[BUG] Coverlet.collector dependencies are undeclared and hard-copied as package contents

[rucamzu-r2r]

Describe the bug
The coverlet.collector nuget package doesn't declare its dependencies e.g. NewtonSoft.Json, and instead includes hard copies of their DLLs as package contents.

To Reproduce
Please see the contents of any version of the coverlet.collector nuget package (confirmed 3.1.2 and the latest 6.0.4).

Expected behavior
The coverlet.collector nuget package does declare its dependencies and doesn't include their binaries as package contents. Dependencies shouldn't be part of the package.

Actual behavior
The coverlet.collector nuget package doesn't declare any dependencies: https://www.nuget.org/packages/coverlet.collector#dependencies-body-tab

The package contents include DLLs from third-party dependencies e.g. NewtonSoft.Json: https://nuget.info/packages/coverlet.collector/6.0.4

Configuration (please complete the following information):
N/A

Additional context
This issue was discovered while tracking CVE-2024-21907, after JetBrains Rider alerted about it in relation to coverlet.collector 3.1.2. It was confusing because the vulnerability advisor targets Newtonsoft.Json and coverlet.collector showed no dependencies.

This practice makes it harder to track and address security vulnerabilities, and also do proper dependency resolution.

[Bertk]

Thank you for the information. The release Coverlet NuGet packages intentionally exclude dependencies, following legacy behavior similar to dotnet tools. The latest preview versions now support multiple runtime target frameworks.

You can find the newest previews here: nightly build packages

Additionally, the Newtonsoft.Json package reference has been removed. Would adding an SBOM to the NuGet package be helpful for your scenario? (see #1752)

[rucamzu-r2r]

Hi @Bertk , thank you for your reply.

I would guess that an SBOM would be a partial mitigation: it's definitely better than nothing and would help with vulnerability tracking, but then again it isn't the conventional mechanism for nuget packages to declare its dependencies.

The removal of Newtonsoft.Json would address the specific case of CVE-2024-21907, however the package still contains other dependencies' binaries e.g. Mono.Cecil 0.11.6, so the issue would still persist. I understand when you say this is an intentional decision; may I ask, though, what would be preventing coverlet.collector from switching to declaring its dependencies - as opposed to including them?