From 52ebd32ec537c467ee70011cb360b10b2878f48b Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 20 Sep 2023 13:40:47 +0600 Subject: [PATCH 1/6] add nuspec files support --- docs/docs/coverage/language/dotnet.md | 21 ++- .../analyzer/language/dotnet/nuget/nuget.go | 78 +++++++--- .../language/dotnet/nuget/nuget_test.go | 134 +++++++++++++----- .../analyzer/language/dotnet/nuget/nuspec.go | 81 +++++++++++ .../testdata/{ => config}/packages.config | 0 .../testdata/{ => lock}/packages.lock.json | 0 .../12.0.3/newtonsoft.json.nuspec | 42 ++++++ .../6.0.4/newtonsoft.json.nuspec | 16 +++ .../5.7.0/nuget.frameworks.nuspec | 23 +++ .../nuget/testdata/{ => sad}/invalid.txt | 0 10 files changed, 343 insertions(+), 52 deletions(-) create mode 100644 pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go rename pkg/fanal/analyzer/language/dotnet/nuget/testdata/{ => config}/packages.config (100%) rename pkg/fanal/analyzer/language/dotnet/nuget/testdata/{ => lock}/packages.lock.json (100%) create mode 100755 pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.nuspec create mode 100755 pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/6.0.4/newtonsoft.json.nuspec create mode 100755 pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/nuget.frameworks/5.7.0/nuget.frameworks.nuspec rename pkg/fanal/analyzer/language/dotnet/nuget/testdata/{ => sad}/invalid.txt (100%) diff --git a/docs/docs/coverage/language/dotnet.md b/docs/docs/coverage/language/dotnet.md index b8373612972c..d24249e7a9d3 100644 --- a/docs/docs/coverage/language/dotnet.md +++ b/docs/docs/coverage/language/dotnet.md @@ -7,7 +7,7 @@ The following scanners are supported. | Artifact | SBOM | Vulnerability | License | |-----------|:----:|:-------------:|:-------:| | .Net Core | ✓ | ✓ | - | -| NuGet | ✓ | ✓ | - | +| NuGet | ✓ | ✓ | ✓ | The following table provides an outline of the features Trivy offers. @@ -17,18 +17,31 @@ The following table provides an outline of the features Trivy offers. | NuGet | packages.config | ✓ | Excluded | - | - | | NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ | -### *.deps.json +## *.deps.json Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report. -### packages.config +## packages.config Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files. -### packages.lock.json +### license detection +`packages.config` files don't have information about the licenses used. +Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses. +!!! note + The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` only). +Currently only the default path and `NUGET_PACKAGES` environment variable are supported. + +## packages.lock.json Don't forgot to [enable][enable-lock] lock files in your project. !!! tip Please make sure your lock file is up-to-date after modifying dependencies. +### license detection +Same as [packages.config](#license-detection) [enable-lock]: https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-the-lock-file [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies +[nuspec]: https://learn.microsoft.com/en-us/nuget/reference/nuspec +[global-packages]: https://learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders +[license]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#license +[license-url]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#licenseurl diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index 99ee8c0c012f..ab5201fd12d7 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -2,59 +2,105 @@ package nuget import ( "context" + "errors" + "io" + "io/fs" "os" "path/filepath" + "sort" "golang.org/x/exp/slices" - "golang.org/x/xerrors" "github.com/aquasecurity/go-dep-parser/pkg/nuget/config" "github.com/aquasecurity/go-dep-parser/pkg/nuget/lock" + godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language" "github.com/aquasecurity/trivy/pkg/fanal/types" + "github.com/aquasecurity/trivy/pkg/utils/fsutils" ) func init() { - analyzer.RegisterAnalyzer(&nugetLibraryAnalyzer{}) + analyzer.RegisterPostAnalyzer(types.NuGet, newNugetLibraryAnalyzer) } const ( - version = 2 + version = 3 lockFile = types.NuGetPkgsLock configFile = types.NuGetPkgsConfig ) var requiredFiles = []string{lockFile, configFile} -type nugetLibraryAnalyzer struct{} +type nugetLibraryAnalyzer struct { + lockParser godeptypes.Parser + configParser godeptypes.Parser + licenseParser nuspecParser +} -func (a nugetLibraryAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { - // Set the default parser - parser := lock.NewParser() +func newNugetLibraryAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) { + return &nugetLibraryAnalyzer{ + lockParser: lock.NewParser(), + configParser: config.NewParser(), + licenseParser: newNuspecParser(), + }, nil +} - targetFile := filepath.Base(input.FilePath) - if targetFile == configFile { - parser = config.NewParser() +func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) { + var apps []types.Application + + required := func(path string, d fs.DirEntry) bool { + fileName := filepath.Base(path) + return slices.Contains(requiredFiles, fileName) } - res, err := language.Analyze(types.NuGet, input.FilePath, input.Content, parser) + err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error { + // Set the default parser + parser := a.lockParser + + targetFile := filepath.Base(path) + if targetFile == configFile { + parser = a.configParser + } + + app, err := language.Parse(types.NuGet, path, r, parser) + if err != nil { + return xerrors.Errorf("NuGet parse error: %w", err) + } + + for i, lib := range app.Libraries { + license, err := a.licenseParser.findLicense(lib.Name, lib.Version) + if err != nil { + if !errors.Is(err, fs.ErrNotExist) { + return xerrors.Errorf("find license error: %w", err) + } + } + app.Libraries[i].Licenses = license + } + + sort.Sort(app.Libraries) + apps = append(apps, *app) + return nil + }) if err != nil { - return nil, xerrors.Errorf("NuGet analysis error: %w", err) + return nil, xerrors.Errorf("walk error: %w", err) } - return res, nil + + return &analyzer.AnalysisResult{ + Applications: apps, + }, nil } -func (a nugetLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool { +func (a *nugetLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool { fileName := filepath.Base(filePath) return slices.Contains(requiredFiles, fileName) } -func (a nugetLibraryAnalyzer) Type() analyzer.Type { +func (a *nugetLibraryAnalyzer) Type() analyzer.Type { return analyzer.TypeNuget } -func (a nugetLibraryAnalyzer) Version() int { +func (a *nugetLibraryAnalyzer) Version() int { return version } diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go index 72ea517c96fa..539ae9bb96d9 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go @@ -3,7 +3,6 @@ package nuget import ( "context" "os" - "sort" "testing" "github.com/stretchr/testify/assert" @@ -15,19 +14,22 @@ import ( func Test_nugetibraryAnalyzer_Analyze(t *testing.T) { tests := []struct { - name string - inputFile string - want *analyzer.AnalysisResult - wantErr string + name string + dir string + env map[string]string + want *analyzer.AnalysisResult }{ { - name: "happy path config file", - inputFile: "testdata/packages.config", + name: "happy path config file.", + dir: "testdata/config", + env: map[string]string{ + "NUGET_PACKAGES": "testdata/repository/.nuget/packages", + }, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { Type: types.NuGet, - FilePath: "testdata/packages.config", + FilePath: "packages.config", Libraries: types.Packages{ { Name: "Microsoft.AspNet.WebApi", @@ -43,13 +45,57 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) { }, }, { - name: "happy path lock file", - inputFile: "testdata/packages.lock.json", + name: "happy path lock file.", + dir: "testdata/lock", + env: map[string]string{ + "HOME": "testdata/repository", + }, + want: &analyzer.AnalysisResult{ + Applications: []types.Application{ + { + Type: types.NuGet, + FilePath: "packages.lock.json", + Libraries: types.Packages{ + { + ID: "Newtonsoft.Json@12.0.3", + Name: "Newtonsoft.Json", + Version: "12.0.3", + Locations: []types.Location{ + { + StartLine: 5, + EndLine: 10, + }, + }, + Licenses: []string{"MIT"}, + }, + { + ID: "NuGet.Frameworks@5.7.0", + Name: "NuGet.Frameworks", + Version: "5.7.0", + Locations: []types.Location{ + { + StartLine: 11, + EndLine: 19, + }, + }, + DependsOn: []string{"Newtonsoft.Json@12.0.3"}, + }, + }, + }, + }, + }, + }, + { + name: "happy path lock file. `NUGET_PACKAGES` env is used", + dir: "testdata/lock", + env: map[string]string{ + "NUGET_PACKAGES": "testdata/repository/.nuget/packages", + }, want: &analyzer.AnalysisResult{ Applications: []types.Application{ { Type: types.NuGet, - FilePath: "testdata/packages.lock.json", + FilePath: "packages.lock.json", Libraries: types.Packages{ { ID: "Newtonsoft.Json@12.0.3", @@ -61,6 +107,7 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) { EndLine: 10, }, }, + Licenses: []string{"MIT"}, }, { ID: "NuGet.Frameworks@5.7.0", @@ -80,35 +127,58 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) { }, }, { - name: "sad path", - inputFile: "testdata/invalid.txt", - wantErr: "NuGet analysis error", + name: "happy path lock file. `.nuget` directory doesn't exist", + dir: "testdata/lock", + env: map[string]string{ + "HOME": "testdata/invalid", + }, + want: &analyzer.AnalysisResult{ + Applications: []types.Application{ + { + Type: types.NuGet, + FilePath: "packages.lock.json", + Libraries: types.Packages{ + { + ID: "Newtonsoft.Json@12.0.3", + Name: "Newtonsoft.Json", + Version: "12.0.3", + Locations: []types.Location{ + { + StartLine: 5, + EndLine: 10, + }, + }, + }, + { + ID: "NuGet.Frameworks@5.7.0", + Name: "NuGet.Frameworks", + Version: "5.7.0", + Locations: []types.Location{ + { + StartLine: 11, + EndLine: 19, + }, + }, + DependsOn: []string{"Newtonsoft.Json@12.0.3"}, + }, + }, + }, + }, + }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - f, err := os.Open(tt.inputFile) + for env, path := range tt.env { + t.Setenv(env, path) + } + a, err := newNugetLibraryAnalyzer(analyzer.AnalyzerOptions{}) require.NoError(t, err) - defer f.Close() - a := nugetLibraryAnalyzer{} - ctx := context.Background() - got, err := a.Analyze(ctx, analyzer.AnalysisInput{ - FilePath: tt.inputFile, - Content: f, + got, err := a.PostAnalyze(context.Background(), analyzer.PostAnalysisInput{ + FS: os.DirFS(tt.dir), }) - if tt.wantErr != "" { - require.NotNil(t, err) - assert.Contains(t, err.Error(), tt.wantErr) - return - } - - // Sort libraries for consistency - for _, app := range got.Applications { - sort.Sort(app.Libraries) - } - assert.NoError(t, err) assert.Equal(t, tt.want, got) }) diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go new file mode 100644 index 000000000000..2a13b7f75234 --- /dev/null +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go @@ -0,0 +1,81 @@ +package nuget + +import ( + "encoding/xml" + "fmt" + "os" + "path/filepath" + "strings" + + "golang.org/x/xerrors" + + "github.com/aquasecurity/trivy/pkg/log" + "github.com/aquasecurity/trivy/pkg/utils/fsutils" +) + +const nuspecExt = "nuspec" + +// https://learn.microsoft.com/en-us/nuget/reference/nuspec +type Package struct { + Metadata Metadata `xml:"metadata"` +} + +type Metadata struct { + License License `xml:"license"` +} + +type License struct { + Text string `xml:",chardata"` + Type string `xml:"type,attr"` +} + +type nuspecParser struct { + packagesDir string // dir with all local packages +} + +func newNuspecParser() nuspecParser { + // https: //learn.microsoft.com/en-us/nuget/reference/cli-reference/cli-ref-environment-variables + packagesDir := os.Getenv("NUGET_PACKAGES") + if packagesDir == "" { + packagesDir = filepath.Join(os.Getenv("HOME"), ".nuget", "packages") + } + + if !fsutils.DirExists(packagesDir) { + log.Logger.Debugf("The nuget packages directory couldn't be found. License search disabled") + return nuspecParser{} + } + + return nuspecParser{ + packagesDir: packagesDir, + } +} + +func (p nuspecParser) findLicense(name, version string) ([]string, error) { + if p.packagesDir == "" { + return nil, nil + } + + // package path uses lowercase letters only + name = strings.ToLower(name) + version = strings.ToLower(version) + + nuspecFileName := fmt.Sprintf("%s.%s", name, nuspecExt) + path := filepath.Join(p.packagesDir, name, version, nuspecFileName) + + f, err := os.Open(path) + if err != nil { + return nil, xerrors.Errorf("unable to open %q file: %w", path, err) + } + defer func() { _ = f.Close() }() + + var pkg Package + if err = xml.NewDecoder(f).Decode(&pkg); err != nil { + return nil, xerrors.Errorf("unable to decode %q file: %w", path, err) + } + + if license := pkg.Metadata.License; license.Type == "expression" && license.Text != "" { + return []string{license.Text}, nil + } + + return nil, nil +} diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/packages.config b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/config/packages.config similarity index 100% rename from pkg/fanal/analyzer/language/dotnet/nuget/testdata/packages.config rename to pkg/fanal/analyzer/language/dotnet/nuget/testdata/config/packages.config diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/packages.lock.json b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/lock/packages.lock.json similarity index 100% rename from pkg/fanal/analyzer/language/dotnet/nuget/testdata/packages.lock.json rename to pkg/fanal/analyzer/language/dotnet/nuget/testdata/lock/packages.lock.json diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.nuspec b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.nuspec new file mode 100755 index 000000000000..c215566e4e41 --- /dev/null +++ b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/12.0.3/newtonsoft.json.nuspec @@ -0,0 +1,42 @@ + + + + Newtonsoft.Json + 12.0.3 + Json.NET + James Newton-King + James Newton-King + false + MIT + https://licenses.nuget.org/MIT + packageIcon.png + https://www.newtonsoft.com/json + Json.NET is a popular high-performance JSON framework for .NET + Copyright © James Newton-King 2008 + json + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/6.0.4/newtonsoft.json.nuspec b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/6.0.4/newtonsoft.json.nuspec new file mode 100755 index 000000000000..4f361ab9c2d5 --- /dev/null +++ b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/newtonsoft.json/6.0.4/newtonsoft.json.nuspec @@ -0,0 +1,16 @@ + + + + Newtonsoft.Json + 6.0.4 + Json.NET + James Newton-King + James Newton-King + https://raw.github.com/JamesNK/Newtonsoft.Json/master/LICENSE.md + http://james.newtonking.com/json + false + Json.NET is a popular high-performance JSON framework for .NET + en-US + json + + \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/nuget.frameworks/5.7.0/nuget.frameworks.nuspec b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/nuget.frameworks/5.7.0/nuget.frameworks.nuspec new file mode 100755 index 000000000000..21ad4997758e --- /dev/null +++ b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/repository/.nuget/packages/nuget.frameworks/5.7.0/nuget.frameworks.nuspec @@ -0,0 +1,23 @@ + + + + NuGet.Frameworks + 5.7.0+b804bf4ba62c0b47c77bbf3e22e196b57cd7a556 + Microsoft + Microsoft + true + LICENSE.txt + https://aka.ms/nugetprj + https://raw.githubusercontent.com/NuGet/Media/master/Images/MainLogo/256x256/nuget_256.png + NuGet's understanding of target frameworks. + © Microsoft Corporation. All rights reserved. + nuget + true + + + + + + + + \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/testdata/invalid.txt b/pkg/fanal/analyzer/language/dotnet/nuget/testdata/sad/invalid.txt similarity index 100% rename from pkg/fanal/analyzer/language/dotnet/nuget/testdata/invalid.txt rename to pkg/fanal/analyzer/language/dotnet/nuget/testdata/sad/invalid.txt From 07d4a3ccc7995aea19273e42674cbb3ec2df1910 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 21 Sep 2023 08:40:52 +0600 Subject: [PATCH 2/6] docs: docs, log messages, comments refactoring --- docs/docs/coverage/language/dotnet.md | 2 +- pkg/fanal/analyzer/language/dotnet/nuget/nuget.go | 4 ++-- pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go | 2 +- pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go | 6 ++++-- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/docs/coverage/language/dotnet.md b/docs/docs/coverage/language/dotnet.md index d24249e7a9d3..c5251b4ab20e 100644 --- a/docs/docs/coverage/language/dotnet.md +++ b/docs/docs/coverage/language/dotnet.md @@ -27,7 +27,7 @@ Trivy only finds dependency names and versions from `packages.config` files. To `packages.config` files don't have information about the licenses used. Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses. !!! note - The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` only). + The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` type only). Currently only the default path and `NUGET_PACKAGES` environment variable are supported. ## packages.lock.json diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index ab5201fd12d7..46d8258bd82c 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -73,7 +73,7 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos license, err := a.licenseParser.findLicense(lib.Name, lib.Version) if err != nil { if !errors.Is(err, fs.ErrNotExist) { - return xerrors.Errorf("find license error: %w", err) + return xerrors.Errorf("license find error: %w", err) } } app.Libraries[i].Licenses = license @@ -84,7 +84,7 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos return nil }) if err != nil { - return nil, xerrors.Errorf("walk error: %w", err) + return nil, xerrors.Errorf("NuGet walk error: %w", err) } return &analyzer.AnalysisResult{ diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go index 539ae9bb96d9..7dae7368e115 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go @@ -23,7 +23,7 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) { name: "happy path config file.", dir: "testdata/config", env: map[string]string{ - "NUGET_PACKAGES": "testdata/repository/.nuget/packages", + "HOME": "testdata/repository", }, want: &analyzer.AnalysisResult{ Applications: []types.Application{ diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go index 2a13b7f75234..7ed5f1a5d2cf 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go @@ -30,11 +30,11 @@ type License struct { } type nuspecParser struct { - packagesDir string // dir with all local packages + packagesDir string // global packages folder - https: //learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders } func newNuspecParser() nuspecParser { - // https: //learn.microsoft.com/en-us/nuget/reference/cli-reference/cli-ref-environment-variables + // https: //learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders packagesDir := os.Getenv("NUGET_PACKAGES") if packagesDir == "" { packagesDir = filepath.Join(os.Getenv("HOME"), ".nuget", "packages") @@ -56,6 +56,8 @@ func (p nuspecParser) findLicense(name, version string) ([]string, error) { } // package path uses lowercase letters only + // e.g. `$HOME/.nuget/packages/newtonsoft.json/13.0.3/newtonsoft.json.nuspec` + // for `Newtonsoft.Json` v13.0.3 name = strings.ToLower(name) version = strings.ToLower(version) From 1fa542fb9cee146a2fca66509a5a4fad9e334a4d Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 21 Sep 2023 08:49:41 +0600 Subject: [PATCH 3/6] save found licences to use next time --- pkg/fanal/analyzer/language/dotnet/nuget/nuget.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index 46d8258bd82c..e64cd9a12bc1 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -49,6 +49,7 @@ func newNugetLibraryAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) { var apps []types.Application + foundLicenses := make(map[string][]string) required := func(path string, d fs.DirEntry) bool { fileName := filepath.Base(path) @@ -70,12 +71,17 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos } for i, lib := range app.Libraries { - license, err := a.licenseParser.findLicense(lib.Name, lib.Version) - if err != nil { - if !errors.Is(err, fs.ErrNotExist) { - return xerrors.Errorf("license find error: %w", err) + license, ok := foundLicenses[lib.ID] + if !ok { + license, err = a.licenseParser.findLicense(lib.Name, lib.Version) + if err != nil { + if !errors.Is(err, fs.ErrNotExist) { + return xerrors.Errorf("license find error: %w", err) + } } + foundLicenses[lib.ID] = license } + app.Libraries[i].Licenses = license } From 21eb6d8da68afe6da8836df3174453cc2b0becfe Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 21 Sep 2023 08:55:14 +0600 Subject: [PATCH 4/6] refactor --- pkg/fanal/analyzer/language/dotnet/nuget/nuget.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index e64cd9a12bc1..30b551a8b4e9 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -51,9 +51,10 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos var apps []types.Application foundLicenses := make(map[string][]string) + // We saved only config and lock files in the FS, + // so we need to parse all saved files required := func(path string, d fs.DirEntry) bool { - fileName := filepath.Base(path) - return slices.Contains(requiredFiles, fileName) + return true } err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error { From 1d0fed1336f1501c5d1f3d1b453be7fc47fa1ba9 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 27 Sep 2023 15:25:31 +0600 Subject: [PATCH 5/6] refactor --- pkg/fanal/analyzer/language/dotnet/nuget/nuget.go | 8 +++----- pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go | 7 +++---- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index 30b551a8b4e9..4044aef835ab 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -22,7 +22,7 @@ import ( ) func init() { - analyzer.RegisterPostAnalyzer(types.NuGet, newNugetLibraryAnalyzer) + analyzer.RegisterPostAnalyzer(analyzer.TypeGoMod, newNugetLibraryAnalyzer) } const ( @@ -75,10 +75,8 @@ func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.Pos license, ok := foundLicenses[lib.ID] if !ok { license, err = a.licenseParser.findLicense(lib.Name, lib.Version) - if err != nil { - if !errors.Is(err, fs.ErrNotExist) { - return xerrors.Errorf("license find error: %w", err) - } + if err != nil && !errors.Is(err, fs.ErrNotExist) { + return xerrors.Errorf("license find error: %w", err) } foundLicenses[lib.ID] = license } diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go index 7ed5f1a5d2cf..edefec61ed16 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go @@ -75,9 +75,8 @@ func (p nuspecParser) findLicense(name, version string) ([]string, error) { return nil, xerrors.Errorf("unable to decode %q file: %w", path, err) } - if license := pkg.Metadata.License; license.Type == "expression" && license.Text != "" { - return []string{license.Text}, nil + if license := pkg.Metadata.License; license.Type != "expression" || license.Text == "" { + return nil, nil } - - return nil, nil + return []string{pkg.Metadata.License.Text}, nil } From d45fb32eebb00c6594f884948213cb01da934966 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 27 Sep 2023 15:36:08 +0600 Subject: [PATCH 6/6] fix typo --- pkg/fanal/analyzer/language/dotnet/nuget/nuget.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go index 4044aef835ab..045241db73d6 100644 --- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go +++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go @@ -22,7 +22,7 @@ import ( ) func init() { - analyzer.RegisterPostAnalyzer(analyzer.TypeGoMod, newNugetLibraryAnalyzer) + analyzer.RegisterPostAnalyzer(analyzer.TypeNuget, newNugetLibraryAnalyzer) } const (