.NET
.NET package analysis and vulnerability scanning capabilities
Package analysis
| Cataloger | Evidence | License | Dependency Depth | Dependency Edges | Dependency Kinds | Package Manager Claims: Files | Package Manager Claims: Digests | Package Manager Claims: Integrity Hash |
|---|---|---|---|---|---|---|---|---|
| dotnet-deps-binary-cataloger | *.deps.json, *.dll, *.exe | | transitive | complete | runtime | | | |
| dotnet-deps-cataloger | *.deps.json | | transitive | complete | runtime | | | |
| dotnet-packages-lock-cataloger | packages.lock.json | | transitive | complete | runtime, dev, build | | | |
| dotnet-portable-executable-cataloger | *.dll, *.exe | | | | | | | |
Syft Configuration
| Configuration Key | Description |
|---|---|
| dotnet.dep-packages-must-claim-dll | Allows for deps.json packages to be included only if there is a runtime/resource DLL claimed in the deps.json targets section. This does not require such claimed DLLs to exist on disk. The behavior of this |
| dotnet.dep-packages-must-have-dll | Allows for deps.json packages to be included only if there is a DLL on disk for that package. |
| dotnet.propagate-dll-claims-to-parents | Allows for deps.json packages to be included if any child (transitive) package claims a DLL. This applies to both the claims configuration and evidence-on-disk configurations. |
| dotnet.relax-dll-claims-when-bundling-detected | Will look for indications of IL bundle tooling via deps.json package names and, if found (and this config option is enabled), will relax the DepPackagesMustClaimDLL value to `false` only in those cases. |
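The three filtering options above interact in ways that are easier to see on a concrete deps.json than in prose. The following is an added illustration, not Syft's own code: a simplified re-implementation of the claim-based, on-disk and propagated filters run over a constructed deps.json. The package names, versions and the `on_disk` file set are made up for the example, the config keys are the ones listed in the table, and the bundling-detection relaxation is not modelled (it depends on package-name heuristics the page does not spell out).

```python
import json

# Constructed sample deps.json for illustration (not taken from any real project).
# Package keys in a deps.json "targets" section are "Name/Version".
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "MyApp/1.0.0": {
                "dependencies": {"Newtonsoft.Json": "13.0.3",
                                 "Meta.Package": "1.0.0",
                                 "Docs.Only": "1.0.0"},
                "runtime": {"MyApp.dll": {}},
            },
            # claims a runtime DLL in the targets section
            "Newtonsoft.Json/13.0.3": {
                "runtime": {"lib/net6.0/Newtonsoft.Json.dll": {"assemblyVersion": "13.0.0.0"}},
            },
            # metapackage: no DLL of its own, only a child that claims one
            "Meta.Package/1.0.0": {"dependencies": {"Leaf.Lib": "2.0.0"}},
            "Leaf.Lib/2.0.0": {"runtime": {"lib/net6.0/Leaf.Lib.dll": {}}},
            # content-only package: no runtime/resource DLL and no children
            "Docs.Only/1.0.0": {},
        }
    },
})


def load_target(deps_json_text):
    """Return the package map for the runtime target named in the deps.json."""
    deps = json.loads(deps_json_text)
    return deps["targets"][deps["runtimeTarget"]["name"]]


def claimed_dll_names(entry):
    """Base names of DLLs the package claims under 'runtime'/'resources' (a claim needs no file on disk)."""
    paths = list(entry.get("runtime", {})) + list(entry.get("resources", {}))
    return [p.rsplit("/", 1)[-1] for p in paths]


def child_keys(target, key):
    """'Name/Version' keys of the package's direct dependencies that exist in the target map."""
    deps = target[key].get("dependencies", {})
    return [f"{n}/{v}" for n, v in deps.items() if f"{n}/{v}" in target]


def has_dll_evidence(target, key, config, on_disk, seen=None):
    """Decide whether a package carries DLL evidence under the given config.

    - dotnet.dep-packages-must-have-dll: a claimed DLL must actually be present on disk.
    - dotnet.dep-packages-must-claim-dll: a claim in the targets section is enough.
    - dotnet.propagate-dll-claims-to-parents: evidence from any transitive child also counts.
    """
    names = claimed_dll_names(target[key])
    if config.get("dotnet.dep-packages-must-have-dll"):
        direct = any(n in on_disk for n in names)
    else:
        direct = bool(names)
    if direct or not config.get("dotnet.propagate-dll-claims-to-parents"):
        return direct
    seen = set() if seen is None else seen
    seen.add(key)  # guards against dependency cycles
    return any(has_dll_evidence(target, c, config, on_disk, seen)
               for c in child_keys(target, key) if c not in seen)


def select_packages(deps_json_text, config, on_disk=frozenset()):
    """Sorted package keys that survive the configured filter (all packages when no filter is set)."""
    target = load_target(deps_json_text)
    filtering = (config.get("dotnet.dep-packages-must-claim-dll")
                 or config.get("dotnet.dep-packages-must-have-dll"))
    if not filtering:
        return sorted(target)
    return sorted(k for k in target if has_dll_evidence(target, k, config, on_disk))


if __name__ == "__main__":
    claim_only = {"dotnet.dep-packages-must-claim-dll": True}
    propagate = {**claim_only, "dotnet.propagate-dll-claims-to-parents": True}
    must_have = {"dotnet.dep-packages-must-have-dll": True}
    on_disk = {"MyApp.dll", "Newtonsoft.Json.dll"}  # constructed: Leaf.Lib.dll was never shipped
    print("no filter :", select_packages(SAMPLE_DEPS_JSON, {}))
    print("must claim:", select_packages(SAMPLE_DEPS_JSON, claim_only))
    print("propagated:", select_packages(SAMPLE_DEPS_JSON, propagate))
    print("must have :", select_packages(SAMPLE_DEPS_JSON, must_have, on_disk))
```

With no filter every entry in the targets section becomes a package, including the content-only `Docs.Only`. Requiring a claim drops `Docs.Only` and the metapackage; enabling propagation brings the metapackage back because its child claims a DLL, which is the trade-off to weigh when a missing metapackage would hide a vulnerable dependency graph from Grype. Requiring the DLL on disk is the strictest setting and also drops `Leaf.Lib`, and through it the metapackage, when the file is absent from the scanned image.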
Vulnerability scanning
| Data Source | Disclosures: Affected | Disclosures: Date | Fixes: Versions | Fixes: Date | Track by Source Package |
|---|---|---|---|---|---|
| GitHub Security Advisories (GHSA) | | | | | |
| National Vulnerability Database (NVD) | | | | | |
Grype Configuration
| Configuration Key | Description |
|---|---|
| match.dotnet.using-cpes | Use CPE package identifiers to find vulnerabilities |