C#: Choose between .NET framework or core DLLs in standalone #14368
Conversation
|
DCA results don't look great, I checked a couple of the projects, and compiler errors were reported because of conflicting framework DLLs. The conflict was between nuget restored reference assemblies and installed DLLs. So I'll handle this todo: https://github.com/github/codeql/pull/14368/files#diff-0179d8d74e2e78735e1d6cde08b1cff43d2a132f2c53a86c277cfdf3bbd95017R102-R104 |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
Fixed
Show fixed
Hide fixed
| existsNetCoreRefNugetPackage = IsNugetPackageAvailable("microsoft.netcore.app.ref"); | ||
| existsNetFrameworkRefNugetPackage = IsNugetPackageAvailable("microsoft.netframework.referenceassemblies"); | ||
|
|
||
| if (existsNetCoreRefNugetPackage || existsNetFrameworkRefNugetPackage) |
There was a problem hiding this comment.
The DCA changes show that this logic is not working great. If dotnet core 6 is installed, and there are net6.0 and net5.0 targets, then the reference assemblies of net5.0 are downloaded and preferred over the installed dotnet 6 DLLs. And this causes an issue if there are other references which are compiled against dotnet 6.0.
We could probably force the download of the ref assemblies for all target platforms, and we should choose the latest one from those.
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
dbaa0b8 to
52ccc2a
Compare
csharp/ql/integration-tests/all-platforms/standalone_dependencies/Assemblies.expected
Outdated
Show resolved
Hide resolved
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
3 times, most recently
from
83e5057 to
3f9b989
Compare
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
4 times, most recently
from
fdc8db5 to
c2099fd
Compare
| import os | ||
| from create_database_utils import * | ||
|
|
||
| os.environ['PROCESSOR_ARCHITECTURE'] = 'x64' |
There was a problem hiding this comment.
This should not be merged. I added a fix for this in the internal repo.
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
2 times, most recently
from
8c600ac to
0061dfe
Compare
| @@ -0,0 +1,5 @@ | |||
| [VALUE_NOT_IN_TYPE] predicate attributes(@attribute id, int kind, @type_or_ref type_id, @attributable target): Value 25 of field target is not in type @attributable. The value is however in the following types: @void_type. Appears in tuple (949897,0,960,25) | |||
There was a problem hiding this comment.
This is being fixed in #14436
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
59faeb3 to
7e30485
Compare
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
39351be to
ada5dcc
Compare
| catch (Exception exc) | ||
| { | ||
| progressMonitor.LogInfo("Couldn't delete package directory: " + exc.Message); | ||
| } |
Check notice
Code scanning / CodeQL
Generic catch clause
| catch (Exception exc) | ||
| { | ||
| progressMonitor.LogInfo("Couldn't delete temporary working directory: " + exc.Message); | ||
| } |
Check notice
Code scanning / CodeQL
Generic catch clause
| } | ||
| catch (Exception exc) | ||
| { | ||
| progressMonitor.LogInfo("Couldn't delete package directory: " + exc.Message); |
There was a problem hiding this comment.
This logs Couldn't delete package directory: The process cannot access the file 'System.EnterpriseServices.Wrapper.dll' because it is being used by another process. on Windows. The DLL can't be loaded as an assembly, and it looks like System.Reflection.PortableExecutable.PEReader doesn't release it.
The DLL is coming from the microsoft.netframework.referenceassemblies.net48.1.0.3 nuget package.
| Directory.CreateDirectory(path); | ||
| } | ||
|
|
||
| args += $" /p:TargetFrameworkRootPath=\"{path}\" /p:NetCoreTargetingPackRoot=\"{path}\""; |
There was a problem hiding this comment.
This feels like an ugly hack, but I couldn't find any other msbuild parameters that would do the same.
The goal is to depend on the nuget reference assemblies instead of the locally installed ones (for both dotnet core and the full framework)
| var monoPath = FileUtils.FindProgramOnPath(Win32.IsWindows() ? "mono.exe" : "mono"); | ||
| var monoDirs = monoPath is not null | ||
| ? new[] { Path.GetFullPath(Path.Combine(monoPath, "..", "lib", "mono")), monoPath } | ||
| : new[] { "/usr/lib/mono", "/usr/local/mono", "/usr/local/bin/mono", @"C:\Program Files\Mono\lib\mono" }; |
There was a problem hiding this comment.
Added a couple more mono installation directories.
| if (Directory.Exists(@"C:\Windows\Microsoft.NET\Framework64")) | ||
| { | ||
| return Directory.EnumerateDirectories(@"C:\Windows\Microsoft.NET\Framework64", "v*") | ||
| .OrderByDescending(Path.GetFileName); | ||
| } | ||
|
|
||
| var monoPath = FileUtils.FindProgramOnPath(Win32.IsWindows() ? "mono.exe" : "mono"); | ||
| var monoDirs = monoPath is not null | ||
| ? new[] { Path.GetFullPath(Path.Combine(monoPath, "..", "lib", "mono")), monoPath } |
There was a problem hiding this comment.
The paths didn't match:
❯ where mono
/Library/Frameworks/Mono.framework/Versions/Current/Commands/mono
vs
/Library/Frameworks/Mono.framework/Versions/Current/lib/mono
| @@ -8,6 +8,7 @@ | |||
| <AllowUnsafeBlocks>true</AllowUnsafeBlocks> | |||
| <RuntimeIdentifiers>win-x64;linux-x64;osx-x64</RuntimeIdentifiers> | |||
| <Nullable>enable</Nullable> | |||
| <NoWarn>$(NoWarn);CA1822</NoWarn> | |||
There was a problem hiding this comment.
Not reporting warnings on members that could be static, such as Runtime.ExecutingRuntime.
There was a problem hiding this comment.
Why not make it static instead of disabling the warning?
There was a problem hiding this comment.
This is just stylistic. This way AspNetCoreRuntime, ExecutingRuntime, DesktopRuntime, and NetCoreRuntime can be called the same way.
| | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Xml.XmlSerializer.dll | | ||
| | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/mscorlib.dll | | ||
| | /microsoft.netcore.app.ref/7.0.2/ref/net7.0/netstandard.dll | | ||
| | /microsoft.windowsdesktop.app.ref/7.0.2/analyzers/dotnet/System.Windows.Forms.Analyzers.dll | |
There was a problem hiding this comment.
The same test is added for unix-only too. The dependencies differ because of the platform. On Windows microsoft.windowsdesktop.app.ref is also fetched.
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
e6c0a89 to
3b4ea27
Compare
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
Outdated
Show resolved
Hide resolved
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
Outdated
Show resolved
Hide resolved
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
Outdated
Show resolved
Hide resolved
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/FileContent.cs
Outdated
Show resolved
Hide resolved
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Runtime.cs
Outdated
Show resolved
Hide resolved
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
cc02190 to
ba68e2d
Compare
| not a.getCompilation().getOutputAssembly() = a and | ||
| exists(string s | s = a.getFile().getAbsolutePath() | | ||
| result = | ||
| s.substring(s.indexOf("GitHub/packages/") + "GitHub/packages/".length() + 16, s.length()) |
There was a problem hiding this comment.
Why is 16 also added explicitly (looks like this is also the length of "GitHub/packages/"?
There was a problem hiding this comment.
We're using a 16-character-long hash as a subfolder name.
There was a problem hiding this comment.
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
ba68e2d to
06cda11
Compare
csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs
Show resolved
Hide resolved
tamasvajk
force-pushed
the
standalone/use-legacy-framework-dlls
branch
from
06cda11 to
15ec0a1
Compare
| } | ||
| var subFolderIndex = secondDirectorySeparatorCharIndex + 1; | ||
| var isInAnalyzersFolder = lowerFilename.IndexOf("analyzers", subFolderIndex) == subFolderIndex; | ||
| if (isInAnalyzersFolder) |
There was a problem hiding this comment.
Nuget packages can ship analyzers, code fixes, and source generators in the analyzers folder. These DLLs need to be passed in the analyzers csc argument and not in references. The base classes used in these DLLs are not part of the dotnet runtime (but the dotnet SDK), so if these are passed as references, they will produce compile errors, so we remove them from the reference list.
This PR
The changes help with the extraction of projects that target the full framework. For example: