.NET for open source

Support for .NET for open source

Package managers: NuGet, Paket

Package registry: nuget.org

Import your app through SCM: NuGet

Test or monitor your app through CLI and IDE: Available

Test your app's SBOM: Available, pkg:nuget

Test your app's packages: Available, pkg:nuget

Features:

• Fix PRs (NuGet)

• License scanning

• Reports

Open source and licensing

The following summarizes Snyk Open Source support for NuGet and Paket,

Snyk does not support PackageReference without a version attribute. If your Project lacks this, Snyk may fail to open a PR for your Project. The current workaround is to add versions to all PackageReferences.

Snyk support for the Nuget package manager

The project.assets.json file is required for scanning. Project files can be combined with lock files for a more deterministic project.assets.json resolution.

Examples of supported Project files that resolve into project.assets.json include:

• *.csproj

• *.vbproj

• *.fsproj

If needed, restore dependencies in the .NET project by running dotnet restore and ensure that obj/project.assets.json was created by the previous command. Then run snyk test.

Snyk CLI and Snyk for .NET

For information about the snyk test options for use with NuGet, see Options for NuGet projects in the Test help. For the snyk monitor options, see Options for NuGet projects in the Monitor help.

To use Paket with the Snyk CLI, be sure a paket.lock file is present in combination with a paket.dependencies file. Then run snyk test.

Git repositories and Snyk for .NET

Import .NET Projects from any of the Git services Snyk supports.

When your Projects have been imported, Snyk analyzes your Projects based on their supported manifest files and then builds the dependency tree and displays it in the Snyk Web UI, similar to the following:

Using the Snyk Web UI, you can configure Snyk to scan your entire Project, including the build dependencies, or skip the build dependencies.

You can also update your language preferences.

1. Log in to your account and navigate to the relevant Group and Organization you want to manage.

2. Navigate to Settings and select settings for .NET.

3. To scan all development dependencies, be sure that Scan build dependencies are checked.

After you select a NuGet project for import, Snyk builds the dependency tree based on these manifest files:

• For .NET Core, the *.proj files

• For .NET Framework, the *.proj file, and packages.config

Examples of supported Project files include:

• *.csproj

• *.vbproj

• *.fsproj

A .NET Project can target multiple target frameworks. Snyk creates a separate dependency tree for each target framework, displaying each as a separate Snyk Project from the interface. This makes it easier to understand why a dependency is being used and also to assess the fix strategy.

Snyk does not support Project import for Paket.

Dependencies managed by packages.config

While there are two approaches for dependencies managed by packages.config., the following is the recommended approach because it will yield the most accurate results:

First, install the dependencies into the packages folder by running nuget install -OutputDirectory packages and make sure the packages directory has been created by the previous command. Then run snyk test.

Examples of supported project files that resolve into packages include: packages.config

CLI options for use with other dependencies

Other support includes project.json (no longer recommended, refer to Microsoft documentation).

To build the dependency tree, Snyk analyzes the paket.dependencies and paket.lock files.

Fixing vulnerabilities for .NET

For a general understanding of how Snyk helps you fix Open Source vulnerabilities within your Projects, see Fix your vulnerabilities.

If you are currently managing your Project dependencies with NuGet and using PackageReference or packages.config, Snyk can automatically update the dependency version in your manifest file, provided there is an actual fix for it. You can then review and merge your fixes.