[K9VULN-9996] Support centralized package version management in .NET projects#93

Merged
piloulacdog merged 5 commits into main from pierrelouis.lacorte/K9VULN-9996-centralized-package-versions-support
Dec 17, 2025

Conversation

@piloulacdog piloulacdog commented Dec 15, 2025

👀 The two main logic commits are:

  1. 97c26fb
  2. f5e8b29

🚀 Motivation

.NET repositories can centralize dependency version management using shared .props files (such as Directory.Packages.props, Directory.Build.props, or custom .props files). These files define PackageVersion or property values that are consumed by individual .csproj files through <Import Project="..."> directives. This ticket implements support for resolving package versions from these centralized configuration files, enabling accurate SBOM generation for modern .NET projects that use Central Package Management (CPM).

📝 Summary

This PR adds support for centralized package version management in .NET projects by:

  1. Discovering centralized .props files: Implemented logic to discover Directory.Build.props, Directory.Packages.props, and custom .props files through both explicit imports in .csproj files and MSBuild convention-based detection (searching parent directories).
  2. Only using centrally managed versions when <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally> is present
  3. Adding support for multiple Directory.Build.props files

🧪 Testing

  • New tests were added for new logic.
  • Existing tests were updated for new logic, and not only so that they pass!
  • Benchmark results prove that performance is the same or better.

🚧 Staging validation

  • Tested locally against all .NET repositories and it demonstrated success
[Screenshot 2025-12-16 at 17:00:06]

📚 Documentation

Document       Link or Detail
RFC            RFC
Incident       N/A
Jira Ticket    K9VULN-9996

github-actions bot commented Dec 15, 2025

Go test coverage report

Total test coverage: 90.2% (4269/4732)

Test coverage has changed in the current files, with 11 lines missing coverage.
file                                        uncovered   current coverage   base coverage
pkg/lockfile/dotnet/parse-nuget-csproj.go   8           95.9% (188/196)    96.3% (154/160)
pkg/lockfile/dotnet/xml-parser.go           3           91.4% (32/35)      92.3% (24/26)

@piloulacdog piloulacdog force-pushed the pierrelouis.lacorte/K9VULN-9996-centralized-package-versions-support branch 2 times, most recently from 8989376 to 2036480 on December 15, 2025 12:19
@piloulacdog piloulacdog marked this pull request as ready for review December 15, 2025 12:24
@piloulacdog piloulacdog requested a review from a team as a code owner December 15, 2025 12:24
@piloulacdog piloulacdog force-pushed the pierrelouis.lacorte/K9VULN-9996-centralized-package-versions-support branch from 2036480 to f5e8b29 on December 15, 2025 15:22
@jbcibois-ddhq jbcibois-ddhq left a comment

LGTM

@piloulacdog piloulacdog merged commit b55b7f1 into main Dec 17, 2025
10 checks passed
@piloulacdog piloulacdog deleted the pierrelouis.lacorte/K9VULN-9996-centralized-package-versions-support branch December 17, 2025 10:00