microsoft / component-detection

Scans your project to determine what components you use
MIT License
412 stars 87 forks

Incorrect and duplicate versions detected of a component in the same project file when using central package management (NuGet) #970

Open Sebazzz opened 7 months ago

Sebazzz commented 7 months ago

I'm using Central Package Management to manage my NuGet versions centrally, and also pin subdependencies to higher versions, for instance to mitigate vulnerable transitive dependencies.

I pinned System.IdentityModel.Tokens.Jwt because it had a vulnerability, which is used by Microsoft.IdentityModel.Protocols.OpenIdConnect, which is used by Microsoft.Data.SqlClient, which is used by Microsoft.EntityFrameworkCore.SqlServer which I directly reference.

<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- Central registry of all packages used in the project -->
  <!-- See: https://devblogs.microsoft.com/nuget/introducing-central-package-management/ -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
  </ItemGroup>
</Project>

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" />
  </ItemGroup>
</Project>

I'm using the sbom-tool to generate my SBOM, and the scan manifest shows:

{
  "locationsFoundAt": [
    "/src/MyProject.Persistence/MyProject.Persistence.csproj"
  ],
  "component": {
    "name": "System.IdentityModel.Tokens.Jwt",
    "version": "6.24.0",
    "authors": null,
    "type": "NuGet",
    "id": "System.IdentityModel.Tokens.Jwt 6.24.0 - NuGet",
    "packageUrl": {
      "Scheme": "pkg",
      "Type": "nuget",
      "Namespace": null,
      "Name": "System.IdentityModel.Tokens.Jwt",
      "Version": "6.24.0",
      "Qualifiers": null,
      "Subpath": null
    }
  },
  "detectorId": "NuGetProjectCentric",
  "isDevelopmentDependency": null,
  "dependencyScope": null,
  "topLevelReferrers": [
    {
      "name": "Microsoft.Data.SqlClient",
      "version": "5.1.4",
      "authors": null,
      "type": "NuGet",
      "id": "Microsoft.Data.SqlClient 5.1.4 - NuGet",
      "packageUrl": {
        "Scheme": "pkg",
        "Type": "nuget",
        "Namespace": null,
        "Name": "Microsoft.Data.SqlClient",
        "Version": "5.1.4",
        "Qualifiers": null,
        "Subpath": null
      }
    },
    {
      "name": "Microsoft.EntityFrameworkCore.SqlServer",
      "version": "8.0.0",
      "authors": null,
      "type": "NuGet",
      "id": "Microsoft.EntityFrameworkCore.SqlServer 8.0.0 - NuGet",
      "packageUrl": {
        "Scheme": "pkg",
        "Type": "nuget",
        "Namespace": null,
        "Name": "Microsoft.EntityFrameworkCore.SqlServer",
        "Version": "8.0.0",
        "Qualifiers": null,
        "Subpath": null
      }
    }
  ],
  "containerDetailIds": [],
  "containerLayerIds": {}
}

Interestingly, in a different project in the same solution the dependency version is correctly detected, but the project mentioned above also shows up here:

{
  "locationsFoundAt": [
    "/src/MyProject.Web/MyProject.Web.csproj",
    "/tests/MyProject.Tests.Integration/MyProject.Tests.Integration.csproj",
    "/src/MyProject.Persistence/MyProject.Persistence.csproj"
  ],
  "component": {
    "name": "System.IdentityModel.Tokens.Jwt",
    "version": "7.2.0",
    "authors": null,
    "type": "NuGet",
    "id": "System.IdentityModel.Tokens.Jwt 7.2.0 - NuGet",
    "packageUrl": {
      "Scheme": "pkg",
      "Type": "nuget",
      "Namespace": null,
      "Name": "System.IdentityModel.Tokens.Jwt",
      "Version": "7.2.0",
      "Qualifiers": null,
      "Subpath": null
    }
  }
}

AB#2139506
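The situation the report describes, a package pinned centrally with transitive pinning on but reported by the scanner at an older version, is cheap to catch automatically before an SBOM is published. The script below is an added example and is not code from microsoft/component-detection or from sbom-tool: it parses the PackageVersion pins out of a Directory.Packages.props and cross-checks them against a scan manifest, flagging every detection that sits below its pin and every project file for which one package is reported at more than one version. It assumes the manifest's top-level "componentsFound" array and the per-entry "component" and "locationsFoundAt" fields visible in the excerpts above; both inputs are constructed inline from the versions quoted in the issue.

```python
"""Cross-check a component-detection scan manifest against NuGet Central
Package Management (CPM) pins in Directory.Packages.props.

Added example for this issue; not code from microsoft/component-detection or
sbom-tool. Assumes the manifest's top-level "componentsFound" array and the
per-entry "component" / "locationsFoundAt" fields shown in the issue.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Directory.Packages.props, mirroring the pins quoted in the issue.
PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
  </ItemGroup>
</Project>
"""

# Constructed manifest excerpt, trimmed to the fields the check needs: the same
# package reported twice for one project, once below the pin, as in the issue.
SCAN_MANIFEST = json.loads("""{
  "componentsFound": [
    {"locationsFoundAt": ["/src/MyProject.Persistence/MyProject.Persistence.csproj"],
     "component": {"name": "System.IdentityModel.Tokens.Jwt", "version": "6.24.0", "type": "NuGet"}},
    {"locationsFoundAt": ["/src/MyProject.Web/MyProject.Web.csproj",
                          "/src/MyProject.Persistence/MyProject.Persistence.csproj"],
     "component": {"name": "System.IdentityModel.Tokens.Jwt", "version": "7.2.0", "type": "NuGet"}},
    {"locationsFoundAt": ["/src/MyProject.Persistence/MyProject.Persistence.csproj"],
     "component": {"name": "Microsoft.Data.SqlClient", "version": "5.1.4", "type": "NuGet"}}
  ]
}""")


def version_key(version):
    """Sortable key for a NuGet version: the numeric dotted core padded to four
    parts (NuGet treats 7.2 and 7.2.0.0 as equal), then a flag so that a
    prerelease such as 7.2.0-preview sorts below the 7.2.0 release."""
    core, dash, _prerelease = version.partition("-")
    core = core.split("+", 1)[0]
    numbers = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    numbers = numbers + (0,) * (4 - len(numbers))
    return (numbers, 0 if dash else 1)


def parse_pins(props_xml):
    """Map lower-cased package id -> pinned version from PackageVersion items.
    NuGet package ids are case-insensitive, so the key is normalised."""
    pins = {}
    for item in ET.fromstring(props_xml).iter("PackageVersion"):
        name, version = item.get("Include"), item.get("Version")
        if name and version:
            pins[name.lower()] = version
    return pins


def transitive_pinning_enabled(props_xml):
    """True when CentralPackageTransitivePinningEnabled is set to true."""
    el = ET.fromstring(props_xml).find(".//CentralPackageTransitivePinningEnabled")
    return el is not None and (el.text or "").strip().lower() == "true"


def find_pin_violations(manifest, pins):
    """(project, package, detected, pinned) for each NuGet detection whose
    version is below the central pin. With transitive pinning on, no project
    should resolve a pinned package below the pinned version."""
    violations = []
    for entry in manifest["componentsFound"]:
        comp = entry["component"]
        if comp.get("type") != "NuGet":
            continue
        pinned = pins.get(comp["name"].lower())
        if pinned is None or version_key(comp["version"]) >= version_key(pinned):
            continue
        for project in entry["locationsFoundAt"]:
            violations.append((project, comp["name"], comp["version"], pinned))
    return violations


def find_duplicate_versions(manifest):
    """{(project, package): [versions...]} for packages reported at more than
    one version within a single project file."""
    seen = defaultdict(set)
    for entry in manifest["componentsFound"]:
        comp = entry["component"]
        for project in entry["locationsFoundAt"]:
            seen[(project, comp["name"])].add(comp["version"])
    return {k: sorted(v, key=version_key) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    pins = parse_pins(PACKAGES_PROPS)
    print("transitive pinning enabled:", transitive_pinning_enabled(PACKAGES_PROPS))
    for project, name, detected, pinned in find_pin_violations(SCAN_MANIFEST, pins):
        print(f"{project}: {name} detected at {detected}, pinned at {pinned}")
    for (project, name), versions in find_duplicate_versions(SCAN_MANIFEST).items():
        print(f"{project}: {name} reported at multiple versions {versions}")
```

Run against a real ScanManifest.json by replacing the two constructed inputs with the file contents; a non-empty result from either check is a reason to hold the SBOM, because a consumer matching it against advisories would otherwise see the vulnerable 6.x version as present in the build.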

swells commented 6 months ago

We have the same issue. Does component gov not support central package management (NuGet)?

jcfiorenzano commented 6 months ago

Hello @Sebazzz

I am not able to reproduce the issue. I tried your configuration using the latest version of component detection v4.2.1 and the right components are detected. I also tried running the latest version of the sbom-tool v2.2.3 and also the correct components were reported. These are the files that I used:

csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer"/>
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="Newtonsoft.Json" />
  </ItemGroup>

</Project>

Directory.Packages.Props

<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- Central registry of all packages used in the project -->
  <!-- See: https://devblogs.microsoft.com/nuget/introducing-central-package-management/ -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
    <PackageVersion Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
</Project>

This is the manifest generated by sbom

manifest.spdx.json
