[K9VULN-9602] Remove hard requirement for packages.lock.json when scanning .csproj files#84
… which is followed by other attributes
Go test coverage report: total test coverage 91.0% (4078/4480). Test coverage has changed in the current files, with 6 lines missing coverage.
| func TestParse(t *testing.T) { | ||
| t.Parallel() | ||
| ecosystems := lockfile.KnownEcosystems() |
I deleted this method as it was only existing in tests, and moved it here
| @@ -1,25 +0,0 @@ | |||
| package lockfile | |||
this was only used in tests
| <ItemGroup> | ||
| <PackageReference Include="Downloader" Version="3.*" /> | ||
| <PackageReference Include="MaterialDesignThemes" Version="5.1.0" /> |
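Review bot: `Version="3.*"` on the Downloader reference is a floating version, and without packages.lock.json nothing in this hunk resolves it to a concrete release; the extractor should carry the range through unchanged and mark it as unresolved rather than report `3.*` as if it were an exact installed version, otherwise the SBOM overstates what is actually known about that dependency.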
I modified this fixture because I realized that we were previously wrongly reporting the location for versions in csproj.
For this given example, we would have been reporting the location of `version == "5.1.0" PrivateAssets="All"` and not `version == "5.1.0"`.
| models.FilePosition | ||
| } | ||
| func (itemGroup *ItemGroup) UnmarshalXML(decoder *xml.Decoder, start xml.StartElement) error { |
those methods and the shared logic were moved to the parse-nuget-csproj.go
| content, err := io.ReadAll(sourcefile) | ||
| func (m NugetCsprojMatcher) Match(sourceFile DepFile, packages []PackageDetails) error { | ||
| // Extract all package details from the csproj file using the extractor | ||
| extractedPackages, err := NuGetCsprojExtractor{}.Extract(sourceFile) |
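Review bot: the `err` returned by `NuGetCsprojExtractor{}.Extract(sourceFile)` needs to be returned from `Match` before anything iterates `extractedPackages`; on a parse failure an empty slice would otherwise leave every package without a location while looking like a clean match. Also confirm that `sourceFile` is still readable at this point: `io.ReadAll(sourcefile)` just above consumes a reader to EOF if it is the same handle, so the extractor would see an empty file unless `DepFile` hands out a fresh reader.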
we are reusing the logic from parse-nuget-csproj.go
| // extractPackageVersionLocation extracts the file position of a package version from a block of lines | ||
| func extractPackageVersionLocation(block []string, lineStart int, filename string) *models.FilePosition { | ||
| versionLocation := fileposition.ExtractDelimitedRegexpPositionInBlock(block, "[^\"]*", lineStart, "Version=\"", "\"") |
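Review bot: `extractPackageVersionLocation` returns the position of only the first `Version="..."` found in `block`, so when a block spans several `<PackageReference>` lines (the fixture has two on consecutive lines) every package in it would be reported at the first one's location; either pass exactly one reference per block or add a test with two references in one block to pin down the intended behaviour.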
The fix of the version location reported is here. It used to be:
```go
versionLocation := fileposition.ExtractDelimitedRegexpPositionInBlock(block, ".*", lineStart, "Version=\"", "\"")
```
but, because `.*` is greedy, it would match too much, and now it is:
```go
versionLocation := fileposition.ExtractDelimitedRegexpPositionInBlock(block, "[^\"]*", lineStart, "Version=\"", "\"")
```
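The greedy-versus-restricted behaviour described in the comment above, shown as an added Go example that is not code from this PR or the project: `versionPositions` is a hypothetical stand-in for the delimited-regexp helper, taking the same shape of arguments (a block of lines, the 1-based line number of the block's first line, and a value pattern between the `Version="` and `"` delimiters), and the two-line csproj block is constructed to mirror the fixture, with an attribute after `Version` on the second line because that is the case where `.*` over-matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed csproj block modelled on the PR's fixture (not the project's own
// test data). The second line has an attribute after Version, which is exactly
// the case where a greedy value pattern swallows too much.
var sampleBlock = []string{
	`    <PackageReference Include="Downloader" Version="3.*" />`,
	`    <PackageReference Include="MaterialDesignThemes" Version="5.1.0" PrivateAssets="All" />`,
}

// Position is the reported location of a version value: a 1-based line number,
// a 0-based half-open column range, and the text that range covers.
type Position struct {
	Line     int
	ColStart int
	ColEnd   int
	Value    string
}

// versionPositions is a hypothetical stand-in for the delimited-regexp helper
// discussed in the PR: it looks for `Version="` as the start delimiter, applies
// valuePattern to the text that follows, and requires a closing `"`. lineStart
// is the 1-based line number of block[0], so positions are file-relative.
// Only the first Version attribute on each line is reported.
func versionPositions(block []string, lineStart int, valuePattern string) []Position {
	re := regexp.MustCompile(`Version="(` + valuePattern + `)"`)
	var found []Position
	for i, line := range block {
		loc := re.FindStringSubmatchIndex(line)
		if loc == nil {
			continue // no Version attribute on this line
		}
		// loc[2], loc[3] bound the first capture group, i.e. the version value.
		found = append(found, Position{
			Line:     lineStart + i,
			ColStart: loc[2],
			ColEnd:   loc[3],
			Value:    line[loc[2]:loc[3]],
		})
	}
	return found
}

// greedyPositions reproduces the behaviour before the fix: `.*` runs to the
// last quote on the line, so any attribute after Version ends up in the span.
func greedyPositions(block []string, lineStart int) []Position {
	return versionPositions(block, lineStart, `.*`)
}

// fixedPositions applies the pattern from the fix: `[^"]*` cannot cross a
// quote, so the span ends at the first closing quote and covers only the value.
func fixedPositions(block []string, lineStart int) []Position {
	return versionPositions(block, lineStart, `[^"]*`)
}

func report(name string, positions []Position) {
	fmt.Println(name)
	for _, p := range positions {
		fmt.Printf("  line %d cols %d-%d: %q\n", p.Line, p.ColStart, p.ColEnd, p.Value)
	}
}

func main() {
	// Pretend the block starts at line 3 of the csproj file.
	report("greedy .* (before the fix)", greedyPositions(sampleBlock, 3))
	report("restricted [^\"]* (after the fix)", fixedPositions(sampleBlock, 3))
}
```

The first fixture line gives the same span under both patterns because nothing follows its `Version` attribute, which is why the original pattern looked correct until a reference with `PrivateAssets` was added; any regression test for this fix therefore needs at least one reference with a trailing attribute.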
| @@ -1,151 +0,0 @@ | |||
| package lockfile | |||
This file declared methods which weren't used, so I dropped it and had to update the references in tests for it.
pkg/lockfile/extract_test.go (outdated)
| t.Parallel() | ||
| lockfiles := []string{ | ||
| "*.csproj", |
pkg/models/lockfile.go (outdated)
| GradleLockfile = "gradle.lockfile" | ||
| GradleVerificationXML = "gradle/verification-metadata.xml" | ||
| MixLock = "mix.lock" | ||
| NugetCsProjFile = "*.csproj" |
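Review bot: `NugetCsProjFile = "*.csproj"` is a glob, while the neighbouring constants (`MixLock = "mix.lock"`, `GradleLockfile = "gradle.lockfile"`) are exact basenames; any lookup that compares a file's basename against these constants with `==` will never match a csproj, so the matching site needs a `filepath.Match` (or suffix) path for this entry and a test that a real `Foo.csproj` is picked up.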
marcwieserdev left a comment:
Thanks for your live review and for the local compare tool! 👏
Force-pushed 68137fc to 34c6a57
🚀 Motivation
Enable the SBOM generator to scan .NET repositories that only contain *.csproj files without requiring packages.lock.json, allowing us to start reporting libraries in repositories with incomplete dependency information.
📝 Summary
This PR implements Phase 1 of the RFC to remove the hard requirement for packages.lock.json when scanning .NET projects:
parser-nuget-csproj
The implementation prioritizes maintaining full backward compatibility with existing .NET repositories that use packages.lock.json while enabling basic scanning for .csproj-only repositories.