Closed DmitriyLewen closed 1 month ago
Sorry for the delay on a reply and thank you for the praise :)
So, the tl;dr on all of this is that nuget.org is case insensitive and `Net` vs `NET` makes no difference in terms of what package you would pull when using their api/cli/whatever. In practice this should be a non-issue and if some tooling is breaking because of it then that's a bug on their end.
ex. https://www.nuget.org/packages/Microsoft.NETCore.App.Runtime.linux-arm/ https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm/ and https://www.nuget.org/packages/Microsoft.netCore.App.Runtime.linux-arm/
Similarly on a cli:

```
jon~/g/M/2009:master❯❯❯ nuget install Microsoft.netCore.App.Runtime.linux-arm
...
Resolving actions to install package 'Microsoft.netCore.App.Runtime.linux-arm.8.0.5'
Resolved actions to install package 'Microsoft.netCore.App.Runtime.linux-arm.8.0.5'
Retrieving package 'Microsoft.NETCore.App.Runtime.linux-arm 8.0.5' from 'nuget.org'.
WARNING: Install failed. Rolling back...
Executing nuget actions took 88 ms
Error NU5000: Package 'Microsoft.NETCore.App.Runtime.linux-arm 8.0.5' has a package type 'DotnetPlatform' that is not supported by project '/Users/jon/gits/MITRE-cvelist/2009'.
jon~/g/M/2009:master❯❯❯ nuget install Microsoft.NetCore.App.Runtime.linux-arm
...
Resolving actions to install package 'Microsoft.NetCore.App.Runtime.linux-arm.8.0.5'
Resolved actions to install package 'Microsoft.NetCore.App.Runtime.linux-arm.8.0.5'
Retrieving package 'Microsoft.NETCore.App.Runtime.linux-arm 8.0.5' from 'nuget.org'.
WARNING: Install failed. Rolling back...
Executing nuget actions took 91 ms
Error NU5000: Package 'Microsoft.NETCore.App.Runtime.linux-arm 8.0.5' has a package type 'DotnetPlatform' that is not supported by project '/Users/jon/gits/MITRE-cvelist/2009'.
```
You can see the resolution of the package to `...NETCore...` prior to the cli erroring out because the working dir isn't a real project.

curl-ing at their api with `curl https://api.nuget.org/v3/registration5-semver1/microsoft.netcore.app.runtime.linux-arm/index.json`, the stable casing on that artifact seems to be `"id":"Microsoft.NETCore.App.Runtime.linux-arm"` with all caps `NET`.
I can't find a reference in the docs on nuget.org, but it seems like the dotnet approach to naming is "Use pascal case if you want but also yolo": https://learn.microsoft.com/en-us/dotnet/standard/design-guidelines/names-of-namespaces

Actual quote:

> ✔️ DO use PascalCasing, and separate namespace components with periods (e.g., Microsoft.Office.PowerPoint). If your brand employs nontraditional casing, you should follow the casing defined by your brand, even if it deviates from normal namespace casing.
Either way it seems that all caps `NET` is the most correct choice for the specific GHSAs you've raised, so I've gone ahead and corrected them (please yell at me if I missed something 😅). Looking into where we got `Net` from on these, it seems like that came from microsoft themselves 🤬 ex. https://github.com/dotnet/sdk/security/advisories/GHSA-x469-cv7m-77r9

Anyway, I've got a ticket filed to add some automation so that our advisories sync with the preferred case choice of nuget.org. No promise on when that gets done, but 🤞
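The practical consequence of the reply above is that any consumer of advisory data (a scanner, a lockfile auditor, a dedup job over the advisory database) has to compare NuGet package IDs case-insensitively, or it will silently miss a match when an advisory spells `NetCore` and the project spells `NETCore`. The following is an added example, not code from the advisory database project or from anyone in this thread; the advisory records, GHSA identifiers, version thresholds and installed-package set are constructed placeholders, and the version parser deliberately handles only dotted numeric versions.

```python
"""Case-insensitive matching of NuGet package IDs against advisory records.

Added example (not the advisory-database project's code). All data below is
constructed: the GHSA ids are placeholders and the version thresholds are
invented; only the package ids come from the discussion above.
"""
from collections import defaultdict

# Constructed advisory records. The first two name the same nuget.org package
# with different casing, which is exactly the situation the issue describes.
ADVISORIES = [
    {"ghsa": "GHSA-placeholder-1", "package": "Microsoft.NETCore.App.Runtime.linux-arm",
     "vulnerable_below": "8.0.5"},
    {"ghsa": "GHSA-placeholder-2", "package": "Microsoft.NetCore.App.Runtime.linux-arm",
     "vulnerable_below": "8.0.3"},
    {"ghsa": "GHSA-placeholder-3", "package": "Newtonsoft.Json",
     "vulnerable_below": "13.0.1"},
]

# Constructed "installed" set, e.g. what a lockfile audit would collect.
INSTALLED = {
    "Microsoft.netCore.App.Runtime.linux-arm": "8.0.4",
    "Newtonsoft.Json": "13.0.1",
}


def normalize_id(package_id: str) -> str:
    """nuget.org treats package ids case-insensitively (its registration API
    even lower-cases the id in the URL), so compare on the lower-cased form."""
    return package_id.strip().lower()


def find_casing_conflicts(advisories):
    """Return {normalized_id: [spellings...]} for every package id that the
    advisory set spells in more than one way. Useful as a lint over the data."""
    spellings = defaultdict(set)
    for adv in advisories:
        spellings[normalize_id(adv["package"])].add(adv["package"])
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


def parse_version(version: str) -> tuple:
    """Simplified: dotted numeric versions only. Real NuGet versions may carry
    prerelease labels (e.g. 8.0.0-preview.1), which this helper does not handle."""
    return tuple(int(part) for part in version.split("."))


def match_installed(installed, advisories, case_sensitive=False):
    """Return [(installed_id, version, ghsa)] for every advisory that applies.

    case_sensitive=True reproduces the naive exact-string matching that misses
    advisories whose id casing differs from the project's; the default follows
    nuget.org's case-insensitive semantics.
    """
    key = (lambda s: s) if case_sensitive else normalize_id
    by_id = defaultdict(list)
    for adv in advisories:
        by_id[key(adv["package"])].append(adv)

    hits = []
    for pkg_id, version in installed.items():
        for adv in by_id.get(key(pkg_id), []):
            if parse_version(version) < parse_version(adv["vulnerable_below"]):
                hits.append((pkg_id, version, adv["ghsa"]))
    return hits


if __name__ == "__main__":
    print("casing conflicts:", find_casing_conflicts(ADVISORIES))
    print("exact-match hits: ", match_installed(INSTALLED, ADVISORIES, case_sensitive=True))
    print("normalized hits:  ", match_installed(INSTALLED, ADVISORIES))
```

With the constructed data, exact-string matching reports nothing for the runtime package even though 8.0.4 is below the placeholder threshold, while the normalized comparison flags it; `find_casing_conflicts` is the kind of check the automation mentioned in the reply could run over the advisory set to catch a `Net`/`NET` split before it reaches consumers.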
Description
Hello all! Thanks for your work!
I detected that some nuget vulnerabilities use different package names for the same packages, e.g. `Microsoft.NETCore.App.Runtime.linux-arm` and `Microsoft.NetCore.App.Runtime.linux-arm` (`NET` and `Net`).

Example for `Microsoft.NETCore.App.Runtime.linux-arm`:

It would be great to have one name for these packages.

Thank you in advance. Best regards, Dmitriy.