fossa-cli icon indicating copy to clipboard operation
fossa-cli copied to clipboard

Published 20 hours ago verified publisher icon fossas

NuGet strategy consolidation

Open JeffreyHuynh1 opened this issue 6 months ago • 0 comments

Overview

All of the CLI’s nuget strategies run everytime fossa analyze is run. This causes duplicate information to be uploaded on almost every run. The worst part of this is that one of the strategies analyzes a lockfile with determined versions and the other analyzes a manifest with versions that may not be present in the final build.

From Nugets website

The project.json file maintains a list of packages used in a project, known as a package management format. It supersedes packages.config but is in turn superseded by PackageReference with NuGet 4.0+.

https://fossa.com/blog/managing-dependencies-net-csproj-packagesconfig/

Acceptance criteria

  • Nuget analysis strategies are not all run and utilize fallbacks to ensure that duplicate dependencies are not uploaded.

  • Implementation decisions here do not prevent https://fossa.atlassian.net/browse/ANE-702 from being implemented.

  • Consolidate analysis for project.assets.json and package reference files because they have the same entry point, .csproj files. The other strategies can remain the same and be ran independently.

Documentation is updated to display what the fallback order is.

Testing plan

  • Refactored existing test to work with the consolidation and it's working as it did previously.

Risks

[Question] - Was looking into writing an integration test to test the case where we have both .csproj files (triggers PackageReference strategy) and project.assets.json files, that way we can test out the consolidation changes in this pr. After looking at our integration tests, it looks like we test against open source repos , the issue with project.assets.json files is that they are not typically included in open source repos as they are generated automatically by the .NET SDK during the restore process. We also didn't have an existing integration test for the project.assets.json strategy either. I feel like we should still have a test for this but am unsure on the best way to go about it. Should I just clone a repo, generate a project.assets.json file and push those changes to a new repo so that we can test against for our tests?

Metrics

References

Checklist

  • [ ] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • [x] If this PR introduced a user-visible change, I added documentation into docs/.
  • [x] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • [x] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
  • [x] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • [x] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

JeffreyHuynh1 avatar Aug 21 '24 00:08 JeffreyHuynh1