Add support for NuGet license files#1011
Would love to see this in the next release.
✅ There are no secrets present in this pull request anymore. If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Needs some small fixes, and I'll discuss if this should be the default behavior with a member of the core group.
Signed-off-by: Marius Thesing <[email protected]>
@mus65 are you still working on this? I would take over as soon as I got the feedback from the core group.
@mtsfoni I'm done, just did a rebase because of a merge conflict (I merged master at first, but it triggered secret detection for some reason).
Signed-off-by: Marius Thesing <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#1003) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 5.0.1 to 5.1.0. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@2016bd2...baa11fb) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: 5.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ve deps (issue CycloneDX#1025) (CycloneDX#1040) NuGet package IDs are case-insensitive, but project.assets.json preserves the casing from each package's own .nuspec when writing the dependency IDs inside the targets section. The ordinal Except() check introduced by the CycloneDX#894 fix treated a dep key like 'newtonsoft.Json' as having no matching package (whose canonical name is 'Newtonsoft.Json'), causing it to be silently removed from the dependency graph on every scan. Fix: use StringComparer.OrdinalIgnoreCase for both the HashSet construction and the Except() call so that casing differences between a dep reference and its canonical package name are tolerated correctly. Adds a functional test (case-mismatch.assets.json / Issue1025_CaseInsensitivePackageNames) and an e2e test (Issue1025Tests) that builds a real package whose .nuspec lists its dependency with wrong casing, confirming the regression and the fix. Co-authored-by: construct agent <[email protected]>
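The pruning mistake described in this commit message, reproduced on a constructed `project.assets.json` fragment (added example, not code from the CycloneDX tool; `AssetsDependencyCheck` and `UnmatchedDeps` are hypothetical names). The same routine is run with the pre-fix ordinal comparer and with `StringComparer.OrdinalIgnoreCase`, so the silently dropped edge is visible next to the genuinely unresolved one:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

static class AssetsDependencyCheck
{
    // Constructed, minimal "targets" fragment of a project.assets.json: the package
    // key carries the canonical ID, the dependency entry carries the .nuspec casing.
    const string Assets = @"{
      ""targets"": {
        ""net8.0"": {
          ""Newtonsoft.Json/13.0.3"": { ""type"": ""package"" },
          ""Example.Consumer/1.0.0"": {
            ""type"": ""package"",
            ""dependencies"": { ""newtonsoft.Json"": ""13.0.3"", ""Not.Restored"": ""1.0.0"" }
          }
        }
      }
    }";

    // Returns the dependency IDs that Except() treats as having no matching package
    // under the given comparer; these are the graph edges that would be pruned.
    static List<string> UnmatchedDeps(string assetsJson, StringComparer comparer)
    {
        using var doc = JsonDocument.Parse(assetsJson);
        var packages = new HashSet<string>(comparer);   // comparer applied here too
        var deps = new List<string>();
        foreach (var target in doc.RootElement.GetProperty("targets").EnumerateObject())
        {
            foreach (var lib in target.Value.EnumerateObject())
            {
                packages.Add(lib.Name.Split('/')[0]);     // "Newtonsoft.Json/13.0.3" -> ID
                if (lib.Value.TryGetProperty("dependencies", out var d))
                    deps.AddRange(d.EnumerateObject().Select(p => p.Name));
            }
        }
        return deps.Except(packages, comparer).ToList();
    }

    static void Main()
    {
        // Pre-fix: ordinal comparison reports "newtonsoft.Json, Not.Restored",
        // so a real dependency edge disappears from the SBOM on every scan.
        Console.WriteLine(string.Join(", ", UnmatchedDeps(Assets, StringComparer.Ordinal)));
        // Fixed: only "Not.Restored" is unmatched, which is the intended outcome.
        Console.WriteLine(string.Join(", ", UnmatchedDeps(Assets, StringComparer.OrdinalIgnoreCase)));
    }
}
```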
* fix: metadata import respects --set-name/version/type overrides (CycloneDX#817)
  - ReadMetaDataFromFile now accepts IFileSystem for testability
  - Metadata import now only copies Metadata section, preserving BOM spec version
  - SetMetadataComponentIfNecessary now accepts explicit override values
  - RunOptions.setType now defaults to Null (not Application) to distinguish 'user explicitly set' from default
  - Enable 3 previously-skipped tests for setName/setVersion/setType overrides
* docs: add bom-metadata reference and update README metadata section
* feat: use project file <Version> in BOM metadata when --set-version not provided (CycloneDX#954)
* docs: update bom-metadata reference with project file version source
* feat: check AssemblyVersion/ProjectVersion/PackageVersion as version fallbacks (CycloneDX#1006)

---------

Co-authored-by: construct agent <[email protected]>
…1042) Updates the central package version pin and regenerates lock files. CycloneDX.Core 11.0.0 bumps the default BOM spec version from 1.6 to 1.7; update ValidationTests to validate against v1_7 accordingly. Co-authored-by: construct agent <[email protected]>
…adata (CycloneDX#1043) The tools/tool element is deprecated since CycloneDX spec 1.5. This replaces the AddMetadataTool method to write metadata/tools/components/component instead, using Authors and an ExternalReference URL in place of the legacy Vendor field. Adds unit tests for AddMetadataTool and a dedicated e2e snapshot test to catch any future structural changes to the tool self-identification block. Closes CycloneDX#786 Co-authored-by: construct agent <[email protected]>
…#1052) Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 5.0.1 to 5.2.0. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@v5.0.1...c2fa09f) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: 5.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Patrick Dwyer <[email protected]>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6.0.1...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#1051) Namespace for classic .NET 4.8 Framework-Projects was wrong in XPath for at least some project files. Added fallback with namespace added to all path elements Signed-off-by: dridders <[email protected]>
…cts with default XML namespace (CycloneDX#1051) Adds a regression test for the fix in CycloneDX#1051. Classic .NET Framework .csproj files declare a default namespace on the root <Project> element (xmlns="http://schemas.microsoft.com/developer/msbuild/2003"), which puts every element — including <Project> itself — in the msbuild namespace. The XPath queries /Project/... therefore never matched, causing AssemblyName to fall back to the filename. The test uses a .csproj filename that differs from the <AssemblyName> value so that a filename fallback produces a visibly wrong result, confirming the XPath fix is the only path to the correct value. Generated by construct
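The namespace problem these two commit messages describe, shown on constructed classic and SDK-style project files (added example, not the CycloneDX tool's own code; `AssemblyNameReader` and `GetAssemblyName` are hypothetical names). The plain XPath is tried first, the namespace-qualified fallback second, and the file name only last, which is the order that makes a wrong file name visibly wrong:

```csharp
using System;
using System.Xml;

static class AssemblyNameReader
{
    const string MsBuildNs = "http://schemas.microsoft.com/developer/msbuild/2003";

    // Constructed classic .NET Framework project: the default namespace on <Project>
    // puts every element, <Project> included, in the msbuild namespace.
    const string ClassicCsproj = @"<Project ToolsVersion=""15.0"" xmlns=""http://schemas.microsoft.com/developer/msbuild/2003"">
  <PropertyGroup>
    <AssemblyName>Contoso.Legacy.Library</AssemblyName>
  </PropertyGroup>
</Project>";

    // Constructed SDK-style project: no default namespace, so the plain XPath matches.
    const string SdkCsproj = @"<Project Sdk=""Microsoft.NET.Sdk"">
  <PropertyGroup>
    <AssemblyName>Contoso.Modern.Library</AssemblyName>
  </PropertyGroup>
</Project>";

    // XPath 1.0 has no default namespace: an unprefixed name only matches elements
    // in the null namespace, so "/Project/..." never matches a classic csproj.
    static string GetAssemblyName(string csprojXml, string fileNameWithoutExtension)
    {
        var doc = new XmlDocument();
        doc.LoadXml(csprojXml);

        var node = doc.SelectSingleNode("/Project/PropertyGroup/AssemblyName");
        if (node == null)
        {
            // Fallback: bind a prefix to the msbuild namespace and qualify every step.
            var ns = new XmlNamespaceManager(doc.NameTable);
            ns.AddNamespace("msb", MsBuildNs);
            node = doc.SelectSingleNode("/msb:Project/msb:PropertyGroup/msb:AssemblyName", ns);
        }
        return node?.InnerText ?? fileNameWithoutExtension;
    }

    static void Main()
    {
        // Classic project: Contoso.Legacy.Library via the namespaced fallback, not "WrongName".
        Console.WriteLine(GetAssemblyName(ClassicCsproj, "WrongName"));
        // SDK-style project: Contoso.Modern.Library via the plain XPath.
        Console.WriteLine(GetAssemblyName(SdkCsproj, "WrongName"));
    }
}
```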
…1055)

* build(deps): upgrade CycloneDX.Core from 11.0.0 to 12.0.1

  Generated by construct
  Signed-off-by: Michael Tsfoni <[email protected]>

* build(deps): regenerate lock files for CycloneDX.Core 12.0.1 upgrade

  Signed-off-by: Michael Tsfoni <[email protected]>
  Generated by construct

* test(e2e): fix AutoVerify always silencing snapshot mismatches in CI

  VerifierSettings.AutoVerify() was called unconditionally, so snapshot divergences were silently accepted rather than failing the test run. Guard it behind a CI env-var check so snapshots must match in CI.

  Also update the MetadataToolTests snapshot for CycloneDX.Core 12.0.1:
  - default spec version bumped to 1.7

  Signed-off-by: Michael Tsfoni <[email protected]>
  Generated by construct

---------

Signed-off-by: Michael Tsfoni <[email protected]>
Signed-off-by: Michael Tsfoni <[email protected]>
)" This reverts commit d36e86b.
Adds --include-license-text CLI option that controls whether license file contents are embedded as base64 in the BOM. Fixes null-URL stub emission for packages with no license URL. aka.ms/deprecateLicenseUrl guard still missing (1 unit test + 1 E2E test expected to fail).
Any timeline on this?
Just needs a last fix and review - I believe one test is failing. Likely the next feature to go out.
Fixes #1001.
This adds support for license files that are defined in the NuGet package.
Some NuGet packages that this would help with are Lucene.Net, LibGit2Sharp and Oracle.ManagedDataAccess.Core.