aboutcode-org / nuget-inspector

Inspect and resolve .NET and NuGet package dependencies like dotnet and nuget do. Fetch manifests data. Runs on Linux, Windows and macOS as a standalone application.
https://github.com/nexB/nuget-inspector

nuget-inspector detects local project reference as NuGet package #54

Open georg-eckert-zeiss opened 4 months ago

georg-eckert-zeiss commented 4 months ago

When referencing a local project "B.csproj" which is in a sibling directory, nuget-inspector resolves it to a package B at nuget.org - which clearly is not the same.

Minimal example

```
<!-- MyProject.sln -->
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.0.31903.59
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "A", "A\A.csproj", "{450DF022-8D0B-4415-9CE0-9276EDAA556A}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "B", "B\B.csproj", "{5E680340-6469-443E-A56D-D6B3936EAC16}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|Any CPU = Debug|Any CPU
        Release|Any CPU = Release|Any CPU
    EndGlobalSection
    GlobalSection(SolutionProperties) = preSolution
        HideSolutionNode = FALSE
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {450DF022-8D0B-4415-9CE0-9276EDAA556A}.Release|Any CPU.ActiveCfg = Release|Any CPU
        {450DF022-8D0B-4415-9CE0-9276EDAA556A}.Release|Any CPU.Build.0 = Release|Any CPU
        {5E680340-6469-443E-A56D-D6B3936EAC16}.Release|Any CPU.ActiveCfg = Release|Any CPU
        {5E680340-6469-443E-A56D-D6B3936EAC16}.Release|Any CPU.Build.0 = Release|Any CPU
    EndGlobalSection
EndGlobal
```

```xml
<!-- A/A.csproj -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\B\B.csproj" />
  </ItemGroup>
</Project>
```

```xml
<!-- B/B.csproj -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
</Project>
```

Now simply run

```
nuget-inspector --project-file=MyProject/A/A.csproj --with-details --verbose --json="dev/ni-test-results/results.json"
```

And you get

```json
"packages" : [ {
        "id" : "NuGet::B:1.0.0",
        "purl" : "pkg:nuget/B@1.0.0",
        "authors" : [ "Sooraj" ],
        "declared_licenses" : [ ],
        "declared_licenses_processed" : { },
        "description" : "Package Description",
        "homepage_url" : "",
        "binary_artifact" : {
          "url" : "https://api.nuget.org/v3-flatcontainer/b/1.0.0/b.1.0.0.nupkg",
          "hash" : {
            "value" : "69f10826e0952e8f8eef4df829b4573d15add61d50a44569e00342a179d50ae31f826d9fc655c2483e3632c452dea759c5c4f618b6b0de57adb7984fb48e141a",
            "algorithm" : "SHA-512"
          }
        },
```

Best regards, Georg

sschuberth commented 3 months ago

This issue probably is the root cause of https://github.com/nexB/nuget-inspector/issues/53, because if projects are mistaken for packages, of course no such package exists in any registry to resolve metadata for.
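
A triage check for the mismatch reported in this thread, as an added example that is not part of the original issue or of nuget-inspector's code: it lists the purls in a results file whose package name equals a project pulled in through `<ProjectReference>`, so those entries can be reviewed before the report feeds an SBOM or license scan. The inline inputs are constructed, the function names are hypothetical, and it assumes the project's name is its `.csproj` file name and that reported packages carry a `purl` field as in the fragment above.

```python
import json
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the issue's A.csproj and reported output.
A_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <ProjectReference Include="..\B\B.csproj" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
SCAN_JSON = json.dumps({"packages": [
    {"purl": "pkg:nuget/B@1.0.0"},
    {"purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
]})

def local_project_names(csproj_xml):
    """Lower-cased names of projects referenced via <ProjectReference>."""
    names = set()
    for el in ET.fromstring(csproj_xml).iter():
        # Legacy csproj files carry an XML namespace; strip it before comparing.
        if el.tag.rsplit("}", 1)[-1] == "ProjectReference" and el.get("Include"):
            # ntpath parses Windows-style separators on any OS.
            # Assumption: project name == file name (no PackageId override).
            names.add(ntpath.splitext(ntpath.basename(el.get("Include")))[0].lower())
    return names

def iter_purls(node):
    """Yield every string 'purl' value found anywhere in the parsed JSON."""
    if isinstance(node, dict):
        if isinstance(node.get("purl"), str):
            yield node["purl"]
        for value in node.values():
            yield from iter_purls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_purls(value)

def misattributed(csproj_xml, scan_json):
    """Return sorted purls whose NuGet name matches a local project reference."""
    local = local_project_names(csproj_xml)
    hits = set()
    for purl in iter_purls(json.loads(scan_json)):
        if purl.startswith("pkg:nuget/"):
            name = re.split(r"[@?#]", purl[len("pkg:nuget/"):], maxsplit=1)[0]
            if name.lower() in local:  # NuGet package IDs are case-insensitive
                hits.add(purl)
    return sorted(hits)

if __name__ == "__main__":
    print(misattributed(A_CSPROJ, SCAN_JSON))
```

A match is a prompt for review, not proof of misattribution: a project can legitimately share its name with a registry package it also consumes.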