Add OpenSslLegacyShim to ensure OpenSSL 1.1 libraries are accessible on Linux
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
This commit introduces the OpenSslLegacyShim class, which sets the LD_LIBRARY_PATH environment variable to include the directory containing OpenSSL 1.1 native libraries. This is necessary for Mongo2Go to function correctly on Linux platforms that do not ship these libraries by default. The shim checks if the current operating system is Linux and whether the required directory exists before modifying the environment variable.
This commit is contained in:
master
31
docs/benchmarks/scanner/deep-dives/dotnet.md
Normal file
31
docs/benchmarks/scanner/deep-dives/dotnet.md
Normal file
@@ -0,0 +1,31 @@
|
||||
# .NET / NuGet Ecosystem
|
||||
|
||||
## StellaOps implementation
|
||||
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/DotNetLanguageAnalyzer.cs` orchestrates package collection through `Internal/DotNetDependencyCollector.cs`.
|
||||
- Aggregates data from `*.deps.json`, `*.runtimeconfig.json`, and assemblies, merging multiple sources via `DotNetPackageAggregator`.
|
||||
- Metadata includes RID lists, serviceable flags, target frameworks, runtimeconfig origins, and authenticode signer details (via optional `IDotNetAuthenticodeInspector`).
|
||||
- Evidence records SHA512 hashes, file paths, and runtime config references; EntryTrace hints mark assemblies tied to runtime entrypoints.
|
||||
|
||||
## Trivy implementation
|
||||
- `pkg/fanal/analyzer/language/dotnet/nuget/nuget.go` parses `packages.lock.json` and `packages.config`, populating `types.Application` via parsers in `pkg/dependency/parser/nuget`.
|
||||
- Optionally resolves licenses by inspecting local `*.nuspec` files if the NuGet packages directory is present.
|
||||
- Focuses on dependency graph reconstruction (direct vs transitive) but does not analyse runtime asset maps or signing metadata.
|
||||
|
||||
## Snyk implementation
|
||||
- `src/lib/plugins/index.ts` routes NuGet and Paket projects to `snyk-nuget-plugin`.[s1]
|
||||
- CLI scans require authenticated access to Snyk’s SaaS backend; results reflect dependency tree analysis without runtimeconfig/signing metadata.[s2]
|
||||
- No offline mode or per-assembly evidence is provided beyond the vulnerability list returned.
|
||||
|
||||
## Grype implementation
|
||||
- Syft collects .NET packages and assemblies before matching (`grype/pkg/syft_provider.go`).
|
||||
- The .NET matcher targets `syftPkg.DotnetPkg` entries and invokes ecosystem/CPE matching (`grype/matcher/dotnet/matcher.go`); no authenticode or RID enrichment is propagated.
|
||||
- Outputs mirror SBOM inventory without runtimeconfig correlation or signing metadata.
|
||||
|
||||
## Key differences
|
||||
- **Runtime-aware metadata**: StellaOps correlates deps.json, runtimeconfig, and authenticode signatures; Trivy, Snyk, and Grype limit themselves to dependency catalogs.
|
||||
- **Evidence richness**: StellaOps stores per-assembly hashes and source file paths; Trivy, Snyk, and Grype output dependency lists without file-level provenance.
|
||||
- **Usage insights**: StellaOps applies EntryTrace flags to mark runtime use; Trivy, Snyk, and Grype do not differentiate runtime vs build-time packages.
|
||||
|
||||
### References
|
||||
- [s1] `/tmp/snyk-cli/src/lib/plugins/index.ts`
|
||||
- [s2] `/tmp/snyk-cli/README.md`
|
||||
Reference in New Issue
Block a user