NuGet audit bug fix - can't identify dependencies without assets files (

#925)
jfrog · Sep 6, 2023 · d12337c · d12337c
1 parent 90c9d87
commit d12337c
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 6 deletions.
diff --git a/go.mod b/go.mod
@@ -96,6 +96,6 @@ require (
 
 replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f
 
-replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc
+replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38
 
 // replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
diff --git a/go.sum b/go.sum
@@ -194,8 +194,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jedib0t/go-pretty/v6 v6.4.7 h1:lwiTJr1DEkAgzljsUsORmWsVn5MQjt1BPJdPCtJ6KXE=
 github.com/jedib0t/go-pretty/v6 v6.4.7/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
-github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc h1:pqu82clhPKyUKJcljMuxYa+kviaWnHycLNCLqZZNl30=
-github.com/jfrog/build-info-go v1.8.9-0.20230831151231-e5e7bd035ddc/go.mod h1:QEskae5fQpjeY2PBzsjWtUQVskYSNDF2sSmw/Gx44dQ=
+github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38 h1:XyAcwWP2a6a5RL861gkfgQ7MUaQ7mmDkUVoD6kMtUtQ=
+github.com/jfrog/build-info-go v1.8.9-0.20230905120411-62d1bdd4eb38/go.mod h1:QEskae5fQpjeY2PBzsjWtUQVskYSNDF2sSmw/Gx44dQ=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
 github.com/jfrog/jfrog-client-go v1.28.1-0.20230831152946-6ed2ae1aa57f h1:S6l0o2sKFLRJ+QYVB5U/PJhrnwFSmKFFY7eHpRPRH8A=

diff --git a/xray/commands/audit/sca/nuget/nuget.go b/xray/commands/audit/sca/nuget/nuget.go
@@ -1,14 +1,19 @@
 package nuget
 
 import (
+	"errors"
+	"fmt"
+	"github.com/jfrog/build-info-go/build/utils/dotnet/solution"
+	"github.com/jfrog/build-info-go/entities"
+	biutils "github.com/jfrog/build-info-go/utils"
 	"github.com/jfrog/gofrog/datastructures"
 	"github.com/jfrog/jfrog-cli-core/v2/xray/commands/audit/sca"
+	"github.com/jfrog/jfrog-client-go/utils/errorutils"
+	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
 	"os"
-
-	"github.com/jfrog/build-info-go/build/utils/dotnet/solution"
-	"github.com/jfrog/build-info-go/entities"
+	"os/exec"
 )
 
 const (
@@ -24,6 +29,16 @@ func BuildDependencyTree() (dependencyTree []*xrayUtils.GraphNode, uniqueDeps []
 	if err != nil {
 		return
 	}
+
+	// In case the project's dependencies sources can't be found we run 'dotnet restore' on a copy of the project in order to get its dependencies
+	if !sol.DependenciesSourcesExist() {
+		log.Info("Dependencies sources were not detected. Running 'dotnet restore' command")
+		sol, err = runDotnetRestoreAndLoadSolution(wd)
+		if err != nil {
+			return
+		}
+	}
+
 	buildInfo, err := sol.BuildInfo("", log.Logger)
 	if err != nil {
 		return
@@ -32,6 +47,40 @@ func BuildDependencyTree() (dependencyTree []*xrayUtils.GraphNode, uniqueDeps []
 	return
 }
 
+func runDotnetRestore(wd string) (err error) {
+	command := exec.Command("dotnet", "restore")
+	command.Dir = wd
+	output, err := command.CombinedOutput()
+	if err != nil {
+		err = errorutils.CheckErrorf("'dotnet restore' command failed: %s - %s", err.Error(), output)
+	}
+	return
+}
+
+func runDotnetRestoreAndLoadSolution(originalWd string) (sol solution.Solution, err error) {
+	tmpWd, err := fileutils.CreateTempDir()
+	if err != nil {
+		err = fmt.Errorf("failed creating temporary dir: %w", err)
+		return
+	}
+	defer func() {
+		err = errors.Join(err, fileutils.RemoveTempDir(tmpWd))
+	}()
+
+	err = biutils.CopyDir(originalWd, tmpWd, true, nil)
+	if err != nil {
+		err = fmt.Errorf("failed copying project to temp dir: %w", err)
+		return
+	}
+
+	err = runDotnetRestore(tmpWd)
+	if err != nil {
+		return
+	}
+	sol, err = solution.Load(tmpWd, "", log.Logger)
+	return
+}
+
 func parseNugetDependencyTree(buildInfo *entities.BuildInfo) (nodes []*xrayUtils.GraphNode, allUniqueDeps []string) {
 	uniqueDepsSet := datastructures.MakeSet[string]()
 	for _, module := range buildInfo.Modules {