Conversation
Fixes #201. DotNet.Glob v2.1.1 throws IndexOutOfRangeException on ** patterns (e.g. **/samples/**). Replace it with Microsoft.Extensions.FileSystemGlobbing in all three call sites: - DetectorProcessingService: directory exclusion via --DirectoryExclusionList - YarnLockComponentDetector: workspace pattern matching - RustSbomDetector: Cargo workspace include/exclude rules FileSystemGlobbing's ** does not match zero trailing segments, so **/dir/** patterns get a companion **/dir pattern added in the directory exclusion predicate. Paths are normalized to forward slashes before matching, which replaces the DotNet.Glob-specific backslash escaping workaround. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Respect allowWindowsPaths flag: skip patterns containing backslashes when the flag is false, restoring the original behavior where backslash-based patterns don't match on non-Windows platforms - Remove unused rootPath variable in YarnLockComponentDetector - Fix stale XML doc on AddGlobRule (was claiming OS-dependent case sensitivity, but the code always uses OrdinalIgnoreCase) - Add test for trailing ** companion pattern workaround - Fix absolute path handling in directory exclusion predicate by stripping the root prefix before matching Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR replaces DotNet.Glob with Microsoft.Extensions.FileSystemGlobbing across the orchestrator’s directory exclusion logic and two detectors (Yarn + Rust) to avoid known DotNet.Glob failures on ** patterns and reduce custom maintenance burden.
Changes:
- Swapped globbing implementation to
Microsoft.Extensions.FileSystemGlobbing.Matcherfor directory exclusions, Yarn workspace matching, and Rust Cargo workspace include/exclude rules. - Added a unit test covering the
**/dir/**compatibility workaround (ensuring the directory itself is excluded, not just descendants). - Updated package references to remove
DotNet.Globand pinMicrosoft.Extensions.FileSystemGlobbingcentrally.
Show a summary per file
| File | Description |
|---|---|
| test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DetectorProcessingServiceTests.cs | Adds coverage for the trailing-/** workaround to exclude the directory itself. |
| src/Microsoft.ComponentDetection.Orchestrator/Services/DetectorProcessingService.cs | Reimplements directory exclusion predicate using Matcher, with path normalization + trailing-/** companion pattern handling. |
| src/Microsoft.ComponentDetection.Orchestrator/Microsoft.ComponentDetection.Orchestrator.csproj | Replaces DotNet.Glob package reference with Microsoft.Extensions.FileSystemGlobbing. |
| src/Microsoft.ComponentDetection.Detectors/yarn/YarnLockComponentDetector.cs | Switches workspace file matching from Glob to Matcher over normalized relative paths. |
| src/Microsoft.ComponentDetection.Detectors/rust/RustSbomDetector.cs | Switches Cargo workspace include/exclude matching from Glob lists to Matcher. |
| src/Microsoft.ComponentDetection.Detectors/Microsoft.ComponentDetection.Detectors.csproj | Replaces DotNet.Glob package reference with Microsoft.Extensions.FileSystemGlobbing. |
| Directory.Packages.props | Removes DotNet.Glob version pin; adds Microsoft.Extensions.FileSystemGlobbing v8.0.0. |
Copilot's findings
- Files reviewed: 7/7 changed files
- Comments generated: 0 new
jpinz
approved these changes
Apr 6, 2026
grvillic
deleted the
jamieMagee/replace-dotnet-glob-with-filesystemglobbing
branch
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1767 +/- ##
============================
============================
☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #201
What
Swaps
DotNet.GlobforMicrosoft.Extensions.FileSystemGlobbingin all three call sites:DetectorProcessingService(directory exclusion via--DirectoryExclusionList)YarnLockComponentDetector(workspace pattern matching)RustSbomDetector(Cargo workspace include/exclude rules)Why
DotNet.Globv2.1.1 throwsIndexOutOfRangeExceptionon**patterns like**/samples/**. This has been broken since 2022. PR #1091 tried to fix it by hand-porting npm's minimatch (862 lines of C#) but that landed on a dead branch and never made it tomain.FileSystemGlobbingis a first-party Microsoft package. No custom code to maintain.Notable behavior difference
FileSystemGlobbing's**does not match zero trailing path segments. So**/node_modules/**won't match the pathproject/node_modulesby itself -- onlyproject/node_modules/something.The directory exclusion predicate works around this by adding a companion pattern: when it sees
**/dir/**, it also adds**/dir. The other two call sites (Yarn workspaces, Rust Cargo) don't use trailing**patterns, so they're unaffected.All paths are normalized to forward slashes before matching, which removes the old
DotNet.Glob-specific backslash escaping (Replace("\\", "[\\]")).