
nuget: parse .csproj and packages.config files #3607

Open · wants to merge 2 commits into base: develop

Conversation

schischi (Contributor)

Add support for 2 manifest files:

  • packages.config: XML file holding the list of package dependencies;
  • *.csproj: describe a project with dependencies (NuGet package references);

The manifest files do not contain a lot of info, but enough to build a package-url.

fixes #2392

Add support for 2 manifest files:
  - packages.config: XML file holding the list of package dependencies;
  - *.csproj: describe a project with dependencies (NuGet package references);

The manifest files do not contain a lot of info, but enough to build a package-url.

fixes aboutcode-org#2392

Signed-off-by: Adrien Schildknecht <adrs@fb.com>
Complex csproj files have multiple ItemGroups, make sure we check all of them.

Signed-off-by: Adrien Schildknecht <adrs@fb.com>
@pombredanne (Member)

@schischi Thank you ++
This is needed and long overdue alright!
There also is another tool -- if .NET and C# are your poison of choice -- at https://github.com/nexB/nuget-inspector which is written in C# and is designed to also resolve .NET dependencies. It handles many if not all current and legacy manifest formats including all the *.*proj variants, packages.config and various more recent JSON files that dotnet, msbuild and Visual Studio dabble with. See https://github.com/nexB/nuget-inspector/blob/main/src/nuget-inspector/ProjectScanner.cs for some entry point.

It is much more involved and bigger than a plain parser as it uses the native NuGet and .NET libraries for better or worse.

The inspector also has an extensive test suite which may come in handy for the static analysis here.

eeisegn commented Nov 13, 2024

Is there a plan to merge this into the mainline?

AyanSinhaMahapatra (Member) left a comment

@schischi thanks a lot! And sorry about the super late reply. 😅

Parsing of these manifests is actually supported at https://github.com/aboutcode-org/nuget-inspector (along with dependency resolution and getting package data for those), but it probably makes sense to have something minimal here too as nuget inspector would be harder to integrate in SCTK context. This is why we were not sure about merging this PR here as some efforts were ongoing and we want to avoid duplicate functionality as much as possible. But IMHO it makes sense to add this here otherwise.

Some updates are required before we merge this:

  1. we want to create a single package from a .csproj file (we get the package name from the filename: *.csproj) and populate dependencies too if they are present
  2. we want to create similarly a single package with no purl fields and only dependencies from packages.config files
  3. If we have a .csproj file and a packages.config file in the same directory we want to perform package assembly to merge the package data from these files (so we will get the name from the former and dependencies from the latter, for example)
  4. If the dependencies are pinned we want to also add a skinny package_data object at the resolved_package attribute inside each dependency

References:

  1. We have lots of examples at https://github.com/aboutcode-org/nuget-inspector/blob/main/tests/data/ both individual files and pairs of these two manifests.
  2. See also Add handler for packages.lock.json in nuget #3825 which we added for SCIO: Detect frozen .NuGet dependencies locked with deplock scancode.io#1263, these are fully resolved dependencies, and we basically want to have the same structure here.

@eeisegn thanks for the ping!
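As an added example (my code, not the PR's and not ScanCode's own handlers), here is a minimal Python version of what the PR description and the four points above describe together: parse packages.config and .csproj (walking every ItemGroup, as the second commit notes), build pkg:nuget package-urls, and assemble one package per .csproj whose name comes from the filename, with dependencies merged from a sibling packages.config and a skinny resolved_package attached to pinned ones. The sample manifests are constructed, and the field names (extracted_requirement, is_pinned, resolved_package) and the is_pinned heuristic are my assumptions, not the toolkit's schema.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePath

# A plain version ("13.0.1", "1.0.0-beta.1") counts as pinned; ranges ("[1.0,2.0)")
# and floating versions ("1.*") are requirements that still need resolution.
# This heuristic is an assumption of this example, not the toolkit's rule.
PINNED_RE = re.compile(r"^\d+(\.\d+){0,3}([-+][0-9A-Za-z.+\-]+)?$")

# Constructed sample manifests (not taken from the PR or from nuget-inspector's tests).
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="13.0.1" targetFramework="net472" />
  <package id="NUnit" version="3.13.3" targetFramework="net472" />
</packages>"""

SDK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
  <ItemGroup>
    <PackageReference Include="Serilog" Version="[2.10,3.0)" />
    <PackageReference Include="Microsoft.Extensions.Logging">
      <Version>6.0.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

# Legacy csproj files carry the MSBuild namespace, which ElementTree prefixes to every tag.
LEGACY_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Moq"><Version>4.18.2</Version></PackageReference>
  </ItemGroup>
</Project>"""


def nuget_purl(name, version=None):
    """Build pkg:nuget/<name>[@<version>]; the id is kept as written in the manifest."""
    return f"pkg:nuget/{name}@{version}" if version else f"pkg:nuget/{name}"


def is_pinned(version):
    return bool(version) and bool(PINNED_RE.match(version))


def _local(tag):
    """Strip a '{namespace}' prefix so SDK-style and legacy csproj tags compare equal."""
    return tag.rsplit("}", 1)[-1]


def dependency(name, version):
    """One dependency record; pinned ones also get a skinny resolved_package (point 4 above)."""
    pinned = is_pinned(version)
    dep = {
        "purl": nuget_purl(name, version if pinned else None),
        "extracted_requirement": version,
        "is_pinned": pinned,
        "resolved_package": None,
    }
    if pinned:
        dep["resolved_package"] = {"type": "nuget", "name": name, "version": version,
                                   "purl": dep["purl"]}
    return dep


def parse_packages_config(xml_text):
    root = ET.fromstring(xml_text)
    return [dependency(el.get("id"), el.get("version"))
            for el in root.iter() if _local(el.tag) == "package" and el.get("id")]


def parse_csproj(xml_text):
    root = ET.fromstring(xml_text)
    deps = []
    for group in root.iter():            # every ItemGroup, not only the first
        if _local(group.tag) != "ItemGroup":
            continue
        for ref in group:
            if _local(ref.tag) != "PackageReference":
                continue
            name = ref.get("Include") or ref.get("Update")
            version = ref.get("Version")
            if version is None:          # <Version> may be a child element instead
                for child in ref:
                    if _local(child.tag) == "Version":
                        version = (child.text or "").strip()
            if name:
                deps.append(dependency(name, version))
    return deps


def assemble(csproj_path, csproj_xml, packages_config_xml=None):
    """One package per .csproj: name from the filename, dependencies from both manifests."""
    deps = parse_csproj(csproj_xml)
    seen = {d["purl"].split("@", 1)[0].lower() for d in deps}
    for d in parse_packages_config(packages_config_xml or "<packages/>"):
        key = d["purl"].split("@", 1)[0].lower()
        if key not in seen:              # csproj wins on conflict; packages.config fills gaps
            deps.append(d)
            seen.add(key)
    name = PurePath(csproj_path).stem
    return {"type": "nuget", "name": name, "purl": nuget_purl(name), "dependencies": deps}
```

Two practical notes: the namespace stripping in `_local` is what makes the legacy `xmlns="http://schemas.microsoft.com/developer/msbuild/2003"` files parse with the same code path as SDK-style ones, and since these manifests come out of arbitrary scanned codebases, the XML parser is handling untrusted input; `xml.etree` does not resolve external entities, but entity-expansion bombs remain a denial-of-service concern for a scanner, so defusedxml is worth considering in the real handler.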

Successfully merging this pull request may close these issues: Add support for extra visual studio and Nuget "manifests"
4 participants