Merge branch 'main' into user/aamaini/dependency-graph-identity-reconciliation

Author: AMaini503

.github/workflows/smoke-test.yml

@@ -8,6 +8,13 @@ on:
     branches:
       - main
   pull_request:
+    paths:
+      - "src/**"
+      - "Directory.Build.props"
+      - "Directory.Build.targets"
+      - "Directory.Packages.props"
+      - "global.json"
+      - ".github/workflows/smoke-test.yml"
   schedule:
     - cron: "0 0 * * *" # every day at midnight
 
@@ -16,28 +23,9 @@ permissions:
 
 jobs:
   smoke-test:
-    if: github.repository == 'microsoft/component-detection'
+    if: github.repository == 'microsoft/component-detection' && (github.event_name != 'pull_request' || github.event.pull_request.draft == false)
     runs-on: ["self-hosted", "1ES.Pool=1ES-OSE-GH-Pool"]
-    strategy:
-      matrix:
-        language:
-          [
-            { name: "CocoaPods", repo: "realm/realm-swift" },
-            { name: "Gradle", repo: "microsoft/ApplicationInsights-Java" },
-            { name: "Go", repo: "kubernetes/kubernetes" },
-            { name: "Maven", repo: "apache/kafka" },
-            { name: "NPM", repo: "axios/axios" },
-            { name: "NuGet", repo: "Radarr/Radarr" },
-            { name: "Pip", repo: "django/django" },
-            { name: "Pnpm", repo: "pnpm/pnpm" },
-            { name: "Poetry", repo: "Textualize/rich" },
-            { name: "Ruby", repo: "rails/rails" },
-            { name: "Rust", repo: "alacritty/alacritty" },
-            { name: "Yarn", repo: "gatsbyjs/gatsby" },
-          ]
-      fail-fast: false
-      max-parallel: 4 # limit the total number of running jobs to avoid rate limiting
-    name: ${{ matrix.language.name }}
+    name: Smoke Test
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
@@ -67,23 +55,39 @@ jobs:
           sudo chmod 777 /usr/share/ant/lib
           curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > /usr/share/ant/lib/ivy.jar
 
-      - name: Checkout Smoke Test Repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-          repository: ${{ matrix.language.repo }}
-          path: smoke-test-repo
+      - name: Checkout Smoke Test Repos
+        run: |
+          mkdir -p smoke-test-repos
+          repos=(
+            "realm/realm-swift"                    # CocoaPods
+            "microsoft/ApplicationInsights-Java"   # Gradle
+            "kubernetes/kubernetes"                # Go
+            "apache/kafka"                         # Maven
+            "axios/axios"                          # NPM
+            "Radarr/Radarr"                        # NuGet
+            "django/django"                        # Pip
+            "pnpm/pnpm"                            # Pnpm
+            "Textualize/rich"                      # Poetry
+            "rails/rails"                          # Ruby
+            "alacritty/alacritty"                  # Rust
+            "gatsbyjs/gatsby"                      # Yarn
+          )
+          for repo in "${repos[@]}"; do
+            dir="smoke-test-repos/$(basename "$repo")"
+            echo "Cloning $repo into $dir..."
+            git clone --depth 1 "https://github.com/$repo.git" "$dir"
+          done
 
       - name: Restore Smoke Test NuGet Packages
-        if: ${{ matrix.language.name == 'NuGet'}}
-        working-directory: smoke-test-repo/src
+        working-directory: smoke-test-repos/Radarr/src
         run: dotnet restore
 
       - name: Run Smoke Test
         working-directory: src/Microsoft.ComponentDetection
         run: |
-          for i in $(seq 1 10); do
-              dotnet run -c Release -- scan --SourceDirectory ${{ github.workspace }}/smoke-test-repo --Verbosity Verbose || exit 1
+          ITERATIONS=${{ github.event_name == 'schedule' && 10 || 1 }}
+          for i in $(seq 1 $ITERATIONS); do
+              dotnet run -c Release -- scan --SourceDirectory ${{ github.workspace }}/smoke-test-repos --Verbosity Verbose || exit 1
           done
 
   create-issue:

Directory.Packages.props

@@ -6,7 +6,6 @@
     </PackageReference>
   </ItemDefinitionGroup>
   <ItemGroup>
-    <PackageVersion Include="CommandLineParser" Version="2.9.1" />
     <PackageVersion Include="Docker.DotNet" Version="3.125.15" />
     <PackageVersion Include="AwesomeAssertions" Version="9.4.0" />
     <PackageVersion Include="AwesomeAssertions.Analyzers" Version="9.0.8" />
@@ -44,7 +43,6 @@
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
     <PackageVersion Include="System.Memory" Version="4.6.3" />
     <PackageVersion Include="System.Reactive" Version="6.1.0" />
-    <PackageVersion Include="System.Runtime.Loader" Version="4.3.0" />
     <PackageVersion Include="System.Text.Json" Version="9.0.13" />
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="8.0.1" />
     <PackageVersion Include="Tomlyn.Signed" Version="0.20.0" />

docs/detectors/README.md

@@ -18,6 +18,12 @@
 | -------------------------- | ---------- |
 | CondaLockComponentDetector | DefaultOff |
 
+- [Docker Compose](dockercompose.md)
+
+| Detector                       | Status     |
+| ------------------------------ | ---------- |
+| DockerComposeComponentDetector | DefaultOff |
+
 - [Dockerfile](dockerfile.md)
 
 | Detector                    | Status     |

docs/detectors/dockercompose.md

@@ -0,0 +1,48 @@
+# Docker Compose Detection
+
+## Requirements
+
+Docker Compose detection depends on the following to successfully run:
+
+- One or more Docker Compose files matching the patterns: `docker-compose.yml`, `docker-compose.yaml`, `docker-compose.*.yml`, `docker-compose.*.yaml`, `compose.yml`, `compose.yaml`, `compose.*.yml`, `compose.*.yaml`
+
+The `DockerComposeComponentDetector` is a **DefaultOff** detector and must be explicitly enabled via the `--DetectorArgs` parameter.
+
+## Detection strategy
+
+The Docker Compose detector parses YAML compose files to extract Docker image references from service definitions.
+
+### Service Image Detection
+
+The detector looks for the `services` section and extracts the `image` field from each service:
+
+```yaml
+services:
+  web:
+    image: nginx:1.21
+  db:
+    image: postgres:14
+```
+
+Services that only define a `build` directive without an `image` field are skipped, as they do not reference external Docker images.
+
+### Full Registry References
+
+The detector supports full registry image references:
+
+```yaml
+services:
+  app:
+    image: ghcr.io/myorg/myapp:v2.0
+```
+
+### Variable Resolution
+
+Images containing unresolved variables (e.g., `${TAG}` or `${REGISTRY:-docker.io}`) are skipped to avoid reporting incomplete or incorrect references. The detector checks for `$`, `{`, or `}` characters in image references.
+
+## Known limitations
+
+- **DefaultOff Status**: This detector must be explicitly enabled using `--DetectorArgs DockerCompose=EnableIfDefaultOff`
+- **Variable Resolution**: Image references containing unresolved environment variables or template expressions are not reported, which may lead to under-reporting in compose files that heavily use variable substitution
+- **Build-Only Services**: Services that only specify a `build` directive without an `image` field are not reported
+- **No Dependency Graph**: All detected images are registered as independent components without parent-child relationships

src/Microsoft.ComponentDetection.Common/DockerReference/DockerReferenceUtility.cs

@@ -29,6 +29,7 @@ namespace Microsoft.ComponentDetection.Common;
 using System;
 using System.Diagnostics.CodeAnalysis;
 using Microsoft.ComponentDetection.Contracts;
+using Microsoft.Extensions.Logging;
 
 public static class DockerReferenceUtility
 {
@@ -38,6 +39,67 @@ public static class DockerReferenceUtility
     private const string LEGACYDEFAULTDOMAIN = "index.docker.io";
     private const string OFFICIALREPOSITORYNAME = "library";
 
+    /// <summary>
+    /// Returns true if the reference contains unresolved variable placeholders (e.g., ${VAR}, {{ .Values.tag }}).
+    /// Such references should be skipped before calling <see cref="ParseFamiliarName"/> or <see cref="ParseQualifiedName"/>.
+    /// </summary>
+    /// <param name="reference">The image reference string to check.</param>
+    /// <returns><c>true</c> if the reference contains variable placeholder characters; otherwise <c>false</c>.</returns>
+    public static bool HasUnresolvedVariables(string reference) =>
+        reference.IndexOfAny(['$', '{', '}']) >= 0;
+
+    /// <summary>
+    /// Attempts to parse an image reference string into a <see cref="DockerReference"/>.
+    /// Returns <c>null</c> if the reference contains unresolved variables or cannot be parsed.
+    /// </summary>
+    /// <param name="imageReference">The image reference string to parse.</param>
+    /// <param name="logger">Optional logger for recording parse failures.</param>
+    /// <returns>A <see cref="DockerReference"/> if parsing succeeds; otherwise <c>null</c>.</returns>
+    public static DockerReference? TryParseImageReference(string imageReference, ILogger? logger = null)
+    {
+        if (HasUnresolvedVariables(imageReference))
+        {
+            return null;
+        }
+
+        try
+        {
+            return ParseFamiliarName(imageReference);
+        }
+        catch (DockerReferenceException ex)
+        {
+            logger?.LogWarning(ex, "Failed to parse image reference '{ImageReference}'.", imageReference);
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Parses an image reference and registers it with the recorder if valid.
+    /// Skips references with unresolved variables or that cannot be parsed,
+    /// logging a warning for parse failures so that remaining entries continue to be processed.
+    /// </summary>
+    /// <param name="imageReference">The image reference string to parse.</param>
+    /// <param name="recorder">The component recorder to register the image with.</param>
+    /// <param name="logger">Optional logger for recording parse failures.</param>
+    public static void TryRegisterImageReference(string imageReference, ISingleFileComponentRecorder recorder, ILogger? logger = null)
+    {
+        var dockerRef = TryParseImageReference(imageReference, logger);
+        TryRegisterImageReference(dockerRef, recorder);
+    }
+
+    /// <summary>
+    /// Registers a pre-parsed <see cref="DockerReference"/> with the recorder if non-null.
+    /// </summary>
+    /// <param name="dockerReference">The parsed docker reference, or <c>null</c> to skip.</param>
+    /// <param name="recorder">The component recorder to register the image with.</param>
+    public static void TryRegisterImageReference(DockerReference? dockerReference, ISingleFileComponentRecorder recorder)
+    {
+        if (dockerReference != null)
+        {
+            recorder.RegisterUsage(new DetectedComponent(dockerReference.ToTypedDockerReferenceComponent()));
+        }
+    }
+
     public static DockerReference ParseQualifiedName(string qualifiedName)
     {
         var regexp = DockerRegex.ReferenceRegexp;

src/Microsoft.ComponentDetection.Common/Microsoft.ComponentDetection.Common.csproj

@@ -21,16 +21,4 @@
         <ProjectReference Include="..\Microsoft.ComponentDetection.Contracts\Microsoft.ComponentDetection.Contracts.csproj" />
     </ItemGroup>
 
-    <ItemGroup>
-        <Compile Update="Resources.Designer.cs">
-            <DependentUpon>Resources.resx</DependentUpon>
-            <DesignTime>True</DesignTime>
-            <AutoGen>True</AutoGen>
-        </Compile>
-        <EmbeddedResource Update="Resources.resx">
-            <LastGenOutput>Resources.Designer.cs</LastGenOutput>
-            <Generator>ResXFileCodeGenerator</Generator>
-        </EmbeddedResource>
-    </ItemGroup>
-
 </Project>

src/Microsoft.ComponentDetection.Common/Resources.Designer.cs

@@ -0,0 +1,8 @@
+namespace Microsoft.ComponentDetection.Common;
+
+internal static class Resources
+{
+    internal const string MissingComponentId = "The component object does not have a componentId specified";
+
+    internal const string MissingNodeInDependencyGraph = "Node with id {0} has not be inserted in the dependency graph";
+}