✨ Add support for Nuget restore #4157

Merged
merged 18 commits into from
Jul 10, 2024
4302af6
Nuget lock file support
balteravishay Jun 7, 2024
4c7e4f4
:seedling: Bump github.com/google/osv-scanner from 1.7.3 to 1.7.4 (#4…
dependabot[bot] Jun 4, 2024
4af6463
🐛 Use direct endpoint instead of search to find repository URL from n…
aklevans Jun 5, 2024
a8cb31d
:seedling: Bump golang.org/x/text from 0.15.0 to 0.16.0 (#4142)
dependabot[bot] Jun 5, 2024
ead508d
:seedling: Bump github.com/rhysd/actionlint from 1.7.0 to 1.7.1 (#4138)
dependabot[bot] Jun 5, 2024
12f1ca5
:seedling: Bump github.com/bradleyfalzon/ghinstallation/v2 (#4137)
dependabot[bot] Jun 5, 2024
8de4b87
:warning: remove dependencydiff functionality (#4146)
spencerschrock Jun 6, 2024
290cd06
:seedling: Bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 (#4148)
dependabot[bot] Jun 6, 2024
2d3b251
:seedling: Bump github.com/onsi/ginkgo/v2 in /tools (#4149)
dependabot[bot] Jun 6, 2024
eeadb43
:sparkles: announce where results are written (#4132)
raboof Jun 6, 2024
d01d57d
:bug: fix Unlicense detection (#4145)
spencerschrock Jun 6, 2024
a609128
fix lint
balteravishay Jun 7, 2024
8501824
✨ probe: releases with verified provenance (#4141)
raghavkaul Jun 7, 2024
9e66eb2
fix shell download
balteravishay Jun 12, 2024
bb8f301
Merge branch 'main' into avbalter/support-dotnet-lock
balteravishay Jun 12, 2024
6decb95
Merge branch 'main' into avbalter/support-dotnet-lock
balteravishay Jun 13, 2024
dde4f24
Revert "fix shell download"
spencerschrock Jul 10, 2024
d47c79d
Merge branch 'main' into avbalter/support-dotnet-lock
spencerschrock Jul 10, 2024
4 changes: 2 additions & 2 deletions checks/raw/pinned_dependencies_test.go
Expand Up @@ -281,7 +281,7 @@ func TestGithubWorkflowPkgManagerPinning(t *testing.T) {
{
name: "npm packages without verification",
filename: "./testdata/.github/workflows/github-workflow-pkg-managers.yaml",
unpinned: 49,
unpinned: 52,
},
{
name: "Can't identify OS but doesn't crash",
Expand Down Expand Up @@ -1409,7 +1409,7 @@ func TestDockerfileScriptDownload(t *testing.T) {
{
name: "pkg managers",
filename: "./testdata/Dockerfile-pkg-managers",
unpinned: 60,
unpinned: 63,
},
{
name: "download with some python",
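Review bot: The only test change visible here is the unpinned count going from 49 to 52 and 60 to 63, which exercises the "restore without lock enforcement is unpinned" path but, as far as this section shows, nothing asserts that `dotnet restore --locked-mode`, `nuget restore -LockedMode` or `msbuild /t:restore /p:RestoreLockedMode=true` are reported as pinned. The fixture files themselves are not part of this view, so it may already be covered; if not, a positive case per form would pin the new `isUnpinned*Restore` branches so a future change to the flag matching cannot silently turn every restore into an unpinned finding. `TestGithubWorkflowPkgManagerPinning` and `TestDockerfileScriptDownload` both start and end outside these hunks.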
113 changes: 103 additions & 10 deletions checks/raw/shell_download_validate.go
Expand Up @@ -764,19 +764,19 @@ func isUnpinnedNugetCliInstall(cmd []string) bool {
return unpinnedDependency
}

func isDotNetCliInstall(cmd []string) bool {
func isDotNetCliAdd(cmd []string) bool {
// Search for command of type dotnet add <PROJECT> package <PACKAGE_NAME>
if len(cmd) < 4 {
return false
}
// Search for dotnet add <PROJECT> package <PACKAGE_NAME>
// Search for dotnet add [PROJECT] package <PACKAGE_NAME>
// where package command can be either the second or the third word
return (isBinaryName("dotnet", cmd[0]) || isBinaryName("dotnet.exe", cmd[0])) &&
strings.EqualFold(cmd[1], "add") &&
(strings.EqualFold(cmd[2], "package") || strings.EqualFold(cmd[3], "package"))
}

func isUnpinnedDotNetCliInstall(cmd []string) bool {
func isUnpinnedDotNetCliAdd(cmd []string) bool {
unpinnedDependency := true
for i := 3; i < len(cmd); i++ {
// look for version flag
Expand All @@ -789,22 +789,114 @@ func isUnpinnedDotNetCliInstall(cmd []string) bool {
return unpinnedDependency
}

func isNugetDownload(cmd []string) bool {
return isDotNetCliInstall(cmd) || isNugetCliInstall(cmd)
func isNuget(cmd []string) bool {
return isDotNetCliAdd(cmd) ||
isNugetCliInstall(cmd) ||
isDotNetCliRestore(cmd) ||
isNugetCliRestore(cmd) ||
isMsBuildRestore(cmd)
}

func isNugetUnpinnedDownload(cmd []string) bool {
if isDotNetCliInstall(cmd) && isUnpinnedDotNetCliInstall(cmd) {
func isNugetUnpinned(cmd []string) bool {
if isDotNetCliAdd(cmd) && isUnpinnedDotNetCliAdd(cmd) {
return true
}

if isNugetCliInstall(cmd) && isUnpinnedNugetCliInstall(cmd) {
return true
}

if isDotNetCliRestore(cmd) && isUnpinnedDotNetCliRestore(cmd) {
return true
}

if isNugetCliRestore(cmd) && isUnpinnedNugetCliRestore(cmd) {
return true
}

if isMsBuildRestore(cmd) && isUnpinnedMsBuildCliRestore(cmd) {
return true
}

return false
}

func isNugetCliRestore(cmd []string) bool {
// Search for command of type nuget restore
if len(cmd) < 2 {
return false
}
// Search for nuget restore
return (isBinaryName("nuget", cmd[0]) || isBinaryName("nuget.exe", cmd[0])) &&
strings.EqualFold(cmd[1], "restore")
}

func isDotNetCliRestore(cmd []string) bool {
// Search for command of type dotnet restore
if len(cmd) < 2 {
return false
}
// Search for dotnet restore
return (isBinaryName("dotnet", cmd[0]) || isBinaryName("dotnet.exe", cmd[0])) &&
strings.EqualFold(cmd[1], "restore")
}

func isMsBuildRestore(cmd []string) bool {
// Search for command of type msbuild /t:restore
if len(cmd) < 2 {
return false
}
// Search for msbuild /t:restore
if isBinaryName("msbuild", cmd[0]) || isBinaryName("msbuild.exe", cmd[0]) {
for i := 1; i < len(cmd); i++ {
// look for /t:restore flag
if strings.EqualFold(cmd[i], "/t:restore") {
return true
}
}
}
return false
}

func isUnpinnedNugetCliRestore(cmd []string) bool {
unpinnedDependency := true
for i := 2; i < len(cmd); i++ {
// look for LockedMode flag
// https://learn.microsoft.com/en-us/nuget/reference/cli-reference/cli-ref-restore
if strings.EqualFold(cmd[i], "-LockedMode") {
unpinnedDependency = false
break
}
}
return unpinnedDependency
}

func isUnpinnedDotNetCliRestore(cmd []string) bool {
unpinnedDependency := true
for i := 2; i < len(cmd); i++ {
// look for locked-mode flag
// https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-restore
if strings.EqualFold(cmd[i], "--locked-mode") {
unpinnedDependency = false
break
}
}
return unpinnedDependency
}

func isUnpinnedMsBuildCliRestore(cmd []string) bool {
unpinnedDependency := true
for i := 2; i < len(cmd); i++ {
// look for /p:RestoreLockedMode=true
// https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-restore
if strings.EqualFold(cmd[i], "/p:RestoreLockedMode=true") {
unpinnedDependency = false
break
}
}
return unpinnedDependency
}

func collectUnpinnedPackageManagerDownload(startLine, endLine uint, node syntax.Node,
cmd, pathfn string, r *checker.PinningDependenciesData,
) {
Expand Down Expand Up @@ -900,8 +992,8 @@ func collectUnpinnedPackageManagerDownload(startLine, endLine uint, node syntax.
return
}

// Nuget install.
if isNugetDownload(c) {
// Nuget install and restore
if isNuget(c) {
r.Dependencies = append(r.Dependencies,
checker.Dependency{
Location: &checker.File{
Expand All @@ -911,13 +1003,14 @@ func collectUnpinnedPackageManagerDownload(startLine, endLine uint, node syntax.
EndOffset: endLine,
Snippet: cmd,
},
Pinned: asBoolPointer(!isNugetUnpinnedDownload(c)),
Pinned: asBoolPointer(!isNugetUnpinned(c)),
Type: checker.DependencyUseTypeNugetCommand,
},
)

return
}

// TODO(laurent): add other package managers.
}

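Review bot: `isUnpinnedMsBuildCliRestore` starts scanning at index 2 while `isMsBuildRestore` accepts `/t:restore` anywhere from index 1, so `msbuild /p:RestoreLockedMode=true /t:restore` is detected as a restore but its locked-mode property at `cmd[1]` is never seen and the command is reported as unpinned; the loop should be `for i := 1; i < len(cmd); i++ {` to match the detector. The matching is also exact-string only: MSBuild accepts `-p:`/`-property:` and `-t:`/`-target:` prefixes and a standalone `-restore`/`-r` switch, and `dotnet restore` honours `-p:RestoreLockedMode=true` as an alternative to `--locked-mode`, so those spellings would either be missed entirely (false negative for a restore that is not locked) or flagged as unpinned although they are — worth confirming against the MSBuild and dotnet CLI references before widening, e.g. by normalising a leading `-` to `/` and comparing the `RestoreLockedMode=true` property case-insensitively. A short comment on `isNugetUnpinned` stating that a restore counts as pinned only when lock enforcement is requested on the command line (a lock file alone does not pin anything) would make the intent clear to the next reader, e.g. `// A restore is pinned only when lock enforcement is requested; a packages.lock.json alone is not consulted here.` `collectUnpinnedPackageManagerDownload` starts and ends outside this hunk.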