
Skip unsupported types when parsing Nuget lock files

Fabien Catteau requested to merge 353806-skip-nuget-project-ref into master

What does this MR do?

Skip unsupported types when parsing Nuget lock files.

Packages that are direct or transitive dependencies of a Project node are still reported. However, the parser doesn't report direct dependencies of Project nodes as such. As a result, convert can't find the dependency path to dependencies connected to Project nodes, and they appear as direct.

packages.lock.json
{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Swashbuckle.AspNetCore": {
        "type": "Direct",
        "requested": "[6.2.3, )",
        "resolved": "6.2.3",
        "contentHash": "cnzQDn0Le+hInsw2SYwlOhOCPXpYi/szcvnyqZJ12v+QyrLBwAmWXBg6RIyHB18s/mLeywC+Rg2O9ndz0IUNYQ==",
        "dependencies": {
          "Microsoft.Extensions.ApiDescription.Server": "3.0.0",
          "Swashbuckle.AspNetCore.Swagger": "6.2.3",
          "Swashbuckle.AspNetCore.SwaggerGen": "6.2.3",
          "Swashbuckle.AspNetCore.SwaggerUI": "6.2.3"
        }
      },
      "Microsoft.Extensions.ApiDescription.Server": {
        "type": "Transitive",
        "resolved": "3.0.0",
        "contentHash": "LH4OE/76F6sOCslif7+Xh3fS/wUUrE5ryeXAMcoCnuwOQGT5Smw0p57IgDh/pHgHaGz/e+AmEQb7pRgb++wt0w=="
      },
      "Microsoft.NETCore.Platforms": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "VyPlqzH2wavqquTcYpkIIAQ6WdenuKoFN0BdYBbCWsclXacSOHNQn66Gt4z5NBqEYW0FAPm5rlvki9ZiCij5xQ=="
      },
      "Microsoft.OpenApi": {
        "type": "Transitive",
        "resolved": "1.2.3",
        "contentHash": "Nug3rO+7Kl5/SBAadzSMAVgqDlfGjJZ0GenQrLywJ84XGKO0uRqkunz5Wyl0SDwcR71bAATXvSdbdzPrYRYKGw=="
      },
      "Microsoft.Win32.Registry": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "dDoKi0PnDz31yAyETfRntsLArTlVAVzUzCIvvEDsDsucrl33Dl8pIJG06ePTJTI3tGpeyHS9Cq7Foc/s4EeKcg==",
        "dependencies": {
          "System.Security.AccessControl": "5.0.0",
          "System.Security.Principal.Windows": "5.0.0"
        }
      },
      "Microsoft.Win32.SystemEvents": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "Bh6blKG8VAKvXiLe2L+sEsn62nc1Ij34MrNxepD2OCrS5cpCwQa9MeLyhVQPQ/R4Wlzwuy6wMK8hLb11QPDRsQ==",
        "dependencies": {
          "Microsoft.NETCore.Platforms": "5.0.0"
        }
      },
      "Pipelines.Sockets.Unofficial": {
        "type": "Transitive",
        "resolved": "2.2.0",
        "contentHash": "7hzHplEIVOGBl5zOQZGX/DiJDHjq+RVRVrYgDiqXb6RriqWAdacXxp+XO9WSrATCEXyNOUOQg9aqQArsjase/A==",
        "dependencies": {
          "Microsoft.ChakraCore": "1.11.18"
        }
      },
      "StackExchange.Redis": {
        "type": "Transitive",
        "resolved": "2.2.88",
        "contentHash": "JJi1jcO3/ZiamBhlsC/TR8aZmYf+nqpGzMi0HRRCy5wJkUPmMnRp0kBA6V84uhU8b531FHSdTDaFCAyCUJomjA==",
        "dependencies": {
          "Pipelines.Sockets.Unofficial": "2.2.0",
          "System.Diagnostics.PerformanceCounter": "5.0.0"
        }
      },
      "Swashbuckle.AspNetCore.Swagger": {
        "type": "Transitive",
        "resolved": "6.2.3",
        "contentHash": "qOF7j1sL0bWm8g/qqHVPCvkO3JlVvUIB8WfC98kSh6BT5y5DAnBNctfac7XR5EZf+eD7/WasvANncTqwZYfmWQ==",
        "dependencies": {
          "Microsoft.OpenApi": "1.2.3"
        }
      },
      "Swashbuckle.AspNetCore.SwaggerGen": {
        "type": "Transitive",
        "resolved": "6.2.3",
        "contentHash": "+Xq7WdMCCfcXlnbLJVFNgY8ITdP2TRYIlpbt6IKzDw5FwFxdi9lBfNDtcT+/wkKwX70iBBFmXldnnd02/VO72A==",
        "dependencies": {
          "Swashbuckle.AspNetCore.Swagger": "6.2.3"
        }
      },
      "Swashbuckle.AspNetCore.SwaggerUI": {
        "type": "Transitive",
        "resolved": "6.2.3",
        "contentHash": "bCRI87uKJVb4G+KURWm8LQrL64St04dEFZcF6gIM67Zc0Sr/N47EO83ybLMYOvfNdO1DCv8xwPcrz9J/VEhQ5g=="
      },
      "System.Configuration.ConfigurationManager": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "aM7cbfEfVNlEEOj3DsZP+2g9NRwbkyiAv2isQEzw7pnkDg9ekCU2m1cdJLM02Uq691OaCS91tooaxcEn8d0q5w==",
        "dependencies": {
          "System.Security.Cryptography.ProtectedData": "5.0.0",
          "System.Security.Permissions": "5.0.0"
        }
      },
      "System.Diagnostics.PerformanceCounter": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "kcQWWtGVC3MWMNXdMDWfrmIlFZZ2OdoeT6pSNVRtk9+Sa7jwdPiMlNwb0ZQcS7NRlT92pCfmjRtkSWUW3RAKwg==",
        "dependencies": {
          "Microsoft.NETCore.Platforms": "5.0.0",
          "Microsoft.Win32.Registry": "5.0.0",
          "System.Configuration.ConfigurationManager": "5.0.0",
          "System.Security.Principal.Windows": "5.0.0"
        }
      },
      "System.Drawing.Common": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "SztFwAnpfKC8+sEKXAFxCBWhKQaEd97EiOL7oZJZP56zbqnLpmxACWA8aGseaUExciuEAUuR9dY8f7HkTRAdnw==",
        "dependencies": {
          "Microsoft.Win32.SystemEvents": "5.0.0"
        }
      },
      "Microsoft.ChakraCore": {
        "type": "Transitive",
        "resolved": "1.11.18",
        "contentHash": "irMYm3vhVgRsYvHTU5b2gsT2CwT/SMM6LZFzuJjpIvT5Z4CshxNsaoBC1X/LltwuR3Opp8d6jOS/60WwOb7Q2Q=="
      },
      "System.Security.AccessControl": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "dagJ1mHZO3Ani8GH0PHpPEe/oYO+rVdbQjvjJkBRNQkX4t0r1iaeGn8+/ybkSLEan3/slM0t59SVdHzuHf2jmw==",
        "dependencies": {
          "Microsoft.NETCore.Platforms": "5.0.0",
          "System.Security.Principal.Windows": "5.0.0"
        }
      },
      "System.Security.Cryptography.ProtectedData": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "HGxMSAFAPLNoxBvSfW08vHde0F9uh7BjASwu6JF9JnXuEPhCY3YUqURn0+bQV/4UWeaqymmrHWV+Aw9riQCtCA=="
      },
      "System.Security.Permissions": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "uE8juAhEkp7KDBCdjDIE3H9R1HJuEHqeqX8nLX9gmYKWwsqk3T5qZlPx8qle5DPKimC/Fy3AFTdV7HamgCh9qQ==",
        "dependencies": {
          "System.Security.AccessControl": "5.0.0",
          "System.Windows.Extensions": "5.0.0"
        }
      },
      "System.Security.Principal.Windows": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "t0MGLukB5WAVU9bO3MGzvlGnyJPgUlcwerXn1kzBRjwLKixT96XV0Uza41W49gVd8zEMFu9vQEFlv0IOrytICA=="
      },
      "System.Windows.Extensions": {
        "type": "Transitive",
        "resolved": "5.0.0",
        "contentHash": "c1ho9WU9ZxMZawML+ssPKZfdnrg/OjR3pe0m9v8230z3acqphwvPJqzAkH54xRYm5ntZHGG1EPP3sux9H3qSPg==",
        "dependencies": {
          "System.Drawing.Common": "5.0.0"
        }
      },
      "veryprivatelib": {
        "type": "Project",
        "dependencies": {
          "StackExchange.Redis": "2.2.88"
        }
      }
    }
  }
}
Dependency Scanning report (excerpt)
{
  "version": "14.0.4",
  "vulnerabilities": [
    {
      "id": "d04a423f3bdaa43afbe109582761a8bff3f73fd330c4d91f204a7f08d38f122c",
      "category": "dependency_scanning",
      "name": "Memory Corruption",
      "message": "Memory Corruption in Microsoft.ChakraCore",
      "description": "A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.",
      "cve": "packages.lock.json:Microsoft.ChakraCore:gemnasium:03142d6a-d868-4db7-b613-ff911c74dc67",
      "severity": "High",
      "solution": "Upgrade to version 1.11.22 or above.",
      "scanner": {
        "id": "gemnasium",
        "name": "Gemnasium"
      },
      "location": {
        "file": "packages.lock.json",
        "dependency": {
          "iid": 16,
          "package": {
            "name": "Microsoft.ChakraCore"
          },
          "version": "1.11.18"
        }
      },
    }
  ],
  "dependency_files": [
    {
      "path": "packages.lock.json",
      "package_manager": "nuget",
      "dependencies": [
        {
          "iid": 16,
          "direct": true,
          "package": {
            "name": "Microsoft.ChakraCore"
          },
          "version": "1.11.18"
        },
        {
          "iid": 14,
          "package": {
            "name": "Microsoft.Extensions.ApiDescription.Server"
          },
          "version": "3.0.0"
        },
        {
          "iid": 18,
          "package": {
            "name": "Microsoft.NETCore.Platforms"
          },
          "version": "5.0.0"
        },
        {
          "iid": 6,
          "package": {
            "name": "Microsoft.OpenApi"
          },
          "version": "1.2.3"
        },
        {
          "iid": 9,
          "package": {
            "name": "Microsoft.Win32.Registry"
          },
          "version": "5.0.0"
        },
        {
          "iid": 10,
          "package": {
            "name": "Microsoft.Win32.SystemEvents"
          },
          "version": "5.0.0"
        },
        {
          "iid": 7,
          "package": {
            "name": "Pipelines.Sockets.Unofficial"
          },
          "version": "2.2.0"
        },
        {
          "iid": 8,
          "package": {
            "name": "StackExchange.Redis"
          },
          "version": "2.2.88"
        },
        {
          "iid": 13,
          "package": {
            "name": "Swashbuckle.AspNetCore"
          },
          "version": "6.2.3"
        },
        {
          "iid": 19,
          "package": {
            "name": "Swashbuckle.AspNetCore.Swagger"
          },
          "version": "6.2.3"
        },
        {
          "iid": 15,
          "package": {
            "name": "Swashbuckle.AspNetCore.SwaggerGen"
          },
          "version": "6.2.3"
        },
        {
          "iid": 1,
          "package": {
            "name": "Swashbuckle.AspNetCore.SwaggerUI"
          },
          "version": "6.2.3"
        },
        {
          "iid": 2,
          "package": {
            "name": "System.Configuration.ConfigurationManager"
          },
          "version": "5.0.0"
        },
        {
          "iid": 20,
          "package": {
            "name": "System.Diagnostics.PerformanceCounter"
          },
          "version": "5.0.0"
        },
        {
          "iid": 12,
          "package": {
            "name": "System.Drawing.Common"
          },
          "version": "5.0.0"
        },
        {
          "iid": 17,
          "package": {
            "name": "System.Security.AccessControl"
          },
          "version": "5.0.0"
        },
        {
          "iid": 3,
          "package": {
            "name": "System.Security.Cryptography.ProtectedData"
          },
          "version": "5.0.0"
        },
        {
          "iid": 11,
          "package": {
            "name": "System.Security.Permissions"
          },
          "version": "5.0.0"
        },
        {
          "iid": 4,
          "package": {
            "name": "System.Security.Principal.Windows"
          },
          "version": "5.0.0"
        },
        {
          "iid": 5,
          "package": {
            "name": "System.Windows.Extensions"
          },
          "version": "5.0.0"
        }
      ]
    }
  ]
}

Direct nodes are still reported as such. convert accurately reports the dependency path to Transient dependency connected to Direct node; there's no regression.

What are the relevant issue numbers?

gitlab-org/gitlab#345144 (closed)

Does this MR meet the acceptance criteria?

Edited by Fabien Catteau
