Recognize NuGet unlisted packages and do not log 'error parsing upload time for NuGet component' #2388

Open
nil4 opened this issue Jan 17, 2023 · 0 comments · May be fixed by #4521
Labels
enhancement New feature or request

nil4 commented Jan 17, 2023

Current Behavior

Using Dependency Track 4.7.0, warnings similar to those below are regularly observed in the logs:

2023-01-13 19:12:06,807 INFO [RepositoryMetaAnalyzerTask] Performing component repository metadata analysis against 58 components in project: 9731f6d0-12f0-4625-a688-fd8d0be204ea
2023-01-13 19:12:09,046 WARN [NugetMetaAnalyzer] An error occurred while parsing upload time for a NuGet component - Repo returned: 1900-01-01T00:00:00+00:00
2023-01-13 19:12:09,046 WARN [NugetMetaAnalyzer] An error occurred while parsing upload time for a NuGet component - Repo returned: 1900-01-01T00:00:00+00:00
2023-01-13 19:12:10,152 WARN [NugetMetaAnalyzer] An error occurred while parsing upload time for a NuGet component - Repo returned: 1900-01-01T00:00:00+00:00

This was reported in #537 but closed as an assumed defect with NuGet metadata.

The official NuGet docs describe at least one valid use case for the 1900-01-01 timestamp: unlisted packages, which are de facto deprecated and should no longer be used.

One concrete example to illustrate this: https://www.nuget.org/packages/Unity/5.7.4 -- note the warning:

The owner has unlisted this package. This could mean that the package is deprecated, has security vulnerabilities or shouldn't be used anymore.

Use the NuGet API to retrieve the package registration details (https://api.nuget.org/v3/registration5-semver1/unity/5.7.4.json) and note the listed: false and published: "1900-01-01T00:00:00+00:00" values in the response:

{
    "@id": "https://api.nuget.org/v3/registration5-semver1/unity/5.7.4.json",
    "@type": [
        "Package",
        "http://schema.nuget.org/catalog#Permalink"
    ],
    "catalogEntry": "https://api.nuget.org/v3/catalog0/data/2018.10.15.06.25.35/unity.5.7.4.json",
    "listed": false,
    "packageContent": "https://api.nuget.org/v3-flatcontainer/unity/5.7.4/unity.5.7.4.nupkg",
    "published": "1900-01-01T00:00:00+00:00",
    "registration": "https://api.nuget.org/v3/registration5-semver1/unity/index.json",
    "@context": { /* elided for brevity */ }
}

The NuGet docs at https://learn.microsoft.com/en-us/nuget/api/registration-base-url-resource include an explicit note for this behavior:

Note

On nuget.org, the published value is set to year 1900 when the package is unlisted.

However, Dependency Track does not currently recognize this value and logs a warning.

Proposed Behavior

Update NugetMetaAnalyzer to accept a NuGet API published value of 1900-01-01T00:00:00+00:00 as valid, and meant to represent unlisted packages whose use is discouraged.

    // Date formats NugetMetaAnalyzer currently accepts for the "published" value
    public static final DateFormat[] SUPPORTED_DATE_FORMATS = new DateFormat[]{
        new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSXXX"),
        new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'")
    };

Additionally, consider enhancing Dependency Track to flag use of unlisted NuGet packages with warnings, e.g. in its APIs or frontend UI.

It may be helpful to see in the UI, similar to the warning icons for packages which have a newer version available, that the package is unlisted / deprecated and should no longer be used.

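A standalone checker for the registration-leaf response discussed in the issue, added here as an example and not code from Dependency-Track or NuGet. It accepts the two date patterns quoted from NugetMetaAnalyzer plus a third for the second-precision "+00:00" offset form the API actually returns, and reports the 1900 sentinel (or "listed": false) as an unlisted package rather than a parse error. The unlisted leaf uses the values from the issue; the listed leaf is a constructed sample.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# nuget.org sets "published" to this sentinel when a package is unlisted
# (documented on the registration-base-url-resource page quoted in the issue).
UNLISTED_SENTINEL = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Accepted formats: the two patterns from NugetMetaAnalyzer's SUPPORTED_DATE_FORMATS,
# plus the second-precision "+00:00" offset form seen in the registration response.
PUBLISHED_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z")

# Registration leaf for Unity 5.7.4, reduced to the fields used here (values from the issue).
UNLISTED_LEAF = """{
  "@id": "https://api.nuget.org/v3/registration5-semver1/unity/5.7.4.json",
  "listed": false,
  "published": "1900-01-01T00:00:00+00:00"
}"""

# Constructed sample of a normal, listed package (not a real nuget.org response).
LISTED_LEAF = """{
  "@id": "https://api.nuget.org/v3/registration5-semver1/example/1.0.0.json",
  "listed": true,
  "published": "2021-06-01T12:34:56.789+00:00"
}"""


@dataclass
class NugetPublishInfo:
    published: Optional[datetime]  # None only when no accepted format matched
    unlisted: bool                 # True for "listed": false or the 1900 sentinel


def parse_published(value: str) -> Optional[datetime]:
    """Try each accepted pattern; the 'Z' form carries no offset, so treat it as UTC."""
    for fmt in PUBLISHED_FORMATS:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def classify_registration_leaf(leaf_json: str) -> NugetPublishInfo:
    """Return the publish time plus an unlisted flag instead of logging a parse warning."""
    leaf = json.loads(leaf_json)
    published = parse_published(leaf.get("published", ""))
    unlisted = leaf.get("listed") is False or published == UNLISTED_SENTINEL
    return NugetPublishInfo(published, unlisted)
```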

@nil4 nil4 added the enhancement New feature or request label Jan 17, 2023
@pohli81 pohli81 linked a pull request Jan 6, 2025 that will close this issue