{"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,
1
+
{"version":3,"file":"runtime-assembly.js","sourceRoot":"","sources":["../../lib/nuget-parser/runtime-assembly.ts"],"names":[],"mappings":";;;AACA,qCAAqC;AACrC,mCAAiC;AACjC,qCAAqC;AAErC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;AAWlC,oEAAoE;AACpE,yGAAyG;AACzG,6GAA6G;AAC7G,8GAA8G;AAC9G,yBAAyB;AACzB,kHAAkH;AAClH,wBAAwB;AACxB,wFAAwF;AACxF,iHAAiH;AACjH,4EAA4E;AAC5E,SAAgB,yBAAyB,CACvC,IAA0B;IAE1B,MAAM,iBAAiB,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;IAElD,KAAK,CAAC,sCAAsC,iBAAiB,EAAE,CAAC,CAAC;IAEjE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,sCAAsC;IACtC,wCAAwC;IACxC,WAAW;IACX,sJAAsJ;IACtJ,IAAI,uBAAuB,GAAqB,EAAE,CAAC;IACnD,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,EAAE,EAAE;QACzE,8GAA8G;QAC9G,IAAI,IAAA,gBAAO,EAAC,YAAY,CAAC,EAAE,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,+GAA+G;QAC/G,oFAAoF;QACpF,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACzD,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,CAC9B,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,sDAAsD,MAAM,aAAa,CAC1E,CAAC;QACJ,CAAC;QAED,0GAA0G;QAC1G,UAAU;QACV,oEAAoE;QACpE,uBAAuB;QACvB,kEAAkE;QAClE,aAAa;QACb,MAAM;QACN,uEAAuE;QACvE,IAAI,CAAC,CAAC,SAAS,IAAI,YAAY,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,0CAA0C,WAAW,aAAa,CACnE,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,CAAC;QAEtD,qFAAqF;QACrF,8CAA8C;QAC9C,kEAAkE;QAClE,iBAAiB;QACjB,gCAAgC;QAChC,sCAAsC;QACtC,wCAAwC;QACxC,SAAS;QACT,0CAA0C;QAC1C,uCAAuC;QACvC,2CAA2C;QAC3C,SAAS;QACT,SAAS;QACT,2FAA2F;QAC3F,qDAAqD;QACrD,uBAAuB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAoB,CAAC,CAAC,MAAM,CACnE,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,EAAE;YACvB,6GAA6G;YAC7G,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC;QACb,CAAC,EACD,EAAE,CACH,CAAC;QAEF,6GAA6G;QAC7G,qCAAqC;QACrC,OAAO;IACT,CAAC,CAAC,CAAC;IAEH,I
AAI,IAAA,gBAAO,EAAC,uBAAuB,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,MAAM,CAAC,uBAAuB,CACtC,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,+CAA+C,iBAAiB,EAAE,CAAC,CAAC;IAE1E,OAAO,uBAAuB,CAAC;AACjC,CAAC;AA3FD,8DA2FC"}
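--- a/package/dist/nuget-parser/types.d.ts
+++ b/package/dist/nuget-parser/types.d.ts
@@ -57,6 +57,11 @@ export interface ProjectAssets {
 packageFolders: Record<string, any>;
 project: Project;
 }
+export interface PublishedProjectDeps {
+runtimeTarget: Record<string, any>;
+targets: Record<string, any>;
+libraries: Record<string, any>;
+}
 export type AssemblyVersions = Record<string, string>;
 export interface DotNetFile {
 name: string;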
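Review bot: Every member of the new exported `PublishedProjectDeps` is `Record<string, any>`, so `any` leaks into both consumers (`generateRuntimeAssemblies` and the v2 parser's `buildGraph`) and the compiler cannot catch a misspelt field on the deps object. The one member of `runtimeTarget` that either consumer reads is `name`, so `runtimeTarget: { name: string };` is both precise and sufficient there; `targets` and `libraries` are left loosely typed on the page, so at least a TSDoc line saying the interface mirrors the `dotnet publish` `*.deps.json` layout and which keys the plugin relies on would help the next reader. `ProjectAssets` begins outside the hunk.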
package/package.json
CHANGED