Support for polyglot monorepos?

[davidkeaveny]

I have a repository that contains a mix of ReactJS and .NET Core applications (which use central package management, with a Directory.Packages.props file in the root folder). When I run the v0.0.2 tool against the repo, it reports on the NPM packages referenced from package.json, but doesn't report on any .NET packages.

My GitHub workflow is:

name: sbom

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - main

jobs:
  dependency-submission:
    name: Analysing dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
      - name: Detect components
        uses: advanced-security/[email protected]

It will then produce an output like this:

[05:30:10 INF] Finding components...
[05:30:10 INF] Starting enumeration of /home/runner/work/my-app/my-solution
[05:30:10 INF] Enumerated 1021 files and 259 directories in 00:00:00.0510196
[05:30:11 INF] No instructions received to scan docker images.
[05:30:11 INF] PipReport: No valid pip version found on system. 22.2.0 or greater is required. Pip installation report detection will not run.
                               Detection Summary                                
┌───────────────────┬───────────────────┬───────────────────┬──────────────────┐
│ Component         │ Detection Time    │ # Components      │ # Explicitly     │
│ Detector Id       │                   │ Found             │ Referenced       │
├───────────────────┼───────────────────┼───────────────────┼──────────────────┤
│ CocoaPods         │ 0.2 seconds       │ 0                 │ 0                │
│ Go                │ 0.2 seconds       │ 0                 │ 0                │
│ GoWithReplace     │ 0.2 seconds       │ 0                 │ 0                │
│ (Beta)            │                   │                   │                  │
│ Gradle            │ 0.18 seconds      │ 0                 │ 0                │
│ Ivy (Beta)        │ 0.98 seconds      │ 0                 │ 0                │
│ Linux             │ 0.82 seconds      │ 0                 │ 0                │
│ MvnCli            │ 1 seconds         │ 0                 │ 0                │
│ Npm               │ 0.46 seconds      │ 1                 │ 0                │
│ NpmLockfile3      │ 0.36 seconds      │ 0                 │ 0                │
│ NpmWithRoots      │ 0.45 seconds      │ 607               │ 54               │
│ NuGet             │ 0.24 seconds      │ 0                 │ 0                │
│ NuGetPackagesConf │ 0.22 seconds      │ 0                 │ 0                │
│ ig                │                   │                   │                  │
│ NuGetProjectCentr │ 0.21 seconds      │ 0                 │ 0                │
│ ic                │                   │                   │                  │
│ PipReport         │ 1.3 seconds       │ 0                 │ 0                │
│ Pnpm              │ 0.2 seconds       │ 0                 │ 0                │
│ Poetry (Beta)     │ 0.2 seconds       │ 0                 │ 0                │
│ Ruby              │ 0.2 seconds       │ 0                 │ 0                │
│ RustCli           │ 0.2 seconds       │ 0                 │ 0                │
│ RustCrateDetector │ 0.2 seconds       │ 0                 │ 0                │
│ Vcpkg             │ 0.2 seconds       │ 0                 │ 0                │
│ Yarn              │ 0.19 seconds      │ 0                 │ 0                │
│ ───────────────── │ ───────────────── │ ───────────────── │ ──────────────── │
│ Total             │ 1.5 seconds       │ 608               │ 54               │
└───────────────────┴───────────────────┴───────────────────┴──────────────────┘

I've tried setting filePath to a folder which contains only a .NET project, but it makes no difference, the project isn't scanned and no NuGet packages are reported.

[jhutchings1]

@davidkeaveny This issue might be a better one to take to the upstream microsoft/component-detection repository? I'm not sure why it's failing to detect your .NET projects, but they should be able to say more. cc: @JamieMagee

[davidkeaveny]

I updated to v0.0.3, and tweaked my workflow as follows:

name: sbom

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - main

jobs:
  dependency-submission:
    name: Analysing dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4
      - name: Detect components
        uses: advanced-security/[email protected]
        with:
          directoryExclusionList: "**/tests/**,**/docs/**,**/devops/**"
          detectorsFilter: "NpmWithRoots,NuGet"

And this gives me the expected results:

┌─────────────────────┬───────────────────┬───────────────────┬──────────────────┐
│ Component           │ Detection Time    │ # Components      │ # Explicitly     │
│ Detector Id         │                   │ Found             │ Referenced       │
├─────────────────────┼───────────────────┼───────────────────┼──────────────────┤
│ NpmWithRoots        │ 0.45 seconds      │ 588               │ 54               │
│ NuGet               │ 0.2 seconds       │ 0                 │ 0                │
│ NuGetPackagesConfig │ 0.17 seconds      │ 0                 │ 0                │
│ NuGetProjectCentric │ 0.17 seconds      │ 0                 │ 0                │
│ ─────────────────── │ ───────────────── │ ───────────────── │ ──────────────── │
│ Total               │ 1.9 seconds       │ 589               │                  │
└─────────────────────┴───────────────────┴───────────────────┴──────────────────┘

(snipping out unimportant entries).

So I don't know if it's adding the explicit detectorFilters or the updated versions, but things are now working as expected.