Summary
The NuGet packages.lock.json parser fails when a lockfile contains dependency entries with the Project or CentralTransitive type.
NuGet lockfiles can contain these dependency types in addition to Direct and Transitive. Currently, the parser only handles Direct and Transitive. Any other type raises an exception, which causes parsing to abort.
As a result, valid NuGet lockfiles generated by projects using project references or Central Package Management may produce no package results.
Affected file type
packages.lock.json
Observed behavior
When parsing a NuGet lockfile containing entries like this:
{
  "version": 2,
  "dependencies": {
    "net8.0": {
      "Example.Direct": {
        "type": "Direct",
        "requested": "[1.0.0, )",
        "resolved": "1.0.0",
        "contentHash": "..."
      },
      "Example.Transitive": {
        "type": "Transitive",
        "resolved": "2.0.0",
        "contentHash": "..."
      },
      "Example.CentralTransitive": {
        "type": "CentralTransitive",
        "requested": "[3.0.0, )",
        "resolved": "3.0.0",
        "contentHash": "..."
      },
      "example.project.reference": {
        "type": "Project",
        "dependencies": {
          "Example.Direct": "[1.0.0, )"
        }
      }
    }
  }
}
the parser raises an exception similar to:
Unknown package type: Project
or:
Unknown package type: CentralTransitive
Expected behavior
The parser should handle all dependency types that NuGet can write to packages.lock.json.
Suggested behavior:
Direct entries should be reported as direct NuGet dependencies.
Transitive entries should be reported as transitive NuGet dependencies.
CentralTransitive entries should be reported as transitive NuGet dependencies, because they are package dependencies resolved through Central Package Management.
Project entries should be skipped, because they are project references and not NuGet package dependencies.
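The following is an added example of the suggested behavior, written for this issue; it is not the ScanCode Toolkit parser or any code from the project. It walks a packages.lock.json document, reports Direct entries as direct dependencies, reports Transitive and CentralTransitive entries as transitive dependencies, skips Project entries, and, by default, also skips (rather than aborts on) any type it does not recognize so that one unexpected entry cannot empty the whole inventory. The `NuGetDependency` class, the `parse_packages_lock` function and the `strict` flag are names chosen here for illustration, and the sample lockfile is constructed from the shape shown above.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Dependency types NuGet writes into packages.lock.json, mapped to
# (report as a NuGet package dependency?, is it a direct dependency?).
# "Project" entries are project references, not NuGet packages, so they
# are recorded as skipped rather than reported.
NUGET_LOCK_TYPES = {
    "Direct": (True, True),
    "Transitive": (True, False),
    "CentralTransitive": (True, False),  # package resolved via Central Package Management
    "Project": (False, False),
}


@dataclass(frozen=True)
class NuGetDependency:
    name: str
    resolved: str
    target_framework: str
    is_direct: bool
    requested: Optional[str] = None
    content_hash: Optional[str] = None

    @property
    def purl(self) -> str:
        # Package URL for the resolved version, name kept as written in the lockfile.
        return f"pkg:nuget/{self.name}@{self.resolved}"


def parse_packages_lock(text: str, strict: bool = False):
    """Parse packages.lock.json text into (dependencies, skipped).

    `skipped` holds (target_framework, name, type) tuples for entries that are
    not reported: Project references, package entries with no resolved version,
    and, unless strict=True, any type this parser does not know. With
    strict=True an unknown type raises ValueError, mirroring the abort
    described in this issue.
    """
    data = json.loads(text)
    dependencies = []
    skipped = []
    # Keys under "dependencies" are target frameworks (possibly "tfm/rid").
    for framework, entries in (data.get("dependencies") or {}).items():
        for name, entry in (entries or {}).items():
            dep_type = entry.get("type")
            if dep_type not in NUGET_LOCK_TYPES:
                if strict:
                    raise ValueError(f"Unknown package type: {dep_type} ({framework}/{name})")
                skipped.append((framework, name, dep_type))
                continue
            report, is_direct = NUGET_LOCK_TYPES[dep_type]
            resolved = entry.get("resolved")
            if not report or not resolved:
                # Project reference, or a package entry that cannot be inventoried.
                skipped.append((framework, name, dep_type))
                continue
            dependencies.append(NuGetDependency(
                name=name,
                resolved=resolved,
                target_framework=framework,
                is_direct=is_direct,
                requested=entry.get("requested"),
                content_hash=entry.get("contentHash"),
            ))
    return dependencies, skipped


# Constructed sample lockfile, following the shape shown in this issue.
SAMPLE_LOCKFILE = """
{
  "version": 2,
  "dependencies": {
    "net8.0": {
      "Example.Direct": {"type": "Direct", "requested": "[1.0.0, )",
                         "resolved": "1.0.0", "contentHash": "..."},
      "Example.Transitive": {"type": "Transitive", "resolved": "2.0.0",
                             "contentHash": "..."},
      "Example.CentralTransitive": {"type": "CentralTransitive", "requested": "[3.0.0, )",
                                    "resolved": "3.0.0", "contentHash": "..."},
      "example.project.reference": {"type": "Project",
                                    "dependencies": {"Example.Direct": "[1.0.0, )"}}
    }
  }
}
"""

if __name__ == "__main__":
    deps, skipped = parse_packages_lock(SAMPLE_LOCKFILE)
    for d in deps:
        print("direct    " if d.is_direct else "transitive", d.purl, d.target_framework)
    for framework, name, dep_type in skipped:
        print("skipped   ", f"{framework}/{name}", dep_type)
```

Running the block on the sample yields three package dependencies (one direct, two transitive) and one skipped Project entry; the same input passed with `strict=True` still parses, because all four types are known, while a lockfile carrying a type outside `NUGET_LOCK_TYPES` is skipped per entry in lenient mode and raises only in strict mode.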
Why this matters
Projects using Central Package Management or project references can generate valid NuGet lockfiles that include CentralTransitive and Project entries.
If parsing aborts on these entries, ScanCode Toolkit cannot reliably extract the package inventory from such lockfiles.