c2546faf1e
* Add experimental NuGet detector for framework and dev dependencies This PR does 3 things. 1. Adds `TargetFramework` to NuGet package references. This can be useful when querying component data to understand if components are used in a place where a vulnerability applies. 2. Adds _framework package_ handling. The .NET SDK will do [conflict resolution](https://github.com/dotnet/sdk/tree/main/src/Tasks/Common/ConflictResolution) and drop assets from packages that overlap with the framework. NuGet is planning to do the same https://github.com/NuGet/Home/issues/7344 but until then, it's beneficial to have component detection duplicate some of this logic. When a package is identified as overlapping with the framework we'll treat it as a Development Dependency so that it might be auto-dismissed. - .NETFramework projects do not get this - .NETFramework does not participate in conflict resolution by default. Even when enabled framework assemblies can be bypassed using bindingRedirects, or avoiding references to them. Due this fragility it's not safe to apply framework package rules to .NETFramework. - packages.config usage is also excluded since it precludes SDK conflict resolution (and is also only used on .NETFramework projects). 3. Recognizes `ExcludeAssets="Runtime"` usage as a Development Dependencies, also any packages which don't contribute to "runtime" will be developement dependencies. I reused _Development Dependency_ rather than plumbing a new concept. I only mapped data for the `Microsoft.NETCore.App` - the default shared framework. We could consider doing the same for `Microsoft.ASPNETCore.App` and `Microsoft.WindowsDesktop.App` but we'd need to plumb the reference information out of the assets file - currently that's not read and I'm not aware of a supported NuGet API for reading it (though it is present under `project/frameworks/<framework>/frameworkReferences/<name>` .NET Core 1.x has no data since it was packages itself. I have a fallback for future frameworks to read the data from the targeting packs. * Address feedback |
||
|---|---|---|
| .. | ||
| Microsoft.ComponentDetection | ||
| Microsoft.ComponentDetection.Common | ||
| Microsoft.ComponentDetection.Contracts | ||
| Microsoft.ComponentDetection.Detectors | ||
| Microsoft.ComponentDetection.Orchestrator | ||
| Directory.Build.props | ||