feat(dotnet): add support dependency location for dotnet-core files (#…

…3095)

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.82.0
-	github.com/aquasecurity/go-dep-parser v0.0.0-20221114123729-10affa4805f0
+	github.com/aquasecurity/go-dep-parser v0.0.0-20221114145626-35ef808901e8
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

go.sum

@@ -194,8 +194,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.82.0 h1:WUpPZ6IR0NgZqDK7CGaY5fOI799FNlqGvGMSboHEHlI=
 github.com/aquasecurity/defsec v0.82.0/go.mod h1:4SMepRtX/F8bzTd8CucIpMiqpNOB6/BVPnRktDF5iN0=
-github.com/aquasecurity/go-dep-parser v0.0.0-20221114123729-10affa4805f0 h1:f4R09zhM5MWD6CnGKpGfjnA45ObGblfVoz8VMAlx3WM=
-github.com/aquasecurity/go-dep-parser v0.0.0-20221114123729-10affa4805f0/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
+github.com/aquasecurity/go-dep-parser v0.0.0-20221114145626-35ef808901e8 h1:574FCPBKyseQXhlOfTFdbxfcynhXRWVlD3cpRK0reC4=
+github.com/aquasecurity/go-dep-parser v0.0.0-20221114145626-35ef808901e8/go.mod h1:ZCiGJgdQxCateSw3nPMwZvp9J/+nU8/3DcGY/NO71e4=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=

integration/fs_test.go

@@ -129,6 +129,15 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nuget.json.golden",
 		},
+		{
+			name: "dotnet",
+			args: args{
+				securityChecks: "vuln",
+				listAllPkgs:    true,
+				input:          "testdata/fixtures/fs/dotnet",
+			},
+			golden: "testdata/dotnet.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{

integration/testdata/dotnet.json.golden

@@ -0,0 +1,70 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/dotnet",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "datacollector.deps.json",
+      "Class": "lang-pkgs",
+      "Type": "dotnet-core",
+      "Packages": [
+        {
+          "Name": "Newtonsoft.Json",
+          "Version": "9.0.1",
+          "Locations": [
+            {
+              "StartLine": 8,
+              "EndLine": 14
+            }
+          ]
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
+          "PkgName": "Newtonsoft.Json",
+          "InstalledVersion": "9.0.1",
+          "FixedVersion": "13.0.1",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Nuget",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
+          },
+          "Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
+          "Description": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-755"
+          ],
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://alephsecurity.com/2018/10/22/StackOverflowException/",
+            "https://alephsecurity.com/vulns/aleph-2018004"
+          ],
+          "PublishedDate": "2022-06-22T15:08:47Z",
+          "LastModifiedDate": "2022-06-27T18:37:23Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/fixtures/fs/dotnet/datacollector.deps.json

@@ -0,0 +1,21 @@
+{
+  "runtimeTarget": {
+    "name": ".NETCoreApp,Version=v2.1",
+    "signature": ""
+  },
+  "compilationOptions": {},
+  "libraries": {
+    "Newtonsoft.Json/9.0.1": {
+      "type": "package",
+      "serviceable": true,
+      "sha512": "sha512-U82mHQSKaIk+lpSVCbWYKNavmNH1i5xrExDEquU1i6I5pV6UMOqRnJRSlKO3cMPfcpp0RgDY+8jUXHdQ4IfXvw==",
+      "path": "newtonsoft.json/9.0.1",
+      "hashPath": "newtonsoft.json.9.0.1.nupkg.sha512"
+    },
+    "Microsoft.VisualStudio.TestPlatform.Common/17.2.0-release-20220408-11": {
+      "type": "project",
+      "serviceable": false,
+      "sha512": ""
+    }
+  }
+}

pkg/fanal/analyzer/language/dotnet/deps/deps_test.go

@@ -29,8 +29,9 @@ func Test_depsLibraryAnalyzer_Analyze(t *testing.T) {
 						FilePath: "testdata/datacollector.deps.json",
 						Libraries: []types.Package{
 							{
-								Name:    "Newtonsoft.Json",
-								Version: "9.0.1",
+								Name:      "Newtonsoft.Json",
+								Version:   "9.0.1",
+								Locations: []types.Location{{StartLine: 8, EndLine: 14}},
 							},
 						},
 					},