25 changes: 19 additions & 6 deletions README.md
Expand Up @@ -33,21 +33,34 @@ Component Detection can also be used as a library to detect dependencies in your

## Features

Component Detection supports detecting libraries from the following ecosystem:
Component Detection supports detecting libraries from the following ecosystems:

| Ecosystem | Scanning | Graph Creation |
| -------------------------------------------------------------------------------- | ----------------------------------------------- | -------------- |
| CocoaPods | ✔ | ✔ |
| [Go](docs/detectors/go.md) | ✔ | ❌ |
| [CocoaPods](docs/detectors/cocoapods.md) | ✔ | ✔ |
| [Conan](docs/detectors/conan.md) | ✔ | ❌ |
| [Conda (Python)](docs/detectors/conda.md) | ✔ | ✔ |
| [Docker Compose](docs/detectors/dockercompose.md) | ✔ | ❌ |
| [Dockerfile](docs/detectors/dockerfile.md) | ✔ | ❌ |
| [DotNet SDK](docs/detectors/dotnet.md) | ✔ | ❌ |
| [Go](docs/detectors/go.md) | ✔ | ✔ (with Go 1.11+) |
| [Gradle (lockfiles only)](docs/detectors/gradle.md) | ✔ | ❌ |
| [Linux (Debian, Alpine, Rhel, Centos, Fedora, Ubuntu)](docs/detectors//linux.md) | ✔ (via [syft](https://github.com/anchore/syft)) | ❌ |
| [Helm](docs/detectors/helm.md) | ✔ | ❌ |
| [Ivy](docs/detectors/ivy.md) | ✔ | ✔ |
| [Linux (Debian, Alpine, Rhel, Centos, Fedora, Ubuntu)](docs/detectors/linux.md) | ✔ (via [syft](https://github.com/anchore/syft)) | ❌ |
| [Maven](docs/detectors/maven.md) | ✔ | ✔ |
| [NPM (including Yarn, Pnpm)](docs/detectors/npm.md) | ✔ | ✔ |
| [NuGet (including Paket)](docs/detectors/nuget.md) | ✔ | ✔ |
| [Pip (Python)](docs/detectors/pip.md) | ✔ | ✔ |
| [Poetry (Python, lockfiles only)](docs/detectors/poetry.md) | ✔ | ❌ |
| Ruby | ✔ | ✔ |
| Rust | ✔ | ✔ |
| [Ruby](docs/detectors/ruby.md) | ✔ | ✔ |
| [Rust (Cargo)](docs/detectors/rust.md) | ✔ | ✔ |
| [SPDX SBOM](docs/detectors/spdx.md) | ✔ | ❌ |
| [Swift](docs/detectors/swift.md) | ✔ | ❌ |
| [Uv (Python)](docs/detectors/uv.md) | ✔ | ✔ |
| [Vcpkg](docs/detectors/vcpkg.md) | ✔ | ❌ |

See the [detectors directory](docs/detectors/README.md) for the current status (Stable, Experimental, or DefaultOff) of each individual detector.

For a complete feature overview refer to [feature-overview.md](docs/feature-overview.md)
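
Review bot: In the Go row, the Graph Creation cell `✔ (with Go 1.11+)` does not say what the version requirement applies to: the Go toolchain present on the machine running the scan, or the version declared by the scanned module. Suggest spelling that out in the cell or pointing to the relevant section of `docs/detectors/go.md`, so a reader can tell from the table whether they will get a dependency graph or scan-only results. While the Linux row is being touched for the `//` path fix, `Rhel, Centos` could also become `RHEL, CentOS`.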

2 changes: 1 addition & 1 deletion docs/detectors/README.md
Expand Up @@ -87,7 +87,7 @@
| NuGetComponentDetector | Stable |
| NuGetPackagesConfigDetector | Stable |
| NuGetProjectModelProjectCentricComponentDetector | Stable |
| MSBuildBinaryLogComponentDetector | DefaultOff |
| MSBuildBinaryLogComponentDetector | Experimental |

- [Pip](pip.md)

4 changes: 3 additions & 1 deletion docs/detectors/nuget.md
Expand Up @@ -38,7 +38,9 @@ The `NuGetPackagesConfig` detector raises NuGet components referenced by project

## MSBuildBinaryLog

The `MSBuildBinaryLog` detector is a **DefaultOff** detector intended to eventually replace both the `NuGetProjectCentric` and `DotNet` detectors. It combines MSBuild binary log (binlog) information with `project.assets.json` to provide enhanced component detection with project-level classifications.
The `MSBuildBinaryLog` detector is an **Experimental** detector intended to eventually replace both the `NuGetProjectCentric` and `DotNet` detectors. It combines MSBuild binary log (binlog) information with `project.assets.json` to provide enhanced component detection with project-level classifications.

As an experimental detector, it runs automatically whenever a scan is performed, but its results are not reported as part of the normal scan output. Instead, the results are compared against the existing `NuGetProjectCentric` and `DotNet` detectors and recorded as telemetry so maintainers can evaluate parity before promoting the detector to default.

It looks for `project.assets.json` files and separately discovers `*.binlog` files. The binlog provides build-time context that isn't available from `project.assets.json` alone.
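
Review bot: The new paragraph says the detector now runs on every scan and that its results are recorded as telemetry, but it does not say what that telemetry contains or how to turn the detector off. Because the following paragraph states that the detector discovers `*.binlog` files and takes build-time context from them, suggest adding one sentence naming which fields are recorded (component identities only, or also paths and build properties) and one sentence pointing to the setting that disables an experimental detector.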

2 changes: 1 addition & 1 deletion docs/feature-overview.md
Expand Up @@ -11,7 +11,7 @@
| NPM | <ul><li>package.json</li><li>package-lock.json</li><li>npm-shrinkwrap.json</li><li>lerna.json</li></ul> | - | ✔ (dev-dependencies in package.json, dev flag in package-lock.json) | ✔ |
| Yarn (v1, v2) | <ul><li>package.json</li><li>yarn.lock</li></ul> | - | ✔ (dev-dependencies in package.json) | ✔ |
| Pnpm | <ul><li>shrinkwrap.yaml</li><li>pnpm-lock.yaml</li></ul> | - | ✔ (packages/{package}/dev flag) | ✔ |
| NuGet | <ul><li>project.assets.json</li><li>*.nupkg</li><li>*.nuspec</li><li>packages.config</li><li>nuget.config</li><li>*.binlog (DefaultOff)</li></ul> | - | - | ✔ (required project.assets.json) |
| NuGet | <ul><li>project.assets.json</li><li>*.nupkg</li><li>*.nuspec</li><li>packages.config</li><li>nuget.config</li><li>*.binlog (Experimental)</li></ul> | - | - | ✔ (required project.assets.json) |
| Pip (Python) | <ul><li>setup.py</li><li>requirements.txt</li><li>*setup=distutils.core.run_setup({setup.py}); setup.install_requires*</li><li>dist package METADATA file</li></ul> | <ul><li>Python 2 or Python 3</li><li>Internet connection</li></ul> | ❌ | ✔ |
| Poetry (Python) | <ul><li>poetry.lock</li><ul> | - | ✔ | ❌ |
| Ruby | <ul><li>gemfile.lock</li></ul> | - | ❌ | ✔ |
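
Review bot: In the Poetry row of the trailing context, the file-list cell reads `<ul><li>poetry.lock</li><ul>`, so the list is opened twice and never closed; it should end with `</ul>`. This is not introduced by the change, but it sits two rows below the edited NuGet row and can be fixed in the same pass.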
Expand Up @@ -48,7 +48,7 @@ namespace Microsoft.ComponentDetection.Detectors.NuGet;
/// - Fallback mode: When no binlog info is available, falls back to standard NuGet detection.
/// </para>
/// </remarks>
public class MSBuildBinaryLogComponentDetector : FileComponentDetector, IDefaultOffComponentDetector
public class MSBuildBinaryLogComponentDetector : FileComponentDetector, IExperimentalDetector
{
private readonly IBinLogProcessor binLogProcessor;
private readonly IFileUtilityService fileUtilityService;
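
Review bot: Swapping `IDefaultOffComponentDetector` for `IExperimentalDetector` on the class declaration moves this detector from opt-in to running on every scan (per the `nuget.md` text in this PR), yet the `<remarks>` block that ends just above the declaration is unchanged in this hunk and no test change is shown. Suggest adding a line to the remarks stating the experimental status and that results are compared rather than reported, plus a test asserting the detector is picked up as experimental. It is also worth confirming that the fallback mode described in the remarks behaves well when no binlog is present, since scans of repositories without binlogs will now reach it.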