fix: optimise nuget v3 dependencies lookup (#263)

37IulianPopovici · web-flow · commit 51ffe9bdd43d · 2025-10-01T11:57:23.000+03:00
diff --git a/lib/nuget-parser/parsers/dotnet-core-v3-parser.ts b/lib/nuget-parser/parsers/dotnet-core-v3-parser.ts
@@ -2,7 +2,7 @@ import * as debugModule from 'debug';
 import * as depGraphLib from '@snyk/dep-graph';
 import { DepGraphBuilder } from '@snyk/dep-graph';
 import { InvalidManifestError } from '../../errors';
-import { Overrides, ProjectAssets, Target } from '../types';
+import { Overrides, ProjectAssets, ResolvedPackagesMap } from '../types';
 
 const debug = debugModule('snyk');
 
@@ -16,26 +16,9 @@ export const FILTERED_DEPENDENCY_PREFIX = [
   'runtime',
 ];
 
-/**
- * Finds the actual resolved version of a package in the targets section.
- * This is necessary because NuGet may resolve to a different version than what's
- * declared in transitive dependencies due to version constraints and resolution rules.
- */
-function findActualResolvedVersion(
-  allPackagesForFramework: Record<string, Target>,
-  packageName: string,
-): string | null {
-  for (const key of Object.keys(allPackagesForFramework)) {
-    if (key.startsWith(`${packageName}/`)) {
-      return key.split('/')[1];
-    }
-  }
-  return null;
-}
-
 function recursivelyPopulateNodes(
   depGraphBuilder: DepGraphBuilder,
-  allPackagesForFramework: Record<string, Target>,
+  resolvedPackages: ResolvedPackagesMap,
   parentID: string,
   dependencies: Record<string, string>,
   overrides: Overrides,
@@ -58,38 +41,23 @@ function recursivelyPopulateNodes(
       continue;
     }
 
-    let actualResolvedVersion: string | null = childResolvedVersion;
+    // Find the actual resolved version and target for this package name
+    // NuGet may resolve to a different version than what's declared in transitive dependencies
+    const resolvedPackage = resolvedPackages[childName];
+    if (!resolvedPackage) {
+      debug(
+        `Child package ${childName} not found in lock file packages for framework.`,
+      );
+      continue;
+    }
+
+    const { resolvedVersion: actualResolvedVersion, target: childPkgEntry } =
+      resolvedPackage;
 
-    let childPkgEntry =
-      allPackagesForFramework[`${childName}/${childResolvedVersion}`];
-    if (!childPkgEntry) {
-      // Find the actual resolved version for this package name in the targets section
-      // NuGet may resolve to a different version than what's declared in transitive dependencies
-      actualResolvedVersion = findActualResolvedVersion(
-        allPackagesForFramework,
-        childName,
+    if (childResolvedVersion !== actualResolvedVersion) {
+      debug(
+        `Version mismatch for ${childName}: declared ${childResolvedVersion}, using resolved ${actualResolvedVersion}`,
       );
-      if (!actualResolvedVersion) {
-        debug(
-          `Child package ${childName} not found in lock file packages for framework.`,
-        );
-        continue;
-      }
-
-      if (childResolvedVersion !== actualResolvedVersion) {
-        debug(
-          `Version mismatch for ${childName}: declared ${childResolvedVersion}, using resolved ${actualResolvedVersion}`,
-        );
-      }
-
-      childPkgEntry =
-        allPackagesForFramework[`${childName}/${actualResolvedVersion}`];
-      if (!childPkgEntry) {
-        debug(
-          `Child package ${childName}@${actualResolvedVersion} not found in lock file packages for framework (this should not happen).`,
-        );
-        continue;
-      }
     }
 
     const childID = `${childName}@${actualResolvedVersion}`;
@@ -131,7 +99,7 @@ function recursivelyPopulateNodes(
 
     recursivelyPopulateNodes(
       depGraphBuilder,
-      allPackagesForFramework,
+      resolvedPackages,
       childID,
       childPkgEntry.dependencies,
       overrides,
@@ -190,6 +158,12 @@ function buildDepGraph(
 
   const allPackagesForFramework = projectAssets.targets[assetsTargetFramework];
 
+  const resolvedPackages: ResolvedPackagesMap = {};
+  for (const [key, target] of Object.entries(allPackagesForFramework)) {
+    const [name, version] = key.split('/');
+    resolvedPackages[name] = { resolvedVersion: version, target };
+  }
+
   // Identify direct dependencies for the selected framework
   const directDependencies: Record<string, string> = {};
   projectAssets.projectFileDependencyGroups[assetsTargetFramework].forEach(
@@ -214,7 +188,7 @@ function buildDepGraph(
   // Start recursive population from direct dependencies
   recursivelyPopulateNodes(
     depGraphBuilder,
-    allPackagesForFramework,
+    resolvedPackages,
     'root-node',
     directDependencies, // Pass the direct dependencies object
     overrides,
diff --git a/lib/nuget-parser/types.ts b/lib/nuget-parser/types.ts
@@ -114,4 +114,12 @@ export type Overrides = {
   overrideVersion: string;
 };
 
+export type ResolvedPackagesMap = Record<
+  string,
+  {
+    readonly resolvedVersion: string;
+    readonly target: Target;
+  }
+>;
+
 export type DotnetCoreV2Results = DotnetCoreV2Result[];
