Transitive NuGet dependencies are listed as root nodes in dependency graph
Describe the bug
When analyzing the dependencies of a NuGet project, the dependency_graph of the result specifies all dependencies as a root node of the graph, regardless of whether they are direct or transitive. This makes it impossible to identify which dependencies are actually direct dependencies of the project (to my knowledge).
For instance, I tested with the following .csproj file:
```xml
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
    <RootNamespace>nuget_transitive_dependencies</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.4" />
    <PackageReference Include="Azure.Storage.Blobs" Version="12.19.1" />
    <PackageReference Include="Serilog" Version="3.1.1" />
    <PackageReference Include="KubernetesClient" Version="14.0.2" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
    <PackageReference Include="Azure.Identity" Version="1.11.3" />
  </ItemGroup>
</Project>
```
The `dependency_graph` should only have the six dependencies specified in the file as root nodes, but transitive dependencies are also listed as such: analyzer-result.yaml.txt (file ending changed because GitHub does not allow uploading YAML).
I also attempted using the nuget-inspector directly and produced the following result: nuget-inspector-result.json. From my understanding, it does not provide any information on the graph structure of the dependencies.
I understand that #3825 clearly states that the nuget package manager plugin does not yet support the dependency graph format. Is the behaviour described above expected due to this or should the root nodes be listed correctly? I tried to dig into the ORT source code but failed to identify where the root nodes are defined.
To Reproduce
- Create a `.csproj` file with the content listed above.
- Perform the analysis with the ORT.
- Transitive dependencies are listed as root nodes of the `dependency_graph`.
Expected behavior
Only direct dependencies are specified as root nodes of the dependency graphs so that I can clearly identify them.
Console / log output
The ORT produces the following console output:
```text
$ docker run --rm -v /nuget-transitive-dependencies/:/repo/ ghcr.io/oss-review-toolkit/ort:60.0.0-086.sha.06c5ec2 analyze --input-dir /repo/ --output-dir /repo/
Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
 ______________________________
/ \_______ \__ ___/ The OSS Review Toolkit, version 60.0.0-086.sha.
| | | | _/ | | built with JDK 21.0.7+6-LTS, running under Java
| | | | | \ | | Executing 'analyze' as 'ort' on Linux
\________/ |____|___/ |____| with 8 CPUs and a maximum of 1954 MiB of memory
Environment variables:
HOME = /home/ort
JAVA_HOME = /opt/java/openjdk
ANDROID_HOME = /opt/android-sdk
Looking for ORT configuration in the following file:
/home/ort/.ort/config/config.yml (does not exist)
Looking for analyzer-specific configuration in the following files and directories:
/repo/.ort.yml (does not exist)
/home/ort/.ort/config/resolutions.yml (does not exist)
The following 26 package manager(s) are enabled:
Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, Gradle Inspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, Swift Package Manager, Tycho, Unmanaged, Yarn, Yarn 2+
The following 2 package curation provider(s) are enabled:
DefaultDir, DefaultFile
Analyzing project path:
/repo
Found 1 NuGet definition file(s) at:
nuget-transitive-dependencies.csproj
Found in total 1 definition file(s) from the following 1 package manager(s):
NuGet
Wrote analyzer result to '/repo/analyzer-result.yml' (0.05 MiB) in 576.098836ms.
The analysis took 18.672765012s.
Found 1 project(s) and 38 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 0 of 2 provider(s).
Resolved issues: 0 errors, 0 warnings, 0 hints.
Unresolved issues: 0 errors, 0 warnings, 0 hints.
```
The nuget-inspector produces the following console output:
$ nuget-inspector --with-details --verbose --project-file nuget-transitive-dependencies.csproj --json nuget-inspector-result.json
nuget-inspector options:
--project-file nuget-transitive-dependencies.csproj
--json nuget-inspector-result.json
--verbose
--with-details
Effective project framework: net9.0
PopulateResources: Loaded 1 package sources from nuget.config
AddSourceRepo: adding new https://api.nuget.org/v3/index.json
ProjectScanner: Using filename as project name: nuget-transitive-dependencies
No project version found
Running scan of: nuget-transitive-dependencies.csproj with fallback: False
Using project file: nuget-transitive-dependencies.csproj
ProjectFileProcessor.ResolveUsingLib: starting resolution
ProjectFileProcessor.GetPackageReferences: ProjectPath nuget-transitive-dependencies.csproj
Add Direct dependency from PackageReference: id: Microsoft.AspNetCore.OpenApi version_range: [9.0.4, )
Add Direct dependency from PackageReference: id: Azure.Storage.Blobs version_range: [12.19.1, )
Add Direct dependency from PackageReference: id: Serilog version_range: [3.1.1, )
Add Direct dependency from PackageReference: id: KubernetesClient version_range: [14.0.2, )
Add Direct dependency from PackageReference: id: Newtonsoft.Json version_range: [12.0.3, )
Add Direct dependency from PackageReference: id: Azure.Identity version_range: [1.11.3, )
Found #6 references
RestoreTargetGraph
package/Azure.Core 1.38.0
package/[email protected] (>= 1.1.1) autoref: False
package/[email protected] (>= 1.0.0) autoref: False
package/System.Diagnostics.DiagnosticSource@System.Diagnostics.DiagnosticSource (>= 6.0.1) autoref: False
package/[email protected] (>= 1.0.2) autoref: False
package/[email protected] (>= 4.5.0) autoref: False
package/[email protected] (>= 4.7.2) autoref: False
package/[email protected] (>= 4.7.2) autoref: False
package/System.Threading.Tasks.Extensions@System.Threading.Tasks.Extensions (>= 4.5.4) autoref: False
package/Azure.Identity 1.11.3
package/[email protected] (>= 1.38.0) autoref: False
package/[email protected] (>= 4.60.3) autoref: False
package/Microsoft.Identity.Client.Extensions.Msal@Microsoft.Identity.Client.Extensions.Msal (>= 4.60.3) autoref: False
package/[email protected] (>= 4.5.4) autoref: False
package/System.Security.Cryptography.ProtectedData@System.Security.Cryptography.ProtectedData (>= 4.7.0) autoref: False
package/[email protected] (>= 4.7.2) autoref: False
package/System.Threading.Tasks.Extensions@System.Threading.Tasks.Extensions (>= 4.5.4) autoref: False
package/Azure.Storage.Blobs 12.19.1
package/[email protected] (>= 12.18.1) autoref: False
package/[email protected] (>= 4.7.2) autoref: False
package/Azure.Storage.Common 12.18.1
package/[email protected] (>= 1.36.0) autoref: False
package/[email protected] (>= 6.0.0) autoref: False
package/Fractions 7.3.0
package/IdentityModel 5.2.0
package/IdentityModel.OidcClient 5.2.1
package/IdentityModel@IdentityModel (>= 5.2.0) autoref: False
package/[email protected] (>= 6.0.0) autoref: False
package/KubernetesClient 14.0.2
package/Fractions@Fractions (>= 7.3.0) autoref: False
package/[email protected] (>= 5.2.1) autoref: False
package/System.Diagnostics.DiagnosticSource@System.Diagnostics.DiagnosticSource (>= 7.0.0) autoref: False
package/[email protected] (>= 7.1.2) autoref: False
package/YamlDotNet@YamlDotNet (>= 15.1.0) autoref: False
package/Microsoft.AspNetCore.OpenApi 9.0.4
package/[email protected] (>= 1.6.17) autoref: False
package/Microsoft.Bcl.AsyncInterfaces 1.1.1
package/Microsoft.Extensions.DependencyInjection 6.0.0
package/Microsoft.Extensions.DependencyInjection.Abstractions@Microsoft.Extensions.DependencyInjection.Abstractions (>= 6.0.0) autoref: False
package/System.Runtime.CompilerServices.Unsafe@System.Runtime.CompilerServices.Unsafe (>= 6.0.0) autoref: False
package/Microsoft.Extensions.DependencyInjection.Abstractions 6.0.0
package/Microsoft.Extensions.Logging 6.0.0
package/Microsoft.Extensions.DependencyInjection.Abstractions@Microsoft.Extensions.DependencyInjection.Abstractions (>= 6.0.0) autoref: False
package/Microsoft.Extensions.DependencyInjection@Microsoft.Extensions.DependencyInjection (>= 6.0.0) autoref: False
package/Microsoft.Extensions.Logging.Abstractions@Microsoft.Extensions.Logging.Abstractions (>= 6.0.0) autoref: False
package/[email protected] (>= 6.0.0) autoref: False
package/System.Diagnostics.DiagnosticSource@System.Diagnostics.DiagnosticSource (>= 6.0.0) autoref: False
package/Microsoft.Extensions.Logging.Abstractions 6.0.0
package/Microsoft.Extensions.Options 6.0.0
package/Microsoft.Extensions.DependencyInjection.Abstractions@Microsoft.Extensions.DependencyInjection.Abstractions (>= 6.0.0) autoref: False
package/[email protected] (>= 6.0.0) autoref: False
package/Microsoft.Extensions.Primitives 6.0.0
package/System.Runtime.CompilerServices.Unsafe@System.Runtime.CompilerServices.Unsafe (>= 6.0.0) autoref: False
package/Microsoft.Identity.Client 4.60.3
package/Microsoft.IdentityModel.Abstractions@Microsoft.IdentityModel.Abstractions (>= 6.35.0) autoref: False
package/System.Diagnostics.DiagnosticSource@System.Diagnostics.DiagnosticSource (>= 6.0.1) autoref: False
package/Microsoft.Identity.Client.Extensions.Msal 4.60.3
package/[email protected] (>= 4.60.3) autoref: False
package/System.Security.Cryptography.ProtectedData@System.Security.Cryptography.ProtectedData (>= 4.5.0) autoref: False
package/Microsoft.IdentityModel.Abstractions 7.1.2
package/Microsoft.IdentityModel.JsonWebTokens 7.1.2
package/[email protected] (>= 7.1.2) autoref: False
package/Microsoft.IdentityModel.Logging 7.1.2
package/Microsoft.IdentityModel.Abstractions@Microsoft.IdentityModel.Abstractions (>= 7.1.2) autoref: False
package/Microsoft.IdentityModel.Tokens 7.1.2
package/[email protected] (>= 7.1.2) autoref: False
package/Microsoft.OpenApi 1.6.17
package/Newtonsoft.Json 12.0.3
package/Serilog 3.1.1
package/System.ClientModel 1.0.0
package/[email protected] (>= 1.0.2) autoref: False
package/[email protected] (>= 4.7.2) autoref: False
package/System.Diagnostics.DiagnosticSource 7.0.0
package/System.IdentityModel.Tokens.Jwt 7.1.2
package/Microsoft.IdentityModel.JsonWebTokens@Microsoft.IdentityModel.JsonWebTokens (>= 7.1.2) autoref: False
package/[email protected] (>= 7.1.2) autoref: False
package/System.IO.Hashing 6.0.0
package/System.Memory 4.5.4
package/System.Memory.Data 1.0.2
package/[email protected] (>= 4.7.2) autoref: False
package/[email protected] (>= 4.6.0) autoref: False
package/System.Numerics.Vectors 4.5.0
package/System.Runtime.CompilerServices.Unsafe 6.0.0
package/System.Security.Cryptography.ProtectedData 4.7.0
package/System.Text.Encodings.Web 4.7.2
package/System.Text.Json 4.7.2
package/System.Threading.Tasks.Extensions 4.5.4
package/YamlDotNet 15.1.0
Found #38 dependencies with data_source_id: dotnet-project-reference
Project resolved: nuget-transitive-dependencies
Fetching package metadata for: Azure.Core.1.38.0
Fetching package metadata for: Azure.Core.1.38.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: dae9516a40d0661a3351c3f6ddf0e0eb85ea2f6b
Fetching package metadata for: Azure.Identity.1.11.3
Fetching package metadata for: Azure.Identity.1.11.3
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: 06dd672e59d9bd6068e8ef282cb94ae17e6f75be
Fetching package metadata for: Azure.Storage.Blobs.12.19.1
Fetching package metadata for: Azure.Storage.Blobs.12.19.1
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: 675cf1fc091d02e385f4f8455beab2e9a40adc58
Fetching package metadata for: Azure.Storage.Common.12.18.1
Fetching package metadata for: Azure.Storage.Common.12.18.1
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: 675cf1fc091d02e385f4f8455beab2e9a40adc58
Fetching package metadata for: Fractions.7.3.0
Fetching package metadata for: Fractions.7.3.0
Nuspec copyright: Copyright 2013-2023 Daniel Mueller
Nuspec repo.type: git
Nuspec repo.url: https://github.com/danm-de/Fractions.git
Nuspec repo.branch:
Nuspec repo.commit: 364cc7bd8d01a741b641bfeff726371150d1e743
Fetching package metadata for: IdentityModel.5.2.0
Fetching package metadata for: IdentityModel.5.2.0
Nuspec copyright:
Nuspec repo.type: git
Nuspec repo.url: https://github.com/IdentityModel/IdentityModel
Nuspec repo.branch:
Nuspec repo.commit: f09bc41c44bb7502e649bf5efa3a7ee18ebe2903
Fetching package metadata for: IdentityModel.OidcClient.5.2.1
Fetching package metadata for: IdentityModel.OidcClient.5.2.1
Nuspec copyright:
Nuspec repo.type: git
Nuspec repo.url: https://github.com/IdentityModel/IdentityModel.OidcClient
Nuspec repo.branch:
Nuspec repo.commit: d7d7bc7e92532f2df9410c61ddaf96dd3cb230e5
Fetching package metadata for: KubernetesClient.14.0.2
Fetching package metadata for: KubernetesClient.14.0.2
Nuspec copyright: 2017 The Kubernetes Project Authors
Nuspec repo.type: git
Nuspec repo.url: https://github.com/kubernetes-client/csharp
Nuspec repo.branch:
Nuspec repo.commit: b50aed2654dd1beaaa712c590cf985e90f4f9928
Fetching package metadata for: Microsoft.AspNetCore.OpenApi.9.0.4
Fetching package metadata for: Microsoft.AspNetCore.OpenApi.9.0.4
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/aspnetcore
Nuspec repo.branch:
Nuspec repo.commit: d5dc8a13cc618b9cbdc1e5744b4806c594d49553
Fetching package metadata for: Microsoft.Bcl.AsyncInterfaces.1.1.1
Fetching package metadata for: Microsoft.Bcl.AsyncInterfaces.1.1.1
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: Microsoft.Extensions.DependencyInjection.6.0.0
Fetching package metadata for: Microsoft.Extensions.DependencyInjection.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Extensions.DependencyInjection.Abstractions.6.0.0
Fetching package metadata for: Microsoft.Extensions.DependencyInjection.Abstractions.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Extensions.Logging.6.0.0
Fetching package metadata for: Microsoft.Extensions.Logging.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Extensions.Logging.Abstractions.6.0.0
Fetching package metadata for: Microsoft.Extensions.Logging.Abstractions.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Extensions.Options.6.0.0
Fetching package metadata for: Microsoft.Extensions.Options.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Extensions.Primitives.6.0.0
Fetching package metadata for: Microsoft.Extensions.Primitives.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: Microsoft.Identity.Client.4.60.3
Fetching package metadata for: Microsoft.Identity.Client.4.60.3
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: 413e319472ccf48c86647f19fa2aa49ff6038488
Fetching package metadata for: Microsoft.Identity.Client.Extensions.Msal.4.60.3
Fetching package metadata for: Microsoft.Identity.Client.Extensions.Msal.4.60.3
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: 413e319472ccf48c86647f19fa2aa49ff6038488
Fetching package metadata for: Microsoft.IdentityModel.Abstractions.7.1.2
Fetching package metadata for: Microsoft.IdentityModel.Abstractions.7.1.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: a607fa5e0005a6178cf1d2fed4fa0f8179cdb186
Fetching package metadata for: Microsoft.IdentityModel.JsonWebTokens.7.1.2
Fetching package metadata for: Microsoft.IdentityModel.JsonWebTokens.7.1.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: a607fa5e0005a6178cf1d2fed4fa0f8179cdb186
Fetching package metadata for: Microsoft.IdentityModel.Logging.7.1.2
Fetching package metadata for: Microsoft.IdentityModel.Logging.7.1.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: a607fa5e0005a6178cf1d2fed4fa0f8179cdb186
Fetching package metadata for: Microsoft.IdentityModel.Tokens.7.1.2
Fetching package metadata for: Microsoft.IdentityModel.Tokens.7.1.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: a607fa5e0005a6178cf1d2fed4fa0f8179cdb186
Fetching package metadata for: Microsoft.OpenApi.1.6.17
Fetching package metadata for: Microsoft.OpenApi.1.6.17
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Microsoft/OpenAPI.NET
Nuspec repo.branch:
Nuspec repo.commit: ccd4a43fc951448ebc2ea1be8072724e53598239
Fetching package metadata for: Newtonsoft.Json.12.0.3
Fetching package metadata for: Newtonsoft.Json.12.0.3
Nuspec copyright: Copyright © James Newton-King 2008
Nuspec repo.type: git
Nuspec repo.url: https://github.com/JamesNK/Newtonsoft.Json
Nuspec repo.branch:
Nuspec repo.commit: 7c3d7f8da7e35dde8fa74188b0decff70f8f10e3
Fetching package metadata for: Serilog.3.1.1
Fetching package metadata for: Serilog.3.1.1
Nuspec copyright: Copyright © 2013-23 Serilog Contributors
Nuspec repo.type: git
Nuspec repo.url: https://github.com/serilog/serilog.git
Nuspec repo.branch:
Nuspec repo.commit: 999d686d1830edde15ccb1d94c7bff313ec7d7a0
Fetching package metadata for: System.ClientModel.1.0.0
Fetching package metadata for: System.ClientModel.1.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: 8ffa7d7f26bb2c5e3dadf74b2aa9c9ba9c9d9208
Fetching package metadata for: System.Diagnostics.DiagnosticSource.7.0.0
Fetching package metadata for: System.Diagnostics.DiagnosticSource.7.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: d099f075e45d2aa6007a22b71b45a08758559f80
Fetching package metadata for: System.IdentityModel.Tokens.Jwt.7.1.2
Fetching package metadata for: System.IdentityModel.Tokens.Jwt.7.1.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Nuspec repo.branch:
Nuspec repo.commit: a607fa5e0005a6178cf1d2fed4fa0f8179cdb186
Fetching package metadata for: System.IO.Hashing.6.0.0
Fetching package metadata for: System.IO.Hashing.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: System.Memory.4.5.4
Fetching package metadata for: System.Memory.4.5.4
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: System.Memory.Data.1.0.2
Fetching package metadata for: System.Memory.Data.1.0.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/Azure/azure-sdk-for-net
Nuspec repo.branch:
Nuspec repo.commit: 7e3cf643977591e9041f4c628fd4d28237398e0b
Fetching package metadata for: System.Numerics.Vectors.4.5.0
Fetching package metadata for: System.Numerics.Vectors.4.5.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: System.Runtime.CompilerServices.Unsafe.6.0.0
Fetching package metadata for: System.Runtime.CompilerServices.Unsafe.6.0.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type: git
Nuspec repo.url: https://github.com/dotnet/runtime
Nuspec repo.branch:
Nuspec repo.commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6
Fetching package metadata for: System.Security.Cryptography.ProtectedData.4.7.0
Fetching package metadata for: System.Security.Cryptography.ProtectedData.4.7.0
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: System.Text.Encodings.Web.4.7.2
Fetching package metadata for: System.Text.Encodings.Web.4.7.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: System.Text.Json.4.7.2
Fetching package metadata for: System.Text.Json.4.7.2
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: System.Threading.Tasks.Extensions.4.5.4
Fetching package metadata for: System.Threading.Tasks.Extensions.4.5.4
Nuspec copyright: © Microsoft Corporation. All rights reserved.
Nuspec repo.type:
Nuspec repo.url:
Nuspec repo.branch:
Nuspec repo.commit:
Fetching package metadata for: YamlDotNet.15.1.0
Fetching package metadata for: YamlDotNet.15.1.0
Nuspec copyright:
Nuspec repo.type: git
Nuspec repo.url: https://github.com/aaubry/YamlDotNet.git
Nuspec repo.branch:
Nuspec repo.commit:
Run summary:
Dependencies resolved in: 4026 ms.
Metadata collected in: 22800 ms.
Scan completed in: 26826 ms.
Scan Result: success: JSON file created at: nuget-inspector-result.json
Environment
I used the official container image ghcr.io/oss-review-toolkit/ort:60.0.0-086.sha.06c5ec2:
- ORT version: 60.0.0-086.sha
- Java version: 21.0.7+6-LTS
- OS: Linux
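A check for the symptom described in this report, added here as an example and not code from ORT or from the reporter: it parses the `PackageReference` entries of the `.csproj` and compares them with the root nodes of a `dependency_graph`, so that any root that is not declared directly (and any root that is also the target of an edge) is flagged. The graph layout used (`packages`, `scopes` with `root` indices into `packages`, `nodes` mapping to package indices, `edges` between node indices) and the `analyzer.result.dependency_graphs.<manager>` path are assumptions about how ORT serializes its analyzer result; the sample graph and `.csproj` are constructed inline and deliberately reproduce the reported behaviour.

```python
"""Audit the root nodes of an ORT NuGet dependency_graph against the direct
PackageReferences in the .csproj, to spot transitive packages reported as roots."""
import xml.etree.ElementTree as ET

# Constructed sample .csproj, trimmed to two of the report's six references.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.11.3" />
    <PackageReference Include="Serilog" Version="3.1.1 " />
  </ItemGroup>
</Project>"""

# Constructed dependency_graph in the shape ORT is assumed to write under
# analyzer.result.dependency_graphs.NuGet: 'packages' holds identifiers
# "NuGet::<name>:<version>", each scope lists root indices into 'packages',
# 'nodes' map node index -> package index and 'edges' join node indices.
# It reproduces the reported symptom: the transitive Azure.Core is listed
# as a root next to the two direct dependencies.
GRAPH = {
    "packages": [
        "NuGet::Azure.Identity:1.11.3",
        "NuGet::Azure.Core:1.38.0",
        "NuGet::Serilog:3.1.1",
    ],
    "scopes": {
        "NuGet::nuget-transitive-dependencies::compile": [
            {"root": 0},
            {"root": 1},
            {"root": 2},
        ],
    },
    "nodes": [{"pkg": 0}, {"pkg": 1}, {"pkg": 2}],
    "edges": [{"from": 0, "to": 1}],
}


def declared_direct(csproj_xml: str) -> dict:
    """Map PackageReference Include -> Version; strip stray whitespace in versions."""
    root = ET.fromstring(csproj_xml)
    return {
        ref.get("Include"): (ref.get("Version") or "").strip()
        for ref in root.iter("PackageReference")
        if ref.get("Include")
    }


def package_name(identifier: str) -> str:
    """'NuGet::Azure.Core:1.38.0' -> 'Azure.Core' (type::namespace:name:version)."""
    parts = identifier.split(":")
    return parts[2] if len(parts) >= 4 else identifier


def root_packages(graph: dict) -> set:
    """Package names that any scope lists as a root node."""
    return {
        package_name(graph["packages"][entry["root"]])
        for roots in graph["scopes"].values()
        for entry in roots
    }


def edge_targets(graph: dict) -> set:
    """Package names some other node depends on, i.e. reached transitively."""
    nodes = graph["nodes"]
    return {
        package_name(graph["packages"][nodes[edge["to"]]["pkg"]])
        for edge in graph.get("edges", [])
    }


def audit_roots(graph: dict, csproj_xml: str) -> dict:
    """Compare graph roots with the .csproj; a clean result has only empty lists."""
    declared = set(declared_direct(csproj_xml))
    roots = root_packages(graph)
    return {
        "undeclared_roots": sorted(roots - declared),
        "missing_roots": sorted(declared - roots),
        "roots_also_edge_targets": sorted(roots & edge_targets(graph)),
    }


def audit_analyzer_result(result: dict, csproj_xml: str, manager: str = "NuGet") -> dict:
    """Same audit on a parsed analyzer-result.yml (assumed path, e.g. loaded with PyYAML)."""
    graph = result["analyzer"]["result"]["dependency_graphs"][manager]
    return audit_roots(graph, csproj_xml)


if __name__ == "__main__":
    for key, value in audit_roots(GRAPH, CSPROJ).items():
        print(f"{key}: {value}")
```

On the constructed input the audit reports `Azure.Core` both as an undeclared root and as a root that is also an edge target, which is exactly the condition the report describes; on a correct graph both lists are empty and `missing_roots` lists any direct reference the analyzer dropped.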
> I also attempted using the `nuget-inspector` directly and produced the following result: nuget-inspector-result.json. From my understanding, it does not provide any information on the graph structure of the dependencies.

Thanks for checking. Can you please directly file an issue at https://github.com/aboutcode-org/nuget-inspector/issues?

> I understand that #3825 clearly states that the `nuget` package manager plugin does not yet support the dependency graph format. Is the behaviour described above expected due to this or should the root nodes be listed correctly?

Results should be correct already. #3825 is not about correctness, but about less memory consumption (mostly).

Could you maybe try https://github.com/microsoft/component-detection on your project to see whether you're getting expected results with it? If so, we might consider switching to it from nuget-inspector.
> Could you maybe try https://github.com/microsoft/component-detection on your project to see whether you're getting expected results with it? If so, we might consider switching to it from `nuget-inspector`.

I performed an analysis with my project - here is the result: component-detection-result.json
I did not dive into every detail, but what I can see is:
- All 38 direct and transitive dependencies of the project are detected.
- The field `dependencyGraphs.<name>.explicitlyReferencedComponentIds` contains the list of all direct dependencies.
- The field `dependencyGraphs.<name>.graph` seems to correctly reflect the graph relationships.
- However, due to a lack of knowledge of NuGet dependency resolution, I am not sure if they are complete. For instance, `Microsoft.Identity.Client.Extensions.Msal` is listed with 1 dependency although two are shown here: https://www.nuget.org/packages/Microsoft.Identity.Client.Extensions.Msal/4.60.3#dependencies-body-tab. This may be because the second dependency is already introduced at another point in the graph.

One important caveat that I'd like to highlight in comparison to nuget-inspector is that my .csproj file could not be analyzed in a "standalone" manner. Instead, I was required to first execute `dotnet restore`, which in turn required me to use a .NET version that is compatible with my project (rather than just the SDK required by the analyzer tool).
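The classification the comment above derives by hand from `explicitlyReferencedComponentIds` and `graph`, as an added example that is not part of the thread and not code from component-detection: a breadth-first walk from the explicit references labels every component as direct (depth 0) or transitive, and reports components from `componentsFound` that no explicit reference reaches, which is the kind of incompleteness the comment wonders about. The output shape (component ids of the form `<name> <version> - NuGet`, `dependencyGraphs` keyed by the detected file, `graph` mapping an id to the ids it depends on with `null` for leaves) is an assumption about component-detection's JSON; the scan below is constructed inline, with an `Orphan` package added on purpose so the unreachable case is exercised.

```python
"""Classify the components of a component-detection NuGet scan as direct or
transitive by walking dependencyGraphs.<project>.graph from the explicit references."""
from collections import deque

# Constructed sample in the assumed shape of a component-detection result:
# componentsFound[i].component.id is "<name> <version> - NuGet", and for each
# detected project 'graph' maps a component id to the ids it depends on, with
# null for leaves. 'Orphan' is deliberately not reachable from any explicit
# reference, to show what an incomplete graph looks like.
SCAN = {
    "componentsFound": [
        {"component": {"id": "Azure.Identity 1.11.3 - NuGet"}},
        {"component": {"id": "Azure.Core 1.38.0 - NuGet"}},
        {"component": {"id": "System.Memory 4.5.4 - NuGet"}},
        {"component": {"id": "Serilog 3.1.1 - NuGet"}},
        {"component": {"id": "Orphan 1.0.0 - NuGet"}},
    ],
    "dependencyGraphs": {
        "/repo/obj/project.assets.json": {
            "explicitlyReferencedComponentIds": [
                "Azure.Identity 1.11.3 - NuGet",
                "Serilog 3.1.1 - NuGet",
            ],
            "graph": {
                "Azure.Identity 1.11.3 - NuGet": ["Azure.Core 1.38.0 - NuGet"],
                "Azure.Core 1.38.0 - NuGet": ["System.Memory 4.5.4 - NuGet"],
                "System.Memory 4.5.4 - NuGet": None,
                "Serilog 3.1.1 - NuGet": None,
                "Orphan 1.0.0 - NuGet": None,
            },
        }
    },
}


def classify(scan: dict, project: str) -> dict:
    """Breadth-first walk from the explicit references; depth 0 means direct."""
    project_graph = scan["dependencyGraphs"][project]
    graph = {k: list(v or []) for k, v in project_graph["graph"].items()}
    direct = list(project_graph["explicitlyReferencedComponentIds"])
    depth = {cid: 0 for cid in direct}
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for child in graph.get(current, []):
            if child not in depth:  # first visit is the shortest path
                depth[child] = depth[current] + 1
                queue.append(child)
    found = {c["component"]["id"] for c in scan["componentsFound"]}
    return {
        "direct": sorted(direct),
        "transitive": sorted(cid for cid, d in depth.items() if d > 0),
        "unreachable": sorted(found - set(depth)),
        "depth": depth,
    }


def summarize(scan: dict) -> dict:
    """Per-project counts, to cross-check against the total in componentsFound."""
    total = len(scan["componentsFound"])
    return {
        project: {
            "total": total,
            "direct": len(result["direct"]),
            "transitive": len(result["transitive"]),
            "unreachable": len(result["unreachable"]),
        }
        for project in scan["dependencyGraphs"]
        for result in [classify(scan, project)]
    }


if __name__ == "__main__":
    for project, counts in summarize(SCAN).items():
        print(project, counts)
```

Run against a real `component-detection-result.json` (`json.load` it and pass the path key that appears under `dependencyGraphs`), `direct` plus `transitive` should add up to the number of components found; anything left in `unreachable` is a component the graph does not connect to any `PackageReference`.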
> Thanks for checking. Can you please directly file an issue at https://github.com/aboutcode-org/nuget-inspector/issues?

For reference, here is the issue: https://github.com/aboutcode-org/nuget-inspector/issues/63
Unfortunately, there was no reply to my issue for the nuget-inspector yet. Have you given further thought to the possibility of switching to component-detection?
> Have you given further thought to the possibility of switching to component-detection?

I still believe the idea is good, but I have no idea yet whether it's feasible, esp. WRT whether the metadata returned by component-detection is sufficient to populate the ORT data model.
> I still believe the idea is good, but I have no idea yet whether it's feasible, esp. WRT whether the metadata returned by `component-detection` is sufficient to populate the ORT data model.
I have tried to draw up a comparison between the data contained in the analysis results of the ORT, component-detection and nuget-inspector (based on the files I provided in my previous comments). This is the result:
| ORT | component-detection | nuget-inspector | component-detection comment |
|---|---|---|---|
| Name | :white_check_mark: (`componentsFound[i].component.name`) | :white_check_mark: | |
| Version | :white_check_mark: (`componentsFound[i].component.version`) | :white_check_mark: | |
| pURL | :white_check_mark: (`componentsFound[i].component.packageUrl`) | :white_check_mark: | Provides scheme, type, namespace (if present), name and version |
| Author list | :white_check_mark: (`componentsFound[i].component.authors`) | :white_check_mark: | Always null |
| Declared Licenses | :x: | :white_check_mark: | Out of scope: https://github.com/microsoft/component-detection/issues/539 |
| Description | :x: | :white_check_mark: | |
| Homepage URL | :x: | :white_check_mark: | |
| Binary Artifact URL | :x: | :white_check_mark: | |
| Binary Artifact Hash | :x: | :white_check_mark: | |
| Source Artifact URL | :x: | :x: | |
| Source Artifact Hash | :x: | :x: | |
| VCS URL | :x: | :white_check_mark: | |
| VCS Revision | :x: | :white_check_mark: | |
| (Correct) Dependency Graph | :white_check_mark: (`dependencyGraphs`) | :x: | |
Based on that result, it seems like the component-detection is unfortunately lacking critical data.
> I have tried to draw up a comparison between the data contained in the analysis results

Thanks a lot for the effort! That's really useful. I was also looking at their feature overview before and found several things to be missing.

BTW, that table reads as if graph creation (which is different from what they call "scanning") for NuGet only works if you have a `project.assets.json` file. I guess that's the case for you?

> Based on that result, it seems like the component-detection is unfortunately lacking critical data.

Yeah, looks like we'd be better off with contributing the graph creation feature from component-detection to nuget-inspector rather than switching the tool. But that's basically what your https://github.com/aboutcode-org/nuget-inspector/issues/63 already is about. Let me try to bump the priority of that with @pombredanne.
> BTW, that table reads as if graph creation (which is different from what they call "scanning") for NuGet only works if you have a `project.assets.json` file. I guess that's the case for you?
That is correct - I was required to perform the dependency resolution with dotnet restore before being able to get scan results. When the scan is conducted without running this command (which generates the obj/project.assets.json file), zero results are returned. Reading the feature table, this makes sense since .csproj is not a supported "detection mechanism" on its own.
After reading the table, I also tried to analyze a "legacy" project that uses packages.config to declare the dependencies. In this case, no dotnet restore is required. However, the result then only contains direct dependencies and no transitive dependencies. For example, I have [email protected] for .NET 4.5 as a dependency, which should have transitive dependencies.
> Yeah, looks like we'd be better off with contributing the graph creation feature from component-detection to nuget-inspector rather than switching the tool. But that's basically what your aboutcode-org/nuget-inspector#63 already is about. Let me try to bump the priority of that with @pombredanne.
Thanks, that would be really great!