Packages from Private GitHub package repos are being reported with `nuget.org` Fake URLs

[stunney]

Describe the bug
We have proprietary packages in nuget.pkg.github.com/MYCORP. When generating our FOSS list with your tool all packages are output to the readme.md with https://www.nuget.org/packages/MYPACKAGE/VERSION which doesn't exist. No license information is gathered either. Right now this scenario only pertains to NUGET but it might very likely pertain to NPM in the future for us. My GitHub PAT has access to these repositories as well for the restore and also has package:read permissions in the PAT as well. No errors are reported during the runtime of the tool.

To Reproduce
Create a CSPROJ with a private package coming from GitHub.

Expected behavior
The proper URL and other things such as licensing should be output.

Environment

• OS: MacOS 13.3.1
• .net framework version: 6.0.100

Thank you :)

[stunney]

Note:
I have tried adding the following section in the configuration/appsettings.json file as well in a few permutations

nuget.pkg.github.com
nuget.pkg.github.com/MYCORP
pkg.github.com
github.com

  "nuget.pkg.github.com": {
    "allowToUseLocalCache": true,
    "downloadPackageIntoRepository": false,
    "ignorePackages": {
      "byName": [],
      "byProjectName": []
    },
    "internalPackages": {
      "byName": [ "StyleCop\\.Analyzers" ],
      "byProjectName": [ "\\.Test$" ]
    }
  },

None of these appear to make a difference

[max-ieremenko]

hi @stunney

The proper URL

This is not supported in the current version. TPL always assumes that a package came from www.nuget.org, so you see https://www.nuget.org/packages/MYPACKAGE/VERSION in the readme.md.

I need to investigate how it can work - it will take some time.

Other things such as licensing should be output

License info is generated from .nuspec file, as an example "newtonsoft.json.nuspec":

<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata minClientVersion="2.12">
    <id>Newtonsoft.Json</id>
    <version>13.0.3</version>
    <license type="expression">MIT</license>
    <projectUrl>https://www.newtonsoft.com/json</projectUrl>
    <iconUrl>https://www.newtonsoft.com/content/images/nugeticon.png</iconUrl>
    <repository type="git" url="https://github.com/JamesNK/Newtonsoft.Json" commit="0a2e291c0d9c0c7675d445703e51750363a549ef" />
  </metadata>
</package>

see <license, <projectUrl and <repository.

This should work. If you do not see the license information, check your .nuspec file.

[stunney]

Thank you @max-ieremenko ! I'd love to see this as a feature. GitHub supports the V3 nuget API so I'm hoping it would just be an array of nuget repository feeds.

[max-ieremenko]

Proper URL generation for github nuget feeds is implemented in version 3.3.0.

Please remember that it affects only new package references, which are not in the TPL repository yet.
If there are already created references under packages/nuget.org for nugets from nuget.pkg.github.com/MYCORP, before running version 3.3.0 delete coresponding folders,

For example, there is already a folder packages/nuget.org/my-github-package/version, created by TPL version 3.2.1

• delete the folder my-github-package manually
• run TPL 3.3.0 update command