Conversation

@zhenghao104

🔧 New Detector Implementation

File: NuGetCentralPackageManagementDetector.cs
Purpose: Detects NuGet packages in Central Package Management files (Directory.Packages.props, packages.props, package.props)

Features

  • Handles both PackageVersion and GlobalPackageReference elements
  • Marks GlobalPackageReference as development dependencies
  • Validates files are actual Central Package Management files
  • Robust error handling for malformed XML
  • Implements IDefaultOffComponentDetector interface (detector is off by default)

🧪 Comprehensive Test Suite

File: NuGetCentralPackageManagementDetectorTests.cs
Coverage: 8 test methods covering:

  • Directory.Packages.props detection
  • GlobalPackageReference handling (marked as dev dependencies)
  • Different file name variations (packages.props, package.props)
  • Malformed XML handling
  • Conditional version support
  • File validation logic

🎯 Key Benefits

  • Focused Detection: Targets Central Package Management props files (not .csproj)
  • Precise Vulnerability Path: Reports actual props file location instead of multiple project locations
  • Development Dependency Classification: Properly marks GlobalPackageReference elements
  • Robust: Handles edge cases and malformed files gracefully

✅ Validation Complete

  • All unit tests pass (8/8)
  • Full solution builds successfully
  • StyleCop compliance maintained
  • Follows existing project patterns and conventions

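The behaviour the description lists (PackageVersion and GlobalPackageReference items, GlobalPackageReference classified as a development dependency, file validation, conditional versions, and graceful handling of malformed XML) as a stand-alone C# example added for this page. It is not the PR's NuGetCentralPackageManagementDetector.cs and does not use the component-detection project's detector types; the CpmPackage and CpmPropsReader names, the validation heuristic (a ManagePackageVersionsCentrally switch or at least one package item) and the sample props content are assumptions. It goes slightly beyond the description by also accepting Update= items, child <Version> elements and the classic MSBuild 2003 xmlns.

```csharp
// Added example, not the PR's code: a stand-alone reader for NuGet Central Package
// Management props files. Names and the validation heuristic are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

public sealed record CpmPackage(string Id, string Version, bool IsDevelopmentDependency, string? Condition);

public static class CpmPropsReader
{
    // File names the PR description lists as Central Package Management files.
    private static readonly HashSet<string> KnownFileNames =
        new(StringComparer.OrdinalIgnoreCase) { "Directory.Packages.props", "packages.props", "package.props" };

    public static bool IsCpmFileName(string path) => KnownFileNames.Contains(Path.GetFileName(path));

    // Assumption (the PR does not say how it validates): a file is CPM when it sets
    // ManagePackageVersionsCentrally or declares at least one PackageVersion /
    // GlobalPackageReference item. Match on local names so both the xmlns-less SDK
    // style and the classic MSBuild 2003 namespace are accepted.
    public static bool LooksLikeCpmFile(XDocument doc)
    {
        if (doc.Root == null || doc.Root.Name.LocalName != "Project") return false;
        bool hasSwitch = doc.Descendants().Any(e =>
            e.Name.LocalName == "ManagePackageVersionsCentrally" &&
            string.Equals(e.Value.Trim(), "true", StringComparison.OrdinalIgnoreCase));
        return hasSwitch || doc.Descendants().Any(e => IsPackageItem(e.Name.LocalName));
    }

    private static bool IsPackageItem(string localName) =>
        localName == "PackageVersion" || localName == "GlobalPackageReference";

    // Returns the declared packages. Malformed XML yields an empty list plus an error
    // message instead of an exception, so one bad file does not abort a whole scan.
    public static IReadOnlyList<CpmPackage> Parse(string xml, out string? error)
    {
        error = null;
        XDocument doc;
        try { doc = XDocument.Parse(xml); }
        catch (XmlException ex)
        {
            error = "malformed XML: " + ex.Message;
            return Array.Empty<CpmPackage>();
        }
        if (!LooksLikeCpmFile(doc))
        {
            error = "not a Central Package Management file";
            return Array.Empty<CpmPackage>();
        }

        var result = new List<CpmPackage>();
        foreach (var item in doc.Descendants().Where(e => IsPackageItem(e.Name.LocalName)))
        {
            // Include is the usual form; Update appears when a base props file is amended.
            string? id = (string?)item.Attribute("Include") ?? (string?)item.Attribute("Update");
            // Version may be an attribute or a child element.
            string? version = (string?)item.Attribute("Version")
                ?? item.Elements().FirstOrDefault(c => c.Name.LocalName == "Version")?.Value;
            if (string.IsNullOrWhiteSpace(id) || string.IsNullOrWhiteSpace(version)) continue;

            // A Condition on the item or on its enclosing ItemGroup makes the version
            // conditional; the expression is kept so the caller can report it.
            string? condition = (string?)item.Attribute("Condition")
                ?? (string?)item.Parent?.Attribute("Condition");

            // GlobalPackageReference items (analyzers, SourceLink, ...) are build-time
            // only, so they are classified as development dependencies.
            bool isDev = item.Name.LocalName == "GlobalPackageReference";
            result.Add(new CpmPackage(id.Trim(), version.Trim(), isDev, condition));
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample input; not a file from any real repository.
        const string sample = @"<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include=""Newtonsoft.Json"" Version=""13.0.3"" />
    <PackageVersion Include=""System.Text.Json"" Version=""8.0.4"" Condition=""'$(TargetFramework)' == 'net8.0'"" />
    <GlobalPackageReference Include=""Microsoft.SourceLink.GitHub"" Version=""8.0.0"" />
  </ItemGroup>
</Project>";
        foreach (var p in Parse(sample, out _))
            Console.WriteLine($"{p.Id} {p.Version} dev={p.IsDevelopmentDependency} cond={p.Condition ?? "-"}");

        // Truncated document: reported through the out parameter, not thrown.
        Parse("<Project><ItemGroup>", out var err);
        Console.WriteLine(err);
    }
}
```

Two design choices matter for a scanner: the error is returned rather than thrown, so a single corrupted props file is logged and skipped while the rest of the repository is still scanned, and the recorded location is the props file itself, which is the one place a version has to be bumped under Central Package Management rather than every .csproj that references the package.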
@zhenghao104 zhenghao104 requested a review from a team as a code owner October 28, 2025 05:42
@codecov

codecov bot commented Oct 28, 2025

Codecov Report

❌ Patch coverage is 97.21254% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.9%. Comparing base (2fd5d4f) to head (453da63).
⚠️ Report is 41 commits behind head on main.

Files with missing lines                               Patch %   Lines
...ors/nuget/NuGetCentralPackageManagementDetector.cs    90.6%   3 Missing and 4 partials ⚠️
...NuGetCentralPackageManagementDetectorExperiment.cs    75.0%   1 Missing ⚠️
@@          Coverage Diff           @@
##            main   #1479    +/-   ##
======================================
  Coverage   90.9%   90.9%            
======================================
  Files        423     427     +4     
  Lines      37178   37465   +287     
  Branches    2229    2240    +11     
======================================
+ Hits       33814   34092   +278     
- Misses      2922    2926     +4     
- Partials     442     447     +5     

@pauld-msft
Member

A couple of questions regarding the scope of the feature:

  1. I noticed that this doesn't have support for some of the features of central package management, such as 'transitive pinning' and 'version overrides'. Are we planning on supporting those?
  2. You mentioned that there will be a follow-up PR in our internal wrapper. Can you help explain the logic that will go there? I'm mostly curious how these results will be used to help clean up the references directly to csproj files and reduce the overall number of vulnerable file paths that we see.