Fix msbuild parser allowing missing versions (#1559)

This change updates the `msbuild` lockfile parser so that it will not
allow for missing names and or versions. Before this change, a
`*.csproj` file parsed as a lockfile (e.g., with type of `msbuild`)
would show entries with missing name or version as an empty string. This
causes analysis failures when submitting to the API since a valid
package descriptor requires a non-empty `version` field.

Dependency management in NuGet's "Central Package Management" (CPM)
allows for `*.csproj` files containing `PackageReference` elements
without a `Version` attribute. Those versions will be included, along
with the fully transitive set, in the `packages.lock.json` lockfile
generated by NuGet. When both files are present in the same directory,
the changes in this patch will correctly parse both. For more about CPM,
see this reference:

https://devblogs.microsoft.com/nuget/introducing-central-package-management/

The `sample.csproj` test fixture was updated to include an entry with
neither a name or version and another entry with a name but no version.

Author: maxrake

CHANGELOG.md

@@ -12,6 +12,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 - `phylum exception` subcommand for managing suppressions
 
+### Fixed
+
+- `msbuild` lockfile parser allowing missing names and versions
+
 ## 7.2.0 - 2024-12-10
 
 ### Added

lockfile/src/csharp.rs

@@ -95,10 +95,10 @@ pub struct CSProj;
 #[derive(Debug, Deserialize, PartialEq, Eq)]
 pub struct PackageReference {
     #[serde(alias = "@Include", default)]
-    pub name: String,
+    pub name: Option<String>,
 
     #[serde(alias = "@Version", alias = "@version", alias = "Version", default)]
-    pub version: String,
+    pub version: Option<String>,
 }
 
 #[derive(Debug, Deserialize, PartialEq, Eq)]
@@ -113,13 +113,15 @@ struct Project {
     pub item_groups: Vec<ItemGroup>,
 }
 
-impl From<PackageReference> for Package {
-    fn from(pkg_ref: PackageReference) -> Self {
-        Self {
-            name: pkg_ref.name,
-            version: PackageVersion::FirstParty(pkg_ref.version),
+impl TryFrom<PackageReference> for Package {
+    type Error = ();
+
+    fn try_from(pkg_ref: PackageReference) -> Result<Self, Self::Error> {
+        Ok(Self {
+            name: pkg_ref.name.ok_or(())?,
+            version: PackageVersion::FirstParty(pkg_ref.version.ok_or(())?),
             package_type: PackageType::Nuget,
-        }
+        })
     }
 }
 
@@ -130,7 +132,11 @@ impl From<Project> for Vec<Package> {
         for item_group in proj.item_groups {
             if !item_group.dependencies.is_empty() {
                 deps.extend(
-                    item_group.dependencies.into_iter().map(Package::from).collect::<Vec<_>>(),
+                    item_group
+                        .dependencies
+                        .into_iter()
+                        .filter_map(|pkg| Package::try_from(pkg).ok())
+                        .collect::<Vec<_>>(),
                 );
             }
         }

tests/fixtures/sample.csproj

@@ -10,6 +10,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference />
     <PackageReference Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="15.7.0" />
     <PackageReference Include="NUnit3TestAdapter" Version="3.13.0" />
@@ -20,6 +21,7 @@
     <PackageReference Include="System.Collections.Immutable">
       <version>1.5.0</version>
     </PackageReference>
+    <PackageReference Include="Newtonsoft.Json"/>
   </ItemGroup>
 
   <ItemGroup>