
[pkg] implement NuGet ecosystem parser

Open shawnfunke opened this issue 2 years ago • 4 comments

Adds support to scan packages.lock.json files which are lock files for the NuGet ecosystem.

Closes #51

shawnfunke avatar Dec 22 '22 17:12 shawnfunke

Would you mind putting the "Closes #51" in the PR description? linking doesn't work with comments, and I can't edit PR descriptions :)

G-Rath avatar Dec 22 '22 19:12 G-Rath

Sure, done!

shawnfunke avatar Dec 22 '22 19:12 shawnfunke

Thank you for your PR. The current committers are on vacation and we will review it early next year and then release it as part of the next minor 1.0.x release.

inferno-chromium avatar Dec 23 '22 04:12 inferno-chromium

/gcbrun

oliverchang avatar Jan 04 '23 23:01 oliverchang

/gcbrun

oliverchang avatar Jan 05 '23 05:01 oliverchang

@oliverchang I thought about the version verification as well already, for now I've added a check to ensure it's version 1. This isn't optimal since the error the user sees now is: Attempted to scan lockfile but failed: /Users/shawnfunke/tmp/nuget/packages.lock.json, it doesn't tell the user that the lock file version is unsupported.

Also, there should probably be dedicated utilities for the parsers, since right now the NuGet and Go parsers make use of the pkgDetailsMapToSlice function, which is located in the NPM parser file.

shawnfunke avatar Jan 05 '23 12:01 shawnfunke
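The shape of a version 1 packages.lock.json and the explicit "unsupported lockfile version" error discussed above, as an added stand-alone example in Go (not the PR's code and not osv-scanner's own parser API): the PackageDetails type, the ParseNuGetLockReader function, the ErrUnsupportedNuGetLockfileVersion sentinel and the embedded sample lockfile are all hypothetical, constructed here for illustration. The version check fails with a sentinel error that callers can test with errors.Is, so the user is told that the version is unsupported rather than only that the scan failed; the map-to-slice step that the comment above says lives in the NPM parser is inlined here so the block runs on its own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// NuGetLockfileDependency mirrors one entry under "dependencies" in
// packages.lock.json. "type" is Direct, Transitive or Project; Project
// entries carry no "resolved" version.
type NuGetLockfileDependency struct {
	Type     string `json:"type"`
	Resolved string `json:"resolved"`
}

// NuGetLockfile is the top-level shape: a format version plus one
// dependency map per target framework (for example "net6.0" and
// "net6.0/win-x64").
type NuGetLockfile struct {
	Version      int                                           `json:"version"`
	Dependencies map[string]map[string]NuGetLockfileDependency `json:"dependencies"`
}

// PackageDetails is a hypothetical output record for this example; it is
// not osv-scanner's own type.
type PackageDetails struct {
	Name      string
	Version   string
	Ecosystem string
}

// supportedNuGetLockfileVersion is the only format version this parser
// understands; anything else is rejected with a descriptive error.
const supportedNuGetLockfileVersion = 1

// ErrUnsupportedNuGetLockfileVersion is a sentinel so callers can detect
// the version mismatch with errors.Is instead of string matching.
var ErrUnsupportedNuGetLockfileVersion = errors.New("unsupported packages.lock.json version")

// ParseNuGetLockReader decodes a packages.lock.json stream and returns the
// resolved packages, de-duplicated across target frameworks and sorted so
// the output is deterministic.
func ParseNuGetLockReader(r io.Reader) ([]PackageDetails, error) {
	var lock NuGetLockfile
	if err := json.NewDecoder(r).Decode(&lock); err != nil {
		return nil, fmt.Errorf("could not parse packages.lock.json: %w", err)
	}
	if lock.Version != supportedNuGetLockfileVersion {
		return nil, fmt.Errorf("%w: file declares version %d, only version %d is supported",
			ErrUnsupportedNuGetLockfileVersion, lock.Version, supportedNuGetLockfileVersion)
	}
	// NuGet package IDs are case-insensitive, so the dedupe key is lowercased.
	seen := map[string]PackageDetails{}
	for _, deps := range lock.Dependencies {
		for name, dep := range deps {
			if dep.Resolved == "" {
				continue // Project references have no resolved version to scan
			}
			key := strings.ToLower(name) + "@" + dep.Resolved
			if _, ok := seen[key]; !ok {
				seen[key] = PackageDetails{Name: name, Version: dep.Resolved, Ecosystem: "NuGet"}
			}
		}
	}
	out := make([]PackageDetails, 0, len(seen))
	for _, p := range seen {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Name != out[j].Name {
			return out[i].Name < out[j].Name
		}
		return out[i].Version < out[j].Version
	})
	return out, nil
}

// sampleNuGetLock is a constructed version 1 lockfile: one direct, one
// transitive and one project reference, with the direct package repeated
// under a runtime-specific framework entry.
const sampleNuGetLock = `{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )", "resolved": "13.0.1", "contentHash": "x"},
      "System.Text.Json": {"type": "Transitive", "resolved": "6.0.0", "contentHash": "y"},
      "MyLib": {"type": "Project"}
    },
    "net6.0/win-x64": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )", "resolved": "13.0.1", "contentHash": "x"}
    }
  }
}`

func main() {
	// Usage: go run . [path/to/packages.lock.json]; without a path the
	// embedded sample is parsed.
	var r io.Reader = strings.NewReader(sampleNuGetLock)
	if len(os.Args) > 1 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		r = f
	}
	pkgs, err := ParseNuGetLockReader(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Attempted to scan lockfile but failed:", err)
		os.Exit(1)
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s (%s)\n", p.Name, p.Version, p.Ecosystem)
	}
}
```

With the sample input the parser yields Newtonsoft.Json 13.0.1 and System.Text.Json 6.0.0 once each; feeding it a file that declares "version": 2 produces an error whose text names both the declared and the supported version.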

/gcbrun

oliverchang avatar Jan 05 '23 22:01 oliverchang