Feature/501 dependency tree for dotnet #532

Merged 1 commit on Sep 8, 2023


cerrussell
Contributor

@cerrussell cerrussell commented Sep 7, 2023

Closes #501

Adds parsing of dependency info from package.assets.json targets, including target dependency dependencies.

@cerrussell cerrussell added the enhancement New feature or request label Sep 7, 2023
@cerrussell cerrussell marked this pull request as ready for review September 7, 2023 17:30
@prabhu
Collaborator

prabhu commented Sep 8, 2023

Hi. Could you rebase your branch and squash into a single commit?

git rebase -i `git merge-base origin master`

# change pick from second line onwards to s
# Fix commit message
git push origin feature/501-dependency-tree-for-dotnet -f

@cerrussell cerrussell force-pushed the feature/501-dependency-tree-for-dotnet branch 2 times, most recently from b6955fa to 2828667 Compare September 8, 2023 19:40
@prabhu prabhu force-pushed the feature/501-dependency-tree-for-dotnet branch from 2828667 to d42d16e Compare September 8, 2023 19:40
Signed-off-by: Caroline Russell <caroline@appthreat.dev>

Fix eslint error.

Signed-off-by: Caroline Russell <caroline@appthreat.dev>
@cerrussell cerrussell force-pushed the feature/501-dependency-tree-for-dotnet branch from 99eaca1 to de3b6fe Compare September 8, 2023 20:20
@cerrussell cerrussell merged commit 1f4f334 into master Sep 8, 2023
@cerrussell cerrussell deleted the feature/501-dependency-tree-for-dotnet branch September 8, 2023 20:45
@noqcks
Contributor

noqcks commented Sep 9, 2023

Hi, I was just trying this out and wanted to know if this is expected behaviour.

My .csproj file

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Server.IIS" Version="2.2.6" />
  </ItemGroup>
</Project>

but the BOM generated looks like this for MyWebApp (top level pkg):

{
      "ref": "pkg:nuget/MyWebApp@1.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0",
        "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6",
        "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0",
        "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0",
        "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0",
        "pkg:nuget/Microsoft.Extensions.Options@2.2.0",
        "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0",
        "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0",
        "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0",
        "pkg:nuget/System.Buffers@4.5.0",
        "pkg:nuget/System.ComponentModel.Annotations@4.5.0",
        "pkg:nuget/System.IO.Pipelines@4.5.3",
        "pkg:nuget/System.Memory@4.5.1",
        "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1",
        "pkg:nuget/System.Security.Principal.Windows@4.5.0",
        "pkg:nuget/System.Text.Encodings.Web@4.5.0"
      ]
    }

I would have assumed that the top-level package would look like this, so that you can understand which are direct and which are the transitive deps.

    {
      "ref": "pkg:nuget/MyWebApp@1.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6"
      ]
    }

Is this expected behaviour? Thank you!

@prabhu
Collaborator

prabhu commented Sep 9, 2023

@noqcks We parse the projects.assets.json file to construct the tree. Could you check the dependencies section in that file? Also, would you be able to check with another independent tool, such as

https://github.com/bjorkstromm/depends

@noqcks
Contributor

noqcks commented Sep 9, 2023

Looking at the projects.assets.json file for my project, I see we can extract Microsoft.AspNetCore.Server.IIS as a direct package dependency.

  "projectFileDependencyGroups": {
    "net7.0": [
      "Microsoft.AspNetCore.Server.IIS >= 2.2.6"
    ]
  },
  "packageFolders": {
    "/Users/noqcks/.nuget/packages/": {}
  },

Looking at dotnet depends will surface them as well

[image]

I suppose what I'm looking for is a way to have a distinction between direct dependencies and all dependencies for a .NET application. This PR only supports the latter from what I can see.

Would be happy to create an issue and PR support for the former
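
Added example, not part of the comments above and not cdxgen's code: one way to keep direct and transitive dependencies apart when reading an assets file, taking the root's `dependsOn` from `projectFileDependencyGroups` and every other edge from the per-package `dependencies` under `targets`. The function name `buildDependencyTree`, the caller-supplied root purl, and the trimmed sample data (whose edges are constructed) are assumptions.

```javascript
// Added example (not cdxgen code). SAMPLE_ASSETS is constructed and trimmed;
// its edges are illustrative, not the real NuGet dependency graph.
const SAMPLE_ASSETS = {
  targets: {
    "net7.0": {
      "Microsoft.AspNetCore.Server.IIS/2.2.6": {
        dependencies: { "Microsoft.AspNetCore.Http.Features": "2.2.0", "System.IO.Pipelines": "4.5.3" }
      },
      "Microsoft.AspNetCore.Http.Features/2.2.0": {
        dependencies: { "Microsoft.Extensions.Primitives": "2.2.0" }
      },
      "Microsoft.Extensions.Primitives/2.2.0": {},
      "System.IO.Pipelines/4.5.3": {}
    }
  },
  projectFileDependencyGroups: { "net7.0": ["Microsoft.AspNetCore.Server.IIS >= 2.2.6"] }
};

// rootRef (hypothetical parameter) is the purl of the project itself.
function buildDependencyTree(assets, rootRef) {
  const edges = new Map([[rootRef, new Set()]]);
  const groups = assets.projectFileDependencyGroups || {};
  for (const [framework, pkgs] of Object.entries(assets.targets || {})) {
    // Resolved versions live in the "Name/Version" keys of each target.
    const resolved = new Map();
    for (const key of Object.keys(pkgs)) {
      const [name, version] = key.split("/");
      resolved.set(name.toLowerCase(), `pkg:nuget/${name}@${version}`);
    }
    // Direct dependencies: entries look like "Name >= 2.2.6"; keep the name only.
    for (const entry of groups[framework] || []) {
      const ref = resolved.get(entry.trim().split(/\s+/)[0].toLowerCase());
      if (ref) edges.get(rootRef).add(ref);
    }
    // Transitive edges: each package's own "dependencies" map.
    for (const [key, info] of Object.entries(pkgs)) {
      const ref = resolved.get(key.split("/")[0].toLowerCase());
      if (!edges.has(ref)) edges.set(ref, new Set());
      for (const dep of Object.keys(info.dependencies || {})) {
        const depRef = resolved.get(dep.toLowerCase());
        if (depRef) edges.get(ref).add(depRef); // names with no resolved package are skipped
      }
    }
  }
  return [...edges].map(([ref, deps]) => ({ ref, dependsOn: [...deps].sort() }));
}
```

With this shape the root lists only what the `.csproj` references, and a consumer can still reach every transitive package by walking the other nodes.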

@prabhu
Collaborator

prabhu commented Sep 9, 2023

@noqcks, thank you. Sounds like a good proposal. @cerrussell, any thoughts on whether this is achievable?

@noqcks
Contributor

noqcks commented Sep 9, 2023

@prabhu I added a PR here for @cerrussell to review
