aboutcode-org / nuget-inspector

Inspect and resolve .NET and NuGet package dependencies like dotnet and nuget do. Fetch manifests data. Runs on Linux, Windows and macOS as a standalone application.
https://github.com/nexB/nuget-inspector

Some transitive dependencies are missing in the output of the nuget-inspector #12

Closed nnobelis closed 1 year ago

nnobelis commented 1 year ago

This is a follow-up of point 5 of https://github.com/nexB/nuget-inspector/issues/3 with Nuget-Inspector 0.7.2.

I used an ORT example DotNet project to test the nuget-inspector: https://github.com/oss-review-toolkit/ort/tree/main/analyzer/src/funTest/assets/projects/synthetic/dotnet/subProjectTest

And ran the nuget-inspector in Debian Bullseye with:

❯ ~/bin/nuget-inspector/nuget-inspector --verbose --project-file oss-review-toolkit-internal/analyzer/src/funTest/assets/projects/synthetic/dotnet/subProjectTest/test.csproj --nuget-config oss-review-toolkit-internal/analyzer/src/funTest/assets/projects/synthetic/dotnet/nuget.config --json /home/nino/nuget-inspector-result.json

And I compared the result with the expected result of this test project: https://github.com/oss-review-toolkit/ort/blob/main/analyzer/src/funTest/assets/projects/synthetic/dotnet-expected-output.yml

Packages detected by nuget-inspector

❯ cat ~/nuget-inspector-result.json | jq ".packages[].packages[].purl"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/Antlr@3.4.1.9004"
"pkg:nuget/Newtonsoft.Json@5.0.4"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
❯ cat ~/nuget-inspector-result.json | jq ".packages[].dependencies[].purl"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"

Packages in the expected result

❯ cat oss-review-toolkit-internal/analyzer/src/funTest/assets/projects/synthetic/dotnet-expected-output.yml | yq ".packages[].id"
NuGet::Antlr:3.4.1.9004
NuGet::Microsoft.NETCore.Platforms:1.0.1
NuGet::Microsoft.NETCore.Platforms:1.1.0
NuGet::Microsoft.NETCore.Targets:1.0.1
NuGet::Microsoft.NETCore.Targets:1.1.0
NuGet::Newtonsoft.Json:5.0.4
NuGet::System.Collections:4.3.0
NuGet::System.Globalization:4.3.0
NuGet::System.Runtime:4.1.0
NuGet::System.Runtime:4.3.0
NuGet::System.Runtime.CompilerServices.Unsafe:4.5.3
NuGet::System.Threading:4.0.11
NuGet::System.Threading.Tasks:4.0.11
NuGet::System.Threading.Tasks:4.3.0
NuGet::System.Threading.Tasks.Extensions:4.5.4
NuGet::WebGrease:1.5.2

Problem: nuget-inspector does not output the transitive dependencies. Examples for both projects: Platforms, Targets, Runtime, Runtime.CompilerServices, Threading.Task

I saw you mentioned in https://github.com/nexB/nuget-inspector/issues/3 that these dependencies are framework-specific; however, as written in issue https://github.com/nexB/nuget-inspector/issues/11, the target framework parameter does not seem to have any effect. Please note however, as mentioned in https://github.com/nexB/nuget-inspector/issues/2, that it is most likely wrong that ORT outputs the same package with different versions.
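The comparison made by hand in the report above can be automated as a completeness check on a dependency inventory. This is an added example, not part of the original post or of nuget-inspector: the JSON shape is assumed only from the jq path `.packages[].packages[].purl`, the ORT id layout `type:namespace:name:version` is assumed from the ids listed, and the function names are hypothetical.

```python
import json

# Constructed input shaped after the jq path used in the report
# (.packages[].packages[].purl); purl values are the 0.7.2 output listed there.
INSPECTOR_JSON = json.dumps({"packages": [{"packages": [{"purl": p} for p in [
    "pkg:nuget/System.Globalization@4.3.0", "pkg:nuget/System.Threading@4.0.11",
    "pkg:nuget/Antlr@3.4.1.9004", "pkg:nuget/Newtonsoft.Json@5.0.4",
    "pkg:nuget/WebGrease@1.5.2", "",
    "pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"]]}]})

# ORT ids as listed in the expected result in the report.
ORT_IDS = """NuGet::Antlr:3.4.1.9004 NuGet::Microsoft.NETCore.Platforms:1.0.1
NuGet::Microsoft.NETCore.Platforms:1.1.0 NuGet::Microsoft.NETCore.Targets:1.0.1
NuGet::Microsoft.NETCore.Targets:1.1.0 NuGet::Newtonsoft.Json:5.0.4
NuGet::System.Collections:4.3.0 NuGet::System.Globalization:4.3.0
NuGet::System.Runtime:4.1.0 NuGet::System.Runtime:4.3.0
NuGet::System.Runtime.CompilerServices.Unsafe:4.5.3 NuGet::System.Threading:4.0.11
NuGet::System.Threading.Tasks:4.0.11 NuGet::System.Threading.Tasks:4.3.0
NuGet::System.Threading.Tasks.Extensions:4.5.4 NuGet::WebGrease:1.5.2""".split()


def parse_purl(purl):
    """(name, version) of a pkg:nuget purl, or None when empty or not NuGet."""
    prefix = "pkg:nuget/"
    if not purl.startswith(prefix) or "@" not in purl:
        return None
    name, _, version = purl[len(prefix):].partition("@")
    version = version.split("?")[0].split("#")[0]  # drop qualifiers/subpath
    return name.lower(), version  # NuGet package ids are case-insensitive


def parse_ort_id(ort_id):
    """(name, version) of an ORT id 'type:namespace:name:version'."""
    kind, _namespace, name, version = ort_id.split(":", 3)
    return (name.lower(), version) if kind == "NuGet" else None


def compare(inspector_json, ort_ids):
    """Diff the resolved packages against the expected ids."""
    purls = [pkg.get("purl", "") for project in json.loads(inspector_json)["packages"]
             for pkg in project.get("packages", [])]
    found = {p for p in map(parse_purl, purls) if p}
    expected = {p for p in map(parse_ort_id, ort_ids) if p}
    return {"missing": sorted(expected - found),
            "extra": sorted(found - expected),
            "unresolved": sum(1 for p in purls if not p)}


if __name__ == "__main__":
    report = compare(INSPECTOR_JSON, ORT_IDS)
    for name, version in report["missing"]:
        print(f"missing: {name}@{version}")
    print(f"extra: {report['extra']}  unresolved purls: {report['unresolved']}")
```

Empty purls are counted separately rather than dropped silently, since an unresolved package is itself a gap in the inventory that a vulnerability scan would not cover.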

pombredanne commented 1 year ago

Thanks for the report!

pombredanne commented 1 year ago

I am getting different results but they may be entirely right either

$ cat tf.json | jq ".packages[].packages[].purl"
"pkg:nuget/NETStandard.Library@2.0.3"
"pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/Antlr@3.4.1.9004"
"pkg:nuget/Newtonsoft.Json@5.0.4"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"

and

$ cat tf.json | jq ".packages[].dependencies[].purl"
"pkg:nuget/NETStandard.Library@2.0.3"
"pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/WebGrease@1.5.2"
""
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"

But the issue is that the test project may not be correct in the first place. IMHO we should use a correct project file that works without warnings or errors with dotnet first rather than a synthetic one that is used in ORT tests that may never exist in practice.

If I dotnet restore this project I get these issues:

$ dotnet restore --verbosity normal --configfile nuget.config  --packages /home/pombreda/w421/nuget-inspector/tmp/issue-12/packages/
[....]

       "/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj" (Restore target) (1) ->
       (Restore target) -> 
         /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'Antlr 3.4.1.9004' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.
         /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'Newtonsoft.Json 5.0.4' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.
         /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : warning NU1701: Package 'WebGrease 1.5.2' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8, .NETFramework,Version=v4.8.1' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project.

       "/home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj" (Restore target) (1) ->
       (Restore target) -> 
         /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102: Unable to find package foobar with version (>= 1.2.3)
       /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102:   - Found 4 version(s) in nuget.org [ Nearest version: 0.1.8.12 ]
       /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102:   - Found 0 version(s) in Test Source
       /home/pombreda/w421/nuget-inspector/tmp/issue-12/test.csproj : error NU1102:   - Found 0 version(s) in TerminalDependencies

    3 Warning(s)
    1 Error(s)

The results I have are also different with --target-framework net45 and --target-framework netcoreapp3.1 and without. This latter is a bug, as it should default to net45.

I also get this pkg:nuget/Microsoft.NETCore.App@3.0.0-preview8-28405-07 instead of older versions, and this is because I allow using previews in the resolution... this may need to be disabled so only non-preview are used, which is also the dotnet default

tf-net45-conf.json.txt

tf-netcoreapp3.1-conf.json.txt

tf-def-conf.json.txt

nnobelis commented 1 year ago

@pombredanne do you think we should correct the project in ORT? If so, could you provide the fixed project?

pombredanne commented 1 year ago

@nnobelis yes, I will provide this alright, as it is important to get the right tests and most realistic tests in place!

pombredanne commented 1 year ago

@nnobelis As a recap, here are the resolution paths for this issue:

pombredanne commented 1 year ago

This is now handling the target framework correctly in 0.9.0. I verified against running dotnet.

Using these two files (copied here for stability): nuget.config.txt test.csproj.txt

with these commands:

with these correct data, validated against the dotnet restore below:

$ cat tf-net45.json.txt | jq ".packages[].packages[].purl"
"pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.3"
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"
$ cat tf-net45.json.txt | jq ".packages[].dependencies[].purl"
"pkg:nuget/System.Threading.Tasks.Extensions@4.5.4"

with correct data, identical to the net45 run, which is the default.

with these correct data, validated against the dotnet restore below:

$ cat tf-netcoreapp3.1.json.txt | jq ".packages[].packages[].purl"
"pkg:nuget/Microsoft.NETCore.Platforms@1.1.0"
"pkg:nuget/Microsoft.NETCore.Targets@1.1.0"
"pkg:nuget/System.Runtime@4.3.0"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading.Tasks@4.0.11"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/Antlr@3.4.1.9004"
"pkg:nuget/Newtonsoft.Json@5.0.4"
"pkg:nuget/WebGrease@1.5.2"

$ cat tf-netcoreapp3.1.json.txt | jq ".packages[].dependencies[].purl"
"pkg:nuget/System.Globalization@4.3.0"
"pkg:nuget/System.Threading@4.0.11"
"pkg:nuget/WebGrease@1.5.2"

And using dotnet on the same data files

pombredanne commented 1 year ago

@nnobelis what's very clear is that the current ORT tests expected results are not correct.

pombredanne commented 1 year ago

re:

We need better test project(s) in ORT with a complete set of artifacts/files as found in full .NET projects.

The expected tests results are being updated in ORT accordingly!

pombredanne commented 1 year ago

All completed and released and pushed in ORT too. Closing now!