github.com/google/osv-scalibr@v0.4.1/extractor/filesystem/language/dotnet/packageslockjson/packageslockjson.go (about) 1 // Copyright 2025 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package packageslockjson extracts packages.lock.json files. 16 package packageslockjson 17 18 import ( 19 "context" 20 "encoding/json" 21 "fmt" 22 "io" 23 "path/filepath" 24 25 "github.com/google/osv-scalibr/extractor" 26 "github.com/google/osv-scalibr/extractor/filesystem" 27 "github.com/google/osv-scalibr/inventory" 28 "github.com/google/osv-scalibr/plugin" 29 "github.com/google/osv-scalibr/purl" 30 "github.com/google/osv-scalibr/stats" 31 ) 32 33 const ( 34 // Name is the unique name of this extractor. 35 Name = "dotnet/packageslockjson" 36 ) 37 38 // Config is the configuration for the Extractor. 39 type Config struct { 40 // Stats is a stats collector for reporting metrics. 41 Stats stats.Collector 42 // MaxFileSizeBytes is the maximum file size this extractor will unmarshal. If 43 // `FileRequired` gets a bigger file, it will return false, 44 MaxFileSizeBytes int64 45 } 46 47 // DefaultConfig returns the default configuration for the extractor. 48 func DefaultConfig() Config { 49 return Config{ 50 Stats: nil, 51 MaxFileSizeBytes: 0, 52 } 53 } 54 55 // Extractor extracts packages from inside a packages.lock.json. 56 type Extractor struct { 57 stats stats.Collector 58 maxFileSizeBytes int64 59 } 60 61 // New returns a requirements.txt extractor. 62 // 63 // For most use cases, initialize with: 64 // ``` 65 // e := New(DefaultConfig()) 66 // ``` 67 func New(cfg Config) *Extractor { 68 return &Extractor{ 69 stats: cfg.Stats, 70 maxFileSizeBytes: cfg.MaxFileSizeBytes, 71 } 72 } 73 74 // NewDefault returns an extractor with the default config settings. 75 func NewDefault() filesystem.Extractor { return New(DefaultConfig()) } 76 77 // PackagesLockJSON represents the `packages.lock.json` file generated from 78 // running `dotnet restore --use-lock-file`. 79 // The schema path we care about is: 80 // "dependencies" -> target framework moniker -> package name -> package info 81 type PackagesLockJSON struct { 82 Dependencies map[string]map[string]PackageInfo `json:"dependencies"` 83 } 84 85 // PackageInfo represents a single package's info, including its resolved 86 // version, and its dependencies 87 type PackageInfo struct { 88 // Resolved is the resolved version for this dependency. 89 Resolved string `json:"resolved"` 90 Dependencies map[string]string `json:"dependencies"` 91 } 92 93 // Name of the extractor. 94 func (e Extractor) Name() string { return Name } 95 96 // Version of the extractor. 97 func (e Extractor) Version() int { return 0 } 98 99 // Requirements of the extractor. 100 func (e Extractor) Requirements() *plugin.Capabilities { return &plugin.Capabilities{} } 101 102 // FileRequired returns true if the specified file is marked executable. 103 func (e Extractor) FileRequired(api filesystem.FileAPI) bool { 104 path := api.Path() 105 if filepath.Base(path) != "packages.lock.json" { 106 return false 107 } 108 109 fileinfo, err := api.Stat() 110 if err != nil { 111 return false 112 } 113 if e.maxFileSizeBytes > 0 && fileinfo.Size() > e.maxFileSizeBytes { 114 e.reportFileRequired(path, fileinfo.Size(), stats.FileRequiredResultSizeLimitExceeded) 115 return false 116 } 117 118 e.reportFileRequired(path, fileinfo.Size(), stats.FileRequiredResultOK) 119 return true 120 } 121 122 func (e Extractor) reportFileRequired(path string, fileSizeBytes int64, result stats.FileRequiredResult) { 123 if e.stats == nil { 124 return 125 } 126 e.stats.AfterFileRequired(e.Name(), &stats.FileRequiredStats{ 127 Path: path, 128 Result: result, 129 FileSizeBytes: fileSizeBytes, 130 }) 131 } 132 133 // Extract returns a list of dependencies in a packages.lock.json file. 134 func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) { 135 pkgs, err := e.extractFromInput(input) 136 if e.stats != nil { 137 var fileSizeBytes int64 138 if input.Info != nil { 139 fileSizeBytes = input.Info.Size() 140 } 141 e.stats.AfterFileExtracted(e.Name(), &stats.FileExtractedStats{ 142 Path: input.Path, 143 Result: filesystem.ExtractorErrorToFileExtractedResult(err), 144 FileSizeBytes: fileSizeBytes, 145 }) 146 } 147 return inventory.Inventory{Packages: pkgs}, err 148 } 149 150 func (e Extractor) extractFromInput(input *filesystem.ScanInput) ([]*extractor.Package, error) { 151 p, err := Parse(input.Reader) 152 if err != nil { 153 return nil, err 154 } 155 var res []*extractor.Package 156 for _, packages := range p.Dependencies { 157 for pkgName, info := range packages { 158 pkg := &extractor.Package{ 159 Name: pkgName, 160 Version: info.Resolved, 161 PURLType: purl.TypeNuget, 162 Locations: []string{ 163 input.Path, 164 }, 165 } 166 res = append(res, pkg) 167 } 168 } 169 170 return res, nil 171 } 172 173 // Parse returns a struct representing the structure of a .NET project's 174 // packages.lock.json file. 175 func Parse(r io.Reader) (PackagesLockJSON, error) { 176 dec := json.NewDecoder(r) 177 var p PackagesLockJSON 178 if err := dec.Decode(&p); err != nil { 179 return PackagesLockJSON{}, fmt.Errorf("failed to decode packages.lock.json file: %w", err) 180 } 181 182 return p, nil 183 }