dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Central Package Management sets dependency graph versions to >=0 #10772

Open Bluubb opened 1 week ago

Bluubb commented 1 week ago

Is there an existing issue for this?

Package ecosystem

Nuget

Package manager version

No response

Language version

latest C#

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

When using Central Package Management as mentioned in this link: https://devblogs.microsoft.com/nuget/introducing-central-package-management/

The versions in the Dependency Graph SBOM are set to >=0 instead of the defined version. Because of this, the security alerts are not triggered, since the version information is missing.

Steps to reproduce:

  1. Create an empty library project (e.g. netstandard2.0) with one dependency (e.g. Newtonsoft.Json 13.0.3)
  2. Push to GitHub repo
  3. Check dependency graph version, which corresponds to 13.0.3 --> VALID
  4. Change the library project to central package versioning by this guide: https://devblogs.microsoft.com/nuget/introducing-central-package-management/
  5. Push again
  6. Newtonsoft.Json is NOT 13.0.3 anymore, it is >=0 --> INVALID

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

image

Smallest manifest that reproduces the issue

DependencyGraph_NoVersion_When_Central_Package_Management.zip
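To make the manifest shapes in the reproduction steps concrete, here is an added example (not part of the issue, the attached repro project, or dependabot-core) that resolves `PackageReference` versions two ways: reading only the `.csproj`, and reading the `.csproj` together with `Directory.Packages.props` as Central Package Management does. The three manifests are constructed; `Example.Pinned` is a made-up package id used to show the `VersionOverride` case; the `>=0` string is a stand-in for "no version resolved" that mirrors the symptom reported above and is not Dependabot's actual fallback; none of this reproduces the logic in `file_parser.rb`. The point for anyone generating an SBOM or dependency graph from NuGet projects is that once CPM is enabled the version lives outside the project file, so a consumer that stops at the `.csproj` has nothing to match against advisories.

```python
"""Resolve NuGet PackageReference versions with and without Central Package
Management (CPM). Added example with constructed manifests; not dependabot code."""
import xml.etree.ElementTree as ET

# Constructed: a classic project file that carries the version inline.
CSPROJ_INLINE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

# Constructed: the same project after moving to CPM. The Version attribute is gone;
# Example.Pinned is a made-up id showing a per-project VersionOverride.
CSPROJ_CPM = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Example.Pinned" VersionOverride="2.0.0" />
  </ItemGroup>
</Project>
"""

# Constructed: the Directory.Packages.props that CPM picks up from the repo root.
DIRECTORY_PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageVersion Include="Example.Pinned" Version="1.0.0" />
  </ItemGroup>
</Project>
"""

# Stand-in for "no version could be determined"; mirrors the symptom in the issue,
# it is not how any real tool represents the gap.
UNPINNED = ">=0"


def _local(tag):
    """Strip an XML namespace, since older MSBuild files carry one and SDK-style files do not."""
    return tag.rsplit("}", 1)[-1]


def _items(xml_text, item_name):
    """Return every element named item_name anywhere in the document."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if _local(el.tag) == item_name]


def versions_from_csproj_only(csproj_xml):
    """What a CPM-unaware consumer sees: only the inline Version attribute."""
    return {
        el.get("Include"): el.get("Version") or UNPINNED
        for el in _items(csproj_xml, "PackageReference")
    }


def cpm_enabled(props_xml):
    """True when Directory.Packages.props turns on central management."""
    for el in _items(props_xml, "ManagePackageVersionsCentrally"):
        return (el.text or "").strip().lower() == "true"
    return False


def versions_with_cpm(csproj_xml, props_xml):
    """Resolve each reference in CPM order: VersionOverride, then the central
    PackageVersion entry, then an inline Version (the non-CPM case)."""
    central = {}
    if cpm_enabled(props_xml):
        # NuGet package ids are case-insensitive, so key the lookup on lowercase.
        central = {
            el.get("Include").lower(): el.get("Version")
            for el in _items(props_xml, "PackageVersion")
        }
    resolved = {}
    for el in _items(csproj_xml, "PackageReference"):
        name = el.get("Include")
        resolved[name] = (
            el.get("VersionOverride")
            or central.get(name.lower())
            or el.get("Version")
            or UNPINNED
        )
    return resolved


if __name__ == "__main__":
    print("csproj only, inline :", versions_from_csproj_only(CSPROJ_INLINE))
    print("csproj only, CPM    :", versions_from_csproj_only(CSPROJ_CPM))
    print("csproj + props, CPM :", versions_with_cpm(CSPROJ_CPM, DIRECTORY_PACKAGES_PROPS))
```

Running it shows the gap directly: the CPM project file alone yields the unpinned stand-in for every reference, while the same file read alongside `Directory.Packages.props` yields `13.0.3` for Newtonsoft.Json and the override `2.0.0` for the constructed package. A consumer that wants advisory matching to keep working after a repo adopts CPM has to walk up to that props file (and honour `VersionOverride`), not just the project file.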

brettfo commented 2 days ago

Thank you for the issue and the repro project. My initial guess is there is an issue with how we report the dependencies as the job starts, specifically from file_parser.rb, but more investigation will need to be done.