Merge pull request #27 from nexB/privateassets-and-duplicates

Handle PrivateAssets and duplicates correctly

Author: pombredanne

build.sh

@@ -17,6 +17,6 @@ dotnet publish \
   --runtime linux-x64 \
   --self-contained true \
   --configuration Release \
-  -p:Version=0.9.6-beta1 \
+  -p:Version=0.9.6-beta2 \
   --output build \
   src/nuget-inspector/nuget-inspector.csproj

release.sh

@@ -16,7 +16,7 @@
 rm -rf release/
 mkdir release
 
-VERSION=0.9.6-beta1
+VERSION=0.9.6-beta2
 
 TARGET_BASE=nuget-inspector-$(git describe)
 

setup.cfg

@@ -1,7 +1,7 @@
 [bumpversion]
 commit = False
 tag = False
-current_version = 0.9.6-beta1
+current_version = 0.9.6-beta2
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+))?
 serialize = 
 	{major}.{minor}.{patch}-{release}

src/nuget-inspector/Config.cs

@@ -6,5 +6,5 @@ public static class Config
     public static bool TRACE_NET = false;
     public static bool TRACE_DEEP = false;
     public static bool TRACE_META = false;
-    public static string NUGET_INSPECTOR_VERSION = "0.9.6-beta1";
+    public static string NUGET_INSPECTOR_VERSION = "0.9.6-beta2";
 }

src/nuget-inspector/NugetApi.cs

@@ -415,7 +415,7 @@ public IEnumerable<PackageDependency> GetPackageDependenciesForPackage(PackageId
         PackageDownload download;
         if (download_by_identity.ContainsKey(identity))
         {
-            if (Config.TRACE)
+            if (Config.TRACE_NET)
                 Console.WriteLine($"    GetPackageDownload Cache Hit for package '{identity}'");
             download = download_by_identity[identity];
             if (download.IsEnhanced())
@@ -432,7 +432,7 @@ public IEnumerable<PackageDependency> GetPackageDependenciesForPackage(PackageId
             };
 
             download_by_identity[identity] = download;
-            if (Config.TRACE)
+            if (Config.TRACE_NET)
                 Console.WriteLine($"    GetPackageDownload Cache miss for package '{identity}'");
         }
         if (!with_details)

src/nuget-inspector/ProjectFileProcessor.cs

@@ -1,5 +1,4 @@
 using Microsoft.Build.Evaluation;
-//using NuGet.Build.Tasks.Console;
 using NuGet.Common;
 using NuGet.Frameworks;
 using NuGet.LibraryModel;
@@ -68,6 +67,50 @@ public List<Dependency> GetDependenciesFromReferences(List<PackageReference> ref
         return dependencies;
     }
 
+    /// <summary>
+    /// Return a deduplicated list of PackageReference, selecting the first of each
+    /// duplicated package names in the original order. This is the dotnet behaviour.
+    /// </summary>
+    public static List<PackageReference> DeduplicateReferences(List<PackageReference> references)
+    {
+        var by_name = new Dictionary<string, List<PackageReference>>();
+
+        List<PackageReference> refs;
+        foreach (var reference in references)
+        {
+            var pid = reference.PackageIdentity;
+            if (by_name.ContainsKey(pid.Id))
+            {
+                refs = by_name[pid.Id];
+            }
+            else
+            {
+                refs = new List<PackageReference>();
+                by_name[pid.Id] = refs;
+            }
+            refs.Add(reference);
+        }
+
+        var deduped = new List<PackageReference>();
+        foreach(var dupes in by_name.Values)
+        {
+            if (Config.TRACE)
+            {
+                if (dupes.Count != 1)
+                {
+                    string duplicated = string.Join("; ", dupes.Select(d => string.Join(", ", $"{d.PackageIdentity}")));
+
+                    Console.WriteLine(
+                        "DeduplicateReferences: Remove the duplicate items to ensure a consistent dotnet restore behavior. "
+                        + $"The duplicate 'PackageReference' items are: {duplicated}");
+                }
+            }
+            deduped.Add(dupes[0]);
+        }
+        return deduped;
+    }
+
+
     /// <summary>
     /// Copied from NuGet.Client/src/NuGet.Core/NuGet.Build.Tasks.Console/MSBuildStaticGraphRestore.cs
     /// Copyright (c) .NET Foundation. All rights reserved.
@@ -112,30 +155,35 @@ public List<PackageReference> GetPackageReferences()
 
         foreach (ProjectItem reference in project.GetItems(itemType: "PackageReference"))
         {
-            if (Config.TRACE)
+            if (Config.TRACE_DEEP)
             {
                 Console.WriteLine($"    Project reference: EvaluatedInclude: {reference.EvaluatedInclude}");
                 foreach (var meta in reference.Metadata)
-                {
                     Console.WriteLine($"        Metadata: name: '{meta.Name}' value: '{meta.EvaluatedValue}'");
-                }
             }
-            // var IncludeAssets = reference.Metadata.FirstOrDefault(predicate: meta => meta.Name == "IncludeAssets");
-            // var IncludeType? = null;
-            // if (IncludeAssets is not null)
-            //    IncludeType = GetLibraryIncludeFlags(IncludeAssets.EvaluatedValue, LibraryIncludeFlags.All);
-
-            // var IncludeType = GetLibraryIncludeFlags(
-            //     reference.GetProperty("IncludeAssets"), 
-            //     LibraryIncludeFlags.All) & ~GetLibraryIncludeFlags(
-            //     reference.GetProperty("ExcludeAssets"),
-            //     LibraryIncludeFlags.None),
-            // LibraryRange = new LibraryRange(
-            //     packageReferenceItem.Identity,
-            //     string.IsNullOrWhiteSpace(version) ? isCentralPackageVersionManagementEnabled ? null : VersionRange.All : VersionRange.Parse(version),
-            //     LibraryDependencyTarget.Package),
-            // NoWarn = MSBuildStringUtility.GetNuGetLogCodes(packageReferenceItem.GetProperty("NoWarn")).ToList(),
-            // SuppressParent = GetLibraryIncludeFlags(packageReferenceItem.GetProperty("PrivateAssets"), LibraryIncludeFlagUtils.DefaultSuppressParent),
+
+            // Compute the include and exclude flags
+            LibraryIncludeFlags effective_includes_flag = LibraryIncludeFlags.All;
+            LibraryIncludeFlags private_assets = LibraryIncludeFlags.None;
+
+            foreach (var meta in reference.Metadata)
+            {
+                if (meta.Name == "IncludeAssets")
+                    effective_includes_flag &= GetLibraryIncludeFlags(meta.EvaluatedValue, LibraryIncludeFlags.All);
+                if (meta.Name == "ExcludeAssets")
+                    effective_includes_flag &= ~GetLibraryIncludeFlags(meta.EvaluatedValue, LibraryIncludeFlags.None);
+                // Private assets is treated as an exclude
+                if (meta.Name == "PrivateAssets")
+                    private_assets = GetLibraryIncludeFlags(meta.EvaluatedValue, LibraryIncludeFlagUtils.DefaultSuppressParent);
+            }
+            // Skip fully private assets for package references
+            effective_includes_flag &= ~private_assets;
+            if (effective_includes_flag == LibraryIncludeFlags.None || private_assets == LibraryIncludeFlags.All)
+            {
+                if (Config.TRACE)
+                    Console.WriteLine($"    Skipping private or excluded asset reference for {reference.EvaluatedInclude}");
+                continue;
+            }
 
             var version_metadata = reference.Metadata.FirstOrDefault(predicate: meta => meta.Name == "Version");
             VersionRange? version_range;
@@ -148,7 +196,7 @@ public List<PackageReference> GetPackageReferences()
             }
             else
             {
-                if (Config.TRACE)
+                if (Config.TRACE_DEEP)
                     Console.WriteLine($"    Project reference without version: {reference.EvaluatedInclude}");
                 version_range = null;
             }
@@ -265,6 +313,7 @@ public DependencyResolution ResolveOneAtATime()
         try
         {
             List<PackageReference> references = GetPackageReferences();
+            references = DeduplicateReferences(references);
             List<Dependency> dependencies = GetDependenciesFromReferences(references);
 
             var deps_helper = new NugetResolverHelper(nugetApi: nugetApi);
@@ -317,6 +366,7 @@ public DependencyResolution ResolveOneAtATimeEnhanced()
         try
         {
             List<PackageReference> references = GetPackageReferences();
+            references = DeduplicateReferences(references);
             List<Dependency> dependencies = GetDependenciesFromReferences(references);
             List<PackageIdentity> direct_deps = CollectDirectDeps(dependencies);
 
@@ -396,6 +446,7 @@ public DependencyResolution ResolveManyAtOnce()
         try
         {
             List<PackageReference> references = GetPackageReferences();
+            references = DeduplicateReferences(references);
             List<Dependency> dependencies = GetDependenciesFromReferences(references);
             List<PackageIdentity> direct_deps = CollectDirectDeps(dependencies);
 
@@ -469,21 +520,21 @@ public DependencyResolution ResolveManyAtOnce()
     /// </summary>
     private List<PackageIdentity> CollectDirectDeps(List<Dependency> dependencies)
     {
-        if (Config.TRACE)
+        if (Config.TRACE_DEEP)
             Console.WriteLine("ProjectFileProcessor.CollectDirectDeps for dependencies:");
 
         var direct_deps = new List<PackageIdentity>();
         foreach (var dep in dependencies)
         {
-            if (Config.TRACE)
+            if (Config.TRACE_DEEP)
                 Console.WriteLine($"    name: {dep.name} version_range: {dep.version_range}");
 
             PackageSearchMetadataRegistration? psmr = nugetApi.FindPackageVersion(
                 id: dep.name,
                 versionRange: dep.version_range,
                 include_prerelease: false);
 
-            if (Config.TRACE)
+            if (Config.TRACE_DEEP)
                 Console.WriteLine($"    psmr1: '{psmr}' for dep.name: {dep.name} dep.version_range: {dep.version_range}");
 
             if (psmr == null)
@@ -494,7 +545,7 @@ private List<PackageIdentity> CollectDirectDeps(List<Dependency> dependencies)
                     versionRange: dep.version_range,
                     include_prerelease: true);
 
-                if (Config.TRACE)
+                if (Config.TRACE_DEEP)
                     Console.WriteLine($"    psmr2: '{psmr}' for dep.name: {dep.name} dep.version_range: {dep.version_range}");
             }
 

src/nuget-inspector/ProjectScanner.cs

@@ -160,7 +160,7 @@ public void FetchMetadata(ScanResult scan_result)
                 try
                 {
                     if (Config.TRACE)
-                        Console.WriteLine($"FetchMetadata for '{package.name}@{package.version}'");
+                        Console.WriteLine($"FetchMetadata for '{dep.name}@{dep.version}'");
                     dep.Update(nugetApi: NugetApiService);
                 }
                 catch (Exception ex)

src/nuget-inspector/nuget-inspector.csproj

@@ -23,11 +23,11 @@
         <PackageId>nuget-inspector</PackageId>
         <Product>nuget-inspector</Product>
         <AssemblyName>nuget-inspector</AssemblyName>
-        <Version>0.9.6-beta1</Version>
+        <Version>0.9.6-beta2</Version>
         <Authors>nexB Inc.</Authors>
         <Company>nexB Inc</Company>
-        <AssemblyVersion>0.9.6.1</AssemblyVersion>
-        <FileVersion>0.9.6.1</FileVersion>
+        <AssemblyVersion>0.9.6.2</AssemblyVersion>
+        <FileVersion>0.9.6.2</FileVersion>
         <Description>A NuGet and Dotnet package dependency resolver</Description>
         <PackageProjectUrl>https://github.com/nexB/nuget-inspector</PackageProjectUrl>
         <PackageLicenseUrl>Apache-2.0 AND MIT</PackageLicenseUrl>

tests/data/basic/csproj1/CycloneDX.csproj-expected.json

@@ -348,63 +348,6 @@
           "datafile_path": "",
           "dependencies": []
         },
-        {
-          "type": "nuget",
-          "namespace": "",
-          "name": "Microsoft.CodeAnalysis.NetAnalyzers",
-          "version": "6.0.0",
-          "qualifiers": "",
-          "subpath": "",
-          "purl": "pkg:nuget/Microsoft.CodeAnalysis.NetAnalyzers@6.0.0",
-          "primary_language": "C#",
-          "description": "Microsoft recommended code quality rules and .NET API usage rules implemented as analyzers using the .NET Compiler Platform (Roslyn).",
-          "release_date": "",
-          "parties": [
-            {
-              "type": "organization",
-              "role": "author",
-              "name": "Microsoft",
-              "email": "",
-              "url": ""
-            }
-          ],
-          "keywords": [
-            "Roslyn",
-            "CodeAnalysis",
-            "Compiler",
-            "CSharp",
-            "VB",
-            "VisualBasic",
-            "Diagnostic",
-            "Analyzers",
-            "Syntax",
-            "Semantics"
-          ],
-          "homepage_url": "https://github.com/dotnet/roslyn-analyzers",
-          "download_url": "https://api.nuget.org/v3-flatcontainer/microsoft.codeanalysis.netanalyzers/6.0.0/microsoft.codeanalysis.netanalyzers.6.0.0.nupkg",
-          "size": 3969653,
-          "sha1": "",
-          "md5": "",
-          "sha256": "",
-          "sha512": "8D16B934642E2A61A6676D3522677961E68271174875F17573E905A926EC1EF57342D3A0156B4EF6E0DD488138616093191C24570601BC194FBC7A12195859F9",
-          "bug_tracking_url": "",
-          "code_view_url": "",
-          "vcs_url": "",
-          "copyright": "",
-          "license_expression": "",
-          "declared_license": "LicenseUrl: https://www.nuget.org/packages/Microsoft.CodeAnalysis.NetAnalyzers/6.0.0/license\nLicenseType: Expression\nLicense: MIT\nLicenseExpression: MIT",
-          "notice_text": "",
-          "source_packages": [],
-          "extra_data": {
-            "framework": "net6.0"
-          },
-          "repository_homepage_url": "https://www.nuget.org/packages/Microsoft.CodeAnalysis.NetAnalyzers/6.0.0?_src=template",
-          "repository_download_url": "https://api.nuget.org/v3-flatcontainer/microsoft.codeanalysis.netanalyzers/6.0.0/microsoft.codeanalysis.netanalyzers.6.0.0.nupkg",
-          "api_data_url": "https://api.nuget.org/v3/registration5-gz-semver2/microsoft.codeanalysis.netanalyzers/6.0.0.json",
-          "datasource_id": "",
-          "datafile_path": "",
-          "dependencies": []
-        },
         {
           "type": "nuget",
           "namespace": "",
@@ -1695,63 +1638,6 @@
       "datafile_path": "",
       "dependencies": []
     },
-    {
-      "type": "nuget",
-      "namespace": "",
-      "name": "Microsoft.CodeAnalysis.NetAnalyzers",
-      "version": "6.0.0",
-      "qualifiers": "",
-      "subpath": "",
-      "purl": "pkg:nuget/Microsoft.CodeAnalysis.NetAnalyzers@6.0.0",
-      "primary_language": "C#",
-      "description": "Microsoft recommended code quality rules and .NET API usage rules implemented as analyzers using the .NET Compiler Platform (Roslyn).",
-      "release_date": "",
-      "parties": [
-        {
-          "type": "organization",
-          "role": "author",
-          "name": "Microsoft",
-          "email": "",
-          "url": ""
-        }
-      ],
-      "keywords": [
-        "Roslyn",
-        "CodeAnalysis",
-        "Compiler",
-        "CSharp",
-        "VB",
-        "VisualBasic",
-        "Diagnostic",
-        "Analyzers",
-        "Syntax",
-        "Semantics"
-      ],
-      "homepage_url": "https://github.com/dotnet/roslyn-analyzers",
-      "download_url": "https://api.nuget.org/v3-flatcontainer/microsoft.codeanalysis.netanalyzers/6.0.0/microsoft.codeanalysis.netanalyzers.6.0.0.nupkg",
-      "size": 3969653,
-      "sha1": "",
-      "md5": "",
-      "sha256": "",
-      "sha512": "8D16B934642E2A61A6676D3522677961E68271174875F17573E905A926EC1EF57342D3A0156B4EF6E0DD488138616093191C24570601BC194FBC7A12195859F9",
-      "bug_tracking_url": "",
-      "code_view_url": "",
-      "vcs_url": "",
-      "copyright": "",
-      "license_expression": "",
-      "declared_license": "LicenseUrl: https://www.nuget.org/packages/Microsoft.CodeAnalysis.NetAnalyzers/6.0.0/license\nLicenseType: Expression\nLicense: MIT\nLicenseExpression: MIT",
-      "notice_text": "",
-      "source_packages": [],
-      "extra_data": {
-        "framework": "net6.0"
-      },
-      "repository_homepage_url": "https://www.nuget.org/packages/Microsoft.CodeAnalysis.NetAnalyzers/6.0.0?_src=template",
-      "repository_download_url": "https://api.nuget.org/v3-flatcontainer/microsoft.codeanalysis.netanalyzers/6.0.0/microsoft.codeanalysis.netanalyzers.6.0.0.nupkg",
-      "api_data_url": "https://api.nuget.org/v3/registration5-gz-semver2/microsoft.codeanalysis.netanalyzers/6.0.0.json",
-      "datasource_id": "",
-      "datafile_path": "",
-      "dependencies": []
-    },
     {
       "type": "nuget",
       "namespace": "",