Skip to content

feat(manifest): socket manifest dotnet + centralized config-name globs (REA-627, REA-628)#1404

Draft
Jeppe Fredsgaard Blaabjerg (jfblaa) wants to merge 1 commit into
v1.xfrom
jfblaa/rea-627-socket-manifest-dotnet-compute-netnuget-sbom-reachability
Draft

feat(manifest): socket manifest dotnet + centralized config-name globs (REA-627, REA-628)#1404
Jeppe Fredsgaard Blaabjerg (jfblaa) wants to merge 1 commit into
v1.xfrom
jfblaa/rea-627-socket-manifest-dotnet-compute-netnuget-sbom-reachability

Conversation

@jfblaa

Copy link
Copy Markdown
Contributor

Closes REA-627. Closes REA-628.

Warning

Draft — do not merge until coana PR (REA-626) is released and the pinned coana version is bumped in this PR. The reachability sidecar emits nuget-tagged entries that the currently-released coana rejects (strict schema); a polyglot .NET+JVM --reach scan would break until coana ships REA-626. The SBOM-only path (no --reach) is coana-independent.

What

Brings .NET/NuGet to the Socket facts pipeline, at parity with the JVM tools (the .NET analog of REA-613). Previously nuget was only a package-scoring ecosystem — no manifest generation, no auto-detection, no reachability; the only path was a manual socket manifest cdxgen -t dotnet.

socket manifest dotnet (REA-627)

  • New command + auto-manifest detection (top-level .sln/.slnx/.csproj/.fsproj/.vbproj) + setup-wizard entry; socket.json defaults.manifest.dotnet.*.
  • Bundled C# tool (scripts/dotnet-tool/): one MSBuild session — evaluate → in-process restore → read project.assets.json via NuGet.ProjectModel — emitting the shared records TSV.
    • Ships no NuGet/MSBuild runtime assemblies: compile-low/run-high against the locator-selected SDK (net6 floor, RollForward LatestMajor), so it works across installed SDKs and avoids the ref/def assembly clash that breaks multi-SDK hosts.
    • Restore forces TreatWarningsAsErrors=false so NU19xx security-advisory warnings don't abort the run.
    • packages.config supported (flat pinned closure + developmentDependency→dev + HintPath DLLs; downloads missing pinned artifacts via the project's configured feeds/credential providers).
    • Fail-closed: emits failure/unscannable records that raise the CLI exit code; every emitted artifact path is guaranteed to exist.
  • Flags: --target-frameworks / --exclude-target-frameworks (TFM globs; RID targets match under their base TFM); --dotnet-opts (MSBuild -p: props applied to the whole session).
  • Reachability sidecar emits nuget-tagged ResolvedComponents (consumed by coana REA-626).
  • Resolution summary reports scanned target frameworks across N projects (per-project attribution under --verbose).
  • CI leg builds the C# tool; provenance build bundles it like the Maven extension jar.

Centralized config-name glob compilation (REA-628)

  • Compile --include-configs/--exclude-configs globs → anchored regex sources once in config-glob.mts; the gradle/sbt/maven scripts and the dotnet tool all consume the compiled patterns. Removes the per-language globToRegex (Groovy/Scala/Java) and adds a cross-language vector test suite. Rides in this PR because the .NET tool is a fourth consumer of the shared patterns.

Testing

Unit tests (config-glob vectors, dotnet records→assemble, detection, auto-manifest branch, command snapshots); accuracy sweep vs. native-restore ground truth across 17 real .NET repos (~99.6% avg recall, exact real-package versions, packages.config 100%). pnpm check clean.

Follow-ups before un-drafting

  • coana REA-626 merged + released
  • bump pinned coana version in this PR
  • CHANGELOG entry

…s (REA-627, REA-628)

Bring .NET/NuGet to the Socket facts pipeline, at parity with the JVM tools.

socket manifest dotnet (REA-627):
- New command + auto-manifest detection (top-level .sln/.slnx/.csproj/.fsproj/
  .vbproj) and setup-wizard entry; socket.json defaults.manifest.dotnet.*.
- Bundled C# tool (socket-facts-dotnet): one MSBuild session — evaluate,
  in-process restore, read project.assets.json via NuGet.ProjectModel —
  emitting the shared records TSV. Ships no NuGet/MSBuild runtime assemblies
  (compile-low/run-high against the locator-selected SDK; net6 floor,
  RollForward LatestMajor), so it works across installed SDK versions. Restore
  forces TreatWarningsAsErrors=false so NU19xx security advisories don't abort
  the run. packages.config supported (flat closure + HintPath DLLs, with
  pinned-artifact download via the project's configured feeds). Fail-closed:
  emits failure records that raise the CLI exit code; every emitted artifact
  path is guaranteed to exist.
- --target-frameworks / --exclude-target-frameworks (TFM globs; RID targets
  match under their base TFM); --dotnet-opts (MSBuild -p: props applied to the
  whole session). Reachability sidecar emits nuget-tagged ResolvedComponents.
- Resolution summary reports scanned target frameworks across N projects, with
  per-project attribution under --verbose.

Centralized config-name glob compilation (REA-628):
- Compile --include-configs/--exclude-configs globs to anchored regex sources
  once in config-glob.mts; the gradle/sbt/maven scripts and the dotnet tool
  consume the compiled patterns. Removes the per-language globToRegex
  (Groovy/Scala/Java) and adds a cross-language vector test suite.

Gated on coana REA-626 (nuget sidecar consumer): the coana version pin is
bumped and this is un-drafted once coana releases.
@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: NuGet Client Security Feature Bypass Vulnerability in nuget nuget.packaging

CVE: GHSA-68w7-72jg-6qpp NuGet Client Security Feature Bypass Vulnerability (CRITICAL)

Affected versions: = 6.7.0, 6.8.0; >= 4.6.0 < 5.11.6; >= 6.0.0 < 6.0.6; >= 6.3.0 < 6.3.4; >= 6.4.0 < 6.4.3; >= 6.6.0 < 6.6.2; >= 6.7.0 < 6.7.1; >= 6.8.0 < 6.8.1

Patched version: 6.0.6

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.packaging@6.0.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore nuget/nuget.packaging@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@socket-security-staging

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Critical
Critical CVE: NuGet Client Security Feature Bypass Vulnerability in nuget nuget.packaging

CVE: GHSA-68w7-72jg-6qpp NuGet Client Security Feature Bypass Vulnerability (CRITICAL)

Affected versions: = 6.7.0, 6.8.0; >= 4.6.0 < 5.11.6; >= 6.0.0 < 6.0.6; >= 6.3.0 < 6.3.4; >= 6.4.0 < 6.4.3; >= 6.6.0 < 6.6.2; >= 6.7.0 < 6.7.1; >= 6.8.0 < 6.8.1

Patched version: 6.0.6

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.packaging@6.0.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/nuget.packaging@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: NuGet Client Remote Code Execution Vulnerability in nuget nuget.common

CVE: GHSA-6qmf-mmc7-6c2p NuGet Client Remote Code Execution Vulnerability (HIGH)

Affected versions: = 6.5.0, 6.6.0; >= 6.0.0 < 6.0.5; >= 6.2.0 < 6.2.4; >= 6.3.0 < 6.3.3; >= 6.4.0 < 6.4.2; >= 6.5.0 < 6.5.1; >= 6.6.0 < 6.6.1; >= 4.6.0 < 5.11.5

Patched version: 6.0.5

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.common@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/nuget.common@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: NuGet Client Remote Code Execution Vulnerability in nuget nuget.protocol

CVE: GHSA-6qmf-mmc7-6c2p NuGet Client Remote Code Execution Vulnerability (HIGH)

Affected versions: = 6.5.0, 6.6.0; >= 6.0.0 < 6.0.5; >= 6.2.0 < 6.2.4; >= 6.3.0 < 6.3.3; >= 6.4.0 < 6.4.2; >= 6.5.0 < 6.5.1; >= 6.6.0 < 6.6.1; >= 4.7.0 < 5.11.5

Patched version: 6.0.5

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.protocol@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/nuget.protocol@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: NuGet Elevation of Privilege Vulnerability in nuget nuget.protocol

CVE: GHSA-g3q9-xf95-8hp5 NuGet Elevation of Privilege Vulnerability (HIGH)

Affected versions: >= 4.6.0 < 4.9.6; >= 5.0.0 < 5.7.3; >= 5.8.0 < 5.9.3; >= 5.10.0 < 5.11.3; >= 6.0.0 < 6.0.3; >= 6.1.0 < 6.2.2; >= 6.3.0 < 6.3.1

Patched version: 6.0.3

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.protocol@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/nuget.protocol@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability in nuget system.formats.asn1

CVE: GHSA-447r-wph3-92pm Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability (HIGH)

Affected versions: >= 5.0.0-preview.7.20364.11 < 6.0.1; >= 7.0.0-preview.1.22076.8 < 8.0.1

Patched version: 6.0.1

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/nuget.packaging@6.0.0nuget/system.formats.asn1@5.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/system.formats.asn1@5.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability in nuget system.text.json

CVE: GHSA-8g4q-xg66-9fp4 Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability (HIGH)

Affected versions: >= 8.0.0 < 8.0.5; >= 6.0.0 < 6.0.10

Patched version: 6.0.10

From: src/commands/manifest/scripts/dotnet-tool/socket-facts-dotnet.csprojnuget/microsoft.build@17.3.2nuget/system.text.json@6.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore nuget/system.text.json@6.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant