Dependency Scanning fails when NuGet packages.lock.json contains ProjectReference nodes

Summary

Dependency Scanning job fails to scan a NuGet packages.lock.json when:

  • It has nodes where the type is "Project" (project references).
  • A project node is referenced in the dependencies of another project node.
  • The names don't match because the referenced name and the node name differ in case (for example "Dep2" versus "dep2").

In this case the analyzer fails with a "cannot find nuget dependency" error, because the project node referenced in dependencies has no match under an exact-case lookup.

Example:

{
  "version": 1,
  "dependencies": {
    ".NETCoreApp,Version=v5.0": {
      "dep1": {
        "type": "Project",
        "dependencies": {
          "Dep2": "1.0.0"
        }
      },
      "dep2": {
        "type": "Project"
      }
    }
  }
}

Further details

Right now the file parser assumes that a packages.lock.json is made of Direct nodes or Transitive nodes. Project nodes are handled like Transitive nodes.

packages.lock.json defines 4 dependency types: Direct, Transitive, Project, and CentralTransitive.
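The parser behaviour proposed in this issue, written out as an added Go example (not the gemnasium analyzer's own code): Project nodes are kept and treated like Direct ones, and dependency names are resolved case-insensitively so the "Dep2" / "dep2" mismatch no longer produces the error. The struct and function names are assumptions; only the node types and the error message come from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// lockEntry is one node under a target framework in packages.lock.json.
type lockEntry struct {
	Type         string            `json:"type"`         // Direct, Transitive, Project or CentralTransitive
	Dependencies map[string]string `json:"dependencies"` // dependency name -> version range
}
// lockFile is the top level of packages.lock.json: framework -> node name -> node.
type lockFile struct {
	Dependencies map[string]map[string]lockEntry `json:"dependencies"`
}

// ResolveLock treats Project nodes like Direct ones and checks that every name under
// "dependencies" has a matching node, comparing case-insensitively. It returns the
// sorted names of the nodes treated as direct dependencies, or an analyzer-style error.
func ResolveLock(data []byte) ([]string, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	var direct []string
	for fw, nodes := range lf.Dependencies {
		byLower := make(map[string]struct{}, len(nodes)) // lower-cased node names
		for name := range nodes {
			byLower[strings.ToLower(name)] = struct{}{}
		}
		for name, node := range nodes {
			if node.Type == "Direct" || node.Type == "Project" {
				direct = append(direct, name)
			}
			for dep := range node.Dependencies { // an exact-case lookup here is the bug ("Dep2" vs "dep2")
				if _, ok := byLower[strings.ToLower(dep)]; !ok {
					return nil, fmt.Errorf("cannot find nuget dependency: %s (required by %s in %s)", dep, name, fw)
				}
			}
		}
	}
	sort.Strings(direct)
	return direct, nil
}
// sample is a constructed lock file with the case mismatch from the issue ("Dep2" vs "dep2").
const sample = `{"version":1,"dependencies":{".NETCoreApp,Version=v5.0":{"dep1":{"type":"Project","dependencies":{"Dep2":"1.0.0"}},"dep2":{"type":"Project"}}}}`
func main() { fmt.Println(ResolveLock([]byte(sample))) } // prints: [dep1 dep2] <nil>
```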

Links:

Example project

https://gitlab.com/kriwaaga-public/gitlab/gemnasium-dotnet-projectreference-bug/-/jobs/1769022564#L28

Steps to reproduce

Create a .NET project with a generated packages.lock.json file that contains references to other projects, and where the case of a referenced project name differs from the case of its own node.

What is the current bug behavior?

The gemnasium-dependency_scanning job fails:

$ /analyzer run
[INFO] [Gemnasium] [2021-10-21T14:35:51Z] ▶ GitLab Gemnasium analyzer v2.29.9
[INFO] [Gemnasium] [2021-10-21T14:35:53Z] ▶ Using commit xxxxx of vulnerability database
[FATA] [Gemnasium] [2021-10-21T14:35:53Z] ▶ cannot find nuget dependency: Example.Project.A

What is the expected correct behavior?

Scanning job doesn't fail.

Possible fixes

  • Change the NuGet lock file parser to exclude ProjectReference entries, that is, entries whose type is Project.
  • Don't skip Project nodes, but ignore case when resolving their dependencies.

Implementation plan

  • Change the NuGet lock file parser
    • Process Project nodes as direct dependencies.
    • Ignore case when resolving package names.
    • Cover this in parser unit tests.
  • Release new version.
Edited by Fabien Catteau