Merge branch 'unable-to-locate-bom-ref-logging' of https://github.com…

…/shawner18/cyclonedx-dotnet into unable-to-locate-bom-ref-logging

.devcontainer/Ubuntu22.04/Dockerfile

@@ -0,0 +1,8 @@
+FROM ubuntu:22.04
+
+RUN apt-get install -y --no-install-recommends wget=2.0.1
+RUN apt-get install -y --no-install-recommends apt-transport-https=2.5.6
+RUN curl -o ./packages-microsoft-prod.deb https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb
+RUN dpkg -i packages-microsoft-prod.deb
+RUN apt-get install -y --no-install-recommends dotnet-sdk-7.0=7.0
+RUN rm -rf /var/lib/apt/lists/*

.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 {
     "name": "devcontainer",
     "build": {
-        "dockerfile": "Dockerfile",
+        "dockerfile": "Ubuntu22.04/Dockerfile",
         "context": ".."
     },
     "extensions": [

.github/workflows/dotnetcore.yml

@@ -16,15 +16,12 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v3.1.0
-      - name: Setup dotnet 3.1
+      - uses: actions/checkout@v3.5.2
+      - name: Setup dotnet
         uses: actions/[email protected]
         with:
-          dotnet-version: '3.1.x'
-      - name: Setup dotnet 6
-        uses: actions/[email protected]
-        with:
-          dotnet-version: '6.x'
+          dotnet-version: |
+            7.x
       - name: Build
         run: dotnet build /WarnAsError
 
@@ -46,15 +43,15 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        framework: ['netcoreapp3.1','net6.0']
+        framework: ['net6.0','net7.0']
     timeout-minutes: 30
-    
+
     steps:
-      - uses: actions/checkout@v3.1.0
-      - name: Setup dotnet 3.1
+      - uses: actions/checkout@v3.5.2
+      - name: Setup dotnet 7
         uses: actions/[email protected]
         with:
-          dotnet-version: '3.1.x'
+          dotnet-version: '7.x'
       - name: Setup dotnet 6
         uses: actions/[email protected]
         with:

.github/workflows/release.yml

@@ -8,7 +8,7 @@
 #
 # For an example commit browse to
 # https://github.com/CycloneDX/cyclonedx-dotnet/commit/d110af854371374460430bb8438225a7d7a84274.
-# 
+#
 # The resulting release is here
 # https://github.com/CycloneDX/cyclonedx-dotnet/releases/tag/v1.0.0.
 #
@@ -28,19 +28,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/[email protected]
-      - name: Setup dotnet 3.1
-        uses: actions/[email protected]
-        with:
-          dotnet-version: '3.1.x'
-      - name: Setup dotnet 6
+      - uses: actions/[email protected]
+      - name: Setup dotnet
         uses: actions/[email protected]
         with:
-          dotnet-version: '6.x'
-
+          dotnet-version: |
+            7.x
+
       # The tests should have already been run during the PR workflow, so this is really just a sanity check
       - name: Tests
-        run: dotnet test --framework net6.0
+        run: dotnet test --framework net7.0
 
       # Build and package everything, including the Docker image
       - name: Package release

.gitpod.yml

@@ -8,9 +8,8 @@ tasks:
       wget --output-document="$DOTNET_ROOT/dotnet-install.sh" https://dot.net/v1/dotnet-install.sh
       chmod +x "$DOTNET_ROOT/dotnet-install.sh"
       "$DOTNET_ROOT/dotnet-install.sh" --channel 2.1 --install-dir "$DOTNET_ROOT"
-      "$DOTNET_ROOT/dotnet-install.sh" --channel 3.1 --install-dir "$DOTNET_ROOT"
-      "$DOTNET_ROOT/dotnet-install.sh" --channel 5.0 --install-dir "$DOTNET_ROOT"
       "$DOTNET_ROOT/dotnet-install.sh" --channel 6.0 --install-dir "$DOTNET_ROOT"
+      "$DOTNET_ROOT/dotnet-install.sh" --channel 7.0 --install-dir "$DOTNET_ROOT"
       dotnet tool install --global dotnet-reportgenerator-globaltool
       dotnet restore
 

CycloneDX.Tests/CycloneDX.Tests.csproj

@@ -1,28 +1,29 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net6.0;netcoreapp3.1</TargetFrameworks>
 
     <IsTestProject>true</IsTestProject>
     <IsPackable>false</IsPackable>
+    <TargetFrameworks>net7.0;net6.0</TargetFrameworks>
+    <LangVersion>latest</LangVersion>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="coverlet.msbuild" Version="3.2.0">
+    <PackageReference Include="coverlet.msbuild">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.DotNet.PlatformAbstractions" Version="3.1.6" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.4.0" />
-    <PackageReference Include="Moq" Version="4.18.2" />
-    <PackageReference Include="RichardSzalay.MockHttp" Version="6.0.0" />
-    <PackageReference Include="System.IO.Abstractions.TestingHelpers" Version="17.2.3" />
-    <PackageReference Include="xunit" Version="2.4.2" />
-    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
+    <PackageReference Include="Microsoft.DotNet.PlatformAbstractions" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
+    <PackageReference Include="Moq" />
+    <PackageReference Include="RichardSzalay.MockHttp" />
+    <PackageReference Include="System.IO.Abstractions.TestingHelpers" />
+    <PackageReference Include="xunit" />
+    <PackageReference Include="xunit.runner.visualstudio">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="3.2.0">
+    <PackageReference Include="coverlet.collector">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

CycloneDX.Tests/NugetV3ServiceTests.cs

@@ -80,37 +80,52 @@ public async Task GetComponent_FromCachedNuspecFile_ReturnsComponent()
             Assert.Equal("testpackage", component.Name);
         }
 
-        [Fact]
-        public async Task GetComponent_FromCachedNugetHashFile_ReturnsComponentWithHash()
+        public static IEnumerable<object[]> VersionNormalization
         {
-            var nuspecFileContents = @"<?xml version=""1.0"" encoding=""utf-8""?>
+            get
+            {
+                return new List<object[]>
+                {
+                    new object[] { "2.5", "2.5" },
+                    new object[] { "2.5.0.0", "2.5.0" },
+                    new object[] { "2.5.0.0-beta.1", "2.5.0-beta.1" },
+                    new object[] { "2.5.1.0", "2.5.1" },
+                    new object[] { "2.5.1.1", "2.5.1.1" }
+                };
+            }
+        }
+
+        [Theory]
+        [MemberData(nameof(VersionNormalization))]
+        public async Task GetComponent_FromCachedNuspecFile_UsesNormalizedVersions(string rawVersion, string normalizedVersion)
+        {
+            var nuspecFileContents = $@"<?xml version=""1.0"" encoding=""utf-8""?>
                 <package xmlns=""http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"">
                 <metadata>
                     <id>testpackage</id>
+                    <version>{rawVersion}</version>
                 </metadata>
                 </package>";
-            byte[] sampleHash = new byte[] { 1, 2, 3, 4, 5, 6, 78, 125, 200 };
-
-            var nugetHashFileContents = Convert.ToBase64String(sampleHash);
             var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
             {
-                { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
-                { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.1.0.0.nupkg.sha512"), new MockFileData(nugetHashFileContents) },
+                { XFS.Path($@"c:\nugetcache\testpackage\{normalizedVersion}\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
             });
+
             var nugetService = new NugetV3Service(null,
                 mockFileSystem,
                 new List<string> { XFS.Path(@"c:\nugetcache") },
                 new Mock<IGithubService>().Object,
                 new NullLogger(), false);
 
-            var component = await nugetService.GetComponentAsync("testpackage", "1.0.0", Component.ComponentScope.Required).ConfigureAwait(false);
+            var component = await nugetService.GetComponentAsync("testpackage", rawVersion, Component.ComponentScope.Required).ConfigureAwait(false);
 
-            Assert.Equal(Hash.HashAlgorithm.SHA_512, component.Hashes[0].Alg);
-            Assert.Equal(BitConverter.ToString(sampleHash).Replace("-", string.Empty), component.Hashes[0].Content);
+            Assert.Equal("testpackage", component.Name);
+            Assert.Equal(rawVersion, component.Version);
         }
 
-        [Fact]
-        public async Task GetComponent_FromCachedNugetFile_ReturnsComponentWithHash()
+        [Theory]
+        [MemberData(nameof(VersionNormalization))]
+        public async Task GetComponent_FromCachedNugetFile_ReturnsComponentWithHashUsingNormalizedVersion(string rawVersion, string normalizedVersion)
         {
             var nuspecFileContents = @"<?xml version=""1.0"" encoding=""utf-8""?>
                 <package xmlns=""http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"">
@@ -122,8 +137,8 @@ public async Task GetComponent_FromCachedNugetFile_ReturnsComponentWithHash()
             var nugetFileContent = "FooBarBaz";
             var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
             {
-                { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
-                { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.1.0.0.nupkg"), new MockFileData(nugetFileContent) },
+                { XFS.Path($@"c:\nugetcache\testpackage\{normalizedVersion}\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
+                { XFS.Path($@"c:\nugetcache\testpackage\{normalizedVersion}\testpackage.{normalizedVersion}.nupkg"), new MockFileData(nugetFileContent) },
             });
 
             var nugetService = new NugetV3Service(null,
@@ -132,7 +147,7 @@ public async Task GetComponent_FromCachedNugetFile_ReturnsComponentWithHash()
                 new Mock<IGithubService>().Object,
                 new NullLogger(), false);
 
-            var component = await nugetService.GetComponentAsync("testpackage", "1.0.0", Component.ComponentScope.Required).ConfigureAwait(false);
+            var component = await nugetService.GetComponentAsync("testpackage", $"{rawVersion}", Component.ComponentScope.Required).ConfigureAwait(false);
 
             byte[] hashBytes;
             using (SHA512 sha = SHA512.Create())
@@ -366,5 +381,64 @@ public async Task GetComponent_GitHubLicenseLookup_FromRepository_WhenLicenseInv
             Assert.Single(component.Licenses);
             Assert.Equal("LicenseId", component.Licenses.First().License.Id);
         }
+
+        [Fact]
+        public async Task GetComponent_SingleLicenseExpression_ReturnsComponent()
+        {
+            var nuspecFileContents = @"<?xml version=""1.0"" encoding=""utf-8""?>
+                <package xmlns=""http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"">
+                <metadata>
+                    <id>testpackage</id>
+                    <license type=""expression"">Apache-2.0</license>
+                </metadata>
+                </package>";
+            var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
+            {
+                { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
+            });
+
+            var mockGitHubService = new Mock<IGithubService>();
+
+            var nugetService = new NugetV3Service(null,
+                mockFileSystem,
+                new List<string> { XFS.Path(@"c:\nugetcache") },
+                mockGitHubService.Object,
+                new NullLogger(), false);
+
+            var component = await nugetService.GetComponentAsync("testpackage", "1.0.0", Component.ComponentScope.Required).ConfigureAwait(false);
+
+            Assert.Single(component.Licenses);
+            Assert.Equal("Apache-2.0", component.Licenses.First().License.Id);
+        }
+
+        [Fact]
+        public async Task GetComponent_MultiLicenseExpression_ReturnsComponent()
+        {
+            var nuspecFileContents = @"<?xml version=""1.0"" encoding=""utf-8""?>
+                <package xmlns=""http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"">
+                <metadata>
+                    <id>testpackage</id>
+                    <license type=""expression"">Apache-2.0 OR MPL-2.0</license>
+                </metadata>
+                </package>";
+            var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
+        {
+            { XFS.Path(@"c:\nugetcache\testpackage\1.0.0\testpackage.nuspec"), new MockFileData(nuspecFileContents) },
+        });
+
+            var mockGitHubService = new Mock<IGithubService>();
+
+            var nugetService = new NugetV3Service(null,
+                mockFileSystem,
+                new List<string> { XFS.Path(@"c:\nugetcache") },
+                mockGitHubService.Object,
+                new NullLogger(), false);
+
+            var component = await nugetService.GetComponentAsync("testpackage", "1.0.0", Component.ComponentScope.Required).ConfigureAwait(false);
+
+            Assert.Equal(2, component.Licenses.Count);
+            Assert.Contains(component.Licenses, choice => choice.License.Id.Equals("Apache-2.0"));
+            Assert.Contains(component.Licenses, choice => choice.License.Id.Equals("MPL-2.0"));
+        }
     }
 }

CycloneDX.Tests/ProgramTests.cs

@@ -55,7 +55,7 @@ public async Task CallingCycloneDX_CreatesOutputDirectory()
                 });
             var mockSolutionFileService = new Mock<ISolutionFileService>();
             mockSolutionFileService
-                .Setup(s => s.GetSolutionNugetPackages(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<string>(), It.IsAny<string>()))
+                .Setup(s => s.GetSolutionNugetPackages(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<bool>(), It.IsAny<string>(), It.IsAny<string>()))
                 .ReturnsAsync(new HashSet<NugetPackage>());
             Program.fileSystem = mockFileSystem;
             Program.solutionFileService = mockSolutionFileService.Object;
@@ -80,7 +80,7 @@ public async Task CallingCycloneDX_WithOutputFilename_CreatesOutputFilename()
                 });
             var mockSolutionFileService = new Mock<ISolutionFileService>();
             mockSolutionFileService
-                .Setup(s => s.GetSolutionNugetPackages(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<string>(), It.IsAny<string>()))
+                .Setup(s => s.GetSolutionNugetPackages(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<bool>(), It.IsAny<string>(), It.IsAny<string>()))
                 .ReturnsAsync(new HashSet<NugetPackage>());
             Program.fileSystem = mockFileSystem;
             Program.solutionFileService = mockSolutionFileService.Object;