search

NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0
1.55k stars 645 forks source link

Surface Microsoft Application Inspector information on nuget.org #7824

Open joelverhagen opened 4 years ago

joelverhagen commented 4 years ago

Is your feature request related to a problem? Please describe.

Microsoft has released a tool called Microsoft Application Inspector to perform static analysis of source code to identify what categories of APIs are used. For example: networking APIs, file access, cryptography.

NuGet.org could use this tool to automatically surface such information about packages in the web UI.

The output of the tool looks like this: image

Describe the solution you'd like

For every package uploaded to nuget.org, run Microsoft Application Inspector on the source code (potentially gathered via decompilation or via the GitHub repository URL) and show the report per version on the display packages page.

As a stretch goal, allow comparison of two versions so you can see leveraged APIs getting added or removed.

NuGet client could also show this information for an arbitrary package upgrade (and transitive packages pulled in) but this is harder since the analysis process may be slow.

Additional context

Thanks to members of the Hacker News community for connecting the dots: https://news.ycombinator.com/item?id=22170705 https://news.ycombinator.com/item?id=22171263

JonDouglas commented 2 years ago

These exist as CLI tooling now: https://github.com/Microsoft/OSSGadget