diagnostica-stago / SolutionDependencyAnalyzer

Finds dependencies in a solution, and creates an internal dependency graph
MIT License

Find dependencies from Nuspec files #52

Open mgrandi opened 3 years ago

mgrandi commented 3 years ago

This tool only seems to list the direct dependencies of a project, but I would expect any dependency tree visualization tool to list all dependencies recursively.

Tradioyes commented 3 years ago

This will list all the dependencies used by all the projects in a solution. Do you have an example of a dependency you'd expect to see but isn't shown by the tool?

mgrandi commented 3 years ago

I have a private repo that has a test project with 1 dependency, and it's not able to list the dependencies other than the top level.

In the test project, the csproj has:


  <ItemGroup>
    <PackageReference Include="MycroftPackageCore" Version="132.879.3341.4" />
  </ItemGroup>

If I go to that package in my .nuget folder and open its .nuspec file, I see:

    <dependencies>
      <dependency id="Bond.CSharp" version="8.2.0" />
      <dependency id="REPLACED.Framework" version="1.83.0" />
      <dependency id="REPLACED.Web.ClientGen" version="1.83.0" />
      <dependency id="Microsoft.AspNet.WebApi.Client" version="5.2.7" />
      <dependency id="System.Diagnostics.DiagnosticSource" version="5.0.1" />
      <dependency id="Newtonsoft.Json" version="12.0.3" />
    </dependencies>

And then some of those packages have their own dependencies themselves. I can even see it in the Visual Studio Solution Explorer:

image

But if I run this tool on my solution, I get the following (with all the relevant files also printed out):


PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> dependency-analyzer.exe .\TestMycroftPackageNetCore.sln .
Building Project TestMycroftPackageNetCore
Project TestMycroftPackageNetCore done
Done

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\TestMycroftPackageNetCore.sln

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31424.327
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TestMycroftPackageNetCore", "TestMycroftPackageNetCore\TestMycroftPackageNetCore.csproj", "{B155DB30-0BA7-4258-B1F8-64A8962F13D1}"
EndProject
Global
        GlobalSection(SolutionConfigurationPlatforms) = preSolution
                Debug|Any CPU = Debug|Any CPU
                Release|Any CPU = Release|Any CPU
        EndGlobalSection
        GlobalSection(ProjectConfigurationPlatforms) = postSolution
                {B155DB30-0BA7-4258-B1F8-64A8962F13D1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
                {B155DB30-0BA7-4258-B1F8-64A8962F13D1}.Debug|Any CPU.Build.0 = Debug|Any CPU
                {B155DB30-0BA7-4258-B1F8-64A8962F13D1}.Release|Any CPU.ActiveCfg = Release|Any CPU
                {B155DB30-0BA7-4258-B1F8-64A8962F13D1}.Release|Any CPU.Build.0 = Release|Any CPU
        EndGlobalSection
        GlobalSection(SolutionProperties) = preSolution
                HideSolutionNode = FALSE
        EndGlobalSection
        GlobalSection(ExtensibilityGlobals) = postSolution
                SolutionGuid = {6076169C-03ED-40BD-8BD2-87162A67B1A0}
        EndGlobalSection
EndGlobal

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\TestMycroftPackageNetCore\TestMycroftPackageNetCore.csproj
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.1</TargetFramework>
    <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="MycroftPackageCore" Version="132.879.3341.4" />
  </ItemGroup>

</Project>

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\packages.md
# Nuget dependencies
 - MycroftPackageCore 132.879.3341.4

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\packagesByProject.md
# Package dependencies by project
### TestMycroftPackageNetCore
 - MycroftPackageCore 132.879.3341.4

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\projectsByPackage.md
# Project dependencies by package
### MycroftPackageCore 132.879.3341.4
 - TestMycroftPackageNetCore

---------------------------------------

PS C:\Users\mgrandi\source\repos\TestMycroftPackageNetCore> cat .\projectDependencyGraph.dot
digraph "TestMycroftPackageNetCore" {
splines=ortho;
}

Tradioyes commented 3 years ago

Thanks!

We use it internally, on solutions where all the dependencies will be at least listed in the top level props file (including indirect dependencies). This could be a nice new feature.

mgrandi commented 3 years ago

Forgive me for not understanding, how else are dependencies determined? The Microsoft / C# ecosystem has changed so much in the past few years that I'm not sure how it used to be, but it seems that now at least, all of the dependencies for files are included in the .nuspec files that are inside the .nupkg files themselves.

Tradioyes commented 3 years ago

This project was built for doc purposes, to know exactly which projects used which dependencies. We have a .props file up top that contains all package references, direct and indirect, for the whole solution, with the NuGet version centralized. Each project then has its own references without the version.

Because the props file has everything, there was no need to go into nuspec files for our use case.

Tradioyes commented 3 years ago

Scratch that, I looked in the code: this is an issue with Buildalyzer, all the references listed come from there. I'll see if updating Buildalyzer does the trick, but I doubt it. To add nuspec indirect references, this could need custom code to get it from the references returned by Buildalyzer.
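The recursive walk over `.nuspec` files discussed in this thread, as an added example that is not part of any comment above and is not code from SolutionDependencyAnalyzer or Buildalyzer. It assumes the global packages folder layout `<id lowercased>/<version>/<id lowercased>.nuspec` and treats each declared version string as the exact folder name (a restore may select a different version, which this sketch does not model); the package names in the sample cache are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def read_dependencies(nuspec_file):
    """(id, version) pairs declared in one .nuspec, <group> children included."""
    root = ET.parse(nuspec_file).getroot()
    # Compare local names only: the nuspec namespace URI differs between schema versions.
    return sorted({(el.get("id"), el.get("version") or "")
                   for el in root.iter()
                   if el.tag.rsplit("}", 1)[-1] == "dependency" and el.get("id")})

def nuspec_path(packages_dir, pkg_id, version):
    # Global packages folder layout: <id lowercased>/<version>/<id lowercased>.nuspec
    name = pkg_id.lower()
    return Path(packages_dir) / name / version / f"{name}.nuspec"

def transitive_closure(packages_dir, direct):
    """Walk from the direct references; return (edges, unresolved).
    unresolved = packages with no .nuspec on disk at the declared version."""
    edges, unresolved, stack = {}, set(), list(direct)
    while stack:
        pkg = stack.pop()
        if pkg in edges or pkg in unresolved:
            continue  # already visited; also stops dependency cycles
        path = nuspec_path(packages_dir, *pkg)
        if not path.is_file():
            unresolved.add(pkg)
            continue
        edges[pkg] = read_dependencies(path)
        stack.extend(edges[pkg])
    return edges, sorted(unresolved)

def build_sample(root):
    """Constructed cache: App.Core -> Lib.A -> Lib.B, plus an absent Missing.Pkg."""
    ns = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"
    sample = {
        ("App.Core", "1.0.0"): '<dependency id="Lib.A" version="2.0.0" />'
                               '<dependency id="Missing.Pkg" version="3.1.0" />',
        ("Lib.A", "2.0.0"): '<group targetFramework=".NETStandard2.0">'
                            '<dependency id="Lib.B" version="0.9.0" /></group>',
        ("Lib.B", "0.9.0"): "",
    }
    for (pkg_id, version), deps in sample.items():
        path = nuspec_path(root, pkg_id, version)
        path.parent.mkdir(parents=True)
        path.write_text(f'<package xmlns="{ns}"><metadata><id>{pkg_id}</id>'
                        f'<dependencies>{deps}</dependencies></metadata></package>')
    return [("App.Core", "1.0.0")]  # the solution's direct PackageReference
```

Entries in `unresolved` are packages the walk could not account for from disk, which is the gap a dependency inventory or SBOM would need to flag rather than silently omit.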

aligneddev commented 2 years ago

That would be a great feature! I wonder if you could borrow ideas from the SBOM (software bill of materials) ideas that DependencyBot (GitHub) and others use for security issues.

StefH commented 2 years ago

Any updates on this?

Tradioyes commented 2 years ago

Not at the moment. I may try it at some point, but anyone who wants to look at this is more than welcome.