-
Notifications
You must be signed in to change notification settings - Fork 131
Separated paket.lock handling from NuGetComponentDetector to PaketCom… #1502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Thorium
wants to merge
20
commits into
microsoft:main
Choose a base branch
from
Thorium:paket-component-detector
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
20 commits
Select commit
Hold shift + click to select a range
2d097a1
Separated paket.lock handling from NuGetComponentDetector to PaketCom…
Thorium 40a3e72
Merge branch 'main' into paket-component-detector
Thorium 1059a11
Addressed to the code-review feedback of FernandoRojo
Thorium 7e06225
Copilot suggestion commit
Thorium 2b73aa3
New CoPilot feedback addressed as well
Thorium 7595d73
Merge branch 'paket-component-detector' of https://github.com/Thorium…
Thorium 7b72d3f
Add isDevelopmentDependency detection for Paket.
Thorium db38ced
Merge branch 'main' into paket-component-detector
Thorium 1a14bee
Merge branch 'microsoft:main' into paket-component-detector
Thorium f7434cd
Merge branch 'microsoft:main' into paket-component-detector
Thorium 260879f
Implemented latest Copilot feedback
Thorium bff2468
Merge branch 'microsoft:main' into paket-component-detector
Thorium 5791dab
Potential fix for pull request finding
Thorium 02fd413
Copilot comments addressed
Thorium 4e537e5
Potential fix for pull request finding
Thorium 5e3e843
Potential fix for pull request finding
Thorium 30fe03a
Copilot reporting new comments one-by-one. Here is the change for the…
Thorium fd2a532
Potential fix for pull request finding
Thorium 23cb5bf
Copilot wants these
Thorium 0d4a84d
Potential fix for pull request finding
Thorium File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| # Paket Detection | ||
|
|
||
| ## Requirements | ||
|
|
||
| Paket Detection depends on the following to successfully run: | ||
|
|
||
| - One or more `paket.lock` files. | ||
| - The Paket detector looks for [`paket.lock`][1] files. | ||
|
|
||
| [1]: ../../src/Microsoft.ComponentDetection.Detectors/paket/PaketComponentDetector.cs | ||
|
|
||
| ## Detection Strategy | ||
|
|
||
| Paket Detection is performed by parsing any `paket.lock` files found under the scan directory. | ||
|
|
||
| The `paket.lock` file is a lock file that records the concrete dependency resolution of all direct and transitive dependencies of your project. It is generated by [Paket][2], an alternative dependency manager for .NET that is popular in both large-scale C# projects and small-scale F# projects. | ||
|
|
||
| [2]: https://fsprojects.github.io/Paket/ | ||
|
|
||
| ## What is Paket? | ||
|
|
||
| Paket is a dependency manager for .NET and Mono projects that provides: | ||
| - Precise control over package dependencies | ||
| - Reproducible builds through lock files | ||
| - Support for multiple package sources (NuGet, GitHub, HTTP, Git) | ||
| - Better resolution algorithm compared to legacy NuGet | ||
|
|
||
| The `paket.lock` file structure is straightforward and human-readable: | ||
| ``` | ||
| NUGET | ||
| remote: https://api.nuget.org/v3/index.json | ||
| PackageName (1.0.0) | ||
| DependencyName (>= 2.0.0) | ||
|
|
||
| GROUP Test | ||
| NUGET | ||
| remote: https://api.nuget.org/v3/index.json | ||
| NUnit (4.3.2) | ||
| ``` | ||
|
|
||
| ## Enabling the Detector | ||
|
|
||
| This detector is currently **DefaultOff** and must be explicitly enabled by passing `--DetectorArgs Paket=EnableIfDefaultOff` (see [enabling default off detectors](../enable-default-off.md)). | ||
|
|
||
| When the Paket detector is enabled, the NuGet detector automatically skips `paket.lock` files so the same file is not processed twice; when it is not enabled, the NuGet detector continues to handle `paket.lock` with its legacy parser. | ||
|
|
||
| ## Paket Detector | ||
|
|
||
| The Paket detector parses `paket.lock` files to extract: | ||
| - Resolved package names and versions recorded in the lock file | ||
| - Dependency relationships between packages as represented in the lock file | ||
| - Development dependency classification based on Paket group names | ||
|
|
||
| When a companion `paket.dependencies` file is present next to `paket.lock`, the detector uses it to identify explicitly declared NuGet packages; otherwise it falls back to a lock-graph heuristic (packages that appear as dependencies of other packages are treated as transitive). | ||
|
|
||
| Currently, the detector focuses on the `NUGET` section of the lock file, which contains NuGet package dependencies. Other dependency types (GITHUB, HTTP, GIT) are not currently supported. | ||
|
|
||
| ## How It Works | ||
|
|
||
| The detector: | ||
| 1. Locates `paket.lock` files in the scan directory | ||
| 2. Parses the file line by line, tracking the current GROUP context | ||
| 3. Identifies packages (4-space indentation) and their versions, keyed by group | ||
| 4. Identifies dependencies (6-space indentation) and their version constraints | ||
| 5. Records all packages as NuGet components | ||
| 6. Establishes parent-child relationships between packages and their dependencies | ||
| 7. Classifies packages as development dependencies based on their group name | ||
| 8. Classifies packages as direct (explicitly referenced) using the declarations in the companion `paket.dependencies` file when present, falling back to the lock-graph heuristic otherwise | ||
|
|
||
| ## Development Dependency Classification | ||
|
|
||
| Paket organizes dependencies into groups within `paket.lock`. The detector uses group names to classify packages as development (`isDevelopmentDependency: true`) or production (`isDevelopmentDependency: false`) dependencies. | ||
|
|
||
| **Well-known development groups** (case-insensitive): | ||
| - Exact matches: `Test`, `Tests`, `Docs`, `Documentation`, `Build`, `Analyzers`, `Fake`, `Benchmark`, `Benchmarks`, `Samples`, `DesignTime` | ||
| - Suffix matches: any group name ending with `Test` or `Tests` (e.g., `UnitTest`, `IntegrationTests`, `AcceptanceTests`, `E2ETest`) | ||
|
|
||
| **Production groups**: | ||
| - The default/unnamed group (packages before any `GROUP` line) | ||
| - `Main` | ||
| - Any group name not matching the well-known patterns above (e.g., `Server`, `Client`, `Shared`) | ||
|
|
||
| When the same package appears in multiple groups (e.g., `FSharp.Core` in both `Build` and `Server`), both occurrences are registered. The framework's merge logic ensures that if a package appears in **any** production group, it is ultimately classified as a production dependency. | ||
|
|
||
| ## Known Limitations | ||
|
|
||
| - This detector is currently **DefaultOff** and must be explicitly enabled with `--DetectorArgs Paket=EnableIfDefaultOff` (see [Enabling the Detector](#enabling-the-detector)) | ||
| - Only NuGet dependencies from the `NUGET` section are detected | ||
| - GitHub, HTTP, and Git dependencies are not currently supported | ||
| - Direct vs. transitive classification is authoritative only when a readable `paket.dependencies` file is present next to `paket.lock`; when it is missing or unreadable, the detector falls back to approximating this from the dependency graph within the lock file, which cannot reliably distinguish a direct dependency that is also pulled in transitively | ||
| - Development dependency classification is based on group names only; it does not cross-reference `paket.references` files to verify which packages are actually used by test vs. production projects (planned for a future iteration) | ||
| - The detector assumes the lock file format follows the standard Paket conventions | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.