Sort target frameworks of NuGet lock files (!197) · Merge requests · GitLab.org / security-products / analyzers / gemnasium

Fabien Catteau requested to merge 328451-nuget-sort-target-frameworks into master Jun 07, 2021

What does this MR do?

Sort "targets" when processing NuGet lock files in order to get a deterministic list of dependencies.

When resolving dependencies and collecting dependencies, use a dependency map that maps a package name to the package version defined in the last target where this package has been seen.

The returned packages are unchanged.

NOTE: This is no more than a workaround and ideally Gemnasium would generate one dependency graph per NuGet target. This is out of scope though.

NOTE: Unfortunately there's no proper way to merge dependency graphs because a package with a given name and version can't be repeated in the returned packages.

What are the relevant issue numbers?

gitlab-org/gitlab#328451 (closed)

Does this MR meet the acceptance criteria?

Changelog entry added
~~Documentation created/updated for GitLab EE, if necessary~~
~~Documentation created/updated for this project, if necessary~~
~~Documentation reviewed by technical writer or follow-up review issue created~~
Tests added for this feature/bug
~~Job definition updated, if necessary~~
Conforms to the code review guidelines
Conforms to the Go guidelines
Security reports checked/validated by reviewer

Edited Jun 08, 2021 by Fabien Catteau

Sort target frameworks of NuGet lock files

What does this MR do?

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Merge request reports