NuGet Resources Extractor - 1.1

Extension ID

com.castsoftware.dmtdotnetnugetresourcesextractor

What’s new?

Please see NuGet Resources Extractor - 1.1 - Release Notes .

Description

The NuGet Resources Extractor provides the means to configure an automatic extraction of NuGet package dependencies from a NuGet repository for use during a .NET analysis. In other words, NuGet package based source code that resides in a simple local or nuget.org location. This extractor should be used when you want to extract packages (.nupkg) based source code that is stored in a NuGet repository. For example, when your .NET application contains .csproj files which have package references defined, you can use this extractor to extract those NuGet packages from the NuGet repository. Example package references in a .csproj are shown below:

<ItemGroup>
    <!-- ... -->
    <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.0" />
    <!-- ... -->
</ItemGroup>

packages.config

The content of the packages.config file (if this file is delivered and referenced via the .csproj file) is handled differently depending on the release of CAST Imaging Core you are using on your AIP Node to perform the analysis:

AIP Core ≥ 8.3.37	The Nuget Resources Extractor will identify the packages.config file and any packages defined in it will be identified and extracted. For example: `<?xml version="1.0" encoding="utf-8"?> <packages> <package id="jQuery" version="3.1.1" targetFramework="net46" /> <package id="NLog" version="4.3.10" targetFramework="net46" /> </packages>`
AIP Core ≤ 8.3.36	The NuGet Resources Extractor will identify the packages.config file but any packages defined in it will be ignored.

AIP Core compatibility

Item	Version
CAST Console	≥ 1.18.x
AIP Core	≥ 8.3.27
JRE	≤ 17

Microsoft Windows Win32 long paths requirement

CAST highly recommends that Win32 long paths is enabled on the AIP Node on which the .NET analysis will be run: the extracted package dependencies are stored inside a folder called “nugetPck” which is located in the Deployment folder. Depending on where the Deployment folder is located, the path to the extracted package dependencies may exceed the default 260 character length, which would cause the analyzer to fail to access the dependencies during an analysis. To enable long paths, use the Local Group Policy Editor (gpedit) on the AIP Node and drill down to:

Computer Configuration > Administrative Templates > System > Filesystem

Then double click the Enable Win32 long paths option to enable the setting:

Using the extractor with Console

Download and installation

The extractor will be automatically downloaded and installed in Console when at least one .csproj file is delivered for analysis. You can also manually install the extension using the Application - Extensions interface.

Usage

In Console this extractor is driven by options located in the following file on each Node:

Console V2:
%PROGRAMDATA%\CAST\AIP-Node\application.yml

Console V1:
%PROGRAMDATA%\CAST\AipConsole\AipNode\aip-node-app.properties

I.e.:

Console V2:
## HTTP V3 Nuget repository to download package dependencies https://api.nuget.org/v3/index.json or file system like file://C:/Users/johndoe/.nuget/packages
nuget:
  repository: https://api.nuget.org/v3/index.json
  # depth level parameter for manual extraction By default value is 1, if set to -1 then automatic extraction happens
  depthLevel: 1

Console V1:
## HTTP V3 Nuget repository to download package dependencies https://api.nuget.org/v3/index.json or file system like file://C:/Users/johndoe/.nuget/packages
scanner.nuget.repository=https://api.nuget.org/v3/index.json
## depth level parameter for manual extraction By default value is 1, if set to -1 then automatic extraction happens
scanner.nuget.depthLevel=1

Option Description

repository / scanner.nuget.repository

Option	Description
repository / scanner.nuget.repository	By default this attribute is present and defines the location of a NuGet repository. It will accept two values: a nuget.org URL such as https://api.nuget.org/v3/index.json - this value is present by default or a file system path - the location input should start with protocol file:// for example: `file://C:/Users/johndoe/.nuget/packages` If a .csproj file is detected in the delivered source code, the extension will be downloaded and installed as part of the analysis process. If the .csproj file contains NuGet package dependency references, the defined NuGet repository will be automatically accessed and resources will be extracted to a dedicated folder called nugetPck in the Application's Deployment folder: These references will then be used during the .NET analysis.
depthLevel	Available in Console ≥ 2.5 and ≥ 1.29 This option controls the extraction depth for dependencies referenced in the .csproj file: By default this option is set to a value of "1", which means that any referenced dependencies will only be resolved and extracted to a depth of one dependency (i.e. dependencies of referenced dependencies will not be resolved and extracted). Setting the value to "-1" will ensure that ALL dependencies (i.e. dependencies of dependencies etc. etc.), regardless of depth, will be resolved and extracted. This can cause analysis performance issues since potentially a significant amount of dependencies will need to be resolved and extracted. In addition the size of the nugetPck folder on the Node will increase significantly in size. Setting the value to any other number will limit the dependency extraction to the specified number.

By default this attribute is present and defines the location of a NuGet repository. It will accept two values:

a nuget.org URL such as https://api.nuget.org/v3/index.json - this value is present by default
or a file system path - the location input should start with protocol file:// for example: file://C:/Users/johndoe/.nuget/packages

If a .csproj file is detected in the delivered source code, the extension will be downloaded and installed as part of the analysis process. If the .csproj file contains NuGet package dependency references, the defined NuGet repository will be automatically accessed and resources will be extracted to a dedicated folder called nugetPck in the Application's Deployment folder:

These references will then be used during the .NET analysis.

depthLevel

Available in Console ≥ 2.5 and ≥ 1.29

This option controls the extraction depth for dependencies referenced in the .csproj file:

By default this option is set to a value of "1", which means that any referenced dependencies will only be resolved and extracted to a depth of one dependency (i.e. dependencies of referenced dependencies will not be resolved and extracted).
Setting the value to "-1" will ensure that ALL dependencies (i.e. dependencies of dependencies etc. etc.), regardless of depth, will be resolved and extracted. This can cause analysis performance issues since potentially a significant amount of dependencies will need to be resolved and extracted. In addition the size of the nugetPck folder on the Node will increase significantly in size.
Setting the value to any other number will limit the dependency extraction to the specified number.

Using the extractor with the legacy CAST Delivery Manager Tool

The extractor can be accessed as follows:

Enter the path to your NuGet repository, for example:

A nuget.org URL such as https://api.nuget.org/v3/index.json - this nuget.org url is provided by default.
A file system path - the location input should start with protocol file:// for example: file://C:/Users/johndoe/.nuget/packages

Enter the manual extraction dependency depth level. This option controls the extraction depth for dependencies referenced in the .csproj file:

By default this option is set to a value of “1”, which means that any referenced dependencies will only be resolved and extracted to a depth of one dependency (i.e. dependencies of referenced dependencies will not be resolved and extracted).
Setting the value to “-1” will ensure that ALL dependencies (i.e. dependencies of dependencies etc. etc.), regardless of depth, will be resolved and extracted. This can cause analysis performance issues since potentially a significant amount of dependencies will need to be resolved and extracted. In addition the size of the nugetPck folder on the Node will increase significantly in size.
Setting the value to any other number will limit the dependency extraction to the specified number.

When packaging is complete, the package dependencies identified and to be extracted will be displayed under Package Reference with name, version and framework:

Extraction messages

The following messages emitted by the extractor may appear during the source code extraction process

Format	Message Id	Message	Remediation
Error	com.castsoftware.dmt.extractor.dotnet.nuget.EmptyURL	Empty Url	Provide a valid repository URL.
Error	com.castsoftware.dmt.extractor.dotnet.nuget.UnexpectedRepository	Unexpected URL %URL%	Check the repository URL. It should be valid.
Error	com.castsoftware.dmt.extractor.dotnet.nuget.InstallationError	NuGet Not Installed false	Install the NuGet client tool. Follow https://docs.microsoft.com/en-us/nuget/install-nuget-client-tools .
Warning	com.castsoftware.dmt.extractor.dotnet.nuget.invalid URL	Invalid URL: %URL%	Provide a valid repository URL, either nuget.org (https://api.nuget.org/v3/index.json ) or file system (file://C://Users/johndoe/.nuget/packages).
Warning	com.castsoftware.dmt.extractor.dotnet.nuget.extractPackages	No package artifact found!!!	Check the source discovery: packages should be identified as resource profile references in the format [packageName.dll][frameworkVersion] for each module.
Warning	com.castsoftware.dmt.extractor.dotnet.nuget.NugetCommandUtility	Output: %commandoutput% ERROR in setting source command: %Command%	Check the %commandoutput%.