fix: ignore low confidence packages during nuget scan (#177)

Author: JamieMagee

src/Microsoft.ComponentDetection.Detectors/nuget/NuGetComponentDetector.cs

@@ -31,11 +31,13 @@ public class NuGetComponentDetector : FileComponentDetector
 
         private readonly IList<string> repositoryPathKeyNames = new List<string> { "repositorypath", "globalpackagesfolder" };
 
+        private static readonly IEnumerable<string> LowConfidencePackages = new[] { "Newtonsoft.Json" };
+
         protected override async Task OnFileFound(ProcessRequest processRequest, IDictionary<string, string> detectorArgs)
         {
             var stream = processRequest.ComponentStream;
             bool ignoreNugetConfig = detectorArgs.TryGetValue("NuGet.IncludeRepositoryPaths", out string includeRepositoryPathsValue) && includeRepositoryPathsValue.Equals(bool.FalseString, StringComparison.OrdinalIgnoreCase);
-            
+
             if (NugetConfigFileName.Equals(stream.Pattern, StringComparison.OrdinalIgnoreCase))
             {
                 await ProcessAdditionalDirectory(processRequest, ignoreNugetConfig);
@@ -50,7 +52,7 @@ private async Task ProcessAdditionalDirectory(ProcessRequest processRequest, boo
         {
             var singleFileComponentRecorder = processRequest.SingleFileComponentRecorder;
             var stream = processRequest.ComponentStream;
-           
+
             if (!ignoreNugetConfig)
             {
                 var additionalPaths = GetRepositoryPathsFromNugetConfig(stream);
@@ -106,7 +108,7 @@ private async Task ProcessFile(ProcessRequest processRequest)
                 string name = metadataNode["id"].InnerText;
                 string version = metadataNode["version"].InnerText;
 
-                string[] authors = metadataNode["authors"]?.InnerText.Split(",").Select(author => author.Trim()).ToArray();                
+                string[] authors = metadataNode["authors"]?.InnerText.Split(",").Select(author => author.Trim()).ToArray();
 
                 if (!NuGetVersion.TryParse(version, out NuGetVersion parsedVer))
                 {
@@ -116,7 +118,10 @@ private async Task ProcessFile(ProcessRequest processRequest)
                 }
 
                 NuGetComponent component = new NuGetComponent(name, version, authors);
-                singleFileComponentRecorder.RegisterUsage(new DetectedComponent(component));
+                if (!LowConfidencePackages.Contains(name, StringComparer.OrdinalIgnoreCase))
+                {
+                    singleFileComponentRecorder.RegisterUsage(new DetectedComponent(component));
+                }
             }
             catch (Exception e)
             {

test/Microsoft.ComponentDetection.Detectors.Tests/NuGetComponentDetectorTests.cs

@@ -15,6 +15,8 @@
 
 namespace Microsoft.ComponentDetection.Detectors.Tests
 {
+    using FluentAssertions;
+
     [TestClass]
     [TestCategory("Governance/All")]
     [TestCategory("Governance/ComponentDetection")]
@@ -207,6 +209,20 @@ public async Task TestNugetDetector_AdditionalDirectories()
             Assert.AreEqual(1, componentRecorder.GetDetectedComponents().Count());
         }
 
+        [TestMethod]
+        public async Task TestNugetDetector_LowConfidencePackages()
+        {
+            var nupkg = await NugetTestUtilities.ZipNupkgComponent("Newtonsoft.Json.nupkg", NugetTestUtilities.GetValidNuspec("Newtonsoft.Json", "9.0.1", new []{ "JamesNK"}));
+
+            var (scanResult, componentRecorder) = await this.detectorTestUtility
+                .WithFile("Newtonsoft.Json.nupkg", nupkg)
+                .ExecuteDetector();
+
+            scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
+            componentRecorder.GetDetectedComponents().Should().BeEmpty()
+                .And.HaveCount(0);
+        }
+
         private string CreateTemporaryDirectory()
         {
             string path;