.NET
Supported frameworks and package managers
Code analysis
Snyk Code supports the following frameworks:
.NET Framework 4.6-4.8.x
ASP.NET 6.x (C# only)
.NET 6
Open source and licensing
Snyk Open Source provides support for both NuGet and Paket, as outlined below.
Feature availability: Features may not be available, depending on your plan. See pricing plans for more details.
Snyk does not currently support PackageReference without a version attribute. If your Project lacks this, Snyk may fail to open a PR for your Project. The current workaround is to add versions to all PackageReferences.
Open source policy
To manage licenses from your developer workflows through policy, see the following topics:
Open source license compliance
To check compliance for open source licenses, see Getting Started with Snyk License Compliance Management.
Getting started with Snyk for .NET across environments
Snyk CLI
Prerequisites
Set the default Organization for all Snyk tests (code analysis)
Code analysis
To start testing your code using Snyk Code, open your repository in a terminal and run the following command:
To customize test options, run other commands, exclude directories and files, and explore the results in different formats, see the following:
Open source and licensing
The following sections list the steps to start scanning your dependencies. The basic commands are covered, such as snyk test and snyk monitor. To check the full list, see CLI commands and options summary.
To scan your dependencies, ensure you install the relevant package manager and that your Project contains the supported manifest files.
NuGet
Dependencies managed by PackageReference
Restore dependencies in the .NET project by running dotnet restore and make sure that obj/project.assets.json has been created by the previous command. Then run snyk test. For more information, see Getting started with the CLI.
Examples of supported Project files that resolve into project.assets.json include:
*.csproj
*.vbproj
*.fsproj
The project.assets.json file is required for scanning.
Project files can be combined with lock files for a more deterministic project.assets.json resolution.
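The two conditions above (every PackageReference carries a Version attribute, and obj/project.assets.json exists after dotnet restore) can be checked in a script before snyk test runs. The following is an added example, not part of Snyk's documentation or CLI; the function names and the sample project are constructed for illustration.

```shell
# Added example, not Snyk code. Function names and sample data are constructed.

# Print the Include name of each <PackageReference> that has no Version attribute.
# RS=">" makes every XML tag one awk record, so multi-line elements work too.
unversioned_refs() {
    awk 'BEGIN { RS = ">" }
    /<PackageReference[ \t\r\n]/ && !/[ \t\r\n]Version[ \t\r\n]*=/ {
        name = "(unknown)"
        if (match($0, /Include[ \t\r\n]*=[ \t\r\n]*"[^"]*"/)) {
            name = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", name); sub(/"$/, "", name)
        }
        print name
    }' "$1"
}

# Report findings for every project file under $1; return 1 if there are any.
preflight() {
    findings=$(
        find "$1" \( -name '*.csproj' -o -name '*.vbproj' -o -name '*.fsproj' \) |
        while IFS= read -r proj; do
            for pkg in $(unversioned_refs "$proj"); do
                echo "NO_VERSION $proj $pkg"
            done
            [ -f "$(dirname "$proj")/obj/project.assets.json" ] ||
                echo "NOT_RESTORED $proj"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample project: one versioned and one unversioned reference.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/app"
    cat > "$d/app/app.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Versioned" Version="1.2.3" />
    <PackageReference Include="Example.Unversioned" />
  </ItemGroup>
</Project>
EOF
    echo "$d"
}

sample=$(make_sample)
preflight "$sample" || echo "Fix the findings before running snyk test."
rm -rf "$sample"
```

A NO_VERSION line means a version has to be added to that reference; a NOT_RESTORED line means dotnet restore has not yet produced obj/project.assets.json for that project.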
Dependencies managed by packages.config
While there are two approaches for dependencies managed by packages.config, the following is the recommended approach because it yields the most accurate results:
First, install the dependencies into the packages folder by running nuget install -OutputDirectory packages and make sure the packages directory has been created by the previous command. Then run snyk test.
Examples of supported project files that resolve into packages include: packages.config
While you should also be able to run snyk test without previously installing dependencies, this will result in less accurate vulnerability results.
NuGet CLI options
For information about the snyk test options available for use with NuGet, see Options for NuGet projects in the Test help. For the available snyk monitor options, see Options for NuGet projects in the Monitor help.
Paket CLI options
To use Paket, be sure a paket.lock file is present in combination with a paket.dependencies file.
Run snyk test.
CLI options for use with other dependencies
Other support includes project.json (no longer recommended, refer to Microsoft documentation).
To build the dependency tree, Snyk analyzes the paket.dependencies and paket.lock files.
Snyk Web UI (Git repository integration)
Import .NET Projects from any of the Git services Snyk supports.
When your Projects have been imported, Snyk analyzes your Projects based on their supported manifest files and then builds the dependency tree and displays it in the Snyk Web UI, similar to the following:
NuGet
After you select a Project for import, Snyk builds the dependency tree based on these manifest files:
For .NET Core, the *.proj files
For .NET Framework, the *.proj file, and packages.config
Examples of supported Project files include:
*.csproj
*.vbproj
*.fsproj
A .NET Project can target multiple target frameworks. Snyk creates a separate dependency tree for each target framework, displaying each as a separate Snyk Project from the interface. This makes it easier to understand why a dependency is being used and also to assess the fix strategy.
Paket
No import support currently.
Git settings for .NET
From the Snyk Web UI, you can configure Snyk to scan your entire Project, including the build dependencies, or skip the build dependencies.
You can also update your language preferences.
Log in to your account and navigate to the relevant Group and Organization you want to manage.
Go to Settings and select settings for .NET. To scan all development dependencies, be sure that Scan build dependencies is checked.
Fixing vulnerabilities for .NET
For a general understanding of how Snyk helps you fix Open Source vulnerabilities within your Projects, see Fix your vulnerabilities.
Feature availability: The Fix PR feature is only available across Snyk SCM integrations.
Fix PR supported manifest files
If you are currently managing your Project dependencies with NuGet and leveraging PackageReference or packages.config, Snyk can automatically update the dependency version in your manifest file, provided there is an actual fix for it. You can then review and merge your fixes.
Snyk integrations
🔗 For integrated development environments, see Use Snyk in your IDE.
🔗 If you prefer continuous integration/continuous delivery workflows, you can scan with Snyk based on the integration with your automation software (see Snyk CI/CD and Snyk API).
Help
For best practices and troubleshooting, see Help.