Framework package updates (#1308)

* Include non-implementation packages on .NETCore 2.x Microsoft.NETCore.App contains only reference assemblies, but it was listed in CVEs, so should be excluded. The same is true for System.Private.Uri. I did not include these previously because they weren't part of package overrides list, nor were they found through package comparisons - since conflict resolution doesn't need to do anything with non-implementation packages. They are important for CG though since they've been used in CVE reports. * Include framework packages for .NET 4.6.1 .NET 4.6.1 supports .NET Standard and has built in support for it that will win over nuget packages. In .NET 4.6.1 - .NET 4.7.1 this comes from the Microsoft.NET.Build.Extensions component, after that it's built into the framework itself.
microsoft · Nov 18, 2024 · 1a7b258 · 1a7b258
1 parent 7721f99
commit 1a7b258
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 0 deletions.
diff --git a/src/Microsoft.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.cs b/src/Microsoft.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.cs
@@ -23,6 +23,7 @@ static FrameworkPackages()
     {
         NETStandard20.Register();
         NETStandard21.Register();
+        NET461.Register();
         NETCoreApp20.Register();
         NETCoreApp21.Register();
         NETCoreApp22.Register();

diff --git a/...icrosoft.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.net461.cs b/...icrosoft.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.net461.cs
@@ -0,0 +1,16 @@
+namespace Microsoft.ComponentDetection.Detectors.NuGet;
+
+using static global::NuGet.Frameworks.FrameworkConstants.CommonFrameworks;
+
+/// <summary>
+/// Framework packages for .NETFramework,Version=v4.6.1.
+/// </summary>
+internal partial class FrameworkPackages
+{
+    internal static class NET461
+    {
+        internal static FrameworkPackages Instance { get; } = new(Net461, DefaultFrameworkKey, NETStandard20.Instance);
+
+        internal static void Register() => FrameworkPackages.Register(Instance);
+    }
+}
diff --git a/...t.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.netcoreapp2.0.cs b/...t.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.netcoreapp2.0.cs
@@ -12,6 +12,7 @@ internal static class NETCoreApp20
         internal static FrameworkPackages Instance { get; } = new(NetCoreApp20, FrameworkNames.NetCoreApp, NETStandard20.Instance)
         {
             { "Microsoft.CSharp", "4.4.0" },
+            { "Microsoft.NETCore.App", "2.0.0" },
             { "Microsoft.VisualBasic", "10.2.0" },
             { "Microsoft.Win32.Registry", "4.4.0" },
             { "runtime.any.System.Collections", "4.3.0" },
@@ -182,6 +183,7 @@ internal static class NETCoreApp20
             { "System.Numerics.Vectors", "4.4.0" },
             { "System.ObjectModel", "4.3.0" },
             { "System.Private.DataContractSerialization", "4.3.0" },
+            { "System.Private.Uri", "4.3.0" },
             { "System.Reflection.DispatchProxy", "4.4.0" },
             { "System.Reflection.Emit", "4.7.0" },
             { "System.Reflection.Emit.ILGeneration", "4.7.0" },

diff --git a/...t.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.netcoreapp2.1.cs b/...t.ComponentDetection.Detectors/nuget/FrameworkPackages/FrameworkPackages.netcoreapp2.1.cs
@@ -12,6 +12,7 @@ internal static class NETCoreApp21
         internal static FrameworkPackages Instance { get; } = new(NetCoreApp21, FrameworkNames.NetCoreApp, NETCoreApp20.Instance)
         {
             { "Microsoft.CSharp", "4.5.0" },
+            { "Microsoft.NETCore.App", "2.1.0" },
             { "Microsoft.VisualBasic", "10.3.0" },
             { "Microsoft.Win32.Registry", "4.5.0" },
             { "System.Buffers", "4.5.0" },