.NET License Scanning Deficiencies
Summary
.NET projects that are scanned by the license scanner have the following deficiencies:
- Dependencies of the listed project dependencies (transitive dependencies) are not reported.
- The detected license for every dependency is always reported as unknown.
Steps to reproduce
Run this test.
Example Project
What is the current bug behavior?
The license scan detects dependencies listed in packages.config, .nuget and vendor/*.nupkg, and reports the license URL if one is found in the .nuspec file. The scan makes no attempt to analyze the license behind that URL, nor does it use the //package/metadata/license element available in newer versions of the nuspec definition (with type="expression" it carries an SPDX license expression; with type="file" it names a license file packaged inside the .nupkg).
What is the expected correct behavior?
I expect that license scan detection would detect the listed project dependencies as well as the dependencies of those dependencies, etc.
Relevant logs and/or screenshots
For example, the following packages.config:

```xml
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="NHibernate" version="5.2.6" />
</packages>
```

should detect, at a minimum, the following dependencies and associated licenses (the failing assertions from the spec):
|| Failures:
||
|| 1) .NET Framework when a project has a dependency that has it's own dependencies is expected to contain exactly "LGPL-2.1", "Apache-2.0", and "BSD-3-Clause"
|| Failure/Error: specify { expect(runner.scan[:licenses].map { |x| x[:id] }.uniq).to match_array(['LGPL-2.1', 'Apache-2.0', 'BSD-3-Clause']) }
||
|| expected collection contained: ["Apache-2.0", "BSD-3-Clause", "LGPL-2.1"]
|| actual collection contained: ["unknown"]
|| the missing elements were: ["Apache-2.0", "BSD-3-Clause", "LGPL-2.1"]
|| the extra elements were: ["unknown"]
|| # ./spec/integration/dotnet/nuget_spec.rb:94:in `block (3 levels) in <top (required)>'
||
|| 2) .NET Framework when a project has a dependency that has it's own dependencies is expected to contain exactly "Iesi.Collections", "Remotion.Linq", "Remotion.Linq.EagerFetching", "Antlr3.Runtime", and "NHibernate"
|| Failure/Error:
|| expect(runner.scan[:dependencies].map { |x| x[:name] }).to match_array([
|| 'Iesi.Collections',
|| 'Remotion.Linq',
|| 'Remotion.Linq.EagerFetching',
|| "Antlr3.Runtime",
|| "NHibernate",
|| ])
||
|| expected collection contained: ["Antlr3.Runtime", "Iesi.Collections", "NHibernate", "Remotion.Linq", "Remotion.Linq.EagerFetching"]
|| actual collection contained: ["NHibernate"]
|| the missing elements were: ["Antlr3.Runtime", "Iesi.Collections", "Remotion.Linq", "Remotion.Linq.EagerFetching"]
|| # ./spec/integration/dotnet/nuget_spec.rb:96:in `block (3 levels) in <top (required)>'
Output of checks
This bug happens on GitLab.com.
Possible fixes
Instead of reporting the licenseUrl as the license, download the file it points to and analyze its text. link
Include dependencies of dependencies in the scan link, instead of just the ones listed in packages.config.
Also, consider parsing the csproj //PackageReference elements for the full list of dependencies (SDK-style projects declare dependencies there rather than in packages.config). For dependencies that are not present locally, consider pulling the nuspec definition from the NuGet API.
Consider supporting the same file parsers that are listed here.
Implementation Plan
- Install all packages for a NuGet project to a known location.
- Exclude development/test dependencies from the nuget restore step.
- Scan for all the *.nupkg files in the vendored location.
- Add a dependency entry for each *.nupkg file discovered in the vendored location instead of parsing the *.csproj <package> references.
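The two remedies proposed under "Possible fixes" and sketched in the plan above (read //package/metadata/license from each vendored .nuspec instead of trusting licenseUrl, and follow declared dependencies transitively instead of stopping at packages.config) as an added Ruby example. This is not the scanner's own code. The package names echo the issue, but the nuspec fixtures, versions, URLs and the choice of which package carries only a licenseUrl are constructed for the example and do not describe the real packages; `build_nuspec`, `resolve_closure` and `scan` are hypothetical helpers, and the vendored store is a hash of id => nuspec XML standing in for the .nuspec inside each *.nupkg. It runs offline, so it stops short of downloading the licenseUrl target and of querying the NuGet API; a dependency with no vendored nuspec is reported as missing so that a later step can fetch it.

```ruby
require 'rexml/document'

# Build a minimal nuspec document; used only to construct the fixtures below.
def build_nuspec(id:, version:, license: nil, url: nil, deps: [])
  license_xml = license ? %(<license type="expression">#{license}</license>) : ''
  url_xml = url ? "<licenseUrl>#{url}</licenseUrl>" : ''
  deps_xml = deps.map { |d| %(<dependency id="#{d}" version="1.0.0" />) }.join
  <<~XML
    <?xml version="1.0"?>
    <package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
      <metadata>
        <id>#{id}</id><version>#{version}</version>#{license_xml}#{url_xml}
        <dependencies><group targetFramework="net461">#{deps_xml}</group></dependencies>
      </metadata>
    </package>
  XML
end

# Constructed stand-ins for the .nuspec found inside each vendored *.nupkg. Package
# names echo the issue; versions, URLs and which package carries only a licenseUrl
# are made up for this example and do not describe the real packages.
NUSPECS = {
  'NHibernate' => build_nuspec(id: 'NHibernate', version: '5.2.6', license: 'LGPL-2.1',
                               deps: %w[Iesi.Collections Remotion.Linq Remotion.Linq.EagerFetching Antlr3.Runtime]),
  'Iesi.Collections' => build_nuspec(id: 'Iesi.Collections', version: '4.0.4', url: 'https://example.invalid/iesi/LICENSE.txt'),
  'Remotion.Linq' => build_nuspec(id: 'Remotion.Linq', version: '2.2.0', license: 'Apache-2.0'),
  'Remotion.Linq.EagerFetching' => build_nuspec(id: 'Remotion.Linq.EagerFetching', version: '2.2.0',
                                                license: 'Apache-2.0', deps: %w[Remotion.Linq]),
  'Antlr3.Runtime' => build_nuspec(id: 'Antlr3.Runtime', version: '3.5.1', license: 'BSD-3-Clause')
}.freeze

# The packages.config from the issue.
PACKAGES_CONFIG = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <packages>
    <package id="NHibernate" version="5.2.6" />
  </packages>
XML

# Local-name lookups, so nuspec files with older schema namespaces parse the same way.
def child(el, name)
  el.elements.find { |e| e.name == name }
end

def text_of(el, name)
  (child(el, name)&.text).to_s.strip
end

def each_descendant(el, &blk)
  el.elements.each { |e| blk.call(e); each_descendant(e, &blk) }
end

# Parse one nuspec into a hash. The SPDX id comes from //package/metadata/license when
# it is an expression; a package that only carries a licenseUrl is reported as
# "unknown", and the URL is kept so a later step can download and classify the text.
def parse_nuspec(xml)
  doc = REXML::Document.new(xml)
  metadata = child(doc.root, 'metadata')
  raise ArgumentError, 'nuspec has no <metadata> element' unless metadata
  license_el = child(metadata, 'license')
  license = (license_el && license_el.attributes['type'] == 'expression') ? license_el.text.to_s.strip : 'unknown'
  deps = []
  if (dependencies = child(metadata, 'dependencies'))
    # Dependencies may sit directly under <dependencies> or inside per-framework <group> elements.
    each_descendant(dependencies) { |e| deps << e.attributes['id'] if e.name == 'dependency' }
  end
  { id: text_of(metadata, 'id'), version: text_of(metadata, 'version'), license: license,
    license_url: text_of(metadata, 'licenseUrl'), dependencies: deps.compact.uniq, missing: false }
end

# Top-level package ids from packages.config.
def packages_config_ids(xml)
  REXML::Document.new(xml).root.elements.select { |e| e.name == 'package' }.map { |e| e.attributes['id'] }
end

# Breadth-first walk of the dependency graph from the top-level ids. Each package is
# visited once, so shared and cyclic dependencies terminate. A package with no vendored
# nuspec is recorded with missing: true for the caller to fetch from the NuGet API.
def resolve_closure(root_ids, store)
  seen = {}
  queue = root_ids.dup
  until queue.empty?
    id = queue.shift
    next if seen.key?(id)
    if store.key?(id)
      pkg = parse_nuspec(store[id])
      queue.concat(pkg[:dependencies])
    else
      pkg = { id: id, version: nil, license: 'unknown', license_url: '', dependencies: [], missing: true }
    end
    seen[id] = pkg
  end
  seen.values
end

# Same shape as the runner.scan hash asserted on in the spec output above.
def scan(packages_config_xml, store)
  pkgs = resolve_closure(packages_config_ids(packages_config_xml), store)
  { dependencies: pkgs.map { |p| p[:id] }, licenses: pkgs.map { |p| { id: p[:license], url: p[:license_url] } }.uniq }
end

p scan(PACKAGES_CONFIG, NUSPECS) if $PROGRAM_NAME == __FILE__
```

With the constructed fixtures, `scan` returns all five packages and the license ids LGPL-2.1, Apache-2.0, BSD-3-Clause and one "unknown" (Iesi.Collections, which only carries a licenseUrl here), which is the point of keeping the URL in the result: the scanner can tell a package it could not classify apart from one it never looked at.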