feat(dotnet): add license support for NuGet (#5217)

* add nuspec files support * docs: docs, log messages, comments refactoring * save found licences to use next time * refactor * refactor * fix typo
aquasecurity · Sep 28, 2023 · 3dd5b1e · 3dd5b1e
1 parent 5c18475
commit 3dd5b1e
Show file tree

Hide file tree

Showing 10 changed files with 349 additions and 51 deletions.
diff --git a/docs/docs/coverage/language/dotnet.md b/docs/docs/coverage/language/dotnet.md
@@ -7,7 +7,7 @@ The following scanners are supported.
 | Artifact  | SBOM | Vulnerability | License |
 |-----------|:----:|:-------------:|:-------:|
 | .Net Core |  ✓   |       ✓       |    -    |
-| NuGet     |  ✓   |       ✓       |    -    |
+| NuGet     |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -17,18 +17,31 @@ The following table provides an outline of the features Trivy offers.
 |      NuGet      | packages.config    |            ✓            |     Excluded     |                  -                   |    -     |
 |      NuGet      | packages.lock.json |            ✓            |     Included     |                  ✓                   |    ✓     |
 
-### *.deps.json
+## *.deps.json
 Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
 
-### packages.config
+## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
 
-### packages.lock.json
+### license detection
+`packages.config` files don't have information about the licenses used.
+Trivy uses [*.nuspec][nuspec] files from [global packages folder][global-packages] to detect licenses.
+!!! note
+    The `licenseUrl` field is [deprecated][license-url]. Trivy doesn't parse this field and only checks the [license] field (license `expression` type only).
+Currently only the default path and `NUGET_PACKAGES` environment variable are supported.
+
+## packages.lock.json
 Don't forgot to [enable][enable-lock] lock files in your project.
 
 !!! tip
     Please make sure your lock file is up-to-date after modifying dependencies.
 
+### license detection
+Same as [packages.config](#license-detection)
 
 [enable-lock]: https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-the-lock-file
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
+[nuspec]: https://learn.microsoft.com/en-us/nuget/reference/nuspec
+[global-packages]: https://learn.microsoft.com/en-us/nuget/consume-packages/managing-the-global-packages-and-cache-folders
+[license]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#license
+[license-url]: https://learn.microsoft.com/en-us/nuget/reference/nuspec#licenseurl
diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go
@@ -2,58 +2,110 @@ package nuget
 
 import (
 	"context"
+	"errors"
+	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
+	"sort"
 
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/go-dep-parser/pkg/nuget/config"
 	"github.com/aquasecurity/go-dep-parser/pkg/nuget/lock"
+	godeptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/utils/fsutils"
 )
 
 func init() {
-	analyzer.RegisterAnalyzer(&nugetLibraryAnalyzer{})
+	analyzer.RegisterPostAnalyzer(analyzer.TypeNuget, newNugetLibraryAnalyzer)
 }
 
 const (
-	version    = 2
+	version    = 3
 	lockFile   = types.NuGetPkgsLock
 	configFile = types.NuGetPkgsConfig
 )
 
 var requiredFiles = []string{lockFile, configFile}
 
-type nugetLibraryAnalyzer struct{}
+type nugetLibraryAnalyzer struct {
+	lockParser    godeptypes.Parser
+	configParser  godeptypes.Parser
+	licenseParser nuspecParser
+}
+
+func newNugetLibraryAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
+	return &nugetLibraryAnalyzer{
+		lockParser:    lock.NewParser(),
+		configParser:  config.NewParser(),
+		licenseParser: newNuspecParser(),
+	}, nil
+}
 
-func (a nugetLibraryAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
-	// Set the default parser
-	parser := lock.NewParser()
+func (a *nugetLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
+	var apps []types.Application
+	foundLicenses := make(map[string][]string)
 
-	targetFile := filepath.Base(input.FilePath)
-	if targetFile == configFile {
-		parser = config.NewParser()
+	// We saved only config and lock files in the FS,
+	// so we need to parse all saved files
+	required := func(path string, d fs.DirEntry) bool {
+		return true
 	}
 
-	res, err := language.Analyze(types.NuGet, input.FilePath, input.Content, parser)
+	err := fsutils.WalkDir(input.FS, ".", required, func(path string, d fs.DirEntry, r io.Reader) error {
+		// Set the default parser
+		parser := a.lockParser
+
+		targetFile := filepath.Base(path)
+		if targetFile == configFile {
+			parser = a.configParser
+		}
+
+		app, err := language.Parse(types.NuGet, path, r, parser)
+		if err != nil {
+			return xerrors.Errorf("NuGet parse error: %w", err)
+		}
+
+		for i, lib := range app.Libraries {
+			license, ok := foundLicenses[lib.ID]
+			if !ok {
+				license, err = a.licenseParser.findLicense(lib.Name, lib.Version)
+				if err != nil && !errors.Is(err, fs.ErrNotExist) {
+					return xerrors.Errorf("license find error: %w", err)
+				}
+				foundLicenses[lib.ID] = license
+			}
+
+			app.Libraries[i].Licenses = license
+		}
+
+		sort.Sort(app.Libraries)
+		apps = append(apps, *app)
+		return nil
+	})
 	if err != nil {
-		return nil, xerrors.Errorf("NuGet analysis error: %w", err)
+		return nil, xerrors.Errorf("NuGet walk error: %w", err)
 	}
-	return res, nil
+
+	return &analyzer.AnalysisResult{
+		Applications: apps,
+	}, nil
 }
 
-func (a nugetLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+func (a *nugetLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool {
 	fileName := filepath.Base(filePath)
 	return slices.Contains(requiredFiles, fileName)
 }
 
-func (a nugetLibraryAnalyzer) Type() analyzer.Type {
+func (a *nugetLibraryAnalyzer) Type() analyzer.Type {
 	return analyzer.TypeNuget
 }
 
-func (a nugetLibraryAnalyzer) Version() int {
+func (a *nugetLibraryAnalyzer) Version() int {
 	return version
 }
diff --git a/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go b/pkg/fanal/analyzer/language/dotnet/nuget/nuget_test.go
@@ -3,7 +3,6 @@ package nuget
 import (
 	"context"
 	"os"
-	"sort"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -15,19 +14,22 @@ import (
 
 func Test_nugetibraryAnalyzer_Analyze(t *testing.T) {
 	tests := []struct {
-		name      string
-		inputFile string
-		want      *analyzer.AnalysisResult
-		wantErr   string
+		name string
+		dir  string
+		env  map[string]string
+		want *analyzer.AnalysisResult
 	}{
 		{
-			name:      "happy path config file",
-			inputFile: "testdata/packages.config",
+			name: "happy path config file.",
+			dir:  "testdata/config",
+			env: map[string]string{
+				"HOME": "testdata/repository",
+			},
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
 						Type:     types.NuGet,
-						FilePath: "testdata/packages.config",
+						FilePath: "packages.config",
 						Libraries: types.Packages{
 							{
 								Name:    "Microsoft.AspNet.WebApi",
@@ -43,13 +45,57 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name:      "happy path lock file",
-			inputFile: "testdata/packages.lock.json",
+			name: "happy path lock file.",
+			dir:  "testdata/lock",
+			env: map[string]string{
+				"HOME": "testdata/repository",
+			},
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.NuGet,
+						FilePath: "packages.lock.json",
+						Libraries: types.Packages{
+							{
+								ID:      "Newtonsoft.Json@12.0.3",
+								Name:    "Newtonsoft.Json",
+								Version: "12.0.3",
+								Locations: []types.Location{
+									{
+										StartLine: 5,
+										EndLine:   10,
+									},
+								},
+								Licenses: []string{"MIT"},
+							},
+							{
+								ID:      "NuGet.Frameworks@5.7.0",
+								Name:    "NuGet.Frameworks",
+								Version: "5.7.0",
+								Locations: []types.Location{
+									{
+										StartLine: 11,
+										EndLine:   19,
+									},
+								},
+								DependsOn: []string{"Newtonsoft.Json@12.0.3"},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "happy path lock file. `NUGET_PACKAGES` env is used",
+			dir:  "testdata/lock",
+			env: map[string]string{
+				"NUGET_PACKAGES": "testdata/repository/.nuget/packages",
+			},
 			want: &analyzer.AnalysisResult{
 				Applications: []types.Application{
 					{
 						Type:     types.NuGet,
-						FilePath: "testdata/packages.lock.json",
+						FilePath: "packages.lock.json",
 						Libraries: types.Packages{
 							{
 								ID:      "Newtonsoft.Json@12.0.3",
@@ -61,6 +107,7 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) {
 										EndLine:   10,
 									},
 								},
+								Licenses: []string{"MIT"},
 							},
 							{
 								ID:      "NuGet.Frameworks@5.7.0",
@@ -80,35 +127,58 @@ func Test_nugetibraryAnalyzer_Analyze(t *testing.T) {
 			},
 		},
 		{
-			name:      "sad path",
-			inputFile: "testdata/invalid.txt",
-			wantErr:   "NuGet analysis error",
+			name: "happy path lock file. `.nuget` directory doesn't exist",
+			dir:  "testdata/lock",
+			env: map[string]string{
+				"HOME": "testdata/invalid",
+			},
+			want: &analyzer.AnalysisResult{
+				Applications: []types.Application{
+					{
+						Type:     types.NuGet,
+						FilePath: "packages.lock.json",
+						Libraries: types.Packages{
+							{
+								ID:      "Newtonsoft.Json@12.0.3",
+								Name:    "Newtonsoft.Json",
+								Version: "12.0.3",
+								Locations: []types.Location{
+									{
+										StartLine: 5,
+										EndLine:   10,
+									},
+								},
+							},
+							{
+								ID:      "NuGet.Frameworks@5.7.0",
+								Name:    "NuGet.Frameworks",
+								Version: "5.7.0",
+								Locations: []types.Location{
+									{
+										StartLine: 11,
+										EndLine:   19,
+									},
+								},
+								DependsOn: []string{"Newtonsoft.Json@12.0.3"},
+							},
+						},
+					},
+				},
+			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			f, err := os.Open(tt.inputFile)
+			for env, path := range tt.env {
+				t.Setenv(env, path)
+			}
+			a, err := newNugetLibraryAnalyzer(analyzer.AnalyzerOptions{})
 			require.NoError(t, err)
-			defer f.Close()
 
-			a := nugetLibraryAnalyzer{}
-			ctx := context.Background()
-			got, err := a.Analyze(ctx, analyzer.AnalysisInput{
-				FilePath: tt.inputFile,
-				Content:  f,
+			got, err := a.PostAnalyze(context.Background(), analyzer.PostAnalysisInput{
+				FS: os.DirFS(tt.dir),
 			})
 
-			if tt.wantErr != "" {
-				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tt.wantErr)
-				return
-			}
-
-			// Sort libraries for consistency
-			for _, app := range got.Applications {
-				sort.Sort(app.Libraries)
-			}
-
 			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})