
C# package references in varying case are listed twice

Open cz-dev-ge opened this issue 10 months ago • 3 comments

Describe the bug

When using central package management in .NET/C# and writing package names with different casing, they get listed twice: once with and once without a version number:

<!-- Directory.Packages.props -->
<Project>
    <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    </PropertyGroup>
    <ItemGroup Label="Dependencies">
        <PackageVersion Include="ncrontab.signed" Version="3.3.3" />
    </ItemGroup>
</Project>
<!-- ORT1.csproj -->
<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net9.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>

    <ItemGroup>
      <PackageReference Include="NCrontab.Signed" />
    </ItemGroup>

</Project>

To Reproduce

Steps to reproduce the behavior:

  1. unpack the attached minimal example
  2. run dotnet restore in the directory with the .sln
  3. scan project with ort analyze -i ~/dev/ORT1 -f JSON -o ~/results
  4. see error

Expected behavior

Package is listed only once.

Console / log output


Running scan of: /home/user/dev/ORT1/ORT1.csproj with fallback: False
  Using project.assets.json lockfile at: /home/user/dev/ORT1/obj/project.assets.json
LockFile: NuGet.ProjectModel.LockFile
LockFile.Path: /home/user/dev/ORT1/obj/project.assets.json
[...skipping 15 lines...]
ProjectScanner > FetchDependenciesMetadata |nuget NCrontab.Signed
ProjectScanner > FetchDependenciesMetadata |nuget NCrontab.Signed
      Fetching package metadata for: NCrontab.Signed.3.3.3
      Fetching package metadata for: NCrontab.Signed.3.3.3

< ... truncated ... >

Scan completed with Errors or Warnings: JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json

ERRORS at the dependencies level:
    ERRORS for dependency: NCrontab.Signed@ with purl:
    ERROR: ERROR: Cannot fetch remote metadata: Name or version cannot be empty

Environment


  • ORT version: 44.0.0
  • Java version: OpenJdk-21
  • OS: GNU/Linux (Ubuntu 24.04)

ORT1.zip

cz-dev-ge avatar Jan 14 '25 14:01 cz-dev-ge
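NuGet package IDs are case-insensitive, so `ncrontab.signed` in Directory.Packages.props and `NCrontab.Signed` in the .csproj restore to the same package, while a consumer that matches the strings exactly sees two entries, one without a version. The following is an added example, not code from this issue, from ORT or from nuget-inspector: a small Python check that parses both files, resolves references the way restore does (by lower-cased ID) and reports every PackageReference whose spelling differs from its central PackageVersion entry, plus references that have no central version at all. The two sample files are constructed from the snippets above, with `Newtonsoft.Json` and `Serilog` added as assumed extra packages to show the clean and the missing cases.

```python
"""Flag NuGet package IDs whose casing differs between central package
management (Directory.Packages.props) and project PackageReference items.

Added example for this issue; not part of ORT or nuget-inspector.
"""
import xml.etree.ElementTree as ET

# Constructed sample input based on the issue's minimal example, with two
# extra (assumed) packages: one spelled consistently, one with no central version.
DIRECTORY_PACKAGES_PROPS = """<Project>
    <PropertyGroup>
        <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    </PropertyGroup>
    <ItemGroup Label="Dependencies">
        <PackageVersion Include="ncrontab.signed" Version="3.3.3" />
        <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    </ItemGroup>
</Project>"""

PROJECT_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
    <ItemGroup>
      <PackageReference Include="NCrontab.Signed" />
      <PackageReference Include="Newtonsoft.Json" />
      <PackageReference Include="Serilog" />
    </ItemGroup>
</Project>"""


def _local_name(tag: str) -> str:
    """Strip an XML namespace so old-style csproj files with xmlns work too."""
    return tag.rsplit("}", 1)[-1]


def central_versions(props_xml: str) -> dict:
    """Map lower-cased package ID -> (ID as written, version)."""
    root = ET.fromstring(props_xml)
    versions = {}
    for item in root.iter():
        if _local_name(item.tag) == "PackageVersion":
            pkg_id = item.get("Include", "")
            versions[pkg_id.lower()] = (pkg_id, item.get("Version", ""))
    return versions


def package_references(csproj_xml: str) -> list:
    """Return PackageReference IDs exactly as written in the project file."""
    root = ET.fromstring(csproj_xml)
    return [
        item.get("Include", "")
        for item in root.iter()
        if _local_name(item.tag) == "PackageReference"
    ]


def find_id_mismatches(props_xml: str, csproj_xml: str) -> list:
    """Return one finding per PackageReference that does not match its central
    PackageVersion entry byte-for-byte.

    Each finding is (kind, reference_id, central_id, version) where kind is
    'case-mismatch' (same ID modulo case) or 'no-central-version' (no
    PackageVersion at all, which restore rejects under CPM).
    """
    versions = central_versions(props_xml)
    findings = []
    for ref_id in package_references(csproj_xml):
        central = versions.get(ref_id.lower())
        if central is None:
            findings.append(("no-central-version", ref_id, None, None))
        elif central[0] != ref_id:
            findings.append(("case-mismatch", ref_id, central[0], central[1]))
    return findings


def resolved_versions(props_xml: str, csproj_xml: str) -> dict:
    """Resolve each reference case-insensitively, as NuGet restore does, and
    return {reference_id: version}. References without a central entry are
    omitted."""
    versions = central_versions(props_xml)
    return {
        ref_id: versions[ref_id.lower()][1]
        for ref_id in package_references(csproj_xml)
        if ref_id.lower() in versions
    }


if __name__ == "__main__":
    for kind, ref_id, central_id, version in find_id_mismatches(
        DIRECTORY_PACKAGES_PROPS, PROJECT_CSPROJ
    ):
        if kind == "case-mismatch":
            print(f"{kind}: PackageReference '{ref_id}' vs PackageVersion "
                  f"'{central_id}' ({version}); align the casing")
        else:
            print(f"{kind}: PackageReference '{ref_id}' has no PackageVersion")
```

Run it before `ort analyze` on a repository that uses central package management; a `case-mismatch` finding is exactly the situation the log above shows (one `NCrontab.Signed@` entry with an empty version), and aligning the spelling in either file removes the duplicate without changing what restore produces.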

  1. unpack the appended minimal example

Is this still missing?

JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json

Would you also be able to attach that file?

sschuberth avatar Jan 14 '25 14:01 sschuberth

>   1. unpack the appended minimal example
>
> Is this still missing?
>
> JSON file created at: /tmp/ort-NuGetInspector2946731004305336106/nuget-inspector13806836367627266407.json
>
> Would you also be able to attach that file?

Unfortunately not. It gets deleted. I'll try to stop there.

PS: It might be that the cause is slightly different than I thought. It might happen instead if the reference is different in case from the actual package's name as seen on nuget.org.

PS: Potentially related to #9417?

cz-dev-ge avatar Jan 14 '25 14:01 cz-dev-ge

If you can reproduce this with plain https://github.com/aboutcode-org/nuget-inspector, please file an issue over there, as that's the tool that ORT is currently using for C# project analysis under the hood.

sschuberth avatar Apr 07 '25 11:04 sschuberth