
feat: add cataloger for NuGet packages #3484

Open. Wants to merge 7 commits into base: main
Conversation

@Kemosabert commented Nov 27, 2024

Description

This PR adds a cataloger for NuGet lockfiles in the form of packages.lock.json files.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@Kemosabert force-pushed the feat/add-dotnet-packages-lock-cataloger branch from 2fa3de5 to bf60621 on December 3, 2024 09:01

@spiffcs (Contributor) left a comment

Thanks for the PR @Kemosabert! I hope you don't mind I added some questions to get a better handle on the package lock specification.

syft/pkg/cataloger/dotnet/parse_dotnet_packages_lock.go (outdated, resolved)

    for name, dep := range allDependencies {
        parentPkg, ok := pkgMap[name]
        if !ok {
            log.Debugf("unable to find package in map: %s", name)
            // (remainder of the loop body is not shown in the review excerpt)
        }
    }
@spiffcs (Contributor) commented:
I think this might need a better abstraction for this debug message to be helpful. Which map? What does the pkgMap represent? Are allDependencies only inclusive of dotNetPkgs or can they be other types?

Apologies for all the questions on this review. Is there a good reference or specification document I can look at for the lockfile so it's easier to maybe build a mental model of what we're cataloging here? That might aid in the review and help me understand if the relationships being created are correct.

From what I am reading the lockfile is:

dependencies[topPackages]map[subPackages]metadata

where topPackages and subPackages can be > 1

Is pkg map just inclusive of topPackages?

@Kemosabert (Author) commented:
I went mainly off of this document here: https://github.com/NuGet/Home/wiki/Enable-repeatable-package-restore-using-lock-file and looking at lockfiles that I could generate myself with examples.

I updated the debug message and the logic as well. The test packages.lock.json file is one I generated using dotnet commands and includes a few examples of how it handles conflicting dependencies and versions.
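The exchange above is about what the `pkgMap` holds and what happens when a dependency named in one entry is not itself listed in the lockfile. The following is an added example, not code from this PR or from syft, that parses a `packages.lock.json` document of the shape described in the linked NuGet wiki page (a `version`, then `dependencies` keyed by target framework, then by package name, each entry carrying `type`, `requested`, `resolved`, `contentHash` and an optional `dependencies` map). It keys the package map by framework plus name, because the same package can resolve to different versions under different frameworks, and it reports rather than guesses when a child reference cannot be resolved. The `Package` and `Relationship` types, the `pkgKey` helper and the sample lockfile are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// lockEntry mirrors one package entry in packages.lock.json.
type lockEntry struct {
	Type         string            `json:"type"`                   // Direct, Transitive, Project, CentralTransitive
	Requested    string            `json:"requested,omitempty"`    // version range, present on Direct entries
	Resolved     string            `json:"resolved"`
	ContentHash  string            `json:"contentHash,omitempty"`
	Dependencies map[string]string `json:"dependencies,omitempty"` // child name -> version range
}

// lockFile mirrors the top level: schema version, then dependencies keyed by
// target framework and then by package name.
type lockFile struct {
	Version      int                             `json:"version"`
	Dependencies map[string]map[string]lockEntry `json:"dependencies"`
}

// Package and Relationship are hypothetical output types for this example.
type Package struct{ Name, Version, Framework, Type string }
type Relationship struct{ Parent, Child Package }

// pkgKey keys the package map by framework and name, since one package can
// resolve to different versions under different target frameworks.
func pkgKey(framework, name string) string { return framework + "/" + name }

// ParseLock returns the packages, the parent->child relationships, and the
// child references that could not be found in the lockfile.
func ParseLock(data []byte) ([]Package, []Relationship, []string, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, nil, nil, fmt.Errorf("parsing packages.lock.json: %w", err)
	}
	if lf.Version != 1 {
		return nil, nil, nil, fmt.Errorf("unsupported packages.lock.json version %d", lf.Version)
	}
	// First pass: every entry under every framework becomes a package.
	pkgMap := make(map[string]Package)
	for fw, entries := range lf.Dependencies {
		for name, e := range entries {
			pkgMap[pkgKey(fw, name)] = Package{Name: name, Version: e.Resolved, Framework: fw, Type: e.Type}
		}
	}
	// Second pass: wire up relationships within the same framework. A child that
	// is not listed in the lockfile is reported instead of being invented.
	var rels []Relationship
	var missing []string
	for fw, entries := range lf.Dependencies {
		for name, e := range entries {
			parent := pkgMap[pkgKey(fw, name)]
			for childName := range e.Dependencies {
				child, ok := pkgMap[pkgKey(fw, childName)]
				if !ok {
					missing = append(missing, fmt.Sprintf("%s: %s -> %s not in lockfile", fw, name, childName))
					continue
				}
				rels = append(rels, Relationship{Parent: parent, Child: child})
			}
		}
	}
	// Go map iteration order is random; sort so the output is deterministic.
	pkgs := make([]Package, 0, len(pkgMap))
	for _, p := range pkgMap {
		pkgs = append(pkgs, p)
	}
	sort.Slice(pkgs, func(i, j int) bool {
		return pkgKey(pkgs[i].Framework, pkgs[i].Name) < pkgKey(pkgs[j].Framework, pkgs[j].Name)
	})
	sort.Slice(rels, func(i, j int) bool {
		return pkgKey(rels[i].Parent.Framework, rels[i].Parent.Name)+rels[i].Child.Name <
			pkgKey(rels[j].Parent.Framework, rels[j].Parent.Name)+rels[j].Child.Name
	})
	sort.Strings(missing)
	return pkgs, rels, missing, nil
}

// SampleLock is a constructed lockfile (not the PR's test fixture): the same
// package at two versions under two frameworks, a direct package whose child is
// listed, and a transitive package whose child is not in the lockfile at all.
const SampleLock = `{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "CONSTRUCTED-HASH-1"},
      "Serilog": {"type": "Transitive", "resolved": "3.1.1", "contentHash": "CONSTRUCTED-HASH-2"},
      "Serilog.Sinks.Console": {"type": "Direct", "requested": "[5.0.1, )", "resolved": "5.0.1", "contentHash": "CONSTRUCTED-HASH-3",
        "dependencies": {"Serilog": "[3.1.1, )"}},
      "Example.Transitive": {"type": "Transitive", "resolved": "1.0.0", "contentHash": "CONSTRUCTED-HASH-4",
        "dependencies": {"Example.NotListed": "[1.0.0, )"}}
    },
    "netstandard2.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[12.0.3, )", "resolved": "12.0.3", "contentHash": "CONSTRUCTED-HASH-5"}
    }
  }
}`

func main() {
	pkgs, rels, missing, err := ParseLock([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%-15s %-22s %-8s %s\n", p.Framework, p.Name, p.Version, p.Type)
	}
	for _, r := range rels {
		fmt.Printf("%s: %s -> %s\n", r.Parent.Framework, r.Parent.Name, r.Child.Name)
	}
	for _, m := range missing {
		fmt.Println("unresolved:", m)
	}
}
```

Keying the map by framework as well as name is what keeps the two `Newtonsoft.Json` entries from overwriting each other; the `missing` slice is where the debug message from the review excerpt would be emitted, with both the framework and the parent package named so the message is actionable.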

@Kemosabert (Author) commented:

@spiffcs would you mind having another look at this when you have some time? Happy to hear more suggestions/feedback 👍

@spiffcs (Contributor) commented Dec 23, 2024

Thanks @Kemosabert - I'm traveling this afternoon, but put this back at the top to add some commits for the SA/Unit tests that are failing. The changes look good and I appreciate the link to documentation showing what you followed for implementation!

@spiffcs spiffcs self-assigned this Dec 23, 2024
Labels: None yet
Projects: Status: In Review
Development: Successfully merging this pull request may close these issues: Support cataloging NuGet packages
2 participants