
Syft incorrectly identifies NuGet package "Newtonsoft.Json" as "Json.NET" with incorrect version #3665

Open
100tomer opened this issue Feb 16, 2025 · 2 comments
Labels: bug, needs-investigation

Comments

@100tomer

What happened:
When scanning the NuGet package Newtonsoft.Json version 12.0.3, Syft incorrectly identifies the package as Json.NET instead of Newtonsoft.Json. Additionally, the version includes build metadata as 12.0.3.23909 instead of the correct 12.0.3.

What you expected to happen:

  • The package should be detected as Newtonsoft.Json, not Json.NET.
  • The version should be reported as 12.0.3.

Steps to reproduce the issue:

  1. Download the Newtonsoft.Json NuGet package (version 12.0.3) - https://www.nuget.org/packages/Newtonsoft.Json/12.0.3
  2. Run Syft to scan the extracted package directory.
    syft ./newtonsoft.json.12.0.3 --output json

Anything else we need to know?:
No

Environment:

  • Syft version: 1.19.0
  • OS: macOS Sequoia
100tomer added the bug label Feb 16, 2025

@kzantow (Contributor)

kzantow commented Feb 20, 2025

It was mentioned on the livestream this week, but I'll reiterate here so it doesn't get lost: the reason this package is showing up as Json.NET is because it's currently finding this in the "productName" field in the DLL(s). For example, download the package here and run:

syft -o json lib/net45/Newtonsoft.Json.dll

then look in the Syft-generated JSON, it shows the properties read from the DLL:

    {
      "name": "Json.NET",
...
      "metadata": {
        "assemblyVersion": "12.0.0.0",
        "legalCopyright": "Copyright © James Newton-King 2008",
        "comments": "Json.NET is a popular high-performance JSON framework for .NET",
        "internalName": "Newtonsoft.Json.dll",
        "companyName": "Newtonsoft",
        "productName": "Json.NET",
        "productVersion": "12.0.3+7c3d7f8da7e35dde8fa74188b0decff70f8f10e3"
      }
    }

It looks like the Json.NET name is used in quite a few places in the Newtonsoft.JSON project documentation and repository. If "Json.NET" is incorrect, it could be worth pointing this out to the Newtonsoft folks to see if it should be updated. It's quite unclear to us what the right thing to do here is.

@100tomer (Author)

Thanks for responding!

Is there a way to explicitly specify the package name or version when running Syft? That might help ensure the correct name is captured.

Also, would it be possible for Syft to scan the NuGet .nuspec file? As far as I know, the .nuspec is the source of truth for the package name, so using it might provide a more accurate result.
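As an added illustration (not Syft's own code) of the .nuspec-based approach suggested above: parse the package id and version out of a .nuspec and use them ahead of the DLL properties that Syft printed in the earlier comment, stripping the SemVer `+build` suffix from `productVersion` when the DLL is the only source. The .nuspec text is constructed to mirror the NuGet schema and is not copied from the real package.

```python
"""Added example, not Syft code: treat the NuGet .nuspec as the source of
truth for name/version and fall back to DLL properties only without one."""
import re
import xml.etree.ElementTree as ET

# Constructed sample .nuspec (2013 schema namespace); not from the real package.
SAMPLE_NUSPEC = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Newtonsoft.Json</id>
    <version>12.0.3</version>
    <title>Json.NET</title>
    <authors>James Newton-King</authors>
  </metadata>
</package>"""

# DLL properties as shown in the Syft JSON output quoted in this issue.
DLL_PROPERTIES = {
    "productName": "Json.NET",
    "productVersion": "12.0.3+7c3d7f8da7e35dde8fa74188b0decff70f8f10e3",
}

_BUILD_METADATA = re.compile(r"\+[0-9A-Za-z.-]+$")


def strip_build_metadata(version: str) -> str:
    """Drop a SemVer '+build' suffix; it carries no version precedence."""
    return _BUILD_METADATA.sub("", version)


def parse_nuspec(xml_text: str) -> dict:
    """Return {'id', 'version'} from <metadata>, ignoring the schema namespace."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "metadata":
            continue
        for child in el:  # direct children only; dependency ids are attributes
            local = child.tag.rsplit("}", 1)[-1]
            if local in ("id", "version"):
                found[local] = (child.text or "").strip()
    missing = {"id", "version"} - found.keys()
    if missing:
        raise ValueError(f".nuspec lacks required fields: {sorted(missing)}")
    return found


def identify(nuspec_text: str, dll_props: dict) -> dict:
    """SBOM name/version: prefer the .nuspec, else the DLL's product fields."""
    if nuspec_text:
        meta = parse_nuspec(nuspec_text)
        return {"name": meta["id"], "version": meta["version"], "source": "nuspec"}
    return {"name": dll_props["productName"],
            "version": strip_build_metadata(dll_props["productVersion"]),
            "source": "dll"}
```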
