Merge branch 'main' into main

Author: Fatherhood.Foundation

.github/workflows/snapshot-publish.yml

@@ -2,6 +2,8 @@ name: Publish snapshot of test scan
 
 env:
   CD_DETECTOR_EXPERIMENTS: 1
+  PipReportSkipFallbackOnFailure: "true"
+  PIP_INDEX_URL: "https://pypi.python.org/simple"
 
 on:
   push:

README.md

@@ -85,7 +85,7 @@ This is similar to Codespaces:
 1. Make sure you meet [the requirements](https://code.visualstudio.com/docs/remote/containers#_getting-started) and follow the installation steps for DevContainers in VS Code
 1. `git clone https://github.com/microsoft/component-detection`
 1. Open this repo in VS Code
-1. A notification should popup to reopen the workspace in the container. If it doesn't, open the [`Command Palette`](https://code.visualstudio.com/docs/getstarted/tips-and-tricks#_command-palette) and type `Remote-Containers: Reopen in Container`.
+1. A notification should popup to reopen the workspace in the container. If it doesn't, open the [`Command Palette`](https://code.visualstudio.com/docs/getstarted/tips-and-tricks#_command-palette) and type `Dev Containers: Reopen in Container`.
 
 ### Community Meetings
 

src/Microsoft.ComponentDetection.Contracts/FileComponentDetectorWithCleanup.cs

@@ -56,80 +56,80 @@ protected async Task WithCleanupAsync(
         // determining the files that exist as there will be no subsequent cleanup process.
         if (this.FileUtilityService == null
             || this.DirectoryUtilityService == null
-            || !this.TryGetCleanupFileDirectory(processRequest, out var fileParentDirectory))
+            || !this.TryGetCleanupFileDirectory(processRequest, out var fileParentDirectory)
+            || !cleanupCreatedFiles)
         {
             await process(processRequest, detectorArgs, cancellationToken).ConfigureAwait(false);
             return;
         }
 
         // Get the files and directories that match the cleanup pattern and exist before the process runs.
-        var (preExistingFiles, preExistingDirs) = this.DirectoryUtilityService.GetFilesAndDirectories(fileParentDirectory, this.CleanupPatterns, DefaultCleanDepth);
-        try
+        var (preSuccess, preExistingFiles, preExistingDirs) = this.TryGetFilesAndDirectories(fileParentDirectory, this.CleanupPatterns, DefaultCleanDepth);
+
+        await process(processRequest, detectorArgs, cancellationToken).ConfigureAwait(false);
+        if (!preSuccess)
         {
-            await process(processRequest, detectorArgs, cancellationToken).ConfigureAwait(false);
+            // return early if we failed to get the pre-existing files and directories, since no need for cleanup
+            return;
         }
-        finally
+
+        // Ensure that only one cleanup process is running at a time, helping to prevent conflicts
+        await this.cleanupSemaphore.WaitAsync(cancellationToken).ConfigureAwait(false);
+
+        try
         {
-            // Ensure that only one cleanup process is running at a time, helping to prevent conflicts
-            await this.cleanupSemaphore.WaitAsync(cancellationToken).ConfigureAwait(false);
+            // Clean up any new files or directories created during the scan that match the clean up patterns.
+            var (postSuccess, latestFiles, latestDirs) = this.TryGetFilesAndDirectories(fileParentDirectory, this.CleanupPatterns, DefaultCleanDepth);
+            if (!postSuccess)
+            {
+                // return early if we failed to get the latest files and directories, since we will not be able
+                // to determine what to clean up
+                return;
+            }
 
-            try
+            var createdFiles = latestFiles.Except(preExistingFiles).ToList();
+            var createdDirs = latestDirs.Except(preExistingDirs).ToList();
+
+            foreach (var createdDir in createdDirs)
             {
-                // Clean up any new files or directories created during the scan that match the clean up patterns.
-                // If the cleanupCreatedFiles flag is set to false, this will be a dry run and will just log the files that it would clean.
-                var dryRun = !cleanupCreatedFiles;
-                var dryRunStr = dryRun ? "[DRYRUN] " : string.Empty;
-                var (latestFiles, latestDirs) = this.DirectoryUtilityService.GetFilesAndDirectories(fileParentDirectory, this.CleanupPatterns, DefaultCleanDepth);
-                var createdFiles = latestFiles.Except(preExistingFiles).ToList();
-                var createdDirs = latestDirs.Except(preExistingDirs).ToList();
-
-                foreach (var createdDir in createdDirs)
+                if (createdDir is null || !this.DirectoryUtilityService.Exists(createdDir))
                 {
-                    if (createdDir is null || !this.DirectoryUtilityService.Exists(createdDir))
-                    {
-                        continue;
-                    }
-
-                    try
-                    {
-                        this.Logger.LogDebug("{DryRun}Cleaning up directory {Dir}", dryRunStr, createdDir);
-                        if (!dryRun)
-                        {
-                            this.DirectoryUtilityService.Delete(createdDir, true);
-                        }
-                    }
-                    catch (Exception e)
-                    {
-                        this.Logger.LogDebug(e, "{DryRun}Failed to delete directory {Dir}", dryRunStr, createdDir);
-                    }
+                    continue;
                 }
 
-                foreach (var createdFile in createdFiles)
+                try
+                {
+                    this.Logger.LogDebug("Cleaning up directory {Dir}", createdDir);
+                    this.DirectoryUtilityService.Delete(createdDir, true);
+                }
+                catch (Exception e)
                 {
-                    if (createdFile is null || !this.FileUtilityService.Exists(createdFile))
-                    {
-                        continue;
-                    }
-
-                    try
-                    {
-                        this.Logger.LogDebug("{DryRun}Cleaning up file {File}", dryRunStr, createdFile);
-                        if (!dryRun)
-                        {
-                            this.FileUtilityService.Delete(createdFile);
-                        }
-                    }
-                    catch (Exception e)
-                    {
-                        this.Logger.LogDebug(e, "{DryRun}Failed to delete file {File}", dryRunStr, createdFile);
-                    }
+                    this.Logger.LogDebug(e, "Failed to delete directory {Dir}", createdDir);
                 }
             }
-            finally
+
+            foreach (var createdFile in createdFiles)
             {
-                _ = this.cleanupSemaphore.Release();
+                if (createdFile is null || !this.FileUtilityService.Exists(createdFile))
+                {
+                    continue;
+                }
+
+                try
+                {
+                    this.Logger.LogDebug("Cleaning up file {File}", createdFile);
+                    this.FileUtilityService.Delete(createdFile);
+                }
+                catch (Exception e)
+                {
+                    this.Logger.LogDebug(e, "Failed to delete file {File}", createdFile);
+                }
             }
         }
+        finally
+        {
+            _ = this.cleanupSemaphore.Release();
+        }
     }
 
     protected override async Task OnFileFoundAsync(ProcessRequest processRequest, IDictionary<string, string> detectorArgs, bool cleanupCreatedFiles, CancellationToken cancellationToken = default) =>
@@ -151,4 +151,19 @@ private bool TryGetCleanupFileDirectory(ProcessRequest processRequest, out strin
 
         return false;
     }
+
+    private (bool Success, HashSet<string> Files, HashSet<string> Directories) TryGetFilesAndDirectories(string root, IList<string> patterns, int depth)
+    {
+        try
+        {
+            var (files, directories) = this.DirectoryUtilityService.GetFilesAndDirectories(root, patterns, depth);
+            return (true, files, directories);
+        }
+        catch (UnauthorizedAccessException e)
+        {
+            // log and return false if we are unauthorized to get files and directories
+            this.Logger.LogDebug(e, "Unauthorized to get files and directories for {Root}", root);
+            return (false, new HashSet<string>(), new HashSet<string>());
+        }
+    }
 }

src/Microsoft.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.cs

@@ -7,6 +7,8 @@ namespace Microsoft.ComponentDetection.Detectors.NuGet;
 using System.IO;
 using System.Linq;
 using global::NuGet.Frameworks;
+using global::NuGet.Packaging.Core;
+using global::NuGet.ProjectModel;
 using global::NuGet.Versioning;
 
 /// <summary>
@@ -73,7 +75,7 @@ internal static void Register(params FrameworkPackages[] toRegister)
         }
     }
 
-    public static FrameworkPackages[] GetFrameworkPackages(NuGetFramework framework, string[] frameworkReferences)
+    public static FrameworkPackages[] GetFrameworkPackages(NuGetFramework framework, string[] frameworkReferences, LockFileTarget lockFileTarget)
     {
         var frameworkPackages = new List<FrameworkPackages>();
 
@@ -102,9 +104,64 @@ public static FrameworkPackages[] GetFrameworkPackages(NuGetFramework framework,
             }
         }
 
+        frameworkPackages.AddRange(GetLegacyFrameworkPackagesFromPlatformPackages(framework, lockFileTarget));
+
         return frameworkPackages.ToArray();
     }
 
+    private static IEnumerable<FrameworkPackages> GetLegacyFrameworkPackagesFromPlatformPackages(NuGetFramework framework, LockFileTarget lockFileTarget)
+    {
+        if (framework.Framework == FrameworkConstants.FrameworkIdentifiers.NetCoreApp && framework.Version.Major < 3)
+        {
+            // For .NETCore 1.x (all frameworks) and 2.x (ASP.NET Core) the $(MicrosoftNETPlatformLibrary) property specified the framework package of the project.
+            // This package and all its dependencies were excluded from copy to the output directory for framework deepndent apps.
+            // See https://github.com/dotnet/sdk/blob/b3d6acae421815e90c74ddb631e426290348651c/src/Tasks/Microsoft.NET.Build.Tasks/ResolvePackageAssets.cs#L1882-L1898
+            // We can't know from the assets file what the value of MicrosoftNETPlatformLibrary was, nor if an app was self-contained or not.
+            // To avoid false positives, and since these frameworks are no longer supported, we'll just assume that all platform packages are framework,
+            // and that the app is framework-dependent.
+            // This is consistent with the old behavior of the old NuGet Detector.
+            var lookup = lockFileTarget.Libraries.ToDictionary(l => l.Name, l => l, StringComparer.OrdinalIgnoreCase);
+            string[] platformPackageNames = [
+                FrameworkNames.NetCoreApp,           // Default platform package for .NET Core 1.x and 2.x    https://github.com/dotnet/sdk/blob/516dcf4a3bcf52ac3dce2452ea15ddd5cf057300/src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Sdk.targets#L519
+                FrameworkNames.AspNetCoreApp,        // ASP.NET platform package for .NET Core 2.x            https://github.com/dotnet/aspnetcore/blob/ac66280fe9024bdd686354e342fcdfb3409597f7/src/Microsoft.AspNetCore.App/build/netcoreapp2.1/Microsoft.AspNetCore.App.targets#L10
+                "Microsoft.AspNetCore.All",          // Alternate ASP.NET platform package for .NET Core 2.x  https://github.com/dotnet/aspnetcore/blob/ac66280fe9024bdd686354e342fcdfb3409597f7/src/Microsoft.AspNetCore.All/build/netcoreapp2.1/Microsoft.AspNetCore.All.targets#L10
+
+                // ASP.NET did not have platform package / shared framework for .NET Core 1.x - it was app-local only
+            ];
+
+            foreach (var platformPackageName in platformPackageNames)
+            {
+                if (lookup.TryGetValue(platformPackageName, out var platformLibrary))
+                {
+                    var frameworkPackagesFromPlatformPackage = new FrameworkPackages(framework, platformPackageName);
+
+                    frameworkPackagesFromPlatformPackage.Packages.Add(platformLibrary.Name, platformLibrary.Version);
+
+                    CollectDependencies(platformLibrary.Dependencies);
+
+                    yield return frameworkPackagesFromPlatformPackage;
+
+                    // recursively include dependencies, so long as they were not upgraded by some other reference
+                    void CollectDependencies(IEnumerable<PackageDependency> dependencies)
+                    {
+                        foreach (var dependency in dependencies)
+                        {
+                            if (lookup.TryGetValue(dependency.Id, out var library) &&
+                                library.Version.Equals(dependency.VersionRange.MinVersion))
+                            {
+                                // if this is the first time we add the package, add its dependencies as well
+                                if (frameworkPackagesFromPlatformPackage.Packages.TryAdd(library.Name, library.Version))
+                                {
+                                    CollectDependencies(library.Dependencies);
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
     private static FrameworkPackages LoadFrameworkPackagesFromPack(NuGetFramework framework, string frameworkName)
     {
         if (framework is null || framework.Framework != FrameworkConstants.FrameworkIdentifiers.NetCoreApp)