# Dependency Scanning fails when NuGet packages.lock.json contains ProjectReference nodes
## Summary

The Dependency Scanning job fails to scan a NuGet `packages.lock.json` when:

- It has nodes where the `type` is `"Project"` (project references).
- A project node is referenced in the `dependencies` of another project node.
- The names don't match because the case differs.

In this case the analyzer fails with a `cannot find nuget dependency` error, because the project node referenced in `dependencies` has no match.
Example:

```json
{
  "version": 1,
  "dependencies": {
    ".NETCoreApp,Version=v5.0": {
      "dep1": {
        "type": "Project",
        "dependencies": {
          "Dep2": "1.0.0"
        }
      },
      "dep2": {
        "type": "Project"
      }
    }
  }
}
```
## Further details

Right now the file parser assumes that a `packages.lock.json` is made of `Direct` nodes or `Transitive` nodes. `Project` nodes are handled like `Transitive` nodes.

`packages.lock.json` defines 4 dependency types: `Direct`, `Transitive`, `Project`, and `CentralTransitive`.

Links:

- https://github.com/NuGet/NuGet.Client/blob/6.2.0.80/src/NuGet.Core/NuGet.ProjectModel/ProjectLockFile/PackageDependencyType.cs#L21
- https://github.com/NuGet/NuGet.Client/blob/6.2.0.80/src/NuGet.Core/NuGet.ProjectModel/ProjectLockFile/LockFileDependency.cs#L23
- https://github.com/NuGet/NuGet.Client/blob/6.2.0.80/src/NuGet.Core/NuGet.ProjectModel/ProjectLockFile/PackagesLockFileFormat.cs#L220
Example project
## Steps to reproduce

Create a .NET project with a generated `packages.lock.json` file that contains references to other projects, and where the case is different.
## What is the current bug behavior?

The `gemnasium-dependency_scanning` job fails:

```plaintext
$ /analyzer run
[INFO] [Gemnasium] [2021-10-21T14:35:51Z] ▶ GitLab Gemnasium analyzer v2.29.9
[INFO] [Gemnasium] [2021-10-21T14:35:53Z] ▶ Using commit xxxxx of vulnerability database
[FATA] [Gemnasium] [2021-10-21T14:35:53Z] ▶ cannot find nuget dependency: Example.Project.A
```
## What is the expected correct behavior?

The scanning job doesn't fail.
## Possible fixes

- Change the NuGet lock file parser to exclude `ProjectReference` entries, that is, entries where the `type` is `Project`.
- Don't skip `Project` nodes, but ignore the case when resolving their `dependencies`.
## Implementation plan

- [ ] Change the NuGet lock file parser
  - Process `Project` nodes as direct dependencies.
  - Ignore case when resolving package names.
  - Cover this in parser unit tests.
- [ ] Release new version.
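The second fix above, as an added illustration rather than the analyzer's own parser code: a minimal lock-file walker that keeps `Project` nodes and resolves each node's `dependencies` through a lower-cased index, so `"Dep2"` matches the node `"dep2"` while a name with no node at all still raises the `cannot find nuget dependency` error. The sample lock file and the `ResolveLock` function are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample (same shape as the report's example): "dep1" references "Dep2", present only as "dep2".
const sampleLock = `{"version":1,"dependencies":{".NETCoreApp,Version=v5.0":{
  "dep1":{"type":"Project","dependencies":{"Dep2":"1.0.0"}},
  "dep2":{"type":"Project"}}}}`

type lockNode struct {
	Type         string            `json:"type"`
	Dependencies map[string]string `json:"dependencies"`
}
type lockFile struct {
	Dependencies map[string]map[string]lockNode `json:"dependencies"`
}

// ResolveLock returns, per target framework, the node names each node's dependencies
// resolve to. Lookups are case-insensitive, as NuGet package IDs are, so a Project node
// referenced with a different case resolves; a genuinely missing node still errors.
func ResolveLock(data []byte) (map[string]map[string][]string, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	out := map[string]map[string][]string{}
	for fw, nodes := range lf.Dependencies {
		index := map[string]string{} // lower-cased name -> name as written in the file
		for name := range nodes {
			index[strings.ToLower(name)] = name
		}
		out[fw] = map[string][]string{}
		for name, node := range nodes {
			for dep := range node.Dependencies {
				canon, ok := index[strings.ToLower(dep)]
				if !ok {
					return nil, fmt.Errorf("cannot find nuget dependency: %s", dep)
				}
				out[fw][name] = append(out[fw][name], canon)
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(ResolveLock([]byte(sampleLock))) }
```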
Edited by Fabien Catteau