Consider DLL claims for dependencies of .NET packages from deps.json by wagoodman · Pull Request #3822 · anchore/syft · GitHub

Consider DLL claims for dependencies of .NET packages from deps.json #3822


Merged
merged 4 commits into from
Apr 24, 2025

@wagoodman (Contributor) commented Apr 23, 2025

This augments the .NET cataloger to include packages that themselves do not claim any DLLs but have dependencies that do have DLLs, which is a common convention for larger NuGet package groups (for example Humanizer and Umbraco.Cms). This logic now applies to both the DLL claims configuration option as well as the DLL existence configuration option. A new configurable has been added to control this behavior:

dotnet:
  # treat DLL claims or on-disk evidence for child packages as DLL claims or on-disk evidence for any parent package (env: SYFT_DOTNET_PROPAGATE_DLL_CLAIMS_TO_PARENTS)
  propagate-dll-claims-to-parents: true

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

PR Stack
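
The propagation described in the PR description above, as an added Go example that is not syft's implementation and not code from this pull request. It assumes that a non-empty `runtime` map in a deps.json target entry is the DLL claim; the sample deps.json, the `entry` type and `claimedPackages` are constructed for illustration. With propagation off, the `Humanizer` meta-package would be dropped from the SBOM even though its dependency ships a DLL.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed deps.json fragment: Humanizer is a meta-package with no DLL of its own.
const sampleDeps = `{"targets": {".NETCoreApp,Version=v8.0": {
  "app/1.0.0": {"dependencies": {"Humanizer": "2.14.1"}, "runtime": {"app.dll": {}}},
  "Humanizer/2.14.1": {"dependencies": {"Humanizer.Core": "2.14.1"}}, "Unused.Pkg/1.0.0": {},
  "Humanizer.Core/2.14.1": {"runtime": {"lib/netstandard2.0/Humanizer.dll": {}}}}}}`
type entry struct {
	Dependencies map[string]string          `json:"dependencies"`
	Runtime      map[string]json.RawMessage `json:"runtime"` // non-empty = DLL claim (assumption)
}

// claimedPackages lists package keys with a DLL claim, optionally inherited from dependencies.
func claimedPackages(depsJSON string, propagate bool) ([]string, error) {
	var doc struct{ Targets map[string]map[string]entry `json:"targets"` }
	if err := json.Unmarshal([]byte(depsJSON), &doc); err != nil {
		return nil, err
	}
	// parents maps a child key to the keys of the packages that depend on it.
	parents, claimed, out := map[string][]string{}, map[string]bool{}, []string{}
	for _, pkgs := range doc.Targets {
		for key, p := range pkgs {
			if len(p.Runtime) > 0 && !claimed[key] {
				claimed[key], out = true, append(out, key)
			}
			for name, version := range p.Dependencies {
				parents[name+"/"+version] = append(parents[name+"/"+version], key)
			}
		}
	}
	for i := 0; propagate && i < len(out); i++ { // out doubles as the work queue (cycle-safe)
		for _, parent := range parents[out[i]] {
			if !claimed[parent] {
				claimed[parent], out = true, append(out, parent)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	fmt.Println(claimedPackages(sampleDeps, false)) // direct claims only
	fmt.Println(claimedPackages(sampleDeps, true))  // claims propagated to parents
}
```

`Unused.Pkg` has neither a claim nor a claiming dependency, so it stays out of the result in both modes.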

@wagoodman wagoodman added the bug Something isn't working label Apr 23, 2025
@wagoodman wagoodman self-assigned this Apr 23, 2025
@wagoodman wagoodman added this to OSS Apr 23, 2025
@wagoodman wagoodman moved this to In Review in OSS Apr 23, 2025
@wagoodman wagoodman changed the title consider child dll claims for .NET packages from deps.json Consider DLL claims for dependencies of .NET packages from deps.json Apr 23, 2025
Base automatically changed from add-pe-compile-path-processing to main April 24, 2025 13:01
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman force-pushed the add-pe-child-processing branch from f07cf91 to 824c49b Compare April 24, 2025 13:10
@wagoodman wagoodman enabled auto-merge (squash) April 24, 2025 13:11
@wagoodman wagoodman merged commit df18edf into main Apr 24, 2025
13 checks passed
@wagoodman wagoodman deleted the add-pe-child-processing branch April 24, 2025 15:59
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Apr 24, 2025
spiffcs added a commit that referenced this pull request Apr 29, 2025
* main: (150 commits)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  PE cataloger should consider compile target paths from deps.json (#3821)
  Perf: skip license scanner injection (#3796)
  chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#3818)
  chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#3819)
  chore(deps): update tools to latest versions (#3815)
  docs: document test commands (#3816)
  Support detection of Chrome binaries (#3136)
  fix:allow golang tip image detection regex pattern (#3757)
  fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812)
  (fix): delete collection name/type key entries when empty (#3797)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
spiffcs added a commit that referenced this pull request May 1, 2025
* main: (142 commits)
  feat: detect when full license text has been provided and preserve as separate field (#3450)
  chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 (#3843)
  chore(deps): update tools to latest versions (#3841)
  Update github.com/Masterminds/semver to v3 (#3836)
  Add support for PHP Pear (#2775)
  fix: Improve detection of erlang binary in alpine Linux (#3839)
  fix:Resolve ancestral symlinks correctly (#3783)
  chore(deps): update CPE dictionary index (#3834)
  chore(deps): update tools to latest versions (#3835)
  chore(deps): bump github.com/charmbracelet/bubbletea from 1.3.4 to 1.3.5 (#3838)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>