Are there any c# .net free software composition analysis tools to check opensource component used and its vulnerabilities and license

I have situation where I have to anlyse the third party components\libraries used in the code within the license terms and no know vulnerabilities.

I know there are tool name blackduck and whitesource which can meet the expectation, but we cannot afford costly tools.

Is there any free stable tools available for such analysis. One I came across is OWASP dependency.

Appreciate any help over here.

Lingering Composition: Does a Performance critical failure cost the Focus point?

TL;DR: The bard player is arguing that lingering composition is a Performance check, and another player is stating it’s Casting a Spell (Focus spell).

I have a player playing a polymath bard with lingering composition.

This player insists that when casting the composition Focus spell, on the composition’s Performance check, a critical failure is the same as a failure, and the bard doesn’t expend the Focus point (because the Focus spell requires a Performance check to determine duration, and lingering composition doesn’t have a critical failure entry, only a failure entry).

My ruling as GM is that the bard is casting a Focus spell, and that the Casting a Spell rule is the active component, not the Performance check.

Lingering Composition: https://2e.aonprd.com/Spells.aspx?ID=389

Casting a Focus Spell: https://2e.aonprd.com/Rules.aspx?ID=276

Logspace Computable of the composition

The bit-graph of $ f: \{0,1\}^* \rightarrow \{0,1\}^*$ is the language:

$ \text{BIT}_f := \{<x,i> : 1\leq i \leq|f(x)| \text{ and the i-th bit of } f(x) \text{ is } 1\}$

It is said that $ f$ is logspace computable if $ \text{BIT}_f$ is decidable in space $ O(log(n))$ . Decidable means that there exist a Turing Machine $ M$ such that:

  1. if $ <x,i> \in \text{BIT}_f$ then $ M(<x,i>) = 1$
  2. if $ <x,i> \notin \text{BIT}_f$ then $ M(<x,i>) = 0$

Prove that the composition $ (f \circ g)(x)=f(g(x))$ of two logspace computable functions $ f,g$ is also a logspace computable function.

Any hint on this exercise? What I tried so far is playing with the composition of the two Turing Machines associated with $ f$ and $ g$ , but I didn’t succed because it always end up with a case analysis exercise.

Can mages change group composition during Ceremonial Casting without interrupting the spell?

When casting a spell, a mage has to constantly concentrate on it for a specific time period (taking Concentrate maneuveres each turn). Their energy reserves are limited by whatever FP they have at the moment plus an optional Powerstone. In other words, barring additional rulings, if the spell costs 16 energy points and the mage only has 14 FP of his own, they cannot cast it at all without a sufficiently large powerstone – they can’t stop in a middle of the casting, rest to recover the spent energy, and then continue.

However, things are slightly more complicated with Ceremonial magic (M12, B238), when the mage can get one or several assistants for contributing more energy to the casting, at the cost of tenfold increased casting time and several other penalties. There is one particular note that grabbed my attention:

  • Once the spell is cast, the participants can continue to provide energy to maintain the spell. The composition of the group may change, as long as the ritual continues uninterrupted. Thus, ceremonial magic lets you maintain a spell indefinitely.

It’s not clear at all whether the composition of the group can change during the casting, though. It would make sense that it can – after all, the ritual continues uninterrupted and the “caster” – group as a whole – keeps constantly concentrating on it. Surely, some of the participants should be able to leave for a while – possibly getting replaced – rest and return, if the ritual is designed so that such leaves are agreed upon in advance and are not a result of any accidents or interruptions?

The rulings on Enchantment (“Slow and Sure Enchantment” – M18, B481) state that, at least with this specific form of ceremonial magic, the participants can regularly interrupt the casting to rest in between. This could have been implying that interruptuble casting has a heavy price of extended time and resources required – as the other form of enchantment (“Quick and Dirty”) is much cheaper, but has no rulings on interruptions – however in this case, the group does not maintain constant concentration, the consequences for possible interruptions do not ruin the whole spell (only a day’s work), there are other benefits over QoD enchanting (no skill penalty for the number of participants), as well as suggestions for GMs who wish to further restrict QoD enchantments. In other words, this is not a definitive indicator.

In addition to that, there’s a Cone of Power spell described in Thaumatology (page 52) which allows to do things very similar to an interruptible casting, but still has many significant differences.

On the other hand, an interruptible ceremonial casting could have quite a few balance issues. For instance, a distant cult in some forgotten temple in a backwater of the world could be casting a Rain of Fire spell over the entire world over the course of several years without anyone noticing… and then unleash it all at once! Then again:

  • It takes just one random raid (or a falling rock™ plus a failed Wil roll) to ruin years of preparation – and so it clearly cannot be done without a GM’s permission, implicit or explicit;
  • “Cone of Power” allows to do that, too, and is way more dangerous – after all, the collected energy can be used prematurely to repel any potential attackers – yet this spell is in an official guidebook;
  • It’s actually quite a hook for an adventure!

    The Cult of Doom has been preparing a terrifying, humongous spell to unleash upon the world, of which our diviners have learnt just now, and now someone must sneak into their highly protected lair to interrupt the casters! Bonus points for cinematic arrival just in the nick of time to interrupt the cult just as they are about to finish the casting.

So…

Is there an official, documented ruling on whether the mages can change group composition during Ceremonial Casting without interrupting the spell? And if not, what balancing considerations the GM should keep in mind when making his own ruling?

Using function composition to turn a function into point free one

In Tacit Programming page on wikipedia, it is stated that the point free version of

p x y z = f (g x y) z is
p = ((.) f) . g

and that the point free version of

mf criteria operator list = filter criteria (map operator list) is
mf = (. map) . (.) . filter.

I can not figure out how can we get from one side to the other, in either way. Would you please show me a step by step explanation of why those equivalences hold?

Are models of computation closed under composition?

It’s common to ask whether a particular class of languages $ \mathcal{C} \subseteq \mathcal{P}(\Sigma^*)$ , for some alphabet $ \Sigma$ , is closed under complement, or union, or intersection, or concatenation, or the Kleene star. And those questions seem natural to me, because they’re essentially questions about the power of a model of computation that can decide precisely the languages in $ C$ . However, it seems just as natural to me – perhaps even more natural – to ask whether such a class is also closed under composition.

Here’s what I mean by that. If I fix some subset $ \mathcal{C} \subseteq \mathcal{P}(\Sigma^*)$ of “decidable” languages relative to some model of computation, for any (finite) $ \Sigma$ , then I have also fixed some subset $ \mathcal{F} \subseteq B^A$ of computable functions, for any languages $ A, B$ – because each function $ f : A \rightarrow B$ can be viewed as a function $ \bar{f} : A \times B \rightarrow \{0, 1\}$ . Given that, I would expect that for any reasonable model of computation, if $ f : A \rightarrow B$ and $ g : B \rightarrow C$ are computable, then $ g \circ f : A \rightarrow C$ should be as well. Put in terms of the corresponding languages, I’d expect that if $ L_f = \{(a, b) \in A \times B : f(a) = b\}$ and $ L_g = \{(b, c) \in B \times C : g(b) = c\}$ are decidable, then $ L_{g \circ f} = \{(a, c) : \exists b \in B s.t. f(a) = b \wedge g(b) = c\}$ should be decidable as well.

This seems to me like a natural question to ask of any class of languages. Is it in fact a reasonable question? If not, why? If it is, is there a better way to frame it, one that would make it more clear what we’re demanding?

Multiplication and division by a morphism under the “inner composition” in closed monoidal categories

I asked this a week ago at math.stackexchange, without success, so I hope it will be appropriate here.

Let $ {\mathcal C}$ be a symmetric closed monoidal category, and let me denote the internal hom-functor by a fraction $ $ (X,Y)\mapsto\frac{Y}{X}, $ $ so that we have an isomorphism of functors $ $ \operatorname{Mor}(A\otimes B,C)\cong \operatorname{Mor}\left(A,\frac{C}{B}\right). $ $ As is known, $ {\mathcal C}$ is an enriched category over itself. For each objects $ A,B,C$ let me denote by $ \bullet_{A,B,C}$ the “inner composition” in $ {\mathcal C}$ as in an enriched category, i.e. the morphism $ $ \bullet_{A,B,C}:\frac{C}{B}\otimes\frac{B}{A}\to\frac{C}{A} $ $ with the corresponding properties.

I wonder if the following identity always holds $ $ \bullet_{A,C,D}\circ\left(1_{\frac{D}{C}}\otimes\frac{\varphi}{1_A}\right)= \bullet_{A,B,D}\circ\left(\frac{1_D}{\varphi}\otimes1_{\frac{B}{A}}\right) $ $ (for arbitrary objects $ A,B,C,D$ and for arbitrary morphism $ \varphi:B\to C$ ).

multiplication and division by a morphism under the inner multiplication

This is strange, I can prove this only in the case when the unit $ I$ is a separating object in $ {\mathcal C}$ (what does not always hold). Is it possible that there is a counterexample?

How to define Composition Roots for libraries (Javascript/inversify)

I’m building a console app (A), which depends on library B. Library B further depends on library C. I am building all 3 entities. Most of the development completed so far has been done using a functional design and so far this is working well, and is currently stateless, and no instantiations have been needed so far. I am now at a point where I need to declare some dependencies and inject them as appropriate. The interaction between libraries B and C should be transparent to the application A. I have been reading up on dependency injection/inversion of control and I’ve decided that I will use inversify as the dependency injection framework. One point I am ‘stuck’ on is the notion of Composition Roots and where they should be created. I found this article ‘https://blog.ploeh.dk/2011/07/28/CompositionRoot/’ which states that the CR should be as close to the main entry point of the application. It also says that CRs, are not applicable to libraries just applications. But the interaction between libraries B & C is an implementation detail that the client should not be aware of. So what is the correct resolution to this issue? I’m inclined to define a CR in library B so that its dependency on a component in library C can be injected. This seems correct to me, but it does seem at odds with established wisdom. To quote the article: “Only applications should have Composition Roots. Libraries and frameworks shouldn’t.”. It seems that to do this correctly, the client app needs to be aware of all the implementation crud and its up to the client to compose everything via a Composition Root.

But if library B needs a dependency to be injected into it (which comes from library C), how do we do this? I’m now suffering analysis paralysis …

PS, I also considered this article: Design/Architecture for passing cross-cutting parameters via constructors at composition roots?, but that does not address the issue of the application/client being aware of downstream dependencies.

Avoiding instantiating the whole application at startup when using a composition root

In a typical non-DI application, when you enter a section of code the necessary objects are constructed and when you leave it they are deconstructed.

However, when doing dependency injection with a composition root, you typically instantiate the whole application graph at startup. Sometimes (if your application is lightweight) this isn’t a problem. However, if you have any elements in your application with large, heavy constructors then startup time immediately suffers.

Is there a standard way around this while still using dependency injection?

A formal epsilon-delta proof for the Continuity Law for Composition

The continuity law for composition states, informally, that:

$ $ \text{IF } f \text{ is continuous at } g \ \text{ AND }\ g \text{ is continuous at } f(a) \text{ THEN } g(f(a)) \text{ is continuous at } a$ $

Or, using the limit definition of continuity:

$ $ \lim_{x \to a} f(x) = f(a) \wedge \lim_{x \to f(x)} g(x) = g(f(a)) \Longrightarrow \lim_{x \to a} g(f(x)) = g(f(a))$ $

Or, using the formal epsilon-delta definitions:

$ $ \forall \epsilon > 0, \exists \delta_1 > 0, \forall x \in \mathbb{R}, 0<|x – a| < \delta_1 \Longrightarrow |f(x) – f(a)| < \epsilon \tag{1}\label{1}$ $

$ $ \forall \epsilon > 0, \exists \delta_2 > 0, \forall x \in \mathbb{R}, 0<|x – f(a)| < \delta_2 \Longrightarrow |g(x) – g(f(a))| < \epsilon \tag{2}\label{2}$ $

$ $ \forall \epsilon > 0, \exists \delta > 0, \forall x \in \mathbb{R}, 0<|x – a| < \delta \Longrightarrow |g(f(x)) – g(f(a))| < \epsilon \tag{3}\label{3}$ $

$ $ \eqref{1} \wedge \eqref{2} \Longrightarrow \eqref{3}$ $


Proof:

We assume \eqref{1} and \eqref{2}. We want to show \eqref{3}.

Let $ \epsilon > 0$ .

We will use the same $ \epsilon$ in \eqref{2}, giving us:

$ $ \exists \delta_2 > 0, \forall x \in \mathbb{R}, 0<|x – f(a)| < \delta_2 \Longrightarrow |g(x) – g(f(a))| < \epsilon \tag{2a}\label{2a} $ $

Let $ \delta_2 > 0$ such that the following is true:

$ $ \forall x \in \mathbb{R}, 0<|x – f(a)| < \delta_2 \Longrightarrow |g(x) – g(f(a))| < \epsilon \tag{2b}\label{2b}$ $

We will substitute $ \delta_2$ for $ \epsilon$ in $ \eqref{1}$ to obtain:

$ $ \exists \delta_1 > 0, \forall x \in \mathbb{R}, 0<|x – a| < \delta_1 \Longrightarrow |f(x) – f(a)| < \delta_2\tag{1a}\label{1a} $ $

Let $ \delta_1 > 0$ such that the following is true:

$ $ \forall x \in \mathbb{R}, 0<|x – a| < \delta_1 \Longrightarrow |f(x) – f(a)| < \delta_2\tag{1b}\label{1b}$ $

Let $ x \in \mathbb{R}$ .

We will use the same $ x$ in \eqref{1b} to obtain:

$ $ 0 < |x – a| < \delta_1 \Longrightarrow |f(x) – f(a)| < \delta_2\tag{1c}\label{1c}$ $

Let $ \delta = \delta_1$ .

We assume $ 0 < |x – a| < \delta = \delta_1$ .

By our assumption and \eqref{1c}, we know:

$ $ |f(x) – f(a)| < \delta_2 \tag{1d}\label{1d}$ $

We substitute $ f(x)$ for $ x$ in \eqref{2b} to obtain:

$ $ 0<|f(x) – f(a)| < \delta_2 \Longrightarrow |g(f(x)) – g(f(a))| < \epsilon \tag{2c}\label{2c}$ $


And here is where I’m stuck. All I need to show is $ 0 < |f(x) – f(a)| $ , and I will be able to complete the proof. But I don’t know how to show that. Any ideas?