
Conversation

@bhanurp bhanurp (Contributor) commented Dec 17, 2025

  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • The pull request is targeting the master branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....

Description:

Fix inconsistent RequestedBy Paths for .NET Dependencies

Summary

This PR fixes a bug where direct dependency attribution for .NET projects was inconsistent across multiple runs of jf audit or Frogbot. The "Direct Dependency" column and impact paths would change unpredictably, even with the same project and source code.

Root Cause

The root cause was non-deterministic Go map iteration order in the dependency resolution code. When a dependency appeared as both direct AND transitive (e.g., Newtonsoft.Json is a direct dependency and also a transitive dependency of NuGet.Core), the RequestedBy paths would be populated in random order across runs, causing:

  • Inconsistent direct dependency attribution: a dependency could flip between "direct" and "transitive" across runs
  • Flaky vulnerability reports: impact paths would change between scans
  • Non-reproducible build-info: the same project producing different outputs

Depends on

jfrog/build-info-go#349
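To make the root cause concrete, here is an added example (not code from jfrog-cli or build-info-go) that models the situation the PR describes: a tiny constructed dependency graph in which Newtonsoft.Json is requested directly by the module root and also through NuGet.Core. The graph is stored as a map of sets, and the RequestedBy paths are built by walking it. `Resolve(id, false)` visits parents in Go's map iteration order, which the runtime randomizes, so the order of the paths (and any attribution rule that looks only at the first path) can differ between runs; `Resolve(id, true)` sorts the keys first, which is one way to make the output reproducible. `AnyPathIsDirect` is an additional order-independent check, not the fix the PR implements. The type, function and ID names, the `root` sentinel, and the path layout (first requester first, module root last) are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Dependency carries an ID plus its RequestedBy paths. Each path lists the
// chain of requesters from the immediate parent up to the module root.
// The shape is assumed for this illustration; it is not build-info-go's type.
type Dependency struct {
	ID          string
	RequestedBy [][]string
}

// root is the assumed ID of the module itself.
const root = "root"

// requesters is a constructed graph: each ID maps to the set of IDs that
// request it. Newtonsoft.Json is requested directly by the root and also
// transitively through NuGet.Core, the case the PR describes.
var requesters = map[string]map[string]struct{}{
	"Newtonsoft.Json": {root: {}, "NuGet.Core": {}},
	"NuGet.Core":      {root: {}},
	root:              {},
}

// rangeOrder returns the parents in Go map iteration order, which the
// runtime deliberately randomizes: this is the source of the flakiness.
func rangeOrder(set map[string]struct{}) []string {
	var ids []string
	for p := range set {
		ids = append(ids, p)
	}
	return ids
}

// sortedOrder sorts the keys so parents are visited the same way every run.
func sortedOrder(set map[string]struct{}) []string {
	ids := rangeOrder(set)
	sort.Strings(ids)
	return ids
}

// walk appends every chain from id up to the root to out, visiting parents
// in the order produced by next. Each completed chain is copied because the
// shared slice is reused across sibling branches.
func walk(id string, chain []string, next func(map[string]struct{}) []string, out *[][]string) {
	chain = append(chain, id)
	if id == root {
		*out = append(*out, append([]string(nil), chain...))
		return
	}
	for _, p := range next(requesters[id]) {
		walk(p, chain, next, out)
	}
}

// Resolve builds the Dependency for id with its RequestedBy paths.
func Resolve(id string, deterministic bool) Dependency {
	next := rangeOrder
	if deterministic {
		next = sortedOrder
	}
	var paths [][]string
	walk(id, nil, next, &paths)
	// Drop the dependency's own ID so each path starts at its first requester.
	for i := range paths {
		paths[i] = paths[i][1:]
	}
	return Dependency{ID: id, RequestedBy: paths}
}

// FirstPathIsDirect models an order-sensitive attribution rule that looks
// only at the first path. Under rangeOrder its answer can change per run.
func FirstPathIsDirect(d Dependency) bool {
	return len(d.RequestedBy) > 0 && len(d.RequestedBy[0]) > 0 && d.RequestedBy[0][0] == root
}

// AnyPathIsDirect is order-independent: direct if any path starts at root.
func AnyPathIsDirect(d Dependency) bool {
	for _, p := range d.RequestedBy {
		if len(p) > 0 && p[0] == root {
			return true
		}
	}
	return false
}

func main() {
	for i := 0; i < 5; i++ {
		d := Resolve("Newtonsoft.Json", false)
		fmt.Printf("map order run %d: paths=%v direct(first path)=%v\n", i, d.RequestedBy, FirstPathIsDirect(d))
	}
	d := Resolve("Newtonsoft.Json", true)
	fmt.Printf("sorted: paths=%v direct(first path)=%v direct(any path)=%v\n",
		d.RequestedBy, FirstPathIsDirect(d), AnyPathIsDirect(d))
}
```

Running the map-order loop a few times usually shows the two paths swapping places, and `FirstPathIsDirect` swapping with them. With sorted keys the output is identical on every run; note that sorting alone fixes reproducibility, not the attribution rule, since the sorted first path for Newtonsoft.Json is the transitive one through NuGet.Core, which is why an order-independent check such as `AnyPathIsDirect` is worth having alongside it.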

@bhanurp bhanurp added the bug Something isn't working label Dec 17, 2025
@bhanurp bhanurp added the safe to test Approve running integration tests on a pull request label Dec 17, 2025
@github-actions (Contributor)

👍 Frogbot scanned this pull request and did not find any new security issues.


@bhanurp bhanurp added safe to test Approve running integration tests on a pull request and removed safe to test Approve running integration tests on a pull request labels Dec 18, 2025
@bhanurp bhanurp marked this pull request as ready for review December 18, 2025 18:46
@bhanurp bhanurp merged commit d784314 into jfrog:master Dec 19, 2025
71 checks passed