c3a281fc34
Update dotnet monorepo
2024-11-01 22:09:35 +00:00
c2546faf1e
Add experimental NuGet detector for framework and dev dependencies ( #1285 )
...
* Add experimental NuGet detector for framework and dev dependencies
This PR does 3 things.
1. Adds `TargetFramework` to NuGet package references. This can be useful when querying component data to understand if components are used in a place where a vulnerability applies.
2. Adds _framework package_ handling. The .NET SDK will do [conflict resolution](https://github.com/dotnet/sdk/tree/main/src/Tasks/Common/ConflictResolution ) and drop assets from packages that overlap with the framework. NuGet is planning to do the same https://github.com/NuGet/Home/issues/7344 but until then, it's beneficial to have component detection duplicate some of this logic. When a package is identified as overlapping with the framework we'll treat it as a Development Dependency so that it might be auto-dismissed.
- .NETFramework projects do not get this - .NETFramework does not participate in conflict resolution by default. Even when enabled framework assemblies can be bypassed using bindingRedirects, or avoiding references to them. Due this fragility it's not safe to apply framework package rules to .NETFramework.
- packages.config usage is also excluded since it precludes SDK conflict resolution (and is also only used on .NETFramework projects).
3. Recognizes `ExcludeAssets="Runtime"` usage as a Development Dependencies, also any packages which don't contribute to "runtime" will be developement dependencies.
I reused _Development Dependency_ rather than plumbing a new concept.
I only mapped data for the `Microsoft.NETCore.App` - the default shared framework. We could consider doing the same for `Microsoft.ASPNETCore.App` and `Microsoft.WindowsDesktop.App` but we'd need to plumb the reference information out of the assets file - currently that's not read and I'm not aware of a supported NuGet API for reading it (though it is present under `project/frameworks/<framework>/frameworkReferences/<name>`
.NET Core 1.x has no data since it was packages itself. I have a fallback for future frameworks to read the data from the targeting packs.
* Address feedback
2024-10-31 11:52:23 -07:00
a0e15204f2
Update nuget known limitations ( #1295 )
...
Previous limitations was written before new nuget detector was rolled out. This clarifies some of the points and removes the indication that the new detector hasn't rolled out yet.
2024-10-31 11:29:37 -04:00
4e42112c9d
Add python to snapshot publish action ( #1293 )
2024-10-28 22:59:08 +00:00
179e5c0818
Update dependency FluentAssertions to 6.12.1 ( #1288 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-28 15:24:50 -07:00
d105d099a6
Pin actions/setup-python action to 0b93645 ( #1287 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-28 15:24:27 -07:00
682ffe161c
Update actions/setup-dotnet action to v4.1.0 ( #1289 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-28 15:23:52 -07:00
5e2687061a
Update mstest monorepo to 3.6.1 ( #1292 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-28 15:23:38 -07:00
31c53a7a9f
Update dependency Valleysoft.DockerfileModel to 1.2.0 ( #1291 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-10-28 15:23:08 -07:00
d282a23a8e
Update dependency Serilog.Sinks.Async to v2 ( #1165 )
...
* Update dependency Serilog.Sinks.Async to v2
* Update Serilog version to resolve build issue
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Fernando Rojo <ferojo@microsoft.com>
2024-10-28 13:52:13 -07:00
c586aa8c86
Bump ossf/scorecard-action from 2.3.3 to 2.4.0 ( #1211 )
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.3.3 to 2.4.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](dc50aa9510...62b2cac7ed
2024-10-28 12:15:29 -07:00
b055b623df
Bump cryptography ( #1242 )
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 42.0.4 to 43.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.4...43.0.1 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-28 12:15:09 -07:00
7261dda023
Bump express ( #1247 )
...
Bumps [express](https://github.com/expressjs/express ) from 4.17.2 to 4.20.0.
- [Release notes](https://github.com/expressjs/express/releases )
- [Changelog](https://github.com/expressjs/express/blob/master/History.md )
- [Commits](https://github.com/expressjs/express/compare/4.17.2...4.20.0 )
---
updated-dependencies:
- dependency-name: express
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-28 12:13:56 -07:00
c6a618a315
Bump codecov/codecov-action from 4.5.0 to 4.6.0 ( #1274 )
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action ) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/codecov/codecov-action/releases )
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md )
- [Commits](e28ff129e5...b9fd7d16f6
2024-10-28 12:13:34 -07:00
2eef840a6f
Bump shogo82148/actions-upload-release-asset from 1.7.5 to 1.7.8 ( #1280 )
...
Bumps [shogo82148/actions-upload-release-asset](https://github.com/shogo82148/actions-upload-release-asset ) from 1.7.5 to 1.7.8.
- [Release notes](https://github.com/shogo82148/actions-upload-release-asset/releases )
- [Commits](8f032eff02...8482bd7696
2024-10-28 12:13:07 -07:00
abc7f015b9
Bump github/codeql-action from 3.25.12 to 3.27.0 ( #1281 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.12 to 3.27.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4fa2a79536...662472033e
2024-10-28 12:12:40 -07:00
96957b667f
Bump actions/checkout from 4.2.1 to 4.2.2 ( #1282 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](eef61447b9...11bd71901b
2024-10-28 12:11:54 -07:00
402a932bc4
Bump Caching.Memory nupkg to fix Security alerts ( #1279 )
...
* Bump Caching.Memory nupkg to fix Security alerts
2024-10-17 22:38:09 -07:00
ae287518d4
Handle Go Replace Exceptions ( #1273 )
...
* handle version exceptions
* adding log warning
* adding module names
---------
Co-authored-by: Amitla Vannikumar <avannikumar@microsoft.com>
2024-10-14 15:40:48 -07:00
96cc922b48
Bump actions/checkout from 4.1.7 to 4.2.1 ( #1265 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.7 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](692973e3d9...eef61447b9
2024-10-14 12:40:57 -07:00
f47dbc0fb3
Bump actions/upload-artifact from 4.3.4 to 4.4.3 ( #1270 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.4 to 4.4.3.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](0b2256b8c0...b4b15b8c7c
2024-10-14 12:22:22 -07:00
319c39f739
Add Go Telemetry ( #1269 )
...
* add go telemetry exception message
* bumping text json version
---------
Co-authored-by: Amitla Vannikumar <avannikumar@microsoft.com>
2024-10-10 17:42:32 +00:00
950576a2ec
Move Go Replace Detector to Prod ( #1272 )
...
* move goreplace from experiments to prod
* json version
* go replace detector
* require string
---------
Co-authored-by: Amitla Vannikumar <avannikumar@microsoft.com>
2024-10-10 10:18:53 -07:00
ed4488a297
Add support for cleaning up files created by tool ( #1259 )
...
* add feature that removes some python files that are created during pip install report dry run
* move to more central file detector
* add tests and fix bugs
* remove extra dir
* fix dotnet 8 styling
* semaphore to only run a single cleanup process at a time for a given detector
* add test
* add test
* refactor to abstract file and directory operations out to allow for unit tests with a mocked file system
* break out the cleanup changes to its own abstract class
* pr feedback
* rename vars and fix tests
* torevert: quick console log for test
* revert log and add file to source control
* os agnostic test file paths
* update snapshot verify, and bump report version
* add python to verification pipeline
* adding back setup file
2024-10-03 16:49:36 -04:00
15c96f4776
Add ARM64 Runtimes ( #1255 )
...
* Add arm64 RIDs
* Simplify release YAML
* Update release.yml
* Update Microsoft.ComponentDetection.csproj
2024-10-01 09:09:11 -07:00
79ff9edf32
Adding Support for Relative Paths Go Replace Detector ( #1254 )
...
* adding go tests
* upgrade version
* unused using statement
* nit changes
* nit
* make tests more generic
* simplifying conditional statements
* simplifying
---------
Co-authored-by: Amitla Vannikumar <avannikumar@microsoft.com>
2024-09-30 15:55:47 -07:00
809f458c4a
Update Component Detection to .NET v8 ( #1249 )
...
* Initial NET 8 changes
* Resolve formatting errors, fix tests
* Fix debug log condition
* Rollback SDK version
* Update csproj refs
* Fix integration test build failures
* Potential test fix
* Set up .NET 6
* Update test csproj
2024-09-27 13:41:06 -07:00
836085312c
Add additional removal indicator ( #1245 )
...
* add additional removal indicator
* remove param
* pr feedback
2024-09-19 13:53:19 -04:00
7528c8f4fd
Revert non-PR .NET 8 commits
2024-09-16 09:27:20 -07:00
48299d735d
Fix debug log condition
2024-09-16 09:23:32 -07:00
bb9945e5ac
Resolve formatting errors, fix tests
2024-09-16 09:20:15 -07:00
7bb2afae00
Initial NET 8 changes
2024-09-10 12:57:23 -07:00
1d1e13bfa7
update packages to fix pack ( #1234 )
2024-08-23 15:27:44 -04:00
9297f055e6
Pauldorsch/fix invalid version bug ( #1232 )
...
* catch exceptions thrown from manual dependency scanning
* handle argument exceptions thrown, skipping those packages
* whitespace
* pr feedback
2024-08-22 10:07:36 -04:00
2dcd512bfa
Use MSTest meta package ( #1215 )
...
* Use MSTest meta package
This enables running MSTest Analyzers on test code to help avoid common test problems.
* Fix code coverage
* Fixes
Upgrade to latest and fix unnecessary type param
* Fix tests
* PR feedback
* Fix CC
2024-08-22 08:03:39 -04:00
00edc78bf5
Pauldorsch/pipreport version fix ( #1229 )
...
* check for valid python versions before adding to the dependency graph
* bump version
* compiled regex
2024-08-19 12:49:12 -04:00
edf0c8dc6e
Fix bug where pipreport used index-urls from requirements.txt ( #1227 )
...
* fix bug where pipreport used index urls in requirements.txt
* update tests
* docs
* add --no-input to pip install, so we do not hang waiting for user input
* pr feedback: performance and cleanup
* bump version
2024-08-19 14:28:52 +00:00
f27fe8e98e
Add support to persist pip reports ( #1224 )
...
* add support to persist pip report
* pr feedback
2024-08-12 21:22:00 +00:00
924c4ea498
Pauldorsch/fix support python m pip (unit tests) ( #1223 )
...
* add support for python -m pip
* update pip command service to accept python exe
* swap so we use pip as default
* fixing remote build
* fix tests
* add unit tests
2024-08-08 17:06:32 -04:00
84e9308790
Pauldorsch/fix support python m pip ( #1222 )
...
* add support for python -m pip
* update pip command service to accept python exe
* swap so we use pip as default
* fixing remote build
* fix tests
2024-08-08 16:30:12 -04:00
3d161b08b2
graduate pipreport ( #1219 )
2024-08-06 16:44:26 -04:00
80146ce1b9
Add logs to MvnCLI and use dictionaries to improve perf on large repos ( #1213 )
...
* Add logs to MvnCLI and use dictionaries to improve perf on large repos
* Add cancellation token to MvnCLI command
2024-07-30 15:56:59 -07:00
80cff26bd7
Fix security alert ( #1208 )
...
* Fix security alert
2024-07-22 09:01:08 -07:00
f0f16b4643
remove azure artifacts publish step ( #1206 )
2024-07-19 19:56:55 -04:00
f4d84a84e8
Pauldorsch/bugfix invalid pipreport files ( #1205 )
...
* ignore pregenerated pipreports that don't cover the correct set of dependencies
* add validation to the pre-generated pipreport to prevent underdetection for overridden reports
* dispose of telemetry object
* move re-used code to a common utility method
2024-07-19 16:09:52 -04:00
13744eeec1
Promote VCPKG detector to enabled by default ( #1203 )
2024-07-17 10:50:26 -07:00
024e2a57ce
PipReport back to experimental, add pre-generated PipReport parsing ( #1201 )
...
* revert experiment graduation, bump threads, and enable fast deps
* put reqs back
* add ability for pip to detect pregenerated reports with a specific naming scheme
* better directory handling
* improve logging
2024-07-16 15:49:35 -04:00
dd3f531747
Bump github/codeql-action from 3.25.11 to 3.25.12 ( #1202 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.11 to 3.25.12.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b611370bb5...4fa2a79536
2024-07-16 09:31:43 -07:00
3f18b478eb
Bump actions/setup-dotnet from 4.0.0 to 4.0.1 ( #1197 )
...
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet ) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/actions/setup-dotnet/releases )
- [Commits](4d6c8fcf3c...6bd8b7f777
2024-07-16 09:31:18 -07:00
99e6d43884
Create vcpkg.md ( #1195 )
...
* Create vcpkg.md
---------
Co-authored-by: Greg Villicana <58237075+grvillic@users.noreply.github.com>
2024-07-15 16:29:15 -07:00
renovate[bot]
Eric StJohn
Paul Dorsch
Fernando Rojo
dependabot[bot]
Greg Villicana
Amitla Vannikumar
Coby Allred
cobya
stan-sz
Robert Schumacher