Skip unsupported types when parsing Nuget lock files
What does this MR do?
Skip unsupported types when parsing Nuget lock files.
Packages that are direct or transitive dependencies of a `Project` node are still reported. However, the parser doesn't report direct dependencies of `Project` nodes as such. As a result, `convert` can't find the dependency path to dependencies connected to `Project` nodes, and they appear as `direct`.
packages.lock.json
{
"version": 1,
"dependencies": {
"net6.0": {
"Swashbuckle.AspNetCore": {
"type": "Direct",
"requested": "[6.2.3, )",
"resolved": "6.2.3",
"contentHash": "cnzQDn0Le+hInsw2SYwlOhOCPXpYi/szcvnyqZJ12v+QyrLBwAmWXBg6RIyHB18s/mLeywC+Rg2O9ndz0IUNYQ==",
"dependencies": {
"Microsoft.Extensions.ApiDescription.Server": "3.0.0",
"Swashbuckle.AspNetCore.Swagger": "6.2.3",
"Swashbuckle.AspNetCore.SwaggerGen": "6.2.3",
"Swashbuckle.AspNetCore.SwaggerUI": "6.2.3"
}
},
"Microsoft.Extensions.ApiDescription.Server": {
"type": "Transitive",
"resolved": "3.0.0",
"contentHash": "LH4OE/76F6sOCslif7+Xh3fS/wUUrE5ryeXAMcoCnuwOQGT5Smw0p57IgDh/pHgHaGz/e+AmEQb7pRgb++wt0w=="
},
"Microsoft.NETCore.Platforms": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "VyPlqzH2wavqquTcYpkIIAQ6WdenuKoFN0BdYBbCWsclXacSOHNQn66Gt4z5NBqEYW0FAPm5rlvki9ZiCij5xQ=="
},
"Microsoft.OpenApi": {
"type": "Transitive",
"resolved": "1.2.3",
"contentHash": "Nug3rO+7Kl5/SBAadzSMAVgqDlfGjJZ0GenQrLywJ84XGKO0uRqkunz5Wyl0SDwcR71bAATXvSdbdzPrYRYKGw=="
},
"Microsoft.Win32.Registry": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "dDoKi0PnDz31yAyETfRntsLArTlVAVzUzCIvvEDsDsucrl33Dl8pIJG06ePTJTI3tGpeyHS9Cq7Foc/s4EeKcg==",
"dependencies": {
"System.Security.AccessControl": "5.0.0",
"System.Security.Principal.Windows": "5.0.0"
}
},
"Microsoft.Win32.SystemEvents": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "Bh6blKG8VAKvXiLe2L+sEsn62nc1Ij34MrNxepD2OCrS5cpCwQa9MeLyhVQPQ/R4Wlzwuy6wMK8hLb11QPDRsQ==",
"dependencies": {
"Microsoft.NETCore.Platforms": "5.0.0"
}
},
"Pipelines.Sockets.Unofficial": {
"type": "Transitive",
"resolved": "2.2.0",
"contentHash": "7hzHplEIVOGBl5zOQZGX/DiJDHjq+RVRVrYgDiqXb6RriqWAdacXxp+XO9WSrATCEXyNOUOQg9aqQArsjase/A==",
"dependencies": {
"Microsoft.ChakraCore": "1.11.18"
}
},
"StackExchange.Redis": {
"type": "Transitive",
"resolved": "2.2.88",
"contentHash": "JJi1jcO3/ZiamBhlsC/TR8aZmYf+nqpGzMi0HRRCy5wJkUPmMnRp0kBA6V84uhU8b531FHSdTDaFCAyCUJomjA==",
"dependencies": {
"Pipelines.Sockets.Unofficial": "2.2.0",
"System.Diagnostics.PerformanceCounter": "5.0.0"
}
},
"Swashbuckle.AspNetCore.Swagger": {
"type": "Transitive",
"resolved": "6.2.3",
"contentHash": "qOF7j1sL0bWm8g/qqHVPCvkO3JlVvUIB8WfC98kSh6BT5y5DAnBNctfac7XR5EZf+eD7/WasvANncTqwZYfmWQ==",
"dependencies": {
"Microsoft.OpenApi": "1.2.3"
}
},
"Swashbuckle.AspNetCore.SwaggerGen": {
"type": "Transitive",
"resolved": "6.2.3",
"contentHash": "+Xq7WdMCCfcXlnbLJVFNgY8ITdP2TRYIlpbt6IKzDw5FwFxdi9lBfNDtcT+/wkKwX70iBBFmXldnnd02/VO72A==",
"dependencies": {
"Swashbuckle.AspNetCore.Swagger": "6.2.3"
}
},
"Swashbuckle.AspNetCore.SwaggerUI": {
"type": "Transitive",
"resolved": "6.2.3",
"contentHash": "bCRI87uKJVb4G+KURWm8LQrL64St04dEFZcF6gIM67Zc0Sr/N47EO83ybLMYOvfNdO1DCv8xwPcrz9J/VEhQ5g=="
},
"System.Configuration.ConfigurationManager": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "aM7cbfEfVNlEEOj3DsZP+2g9NRwbkyiAv2isQEzw7pnkDg9ekCU2m1cdJLM02Uq691OaCS91tooaxcEn8d0q5w==",
"dependencies": {
"System.Security.Cryptography.ProtectedData": "5.0.0",
"System.Security.Permissions": "5.0.0"
}
},
"System.Diagnostics.PerformanceCounter": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "kcQWWtGVC3MWMNXdMDWfrmIlFZZ2OdoeT6pSNVRtk9+Sa7jwdPiMlNwb0ZQcS7NRlT92pCfmjRtkSWUW3RAKwg==",
"dependencies": {
"Microsoft.NETCore.Platforms": "5.0.0",
"Microsoft.Win32.Registry": "5.0.0",
"System.Configuration.ConfigurationManager": "5.0.0",
"System.Security.Principal.Windows": "5.0.0"
}
},
"System.Drawing.Common": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "SztFwAnpfKC8+sEKXAFxCBWhKQaEd97EiOL7oZJZP56zbqnLpmxACWA8aGseaUExciuEAUuR9dY8f7HkTRAdnw==",
"dependencies": {
"Microsoft.Win32.SystemEvents": "5.0.0"
}
},
"Microsoft.ChakraCore": {
"type": "Transitive",
"resolved": "1.11.18",
"contentHash": "irMYm3vhVgRsYvHTU5b2gsT2CwT/SMM6LZFzuJjpIvT5Z4CshxNsaoBC1X/LltwuR3Opp8d6jOS/60WwOb7Q2Q=="
},
"System.Security.AccessControl": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "dagJ1mHZO3Ani8GH0PHpPEe/oYO+rVdbQjvjJkBRNQkX4t0r1iaeGn8+/ybkSLEan3/slM0t59SVdHzuHf2jmw==",
"dependencies": {
"Microsoft.NETCore.Platforms": "5.0.0",
"System.Security.Principal.Windows": "5.0.0"
}
},
"System.Security.Cryptography.ProtectedData": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "HGxMSAFAPLNoxBvSfW08vHde0F9uh7BjASwu6JF9JnXuEPhCY3YUqURn0+bQV/4UWeaqymmrHWV+Aw9riQCtCA=="
},
"System.Security.Permissions": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "uE8juAhEkp7KDBCdjDIE3H9R1HJuEHqeqX8nLX9gmYKWwsqk3T5qZlPx8qle5DPKimC/Fy3AFTdV7HamgCh9qQ==",
"dependencies": {
"System.Security.AccessControl": "5.0.0",
"System.Windows.Extensions": "5.0.0"
}
},
"System.Security.Principal.Windows": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "t0MGLukB5WAVU9bO3MGzvlGnyJPgUlcwerXn1kzBRjwLKixT96XV0Uza41W49gVd8zEMFu9vQEFlv0IOrytICA=="
},
"System.Windows.Extensions": {
"type": "Transitive",
"resolved": "5.0.0",
"contentHash": "c1ho9WU9ZxMZawML+ssPKZfdnrg/OjR3pe0m9v8230z3acqphwvPJqzAkH54xRYm5ntZHGG1EPP3sux9H3qSPg==",
"dependencies": {
"System.Drawing.Common": "5.0.0"
}
},
"veryprivatelib": {
"type": "Project",
"dependencies": {
"StackExchange.Redis": "2.2.88"
}
}
}
}
}
Dependency Scanning report (excerpt)
{
"version": "14.0.4",
"vulnerabilities": [
{
"id": "d04a423f3bdaa43afbe109582761a8bff3f73fd330c4d91f204a7f08d38f122c",
"category": "dependency_scanning",
"name": "Memory Corruption",
"message": "Memory Corruption in Microsoft.ChakraCore",
"description": "A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory, aka 'Microsoft Browser Memory Corruption Vulnerability'.",
"cve": "packages.lock.json:Microsoft.ChakraCore:gemnasium:03142d6a-d868-4db7-b613-ff911c74dc67",
"severity": "High",
"solution": "Upgrade to version 1.11.22 or above.",
"scanner": {
"id": "gemnasium",
"name": "Gemnasium"
},
"location": {
"file": "packages.lock.json",
"dependency": {
"iid": 16,
"package": {
"name": "Microsoft.ChakraCore"
},
"version": "1.11.18"
}
},
}
],
"dependency_files": [
{
"path": "packages.lock.json",
"package_manager": "nuget",
"dependencies": [
{
"iid": 16,
"direct": true,
"package": {
"name": "Microsoft.ChakraCore"
},
"version": "1.11.18"
},
{
"iid": 14,
"package": {
"name": "Microsoft.Extensions.ApiDescription.Server"
},
"version": "3.0.0"
},
{
"iid": 18,
"package": {
"name": "Microsoft.NETCore.Platforms"
},
"version": "5.0.0"
},
{
"iid": 6,
"package": {
"name": "Microsoft.OpenApi"
},
"version": "1.2.3"
},
{
"iid": 9,
"package": {
"name": "Microsoft.Win32.Registry"
},
"version": "5.0.0"
},
{
"iid": 10,
"package": {
"name": "Microsoft.Win32.SystemEvents"
},
"version": "5.0.0"
},
{
"iid": 7,
"package": {
"name": "Pipelines.Sockets.Unofficial"
},
"version": "2.2.0"
},
{
"iid": 8,
"package": {
"name": "StackExchange.Redis"
},
"version": "2.2.88"
},
{
"iid": 13,
"package": {
"name": "Swashbuckle.AspNetCore"
},
"version": "6.2.3"
},
{
"iid": 19,
"package": {
"name": "Swashbuckle.AspNetCore.Swagger"
},
"version": "6.2.3"
},
{
"iid": 15,
"package": {
"name": "Swashbuckle.AspNetCore.SwaggerGen"
},
"version": "6.2.3"
},
{
"iid": 1,
"package": {
"name": "Swashbuckle.AspNetCore.SwaggerUI"
},
"version": "6.2.3"
},
{
"iid": 2,
"package": {
"name": "System.Configuration.ConfigurationManager"
},
"version": "5.0.0"
},
{
"iid": 20,
"package": {
"name": "System.Diagnostics.PerformanceCounter"
},
"version": "5.0.0"
},
{
"iid": 12,
"package": {
"name": "System.Drawing.Common"
},
"version": "5.0.0"
},
{
"iid": 17,
"package": {
"name": "System.Security.AccessControl"
},
"version": "5.0.0"
},
{
"iid": 3,
"package": {
"name": "System.Security.Cryptography.ProtectedData"
},
"version": "5.0.0"
},
{
"iid": 11,
"package": {
"name": "System.Security.Permissions"
},
"version": "5.0.0"
},
{
"iid": 4,
"package": {
"name": "System.Security.Principal.Windows"
},
"version": "5.0.0"
},
{
"iid": 5,
"package": {
"name": "System.Windows.Extensions"
},
"version": "5.0.0"
}
]
}
]
}
Direct
nodes are still reported as such. convert
accurately reports the dependency path to Transient
dependency connected to Direct
node; there's no regression.
What are the relevant issue numbers?
gitlab-org/gitlab#345144 (closed)
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer