add MSBuild binary log (.binlog) component detector #1250
Conversation
brettfo
force-pushed
the
msbuild-binlog
branch
3 times, most recently
from
99ffda7
to
2f8d76a
Compare
brettfo
force-pushed
the
msbuild-binlog
branch
from
2f8d76a
to
135fdd2
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1250 +/- ##
=======================================
+ Coverage 88.9% 89.0% +0.1%
=======================================
Files 359 362 +3
Lines 27672 28250 +578
Branches 1784 1836 +52
=======================================
+ Hits 24613 25165 +552
- Misses 2674 2695 +21
- Partials 385 390 +5 ☔ View full report in Codecov by Sentry. |
src/Microsoft.ComponentDetection.Detectors/nuget/NuGetMSBuildBinaryLogComponentDetector.cs
Show resolved
Hide resolved
src/Microsoft.ComponentDetection.Detectors/nuget/NuGetMSBuildBinaryLogComponentDetector.cs
Outdated
Show resolved
Hide resolved
| if (!topLevelDependencies.TryGetValue(projectEvaluation.ProjectFile, out var topLevel)) | ||
| { | ||
| topLevel = new(StringComparer.OrdinalIgnoreCase); | ||
| topLevelDependencies[projectEvaluation.ProjectFile] = topLevel; |
There was a problem hiding this comment.
one project file may be evaluated and built several times, you'll often see several evaluations per .csproj. Should we pick the best evaluation somehow or is it fine to do for each evaluation? Restore does an eval, then the build does another eval, and each target framework is a separate eval. We probably want a union of all evaluations?
There was a problem hiding this comment.
I'll experiment a bit to see if I can find inaccurate results, but generally we really only care about the item groups that NuGet populates like @(RuntimeCopyLocalItems) and I think that only happens during the Restore evaluation.
There was a problem hiding this comment.
The restore evaluation is going to be pretty useless (it gets packages downloaded but doesn't produce any of the related items). You will definitely need to do all of the inner-build evaluations so that you get the superset of references, e.g.
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFrameworks>net8.0;net472</TargetFrameworks>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Newtonsoft.Json" Version="13.0.3"
Condition=" '$(TargetFramework)' == 'net8.0' " />
<PackageReference Include="System.Text.Json" Version="8.0.4"
Condition=" '$(TargetFramework)' == 'net472' " />
</ItemGroup>
</Project>| topLevelDependencies[projectEvaluation.ProjectFile] = topLevel; | ||
| } | ||
|
|
||
| if (doRemoveOperation) |
There was a problem hiding this comment.
a bit worried that you might be getting additem/removeitem from different evaluations in an interleaved way, and since they key by the project path this might get confused.
On the other hand it shouldn't happen because the binlog is a tree, and you're walking the tree linearly, so in theory each evaluation should be processed sequentially one after another.
There was a problem hiding this comment.
What might be an indication that the traversal is bad? If I try to process RemoveItem but the item isn't already present? Or is that something that MSBuild won't allow?
There was a problem hiding this comment.
yes I guess, but as I said, maybe I'm just being paranoid
| projectDependencies[packageName] = packageVersion; | ||
| } | ||
|
|
||
| project = project.GetNearestParent<Project>(); |
There was a problem hiding this comment.
hmm, why are you walking up the project chain? I don't think these items flow to the calling project?
There was a problem hiding this comment.
I found I needed this to track transitive dependencies. E.g., if library.csproj has <PackageReference Include="Some.Package" /> and unitTests.csproj has <ProjectReference Include="..\library\library.csproj" /> this will add Some.Package first to library.csproj and then crawl up the chain to unitTests.csproj so that the dependency is properly reported for both projects. The only oddity with this (and I may have to special case it) is the .sln file also appears in a Project node, but I do seem to be getting the proper hierarchy.
There was a problem hiding this comment.
I don't think I understand this. unitTests.csproj should have Some.Package in its assets file and pull assets out of it in its ResolvePackageAssets. Can you share a log or project setup where this is necessary?
|
As an alternative, you could also see how I think your approach is fine too (?) @jeffkl as an expert FYI, in case he wants to take a quick look |
|
actually we could diff the results of binlogtool listnuget with these results, and see if there are any discrepancies. Would be like an oracle! |
I explicitly don't want the contents of |
|
I see, makes sense! 👍🏻 |
brettfo
force-pushed
the
msbuild-binlog
branch
from
1ce5859
to
910caa4
Compare
|
For those interested, I ran the package
This PR: The difference being that the SDK ( |
| if (!topLevelDependencies.TryGetValue(projectEvaluation.ProjectFile, out var topLevel)) | ||
| { | ||
| topLevel = new(StringComparer.OrdinalIgnoreCase); | ||
| topLevelDependencies[projectEvaluation.ProjectFile] = topLevel; |
There was a problem hiding this comment.
The restore evaluation is going to be pretty useless (it gets packages downloaded but doesn't produce any of the related items). You will definitely need to do all of the inner-build evaluations so that you get the superset of references, e.g.
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFrameworks>net8.0;net472</TargetFrameworks>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Newtonsoft.Json" Version="13.0.3"
Condition=" '$(TargetFramework)' == 'net8.0' " />
<PackageReference Include="System.Text.Json" Version="8.0.4"
Condition=" '$(TargetFramework)' == 'net472' " />
</ItemGroup>
</Project>
src/Microsoft.ComponentDetection.Detectors/nuget/NuGetMSBuildBinaryLogComponentDetector.cs
Show resolved
Hide resolved
|
|
||
| if (doRemoveOperation) | ||
| { | ||
| topLevel.Remove(packageName); |
There was a problem hiding this comment.
Specifically I think this is going to cause problems if one TF of a project references a thing and the other gets it removed by framework unification.
There was a problem hiding this comment.
Do you have an example of this? I'd like to add a test to make sure we don't remove anything that shouldn't be removed.
| projectDependencies[packageName] = packageVersion; | ||
| } | ||
|
|
||
| project = project.GetNearestParent<Project>(); |
There was a problem hiding this comment.
I don't think I understand this. unitTests.csproj should have Some.Package in its assets file and pull assets out of it in its ResolvePackageAssets. Can you share a log or project setup where this is necessary?
| <PackageVersion Include="MSTest.TestFramework" Version="3.5.1" /> | ||
| <PackageVersion Include="MSTest.Analyzers" Version="3.5.1" /> | ||
| <PackageVersion Include="MSTest.TestAdapter" Version="3.5.1" /> | ||
| <PackageVersion Include="Microsoft.Build.Framework" Version="17.5.0" /> | ||
| <PackageVersion Include="Microsoft.Build.Locator" Version="1.6.1" /> |
There was a problem hiding this comment.
I have a concern here. Are you running as a standalone .NET 6 application currently? If so, you won't be able to load MSBuild from new SDKs. Have you tried on a machine that has only .NET 8 installed?
There was a problem hiding this comment.
This seems to work in the unit tests which should only have .NET6 installed (it's installing here and if I understand that action correctly, it uses global.json to determine what to install, so no .NET 8 on the CI machine)
There was a problem hiding this comment.
Right, the problem will be when you run the tool on a different machine which has only .NET 8 installed.
Adds a new NuGet component detector to scan MSBuild binary log (
*.binlog) files.There was one major reason to add this: the current NuGet component detector that scans
project.assets.jsonisn't always 100% accurate. This can happen when a given NuGet package has a transitive dependency on aSystem.*package, but the installed SDK has a newer version of that file that is replaced at build time.One common example: a project has
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="6.0.0" />. That package has a transitive dependency onSystem.Text.Json/6.0.0. No matter the SDK used to restore and build the project, theproject.assets.jsonfile will report that the packageSystem.Text.Json/6.0.0was used and implies that it'll be present at runtime. However, if the6.0.424SDK or newer was used to build, theSystem.Text.Json.dllfile from the6.0.0package is removed and replaced with a newerSystem.Text.Json.dllfrom the SDK's runtime package.To avoid reporting a false positive for a package that was replaced at build time (and therefore won't be present at runtime) the MSBuild binary log scanner was added.
If a binary log is generated with the
/blflag, every MSBuild event will be recorded. The new detector in this PR scans each event for the relevantAddItemandRemoveItemelements (corresponding to things like<SomeItemGroup Include="..." ... />and<SomeItemGroup Remove="..." ... />and uses that to build a 100% accurate dependency set.Most of the content of this PR is to support the tests to make them as reliable as possible through 2 different means:
.binlogfile for each test by running the appropriatedotnet build ...command. This ensures there are no large binary test assets added to this repo; they're simply generated as needed.Microsoft.NETCore.App.Ref,Microsoft.AspNetCore.App.Ref, andMicrosoft.WindowsDesktop.App.Ref.Future work
Track packages implicitly added by the SDK when publishing an app. In a quick local test, the package
Microsoft.NETCore.App.Host.win-x64was added to the following item groups:To fully prevent reporting false positives, it would be a good idea to merge the binary log detector and the
project.assets.jsondetector so that if a binary log is present and covers a given.csproj, only the binary log detector is used and fall back to the original detector otherwise. Without this work, the binary log detector will properly not reportSystem.Text.Json/6.0.0, but theproject.assets.jsondetector would, so the false positive will still appear.