
Analyzer: Nuget package sub dependencies are not listed in report

Open hoang-son-nguyen-grassfish-com opened this issue 2 years ago • 8 comments

Since c2c6926, the underlying dependencies of a nuget package are not listed in the report.

Reproduction steps:

  • Create a new .NET 6 console application.
  • Add a nuget package having sub dependencies such as Microsoft.EntityFrameworkCore 7.0.5 to the project.
  • Run analyzer
  • Run static HTML report.

Expected: The report should list the following dependencies as shown in Solution Explorer: (image)

> Since c2c6926, the underlying dependencies of a nuget package are not listed in the report.

It's very unlikely that the mentioned change in the scanner has an impact on the analyzer. Are you really saying that reverting c2c6926 makes the issue go away?

sschuberth avatar Jun 01 '23 18:06 sschuberth

No, I took a snapshot of the program at this commit and ran the analyzer with it and got this problem.

> No, I took a snapshot of the program at this commit and ran the analyzer with it and got this problem.

So, can you please try to narrow down the problem to a commit / PR that breaks the behavior? Or at least, what's the last revision that's working for you?

sschuberth avatar Jun 02 '23 07:06 sschuberth

The last working revision is at this commit: https://github.com/oss-review-toolkit/ort/commit/c4a7a74. The analyzer could list underlying dependencies but was not able to read credentials from nuget.config.

The bug is added somewhere between https://github.com/oss-review-toolkit/ort/commit/c4a7a74 and https://github.com/oss-review-toolkit/ort/commit/c2c6926.

> The bug is added somewhere between c4a7a74 and c2c6926

Ok, that's a wide range of commits, and it also includes the complete rewrite of NuGet analyzer via the nuget-inspector in ed6a79275fce5e70f33523c4afeb84b53a864ca0. Does that commit work for you or not?

sschuberth avatar Jun 02 '23 12:06 sschuberth

I pulled 2 versions from here: https://github.com/alliander-opensource/ort-container/pkgs/container/ort-container/versions

  • Commit caccff5: This commit is after the above rewrite ed6a792. Same problem occurs, i.e. no dependencies are listed other than NuGet::Microsoft.EntityFrameworkCore:7.0.5.

Here is the analyzer result:

---
repository:
  vcs:
    type: ""
    url: ""
    revision: ""
    path: ""
  vcs_processed:
    type: ""
    url: ""
    revision: ""
    path: ""
  config: {}
analyzer:
  start_time: "2023-06-14T08:25:09.469024Z"
  end_time: "2023-06-14T08:25:12.840210600Z"
  environment:
    ort_version: "DOCKER-SNAPSHOT"
    java_version: "17.0.6"
    os: "Linux"
    processors: 6
    max_memory: 513802240
    variables:
      JAVA_HOME: "/opt/java/openjdk"
      ANDROID_HOME: "/opt/android-sdk"
    tool_versions: {}
  config:
    allow_dynamic_versions: false
    skip_excluded: false
  result:
    projects:
    - id: "NuGet::ConsoleApp1/ConsoleApp1.csproj:"
      definition_file_path: ""
      declared_licenses: []
      declared_licenses_processed: {}
      vcs:
        type: ""
        url: ""
        revision: ""
        path: ""
      vcs_processed:
        type: ""
        url: ""
        revision: ""
        path: ""
      homepage_url: ""
      scope_names:
      - "net6.0"
    - id: "Unmanaged::project:"
      definition_file_path: ""
      declared_licenses: []
      declared_licenses_processed: {}
      vcs:
        type: ""
        url: ""
        revision: ""
        path: ""
      vcs_processed:
        type: ""
        url: ""
        revision: ""
        path: ""
      homepage_url: ""
      scope_names: []
    packages:
    - id: "NuGet::Microsoft.EntityFrameworkCore:7.0.5"
      purl: "pkg:nuget/Microsoft.EntityFrameworkCore@7.0.5"
      authors:
      - "Microsoft"
      declared_licenses:
      - "MIT"
      declared_licenses_processed:
        spdx_expression: "MIT"
      description: "Entity Framework Core is a modern object-database mapper for .NET.\
        \ It supports LINQ queries, change tracking, updates, and schema migrations.\
        \ EF Core works with SQL Server, Azure SQL Database, SQLite, Azure Cosmos\
        \ DB, MySQL, PostgreSQL, and other databases through a provider plugin API."
      homepage_url: "https://docs.microsoft.com/ef/core/"
      binary_artifact:
        url: "https://api.nuget.org/v3-flatcontainer/microsoft.entityframeworkcore/7.0.5/microsoft.entityframeworkcore.7.0.5.nupkg"
        hash:
          value: "1f3ce64f305fcafb221b08e7969e3bc976eeaaa3a339bc10121043481024c2eaab330258e87a8c2d4df17523eec7a040e0f3f67e3b59599ce922e3c6a8e646c5"
          algorithm: "SHA-512"
      source_artifact:
        url: ""
        hash:
          value: ""
          algorithm: ""
      vcs:
        type: ""
        url: "git+https://github.com/dotnet/efcore"
        revision: "5c6be2458d7d7d2ec22d1555bf829ed19adacb2a"
        path: ""
      vcs_processed:
        type: "Git"
        url: "https://github.com/dotnet/efcore.git"
        revision: "5c6be2458d7d7d2ec22d1555bf829ed19adacb2a"
        path: ""
    dependency_graphs:
      NuGet:
        packages:
        - "NuGet::Microsoft.EntityFrameworkCore:7.0.5"
        scopes:
          :ConsoleApp1/ConsoleApp1.csproj::net6.0:
          - root: 0
        nodes:
        - {}
        edges: []
      Unmanaged:
        nodes: []
        edges: []
    has_issues: false
scanner: null
advisor: null
evaluator: null
resolved_configuration:
  package_curations:
  - provider:
      id: "DefaultDir"
    curations: []
  - provider:
      id: "DefaultFile"
    curations: []

  • Commit 0a4bef5: This commit is shortly before the rewrite and all dependencies are listed as expected.
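The symptom in the analyzer result above (one package, one empty node, `edges: []`) can be checked mechanically, which matters because packages missing from the graph are never seen by later scanner or advisor runs. The following is an added example, not part of the original thread or of ORT's code; the `pkg`, `from` and `to` field names are assumptions about ORT's dependency graph serialization that do not appear in the result above, and the sample is reduced from that result.

```python
# Constructed sample: the NuGet graph from the analyzer result above, reduced to
# the fields this check reads (as parsed from the result file into a dict).
REPORTED = {"analyzer": {"result": {"dependency_graphs": {
    "NuGet": {
        "packages": ["NuGet::Microsoft.EntityFrameworkCore:7.0.5"],
        "scopes": {":ConsoleApp1/ConsoleApp1.csproj::net6.0:": [{"root": 0}]},
        "nodes": [{}],
        "edges": [],
    },
    "Unmanaged": {"nodes": [], "edges": []},
}}}}


def transitive_packages(graph):
    """Per scope, the package ids reachable from the scope's roots via edges."""
    packages = graph.get("packages", [])
    nodes = graph.get("nodes", [])
    children = {}
    for edge in graph.get("edges", []):  # assumed shape: {"from": node, "to": node}
        children.setdefault(edge["from"], []).append(edge["to"])
    found = {}
    for scope, roots in graph.get("scopes", {}).items():
        # A root names a package index; omitted "root"/"pkg" fields default to 0.
        root_pkgs = {r.get("root", 0) for r in roots}
        stack = [i for i, n in enumerate(nodes) if n.get("pkg", 0) in root_pkgs]
        seen, reached = set(stack), set()
        while stack:
            for child in children.get(stack.pop(), []):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
                    reached.add(packages[nodes[child].get("pkg", 0)])
        found[scope] = sorted(reached)
    return found


def managers_without_transitives(ort_result):
    """Package managers with direct dependencies but no recorded sub-dependencies."""
    graphs = ort_result["analyzer"]["result"]["dependency_graphs"]
    flagged = []
    for manager, graph in graphs.items():
        has_roots = any(graph.get("scopes", {}).values())
        if has_roots and not any(transitive_packages(graph).values()):
            flagged.append(manager)
    return flagged


if __name__ == "__main__":
    print(managers_without_transitives(REPORTED))
```

A flagged manager is a prompt to compare the result against the project's resolved dependencies, since a project whose direct dependencies are all leaf packages produces the same shape.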

> • Same problem occurs i.e. no dependencies are listed other than NuGet::Microsoft.EntityFrameworkCore:7.0.5.

Interestingly, this sounds like more or less the opposite of what @fb33 reported in Slack over here.

sschuberth avatar May 02 '24 15:05 sschuberth

@hoang-son-nguyen-grassfish-com can you please share the exact project files you were using?

sschuberth avatar Aug 13 '24 12:08 sschuberth