pr fixes

Signed-off-by: Avishay <[email protected]>

checks/raw/pinned_dependencies_test.go

@@ -261,7 +261,7 @@ func TestGithubWorkflowPkgManagerPinning(t *testing.T) {
 		{
 			name:     "npm packages without verification",
 			filename: "./testdata/.github/workflows/github-workflow-pkg-managers.yaml",
-			warns:    48,
+			warns:    49,
 		},
 	}
 	for _, tt := range tests {
@@ -827,8 +827,14 @@ func TestShellscriptInsecureDownloadsLineNumber(t *testing.T) {
 				},
 				{
 					snippet:   "dotnet add package some-package",
-					startLine: 62,
-					endLine:   62,
+					startLine: 63,
+					endLine:   63,
+					t:         checker.DependencyUseTypeNugetCommand,
+				},
+				{
+					snippet:   "dotnet add SomeProject package some-package",
+					startLine: 64,
+					endLine:   64,
 					t:         checker.DependencyUseTypeNugetCommand,
 				},
 			},
@@ -983,7 +989,7 @@ func TestDockerfileScriptDownload(t *testing.T) {
 		{
 			name:     "pkg managers",
 			filename: "./testdata/Dockerfile-pkg-managers",
-			warns:    59,
+			warns:    60,
 		},
 		{
 			name:     "download with some python",
@@ -1101,7 +1107,7 @@ func TestShellScriptDownload(t *testing.T) {
 		{
 			name:     "pkg managers",
 			filename: "./testdata/script-pkg-managers",
-			warns:    55,
+			warns:    56,
 		},
 		{
 			name:     "invalid shell script",

checks/raw/shell_download_validate.go

@@ -698,6 +698,11 @@ func isChocoUnpinnedDownload(cmd []string) bool {
 }
 
 func isUnpinnedNugetCliInstall(cmd []string) bool {
+	// looking for command of type nuget install ...
+	if len(cmd) < 2 {
+		return false
+	}
+
 	// Search for nuget commands.
 	if !isBinaryName("nuget", cmd[0]) {
 		return false
@@ -708,61 +713,66 @@ func isUnpinnedNugetCliInstall(cmd []string) bool {
 		return false
 	}
 
+	// Asseume installing a project with PackageReference (with versions)
+	// or packages.config at the root of command
+	if len(cmd) == 2 {
+		return false
+	}
+
+	// Assume that the script is installing from a packages.config file (with versions)
 	// package.config schema has required version field
 	// https://learn.microsoft.com/en-us/nuget/reference/packages-config#schema
+	// and Nuget follows Semantic Versioning 2.0.0 (versions are immutable)
+	// https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#semantic-versioning-200
 	if strings.HasSuffix(cmd[2], "packages.config") {
 		return false
 	}
 
-	hasVersion := false
+	unpinnedDependency := true
 	for i := 2; i < len(cmd); i++ {
 		// look for version flag
 		if strings.EqualFold(cmd[i], "-Version") {
-			hasVersion = true
+			unpinnedDependency = false
 			break
 		}
 	}
 
-	if hasVersion {
-		return !hasVersion
-	}
-
-	return true
+	return unpinnedDependency
 }
 
 func isUnpinnedDotNetCliInstall(cmd []string) bool {
+	// Search for command of type dotnet add <PROJECT> package <PACKAGE_NAME>
+	if len(cmd) < 4 {
+		return false
+	}
 	// Search for dotnet commands.
 	if !isBinaryName("dotnet", cmd[0]) {
 		return false
 	}
 
-	// Search for add package commands.
-	if !strings.EqualFold(cmd[1], "add") && !strings.EqualFold(cmd[2], "package") {
+	// Search for add commands.
+	if !strings.EqualFold(cmd[1], "add") {
 		return false
 	}
 
-	hasVersion := false
+	// Search for package commands (can be either the second or the third word)
+	if !(strings.EqualFold(cmd[2], "package") || strings.EqualFold(cmd[3], "package")) {
+		return false
+	}
+
+	unpinnedDependency := true
 	for i := 3; i < len(cmd); i++ {
 		// look for version flag
 		// https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-add-package
 		if strings.EqualFold(cmd[i], "-v") || strings.EqualFold(cmd[i], "--version") {
-			hasVersion = true
+			unpinnedDependency = false
 			break
 		}
 	}
-
-	if hasVersion {
-		return !hasVersion
-	}
-
-	return true
+	return unpinnedDependency
 }
 
 func isNugetUnpinnedDownload(cmd []string) bool {
-	if len(cmd) < 2 {
-		return false
-	}
-
 	if isUnpinnedDotNetCliInstall(cmd) {
 		return true
 	}

checks/raw/shell_download_validate_test.go

@@ -123,6 +123,13 @@ func Test_isDotNetUnpinnedDownload(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "nuget restore",
+			args: args{
+				cmd: []string{"nuget", "restore"},
+			},
+			want: false,
+		},
 		{
 			name: "nuget install with -Version",
 			args: args{
@@ -144,13 +151,48 @@ func Test_isDotNetUnpinnedDownload(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "dotnet add to project",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "package", "Newtonsoft.Json"},
+			},
+			want: true,
+		},
+		{
+			name: "dotnet add reference to project",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "reference", "OtherProject"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet build",
+			args: args{
+				cmd: []string{"dotnet", "build"},
+			},
+			want: false,
+		},
 		{
 			name: "dotnet add with -v",
 			args: args{
 				cmd: []string{"dotnet", "add", "package", "Newtonsoft.Json", "-v", "2.0"},
 			},
 			want: false,
 		},
+		{
+			name: "dotnet add to project with -v",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "package", "Newtonsoft.Json", "-v", "2.0"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add reference to project with -v",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "reference", "Newtonsoft.Json", "-v", "2.0"},
+			},
+			want: false,
+		},
 		{
 			name: "dotnet add with --version",
 			args: args{

checks/raw/testdata/.github/workflows/github-workflow-pkg-managers.yaml

@@ -164,8 +164,12 @@ jobs:
         run: choco install --require-checksums 'some-package'
       - name:
         run: nuget install 'some-package'
+      - name:
+        run: nuget restore
       - name:
         run: dotnet add package 'some-package'
+      - name:
+        run: dotnet add SomeProject package 'some-package'
       - name:
         run: nuget install 'some-package' -Version 1.2.3
       - name:
@@ -175,4 +179,8 @@ jobs:
       - name:
         run: dotnet add package 'some-package' -v 1.2.3
       - name:
-        run: dotnet add package 'some-package' --version 1.2.3
+        run: dotnet build
+      - name:
+        run: dotnet add package 'some-package' --version 1.2.3
+      - name:
+        run: dotnet add SomeProject package 'some-package' --version 1.2.3

checks/raw/testdata/Dockerfile-pkg-managers

@@ -126,8 +126,12 @@ RUN choco install --require-checksums 'some-package'
 
 
 RUN nuget install some-package
+RUN nuget restore
 RUN nuget install some-package -Version 1.2.3
 RUN nuget install packages.config
 RUN dotnet add package some-package
+RUN dotnet add SomeProject package some-package
+RUN dotnet build
 RUN dotnet add package some-package -v 1.2.3
-RUN dotnet add package some-package --version 1.2.3
+RUN dotnet add package some-package --version 1.2.3
+RUN dotnet add SomeProject package some-package --version 1.2.3

checks/raw/testdata/script-pkg-managers

@@ -125,8 +125,11 @@ choco install --requirechecksums 'some-package'
 choco install --require-checksums 'some-package'
 
 nuget install some-package
+nuget restore
 nuget install some-package -Version 1.2.3
 nuget install packages.config
 dotnet add package some-package
+dotnet add SomeProject package some-package
+dotnet build
 dotnet add package some-package -v 1.2.3
 dotnet add package some-package --version 1.2.3

checks/raw/testdata/shell-download-lines.sh

@@ -57,8 +57,11 @@ python -m pip install --no-deps -e git+https://github.com/username/repo.git
 python -m pip install --no-deps -e git+https://github.com/username/repo.git@0123456789abcdef0123456789abcdef01234567#egg=package
 
 nuget install some-package
+nuget restore
 nuget install some-package -Version 1.2.3
 nuget install packages.config
 dotnet add package some-package
+dotnet add SomeProject package some-package
+dotnet build
 dotnet add package some-package -v 1.2.3
 dotnet add package some-package --version 1.2.3