From 0f8900ccd9d27b666dd2b719e036ec522bf3f069 Mon Sep 17 00:00:00 2001
From: Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
Date: Mon, 8 Aug 2022 11:35:29 +0200
Subject: [PATCH 1/3] feat(nuget): Parse deps specified as PackageReference in
 .csproj files

C# project files, with the extension .csproj, are XML files that can specify project dependencies in `<PackageReference>` tags.

See also:
* https://github.com/aquasecurity/trivy/issues/2668
* https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files
---
 pkg/nuget/csproj/parse.go                     | 52 +++++++++++++++++
 pkg/nuget/csproj/parse_test.go                | 58 +++++++++++++++++++
 .../csproj/testdata/dev_dependency.csproj     | 12 ++++
 .../csproj/testdata/malformed_xml.csproj      | 10 ++++
 pkg/nuget/csproj/testdata/packages.csproj     | 16 +++++
 5 files changed, 148 insertions(+)
 create mode 100644 pkg/nuget/csproj/parse.go
 create mode 100644 pkg/nuget/csproj/parse_test.go
 create mode 100644 pkg/nuget/csproj/testdata/dev_dependency.csproj
 create mode 100644 pkg/nuget/csproj/testdata/malformed_xml.csproj
 create mode 100644 pkg/nuget/csproj/testdata/packages.csproj

diff --git a/pkg/nuget/csproj/parse.go b/pkg/nuget/csproj/parse.go
new file mode 100644
index 00000000..b693f507
--- /dev/null
+++ b/pkg/nuget/csproj/parse.go
@@ -0,0 +1,52 @@
+package csproj
+
+import (
+	"encoding/xml"
+
+	"golang.org/x/xerrors"
+
+	dio "github.com/aquasecurity/go-dep-parser/pkg/io"
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
+	"github.com/aquasecurity/go-dep-parser/pkg/utils"
+)
+
+type cfgPackageReference struct {
+	XMLName       xml.Name `xml:"PackageReference"`
+	Version       string   `xml:"Version,attr"`
+	Include       string   `xml:"Include,attr"`
+	PrivateAssets string   `xml:"PrivateAssets"`
+}
+
+type config struct {
+	XMLName  xml.Name              `xml:"Project"`
+	Packages []cfgPackageReference `xml:"ItemGroup>PackageReference"`
+}
+
+type Parser struct{}
+
+func NewParser() types.Parser {
+	return &Parser{}
+}
+
+func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency, error) {
+	var cfgData config
+	if err := xml.NewDecoder(r).Decode(&cfgData); err != nil {
+		return nil, nil, xerrors.Errorf("failed to decode .csproj file: %w", err)
+	}
+
+	libs := make([]types.Library, 0)
+	for _, pkg := range cfgData.Packages {
+		if pkg.Include == "" || pkg.PrivateAssets != "" {
+			continue
+		}
+
+		lib := types.Library{
+			Name:    pkg.Include,
+			Version: pkg.Version,
+		}
+
+		libs = append(libs, lib)
+	}
+
+	return utils.UniqueLibraries(libs), nil, nil
+}
diff --git a/pkg/nuget/csproj/parse_test.go b/pkg/nuget/csproj/parse_test.go
new file mode 100644
index 00000000..a713cce7
--- /dev/null
+++ b/pkg/nuget/csproj/parse_test.go
@@ -0,0 +1,58 @@
+package csproj_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/go-dep-parser/pkg/nuget/csproj"
+	"github.com/aquasecurity/go-dep-parser/pkg/types"
+)
+
+func TestParse(t *testing.T) {
+	tests := []struct {
+		name      string // Test input file
+		inputFile string
+		want      []types.Library
+		wantErr   string
+	}{
+		{
+			name:      "csproj",
+			inputFile: "testdata/packages.csproj",
+			want: []types.Library{
+				{Name: "Newtonsoft.Json", Version: "6.0.4"},
+				{Name: "Microsoft.AspNet.WebApi", Version: "5.2.2"},
+			},
+		},
+		{
+			name:      "with development dependency",
+			inputFile: "testdata/dev_dependency.csproj",
+			want: []types.Library{
+				{Name: "Newtonsoft.Json", Version: "8.0.3"},
+			},
+		},
+		{
+			name:      "sad path",
+			inputFile: "testdata/malformed_xml.csproj",
+			wantErr:   "failed to decode .csproj file: XML syntax error on line 11: unexpected EOF",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f, err := os.Open(tt.inputFile)
+			require.NoError(t, err)
+
+			got, _, err := csproj.NewParser().Parse(f)
+			if tt.wantErr != "" {
+				require.NotNil(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, tt.want, got)
+		})
+	}
+}
diff --git a/pkg/nuget/csproj/testdata/dev_dependency.csproj b/pkg/nuget/csproj/testdata/dev_dependency.csproj
new file mode 100644
index 00000000..e2d6effc
--- /dev/null
+++ b/pkg/nuget/csproj/testdata/dev_dependency.csproj
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <TargetFramework>net46</TargetFramework>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Net.Compilers" Version="1.0.0">
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Newtonsoft.Json" Version="8.0.3" />
+  </ItemGroup>
+</Project>
diff --git a/pkg/nuget/csproj/testdata/malformed_xml.csproj b/pkg/nuget/csproj/testdata/malformed_xml.csproj
new file mode 100644
index 00000000..764f0cb5
--- /dev/null
+++ b/pkg/nuget/csproj/testdata/malformed_xml.csproj
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <TargetFramework>net46</TargetFramework>
+  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Net.Compilers" Version="1.0.0">
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Newtonsoft.Json" Version="8.0.3" />
diff --git a/pkg/nuget/csproj/testdata/packages.csproj b/pkg/nuget/csproj/testdata/packages.csproj
new file mode 100644
index 00000000..191cd6be
--- /dev/null
+++ b/pkg/nuget/csproj/testdata/packages.csproj
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <TargetFramework>net45</TargetFramework>
+  </PropertyGroup>
+  <ItemGroup>
+    <!-- other ItemGroup elements can lack PackageReference elements -->
+  </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNet.WebApi" Version="5.2.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="6.0.4" />
+  </ItemGroup>
+  <ItemGroup>
+    <!-- other ItemGroup elements can lack PackageReference elements -->
+  </ItemGroup>
+</Project>

From 19101cb55eac62a955c3a1f2a032f8cb107fb18d Mon Sep 17 00:00:00 2001
From: Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
Date: Fri, 12 Aug 2022 11:35:39 +0200
Subject: [PATCH 2/3] Be more specific about which dependencies we exclude

PrivateAssets=all, ExcludeAssets=all, ExcludeAssets=runtime. There are more combinations possible, but these seem to be the most common values to indicate dependencies that are either not transitive, only available at compile time, or not available at all.

PrivateAssets and ExcludeAssets can be specified in either an attribute or a tag, where the tag takes precedence. Values are separated by semicolons and case insensitive.
---
 pkg/nuget/csproj/parse.go                     | 39 ++++++++++++++++---
 pkg/nuget/csproj/parse_test.go                |  5 +++
 .../csproj/testdata/dev_dependency.csproj     | 33 +++++++++++++++-
 3 files changed, 71 insertions(+), 6 deletions(-)

diff --git a/pkg/nuget/csproj/parse.go b/pkg/nuget/csproj/parse.go
index b693f507..1d229661 100644
--- a/pkg/nuget/csproj/parse.go
+++ b/pkg/nuget/csproj/parse.go
@@ -2,6 +2,7 @@ package csproj
 
 import (
 	"encoding/xml"
+	"strings"
 
 	"golang.org/x/xerrors"
 
@@ -11,10 +12,13 @@ import (
 )
 
 type cfgPackageReference struct {
-	XMLName       xml.Name `xml:"PackageReference"`
-	Version       string   `xml:"Version,attr"`
-	Include       string   `xml:"Include,attr"`
-	PrivateAssets string   `xml:"PrivateAssets"`
+	XMLName           xml.Name `xml:"PackageReference"`
+	Version           string   `xml:"Version,attr"`
+	Include           string   `xml:"Include,attr"`
+	PrivateAssetsTag  string   `xml:"PrivateAssets"`
+	PrivateAssetsAttr string   `xml:"PrivateAssets,attr"`
+	ExcludeAssetsTag  string   `xml:"ExcludeAssets"`
+	ExcludeAssetsAttr string   `xml:"ExcludeAssets,attr"`
 }
 
 type config struct {
@@ -36,7 +40,7 @@ func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency,
 
 	libs := make([]types.Library, 0)
 	for _, pkg := range cfgData.Packages {
-		if pkg.Include == "" || pkg.PrivateAssets != "" {
+		if pkg.Include == "" || isDevDependency(pkg) {
 			continue
 		}
 
@@ -50,3 +54,28 @@ func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency,
 
 	return utils.UniqueLibraries(libs), nil, nil
 }
+
+func isDevDependency(pkg cfgPackageReference) bool {
+	var privateAssets = tagOrAttribute(pkg.PrivateAssetsTag, pkg.PrivateAssetsAttr)
+	var excludeAssets = tagOrAttribute(pkg.ExcludeAssetsTag, pkg.ExcludeAssetsAttr)
+	return assetListContains(privateAssets, "all") || assetListContains(excludeAssets, "all") || assetListContains(excludeAssets, "runtime")
+}
+
+func assetListContains(assets []string, needle string) bool {
+	for _, v := range assets {
+		if strings.EqualFold(v, needle) {
+			return true
+		}
+	}
+	return false
+}
+
+func tagOrAttribute(tag string, attr string) []string {
+	var strvalue = "";
+	if (tag != "") {
+		strvalue = tag
+	} else {
+		strvalue = attr
+	}
+	return strings.Split(strvalue, ";")
+}
diff --git a/pkg/nuget/csproj/parse_test.go b/pkg/nuget/csproj/parse_test.go
index a713cce7..e2ff4546 100644
--- a/pkg/nuget/csproj/parse_test.go
+++ b/pkg/nuget/csproj/parse_test.go
@@ -30,6 +30,11 @@ func TestParse(t *testing.T) {
 			name:      "with development dependency",
 			inputFile: "testdata/dev_dependency.csproj",
 			want: []types.Library{
+				{Name: "PrivateAssets.Tag.None", Version: "1.0.0"},
+				{Name: "PrivateAssets.Conflicting.Tag.Attribute", Version: "1.0.0"},
+				{Name: "ExcludeAssets.Tag.ContentFiles", Version: "1.0.0"},
+				{Name: "ExcludeAssets.Tag.None", Version: "1.0.0"},
+				{Name: "ExcludeAssets.Conflicting.Tag.Attribute", Version: "1.0.0"},
 				{Name: "Newtonsoft.Json", Version: "8.0.3"},
 			},
 		},
diff --git a/pkg/nuget/csproj/testdata/dev_dependency.csproj b/pkg/nuget/csproj/testdata/dev_dependency.csproj
index e2d6effc..a07fdd85 100644
--- a/pkg/nuget/csproj/testdata/dev_dependency.csproj
+++ b/pkg/nuget/csproj/testdata/dev_dependency.csproj
@@ -4,9 +4,40 @@
     <TargetFramework>net46</TargetFramework>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Net.Compilers" Version="1.0.0">
+    <!-- PrivateAssets=all indicates a development dependency, and we exclude those -->
+    <PackageReference Include="PrivateAssets.Tag.All" Version="1.0.0">
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
+    <PackageReference Include="PrivateAssets.Tag.None" Version="1.0.0">
+      <PrivateAssets>none</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="PrivateAssets.Attribute.All" Version="1.0.0" PrivateAssets="All" />
+    <PackageReference Include="PrivateAssets.Conflicting.Tag.Attribute" Version="1.0.0" PrivateAssets="All">
+      <PrivateAssets>None</PrivateAssets>
+    </PackageReference>
+
+    <!-- ExcludeAssets=all / runtime indicates a compile-time dependency, and we exclude those -->
+    <PackageReference Include="ExcludeAssets.Tag.All" Version="1.0.0">
+      <ExcludeAssets>all</ExcludeAssets>
+    </PackageReference>
+    <PackageReference Include="ExcludeAssets.Tag.Runtime" Version="1.0.0">
+      <ExcludeAssets>runtime</ExcludeAssets>
+    </PackageReference>
+    <PackageReference Include="ExcludeAssets.Tag.RuntimeAndMore" Version="1.0.0">
+      <ExcludeAssets>contentFiles;runtime;native</ExcludeAssets>
+    </PackageReference>
+    <PackageReference Include="ExcludeAssets.Tag.ContentFiles" Version="1.0.0">
+      <ExcludeAssets>contentFiles</ExcludeAssets>
+    </PackageReference>
+    <PackageReference Include="ExcludeAssets.Tag.None" Version="1.0.0">
+      <ExcludeAssets>none</ExcludeAssets>
+    </PackageReference>
+    <PackageReference Include="ExcludeAssets.Attribute.All" Version="1.0.0" ExcludeAssets="All" />
+    <PackageReference Include="ExcludeAssets.Conflicting.Tag.Attribute" Version="1.0.0" ExcludeAssets="All">
+      <ExcludeAssets>None</ExcludeAssets>
+    </PackageReference>
+
+    <!-- Normal dependency -->
     <PackageReference Include="Newtonsoft.Json" Version="8.0.3" />
   </ItemGroup>
 </Project>

From 2e57fbafe8d43d821a3a94a3d7f8aeb2c3877f95 Mon Sep 17 00:00:00 2001
From: Sjoerd Langkemper <sjoerd-github@linuxonly.nl>
Date: Fri, 12 Aug 2022 11:53:35 +0200
Subject: [PATCH 3/3] Reduce floating versions by stripping .*

A floating version specifies a range of versions, such as `1.2.*`. This can't be parsed as an actual version. We strip all `.*` at the end, and reduce to a version such as `1.2`. This is not very accurate. Version 1.2 of a package may not even exist. However, I think it is acceptable for trivy when comparing actual versions with vulnerable versions. When packages before 1.2.5 contain a vulnerability, we want to flag 1.2.* as potentially vulnerable.
---
 pkg/nuget/csproj/parse.go                 | 4 +++-
 pkg/nuget/csproj/parse_test.go            | 1 +
 pkg/nuget/csproj/testdata/packages.csproj | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkg/nuget/csproj/parse.go b/pkg/nuget/csproj/parse.go
index 1d229661..0de91574 100644
--- a/pkg/nuget/csproj/parse.go
+++ b/pkg/nuget/csproj/parse.go
@@ -44,9 +44,11 @@ func (p *Parser) Parse(r dio.ReadSeekerAt) ([]types.Library, []types.Dependency,
 			continue
 		}
 
+		var versionNotFloating = strings.TrimRight(pkg.Version, ".*")
+
 		lib := types.Library{
 			Name:    pkg.Include,
-			Version: pkg.Version,
+			Version: versionNotFloating,
 		}
 
 		libs = append(libs, lib)
diff --git a/pkg/nuget/csproj/parse_test.go b/pkg/nuget/csproj/parse_test.go
index e2ff4546..aeedc7d0 100644
--- a/pkg/nuget/csproj/parse_test.go
+++ b/pkg/nuget/csproj/parse_test.go
@@ -24,6 +24,7 @@ func TestParse(t *testing.T) {
 			want: []types.Library{
 				{Name: "Newtonsoft.Json", Version: "6.0.4"},
 				{Name: "Microsoft.AspNet.WebApi", Version: "5.2.2"},
+				{Name: "Floating.Version", Version: "1.2"},
 			},
 		},
 		{
diff --git a/pkg/nuget/csproj/testdata/packages.csproj b/pkg/nuget/csproj/testdata/packages.csproj
index 191cd6be..b7370a3c 100644
--- a/pkg/nuget/csproj/testdata/packages.csproj
+++ b/pkg/nuget/csproj/testdata/packages.csproj
@@ -9,6 +9,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNet.WebApi" Version="5.2.2" />
     <PackageReference Include="Newtonsoft.Json" Version="6.0.4" />
+    <PackageReference Include="Floating.Version" Version="1.2.*" />
   </ItemGroup>
   <ItemGroup>
     <!-- other ItemGroup elements can lack PackageReference elements -->