
✨ Support Nuget Pinned Dependency with RestoreLockedMode attribute #4351

Merged
merged 23 commits into from
Oct 3, 2024

Conversation

balteravishay
Contributor

What kind of change does this PR introduce?

Support pinning dependency in .NET using lockfile by declaring the RestoreLockedMode attribute in csproj

What is the current behavior?

Checking for NuGet pinned dependencies considers only the CLI locked-mode flags (i.e. --locked-mode), and if none is found the score is 0.

What is the new behavior (if this is a feature change)?

If a nuget CLI command is found that is not locked with the CLI flag, a post-processing method checks for csproj files in the repo and scores according to the number of them that declare the RestoreLockedMode attribute set to true.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Fixes #4251

Special notes for your reviewer

The implementation of this fix, using a post-processing method, was discussed with @spencerschrock in the Scorecard community call.
There is an upcoming PR that will complement this behaviour by adding support for Central Package Management; it will also perform post processing to look for another file type (Directory.Packages.props) where this feature is enabled.

Does this PR introduce a user-facing change?


NONE

Member

@spencerschrock spencerschrock left a comment


Not a full review, just wanted to tackle a question around the approach.

Review comments (all resolved, on outdated revisions) were left on checks/fileparser/csproj_parser.go and checks/raw/pinned_dependencies.go.
@balteravishay
Contributor Author

Here are a number of repos to test this change on:

  • https://github.com/Mongo2Go/Mongo2Go - has 3 csproj files, only 1 of which is locked. According to the new logic, this maintains the unpinned dependency state of the found "hits" and updates the Remediation.
  • Sn0wCrack/saucybot-discord - has 1 csproj file, which is locked. 2 nuget dependencies that are found as unpinned are set to pinned at the post-process stage.
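The post-processing described in the PR description and exercised on the two repos above, as an added Go example that is not the Scorecard project's own code: it parses constructed csproj contents with encoding/xml, counts how many declare RestoreLockedMode set to true, and applies that evidence to nuget dependencies the CLI scan left unpinned. The Dependency type, the function names, the constructed project files and the rule that only a repo in which every csproj is locked flips the dependencies to pinned (a partially locked repo keeps them unpinned and rewrites the remediation) are assumptions modelled on the behaviour the comments describe, not Scorecard's API.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Dependency is a constructed stand-in for a dependency the
// Pinned-Dependencies check found in a build script (hypothetical type).
type Dependency struct {
	Name        string
	Type        string // e.g. "nuget"
	Pinned      bool
	Remediation string
}

// project captures the parts of a csproj we care about: every
// <PropertyGroup> and its optional <RestoreLockedMode> child.
type project struct {
	PropertyGroups []struct {
		Condition         string `xml:"Condition,attr"`
		RestoreLockedMode string `xml:"RestoreLockedMode"`
	} `xml:"PropertyGroup"`
}

// IsRestoreLockedMode reports whether a csproj declares
// <RestoreLockedMode>true</RestoreLockedMode>. MSBuild evaluates property
// groups in order with last-writer-wins semantics, so the last unconditional
// declaration decides; conditional groups are skipped because their
// Condition cannot be evaluated without running a build.
func IsRestoreLockedMode(content string) (bool, error) {
	var p project
	if err := xml.Unmarshal([]byte(content), &p); err != nil {
		return false, fmt.Errorf("parsing csproj: %w", err)
	}
	locked := false
	for _, pg := range p.PropertyGroups {
		if pg.Condition != "" || pg.RestoreLockedMode == "" {
			continue
		}
		locked = strings.EqualFold(strings.TrimSpace(pg.RestoreLockedMode), "true")
	}
	return locked, nil
}

// CountLockedProjects walks a (path -> content) map standing in for the
// repository and counts how many csproj files are in locked mode.
func CountLockedProjects(files map[string]string) (locked, total int, err error) {
	for path, content := range files {
		if !strings.HasSuffix(strings.ToLower(path), ".csproj") {
			continue
		}
		total++
		ok, err := IsRestoreLockedMode(content)
		if err != nil {
			return 0, 0, fmt.Errorf("%s: %w", path, err)
		}
		if ok {
			locked++
		}
	}
	return locked, total, nil
}

// PostProcessNuget applies the csproj evidence to nuget dependencies the CLI
// scan left unpinned: when every csproj is locked they become pinned,
// otherwise they stay unpinned and the remediation explains the gap.
func PostProcessNuget(deps []Dependency, locked, total int) []Dependency {
	out := make([]Dependency, len(deps))
	copy(out, deps)
	allLocked := total > 0 && locked == total
	for i := range out {
		if out[i].Type != "nuget" || out[i].Pinned {
			continue
		}
		if allLocked {
			out[i].Pinned, out[i].Remediation = true, ""
			continue
		}
		out[i].Remediation = fmt.Sprintf("%d of %d csproj files set RestoreLockedMode=true; set it in the remaining projects or pass --locked-mode to the restore command", locked, total)
	}
	return out
}

// Constructed csproj contents (not taken from any real repository).
const lockedCsproj = `<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>
</Project>`

const unlockedCsproj = `<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
</Project>`

// PartiallyLockedRepo mirrors the "3 csproj files, only 1 locked" case;
// FullyLockedRepo mirrors the "1 csproj file, locked" case.
var PartiallyLockedRepo = map[string]string{
	"src/Lib/Lib.csproj":              lockedCsproj,
	"src/Api/Api.csproj":              unlockedCsproj,
	"test/Lib.Tests/Lib.Tests.csproj": unlockedCsproj,
	"README.md":                       "not a project file",
}

var FullyLockedRepo = map[string]string{"src/Bot/Bot.csproj": lockedCsproj}

func main() {
	for name, repo := range map[string]map[string]string{"partial": PartiallyLockedRepo, "full": FullyLockedRepo} {
		locked, total, err := CountLockedProjects(repo)
		if err != nil {
			fmt.Println(name, err)
			continue
		}
		deps := PostProcessNuget([]Dependency{{Name: "Serilog", Type: "nuget"}}, locked, total)
		fmt.Printf("%s: %d/%d locked -> pinned=%v remediation=%q\n", name, locked, total, deps[0].Pinned, deps[0].Remediation)
	}
}
```

The parser deliberately returns the last unconditional value rather than "any group says true", so a project that sets RestoreLockedMode to true and later overrides it to false is not credited as locked, and a parse error on one csproj fails the scan instead of silently counting it as unlocked.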

balteravishay and others added 16 commits October 3, 2024 16:08
Signed-off-by: balteraivshay <avishay.balter@gmail.com>
…#4317)
Signed-off-by: Spencer Schrock <sschrock@google.com>
…4343)
…sf#4356)
@spencerschrock
Member

/scdiff generate Pinned-Dependencies


github-actions bot commented Oct 3, 2024

Successfully merging this pull request may close these issues.

BUG: .Net Pinned dependency check ignores using RestoreLockedMode