Closed nnobelis closed 1 year ago
Thanks for the report!
I am getting different results but they may be entirely right either
$ cat tf.json | jq ".packages[].packages[].purl"
"pkg:nuget/NETStandard.Library@2.0.3"
"pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/Antlr@3.4.1.9004"
"pkg:nuget/Newtonsoft.Json@5.0.4"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
and
$ cat tf.json | jq ".packages[].dependencies[].purl"
"pkg:nuget/NETStandard.Library@2.0.3"
"pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
But the issue is that the test project may not be correct in the first place. IMHO we should use a correct project file that works without warnings or errors with dotnet first rather than a synthetic one that is used in ORT tests that may never exist in practice.
If I dotnet restore this project I get these issues:
$ dotnet restore --verbosity normal --configfile nuget.config --packages /home/pombreda/w421/nuget-inspector/tmp/issue-12/packages/
[....]
"/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj" (Restore target) (1) ->
(Restore target) ->
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'Antlr 3.4.1.9004' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'Newtonsoft.Json 5.0.4' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'WebGrease 1.5.2' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.
"/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj" (Restore target) (1) ->
(Restore target) ->
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102: Unable to find package foobar with version (>= 1.2.3)
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102: - Found 4 version(s) in nuget.org [ Nearest version: 0.1.8.12 ]
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102: - Found 0 version(s) in Test Source
/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102: - Found 0 version(s) in TerminalDependencies
3 Warning(s)
1 Error(s)
The results I have are also different with --target-framework net45 and --target-framework netcoreapp3.1 and without. This latter is a bug as it should default to net45.
I also get this pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07 instead of older versions, and this is because I allow using previews in the resolution... this may need to be disabled so only non-preview are used, which is also the dotnet default
@pombredanne do you think we should correct the project in ORT? If yes, could you provide the fixed project?
@nnobelis yes, I will provide this alright, as it is important to get the right tests and most realistic tests in place!
@nnobelis As a recap, here are the resolution paths for this issue:
This is now handling the target framework correctly in 0.9.0. I verified against running dotnet.
Using these two files (copied here for stability): nuget.config.txt test.csproj.txt
with these commands:
/nuget-inspector --json tf-net45.json.txt --project-file test.csproj --nuget-config nuget.config --verbose --target-framework "net45"
I get:
tf-net45.json.txt with these correct data, validated against the dotnet restore below:
$ cat tf-net45.json.txt | jq ".packages[].packages[].purl"
"pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.3"
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
$ cat tf-net45.json.txt | jq ".packages[].dependencies[].purl"
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
/nuget-inspector --json tf-notarget.json.txt --project-file test.csproj --nuget-config nuget.config --verbose
I get:
tf-notarget.json.txt with correct data, identical to the net45 run, which is the default.
/nuget-inspector --json tf-netcoreapp3.1.json.txt --project-file test.csproj --nuget-config nuget.config --verbose --target-framework "netcoreapp3.1"
I get:
tf-netcoreapp3.1.json.txt with these correct data, validated against the dotnet restore below:
$ cat tf-netcoreapp3.1.json.txt | jq ".packages[].packages[].purl"
"pkg:nuget/Microsoft.NETCore.Platforms@1.1.0"
"pkg:nuget/Microsoft.NETCore.Targets@1.1.0"
"pkg:nuget/System.Runtime@4.3.0"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading.Tasks@4.0.11"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/Antlr@3.4.1.9004"
"pkg:nuget/Newtonsoft.Json@5.0.4"
"pkg:nuget/WebGrease@1.5.2"
$ cat tf-netcoreapp3.1.json.txt | jq ".packages[].dependencies[].purl"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/WebGrease@1.5.2"
And using dotnet on the same data files
with $ dotnet restore --configfile nuget.config --ignore-failed-sources --no-cache -p:TargetFramework=net45 --use-lock-file --packages packages/
I get this lockfile:
packages.lock.json.net45.txt
and with $ dotnet restore --configfile nuget.config --ignore-failed-sources --no-cache -p:TargetFramework=netcoreapp3.1 --use-lock-file --packages packages/
I get this lockfile:
packages.lock-netcoreapp3.1.json.txt
@nnobelis what's very clear is that the current ORT tests expected results are not correct.
re:
We need better test project(s) in ORT with a complete set of artifacts/files as found in full .NET projects.
The expected tests results are being updated in ORT accordingly!
All completed and released and pushed in ORT too. Closing now!
This is a follow up of point 5 of https://github.com/nexB/nuget-inspector/issues/3 with Nuget-Inspector 0.7.2.
I used an ORT example DotNet project to test the nuget-inspector: https://github.com/oss-review-toolkit/ort/tree/main/analyzer/src/funTest/assets/projects/synthetic/dotnet/subProjectTest
And run the nuget-inspector in Debian Bullseye with:
And I compared the result with the expected result of this test project: https://github.com/oss-review-toolkit/ort/blob/main/analyzer/src/funTest/assets/projects/synthetic/dotnet-expected-output.yml
Packages detected by nuget-inspector
Packages in the expected result
Problem: nuget-inspector does not output the transitive dependencies. Examples for both projects: Platforms, Targets, Runtime, Runtime.CompilerServices, Threading.Task
I saw you mentioned in https://github.com/nexB/nuget-inspector/issues/3 that these dependencies are framework specific however as written in issue https://github.com/nexB/nuget-inspector/issues/11, the target framework parameter does not seem to have any effect. Please note however, as mentioned in https://github.com/nexB/nuget-inspector/issues/2, that it is most likely wrong that ORT outputs the same package with different versions.
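A small check for the validation approach used in this thread, comparing the purls in a nuget-inspector JSON report with the versions recorded in a `dotnet restore --use-lock-file` lockfile. This is an added example, not part of the original issue or of nuget-inspector; the sample data, the `sample-tfm` framework key and the function names are constructed for illustration.

```python
import json

# Constructed inputs. The report shape follows the jq path used in the thread
# (.packages[].packages[].purl); the lockfile shape is the one written by
# `dotnet restore --use-lock-file`. "sample-tfm" is a placeholder framework key.
INSPECTOR = json.loads("""{"packages": [{"packages": [
  {"purl": "pkg:nuget/System.Globalization@4.3.0"},
  {"purl": "pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07"},
  {"purl": ""},
  {"purl": "pkg:nuget/WebGrease@1.5.2"}]}]}""")
LOCKFILE = json.loads("""{"version": 1, "dependencies": {"sample-tfm": {
  "WebGrease": {"type": "Direct", "resolved": "1.5.2"},
  "System.Globalization": {"type": "Transitive", "resolved": "4.3.0"},
  "System.Runtime": {"type": "Transitive", "resolved": "4.3.0"}}}}""")


def inspector_purls(report):
    """Return (set of purls, count of empty purls) from .packages[].packages[]."""
    purls, empty = set(), 0
    for project in report.get("packages", []):
        for pkg in project.get("packages", []):
            purl = (pkg.get("purl") or "").strip()
            if purl:
                purls.add(purl.lower())  # NuGet package ids are case-insensitive
            else:
                empty += 1
    return purls, empty


def lockfile_purls(lock, framework):
    """Build purls from the resolved versions recorded for one framework key."""
    entries = lock.get("dependencies", {}).get(framework, {})
    return {f"pkg:nuget/{name}@{meta['resolved']}".lower()
            for name, meta in entries.items() if "resolved" in meta}


def compare(report, lock, framework):
    got, empty = inspector_purls(report)
    want = lockfile_purls(lock, framework)
    return {
        "missing": sorted(want - got),     # restored by dotnet, absent from report
        "unexpected": sorted(got - want),  # reported, but not in the lockfile
        "prerelease": sorted(p for p in got if "-" in p.rsplit("@", 1)[-1]),
        "empty_purls": empty,
    }


if __name__ == "__main__":
    print(json.dumps(compare(INSPECTOR, LOCKFILE, "sample-tfm"), indent=2))
```

When run against real files, pass the framework key exactly as it appears under `dependencies` in the lockfile being checked.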