Add support for Nuget lockfiles

microsoft · Apr 6, 2023 · d43701e · d43701e
1 parent 497fe2a
commit d43701e
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/src/Microsoft.ComponentDetection.Detectors/nuget/NuGetComponentDetector.cs b/src/Microsoft.ComponentDetection.Detectors/nuget/NuGetComponentDetector.cs
@@ -5,6 +5,7 @@ namespace Microsoft.ComponentDetection.Detectors.NuGet;
 using System.IO;
 using System.Linq;
 using System.Reactive.Linq;
+using System.Text.Json;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Xml;
@@ -20,6 +21,7 @@ public class NuGetComponentDetector : FileComponentDetector
     private static readonly IEnumerable<string> LowConfidencePackages = new[] { "Newtonsoft.Json" };
 
     public const string NugetConfigFileName = "nuget.config";
+    public const string NugetLockfileName = "packages.lock.json";
 
     private readonly IList<string> repositoryPathKeyNames = new List<string> { "repositorypath", "globalpackagesfolder" };
 
@@ -37,7 +39,15 @@ public NuGetComponentDetector(
 
     public override IEnumerable<string> Categories => new[] { Enum.GetName(typeof(DetectorClass), DetectorClass.NuGet) };
 
-    public override IList<string> SearchPatterns { get; } = new List<string> { "*.nupkg", "*.nuspec", NugetConfigFileName, "paket.lock" };
+    public override IList<string> SearchPatterns { get; }
+        = new List<string>
+        {
+            "*.nupkg",
+            "*.nuspec",
+            NugetConfigFileName,
+            NugetLockfileName,
+            "paket.lock",
+        };
 
     public override IEnumerable<ComponentType> SupportedComponentTypes { get; } = new[] { ComponentType.NuGet };
 
@@ -105,6 +115,12 @@ private async Task ProcessFileAsync(ProcessRequest processRequest)
             else if ("paket.lock".Equals(stream.Pattern, StringComparison.OrdinalIgnoreCase))
             {
                 this.ParsePaketLock(processRequest);
+                return;
+            }
+            else if (NugetLockfileName.Equals(stream.Pattern, StringComparison.OrdinalIgnoreCase))
+            {
+                await this.ParseNugetLockfileAsync(processRequest);
+                return;
             }
             else
             {
@@ -174,6 +190,29 @@ private void ParsePaketLock(ProcessRequest processRequest)
         }
     }
 
+    private async Task ParseNugetLockfileAsync(ProcessRequest processRequest)
+    {
+        var singleFileComponentRecorder = processRequest.SingleFileComponentRecorder;
+        var stream = processRequest.ComponentStream;
+
+        var lockfile = await JsonSerializer.DeserializeAsync<NugetLockfileShape>(stream.Stream);
+        if (lockfile.Version != 1)
+        {
+            // only version 1 is supported
+            singleFileComponentRecorder.RegisterPackageParseFailure(stream.Location);
+            return;
+        }
+
+        foreach (var framework in lockfile.Dependencies.Values)
+        {
+            foreach (var (name, value) in framework)
+            {
+                var component = new NuGetComponent(name, value.Resolved);
+                singleFileComponentRecorder.RegisterUsage(new DetectedComponent(component));
+            }
+        }
+    }
+
     private IList<DirectoryInfo> GetRepositoryPathsFromNugetConfig(IComponentStream componentStream)
     {
         var potentialPaths = new List<string>();

diff --git a/src/Microsoft.ComponentDetection.Detectors/nuget/NuGetLockfileShape.cs b/src/Microsoft.ComponentDetection.Detectors/nuget/NuGetLockfileShape.cs
@@ -0,0 +1,17 @@
+namespace Microsoft.ComponentDetection.Detectors.NuGet;
+
+using System.Collections.Generic;
+
+internal class NugetLockfileShape
+{
+    public int Version { get; set; }
+
+    public Dictionary<string, Dictionary<string, PackageShape>> Dependencies { get; set; }
+
+    public class PackageShape
+    {
+        public string Type { get; set; }
+
+        public string Resolved { get; set; }
+    }
+}