From b262389ab279052989fb42513a45f0b7e4e6fd15 Mon Sep 17 00:00:00 2001 From: Jacky Cheung Date: Wed, 5 Jun 2024 15:13:57 +0300 Subject: [PATCH] feat: adding -p:RestoreLockedMode=true argument (#206) * feat: adding -p:RestoreLockedMode=true argument --------- Co-authored-by: Kaspar Lyngsie --- lib/nuget-parser/cli/dotnet.ts | 4 +++ test/cli/dotnet.spec.ts | 66 ++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+)
diff --git a/lib/nuget-parser/cli/dotnet.ts b/lib/nuget-parser/cli/dotnet.ts
index 83bce18f..0814b45e 100644
--- a/lib/nuget-parser/cli/dotnet.ts
+++ b/lib/nuget-parser/cli/dotnet.ts
@@ -113,6 +113,10 @@ export async function publish(
 args.push(targetFramework);
 }
 
+ // See https://devblogs.microsoft.com/nuget/enable-repeatable-package-restores-using-a-lock-file/
+ // Forces the usage of the lockfile for PackageReference packages to ensure that the locked versions are published
+ args.push('-p:RestoreLockedMode=true');
+
 // Define a temporary output dir to use for detecting .dlls to use for runtime version assembly detection.
 const tempDir = fs.mkdtempSync(
 path.join(os.tmpdir(), `snyk-nuget-plugin-publish-csharp-`),
diff --git a/test/cli/dotnet.spec.ts b/test/cli/dotnet.spec.ts
index 885d81f5..3303cbfe 100644
--- a/test/cli/dotnet.spec.ts
+++ b/test/cli/dotnet.spec.ts
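Review bot: In lib/nuget-parser/cli/dotnet.ts the `-p:RestoreLockedMode=true` argument is pushed for every publish, and the new comment does not say what happens when the lock file and the project disagree. In locked mode NuGet refuses to restore rather than re-resolve (error NU1004), so a project with a stale `packages.lock.json` will now fail here where it previously published; that is the right outcome for reproducible dependency results, but it should be stated. I would extend the comment with `// Restore fails (NU1004) if packages.lock.json is out of sync with the project; this is intentional so that only pinned versions are ever scanned.` The body of `publish` continues outside the hunk, so whether that failure reaches the user as an actionable message cannot be checked from here. How the flag behaves for a project that has no lock file at all is also worth confirming, since no visible test covers that case.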
@@ -98,6 +98,72 @@ class TestFixture {
 expect(contents).toContain('dotnet_6_and_7.deps.json');
 });
 
+ it('publishes correctly when a .NET project includes a lockfile', async () => {
+ const fixtures: types.DotNetFile[] = [
+ {
+ name: 'program.cs',
+ contents: `
+using System;
+class TestFixture {
+ static public void Main(String[] args)
+ {
+ var client = new System.Net.Http.HttpClient();
+ Console.WriteLine("Hello, World!");
+ }
+}
+`,
+ },
+ {
+ name: 'testproject.csproj',
+ contents: `
+
+
+
+ Exe
+ net7.0
+ true
+ linux-x64;win-x64
+
+
+
+
+
+
+
+ `,
+ },
+ {
+ name: 'packages.lock.json',
+ contents: `
+ {
+ "version": 1,
+ "dependencies": {
+ "net7.0": {
+ "Newtonsoft.Json": {
+ "type": "Direct",
+ "requested": "[12.*, )",
+ "resolved": "12.0.3",
+ "contentHash": "6mgjfnRB4jKMlzHSl+VD+oUc1IebOZabkbyWj2RiTgWwYPPuaK1H97G1sHqGwPlS5npiF5Q0OrxN1wni2n5QWg=="
+ }
+ },
+ "net7.0/linux-x64": {},
+ "net7.0/win-x64": {}
+ }
+ }
+`,
+ },
+ ];
+ projectDirs['publishWithLockfile'] = codeGenerator.generate(
+ 'fixtures',
+ fixtures,
+ );
+
+ const publishDir = await dotnet.publish(projectDirs['publishWithLockfile']);
+
+ const contents = fs.readdirSync(publishDir);
+ expect(contents).toContain('testproject.deps.json');
+ });
+
 it.each([
 {
 shortName: 'net6.0',
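Review bot: The new test asserts only that `testproject.deps.json` exists in the publish directory, which does not show that the lock file was honoured; the same file would presumably be produced without `-p:RestoreLockedMode=true`. Reading the file and checking the pinned version would tie the test to the lock file, e.g. `const deps = fs.readFileSync(path.join(publishDir, 'testproject.deps.json'), 'utf-8');` followed by `expect(deps).toContain('Newtonsoft.Json/12.0.3');` (assuming `path` is imported in this spec). A second case with a `packages.lock.json` that does not match the project, expecting `dotnet.publish` to reject, would pin the failure mode the flag introduces.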