Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NuGet (packages.lock.json) parser. #14

Merged
merged 13 commits into from
Oct 28, 2020
Merged

NuGet (packages.lock.json) parser. #14

merged 13 commits into from
Oct 28, 2020

Conversation

Johannestegner
Copy link
Contributor

@Johannestegner Johannestegner commented Oct 14, 2020
edited
Loading

This pull request includes a parser which parses lockfiles created by nuget/dotnet when using a lockfile.
NuGet does not force (or auto) create a lock file, so a *.csproj file parser might also be a good idea, as a fallback.

As a first stage, this should be good enough though.

@Johannestegner
Initial NuGet parser files, implemented test cases for three package …
d8d79d6 
…sources.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner Johannestegner mentioned this pull request Oct 14, 2020
Closed
@Johannestegner
Implemented parser, updated testcase to remove duplicated entries.
8687b6e 
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner Johannestegner changed the title WIP: NuGet parser WIP: NuGet (packages.lock.json) parser. Oct 14, 2020
@Johannestegner Johannestegner marked this pull request as ready for review October 14, 2020 12:55
@Johannestegner Johannestegner changed the title WIP: NuGet (packages.lock.json) parser. NuGet (packages.lock.json) parser. Oct 14, 2020
@Johannestegner Johannestegner mentioned this pull request Oct 14, 2020
Merged
@Johannestegner
Copy link
Contributor Author

Reference: Issue with feature request can be found here aquasecurity/trivy#681

@Johannestegner Johannestegner mentioned this pull request Oct 14, 2020
Merged
@simar7
Copy link
Member

simar7 commented Oct 16, 2020

thanks for the PR @Johannestegner – I'll be taking a look at it and making comments as I go through it.

@simar7 simar7 self-requested a review October 16, 2020 20:01
simar7
simar7 reviewed Oct 16, 2020
View reviewed changes
simar7
simar7 reviewed Oct 16, 2020
View reviewed changes
simar7
simar7 reviewed Oct 16, 2020
View reviewed changes
@Johannestegner
test(nuget): Added a test for multiple versions of the same package.
d56ae5b 
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Cleanup of nuget parser (removal of comments which are not really nee…
5c64ef0 
…ded).

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Removed JSON mapping from nuget dependency struct (not needed as it's…
3c89ba1 
… a read not write operation).

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Copy link
Contributor Author

Thank you for the review @simar7 ! Fixed the issues you mentioned, let me know if there is anything else you wish me to fix! :)

@simar7 simar7 requested review from knqyf263 and simar7 October 19, 2020 22:08
simar7
simar7 approved these changes Oct 19, 2020
View reviewed changes
Copy link
Member

@simar7 simar7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm – @knqyf263 would you like to take a second look before we merge?

@Johannestegner
Copy link
Contributor Author

Not sure yet, but depending on how the version should be handled in Trivy (aquasecurity/trivy#686 (comment)) I guess that this part should use a similar approach to convert the version.
This could of course be done later on, but might want to do it in a one off :)

@Johannestegner
Copy link
Contributor Author

Actually, I guess this should not be used in the dependency parser, but rather when checking in Trivy or similar.
I will add a test case for legacy packages though, so that it's in the codebase.

@Johannestegner
Added a test for legacy nuget packages (x.x.x.x - not semver versions).
faa8d40 
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
knqyf263
knqyf263 reviewed Oct 25, 2020
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution!

@Johannestegner
Replaced old nuget test-files with new, generated from netcore image …
f92317c 
…(added comments on generation steps).

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Fixed nuget parsing algorithm to work the same way nuget works intern…
62a96fa 
…ally with package resolving.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Changed name of 'Dependencies' to 'Targets' in LockFile struct for nu…
091ff50 
…get parser.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Wraped error in nuget parser with xerrors.
321ced0 
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Updated nuget testdata for legacy packages and removed second loop fo…
303265c 
…r sub-packages, as they are added in top-level as Transitive type.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Copy link
Contributor Author

Let me know if you want me to squash some (or all) commits :)

@knqyf263
Copy link
Collaborator

I'll squash all commits when merging this PR, so you don't have to care about it. We should keep the history in the PR.

@knqyf263
Copy link
Collaborator

I left one more comment, but it looks almost good! Thank you, again!

@Johannestegner
Replaced the complex file with a even more complex file (multi target…
98edfcf 
…!), updated parse to again use version.

Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
@Johannestegner
Copy link
Contributor Author

I left one more comment, but it looks almost good! Thank you, again!

Good catch!

Updated the parser to use name + version again (tried with the code in an earlier note, but it didn't work out at all as I expected! hehe).
I removed the complex file/test and replaced it with a multi which contains targets for net4.0;netstandard2.0;netstandard1.0;net35;net2.0. Took me quite a while to find a package which required different dependencies!
Now I think it is working just as it should! :)

@knqyf263
Copy link
Collaborator

Thank you for adding multiple targets file! I've refactored a bit. It looks good to me now.

@knqyf263 knqyf263 merged commit 889d4a9 into aquasecurity:master Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Johannestegner @simar7 @knqyf263