.NET for open source
© 2024 Snyk Limited. All product and company names and logos are trademarks of their respective owners.
Refer to the .NET details for supported package managers and features.
The following summarizes Snyk Open Source support for NuGet and Paket:

| Package managers / Features | CLI support | Git support | License scanning | Fix PRs |
|---|---|---|---|---|
Snyk does not support PackageReference without a version attribute. If your Project lacks this, Snyk may fail to open a PR for your Project. The current workaround is to add versions to all PackageReferences.
The project.assets.json file is required for scanning. Project files can be combined with lock files for a more deterministic project.assets.json resolution.
Examples of supported Project files that resolve into project.assets.json include:
*.csproj
*.vbproj
*.fsproj
If needed, restore dependencies in the .NET project by running dotnet restore and ensure that obj/project.assets.json was created by the previous command. Then run snyk test.
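The PackageReference caveat above is easy to check before running snyk test. As an added example that is not Snyk's own tooling, this script parses a project file and lists every PackageReference that carries no version (neither a Version attribute nor a Version child element); the sample project it checks is constructed.

```python
# Added example (not Snyk's code): pre-check for the PackageReference caveat above.
# Reports every PackageReference in a project file that has neither a Version
# attribute nor a <Version> child element, so versions can be added before snyk test.
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip an XML namespace ("{uri}Tag" -> "Tag"): old-style project files
    # carry the MSBuild 2003 namespace, SDK-style ones carry none.
    return tag.rsplit("}", 1)[-1]


def unversioned_package_references(project_xml):
    """Return package ids of PackageReference items that have no version."""
    root = ET.fromstring(project_xml)
    missing = []
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update")
        if not pkg:
            continue
        has_attr = bool(el.get("Version"))
        has_child = any(_local(c.tag) == "Version" and (c.text or "").strip()
                        for c in el)
        if not (has_attr or has_child):
            missing.append(pkg)
    return missing


# Constructed sample project: a Version attribute, a <Version> child element,
# and one reference with no version at all.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog">
      <Version>3.1.1</Version>
    </PackageReference>
    <PackageReference Include="Polly" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSPROJ
    missing = unversioned_package_references(text)
    for pkg in missing:
        print("PackageReference without a version:", pkg)
    sys.exit(1 if missing else 0)
```

Run it with a project file path (or no argument to check the constructed sample); a non-zero exit status means at least one reference still needs a version.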
For information about the snyk test options for use with NuGet, see Options for NuGet projects in the Test help. For the snyk monitor options, see Options for NuGet projects in the Monitor help.
To use Paket with the Snyk CLI, be sure a paket.lock file is present in combination with a paket.dependencies file. Then run snyk test.
Import .NET Projects from any of the Git services Snyk supports.
When your Projects have been imported, Snyk analyzes your Projects based on their supported manifest files and then builds the dependency tree and displays it in the Snyk Web UI, similar to the following:
Using the Snyk Web UI, you can configure Snyk to scan your entire Project, including the build dependencies, or skip the build dependencies.
You can also update your language preferences.
Log in to your account and navigate to the relevant Group and Organization you want to manage.
Navigate to Settings and select settings for .NET.
To scan all development dependencies, be sure that Scan build dependencies is checked.
After you select a NuGet project for import, Snyk builds the dependency tree based on these manifest files:
For .NET Core, the *.proj files
For .NET Framework, the *.proj file, and packages.config
Examples of supported Project files include:
*.csproj
*.vbproj
*.fsproj
A .NET Project can target multiple target frameworks. Snyk creates a separate dependency tree for each target framework, displaying each as a separate Snyk Project in the interface. This makes it easier to understand why a dependency is being used and also to assess the fix strategy.
Snyk does not support Project import for Paket.
While there are two approaches for dependencies managed by packages.config, the following is the recommended approach because it will yield the most accurate results:
First, install the dependencies into the packages folder by running nuget install -OutputDirectory packages and make sure the packages directory has been created by the previous command. Then run snyk test.
Examples of supported project files that resolve into packages include: packages.config
While you should also be able to run snyk test without previously installing dependencies, this will result in less accurate vulnerability results.
Other support includes project.json (no longer recommended, refer to Microsoft documentation).
To build the dependency tree, Snyk analyzes the paket.dependencies and paket.lock files.
For a general understanding of how Snyk helps you fix Open Source vulnerabilities within your Projects, see Fix your vulnerabilities.
Feature availability: The Fix PR feature is available only for Snyk SCM integrations.
If you are currently managing your Project dependencies with NuGet and using PackageReference or packages.config, Snyk can automatically update the dependency version in your manifest file, provided there is an actual fix for it. You can then review and merge your fixes.