Improved .NET scanning
Release status and feature availability
Improved Snyk Open Source scanning for NuGet .NET applications is in Early Access and available only to Enterprise plan customers. For more information, see Plans and pricing.
You can enable the feature by using Snyk Preview.
While in Early Access, this feature potentially can cause scans to fail or produce different results. Snyk recommends gradually enabling this feature, for example, starting with a subset of your Organizations. For more information, see Enterprise setup.
You can report issues by submitting a support ticket.
Limitations of existing solution
The existing .NET scanning solution for SCM integration in the Snyk Web UI and CLI uses two different approaches. The Dependency Analysis for SCM integrations can produce false positives that have no remediation available and must be manually ignored.
If you use the CLI to scan Projects, you can expect more accurate results compared to importing the same Project using an SCM integration. You can encounter errors when scanning Projects that use specific .NET features.
Scanning improvements
Snyk improved the .NET scanning process to ensure that dependency results are consistent across the CLI and SCM integrations. This update also eliminates false positives from runtime dependencies that were previously displayed in the UI. The approach involves using the internal workings of the .NET ecosystem.
The improved .NET scanning also provides the capability of scanning any Project that can be successfully built by the dotnet
SDK itself, removing the previous limitations of not being able to scan Projects using certain .NET features, such as .props
files, global.json
, or Central Package Management.
.NET scanning improvements for SCM integrations
Snyk Broker is not supported.
The .NET scanning improvements are available when importing Projects using Git repository integrations.
Follow these steps to enable the improvements:
Activate improved .NET scanning for your Organization or Group through the Snyk Preview menu.
Re-import any repositories with .NET applications; re-testing existing Projects is not sufficient.
Private package repository integration
Since the improved .NET solution will build your .NET Project, Snyk requires access to any private NuGet repositories.
The recommended approach is to use nuget.config
files along with registering the credentials in Snyk NuGet private package repository integration (Settings > Integrations > NuGet).
If you are not using nuget.config
, but another way of informing the .NET ecosystem of where to look for private packages, Snyk will attempt to add all private NuGet repository credentials defined in the private package repository integration as a dotnet nuget
source before restoring the Project.
Limitations on improved .NET scanning for SCM integrations
Directory.Build.props
,global.json
and other .NET-specific manifest files are supported, but the file names must use upper and lower case, as Microsoft describes.For
global.json
, Snyk does not support allmajor.minor.patch
versions that are currently supported by Microsoft, only a subset thereof. For more information, see this error code.The operations are performed on a case-sensitive file system, meaning manifest definitions like your
<ProjectReference>
s strings must match files and folders with the same case.Snyk does not support Projects that use Visual Studio Build Tools.
Snyk does not support Windows-specific frameworks (WPF, WCF) for .NET Projects.
.NET scanning improvements for the Snyk CLI
The .NET scanning improvements are also available in the Snyk CLI for both the snyk test and snyk monitor
commands.
Follow these steps to enable the improvements:
Install the latest version of the CLI.
Run
dotnet restore.
Scan your .NET Projects using
snyk test
orsnyk monitor
as usual, but add the--dotnet-runtime-resolution
option.
The --dotnet-runtime-resolution
option works with--all-projects
.
Example: snyk test --dotnet-runtime-resolution
The Improved .NET scanning for the CLI supports multiple target frameworks in your build manifests.
By default, the solution scans all target frameworks. If you want to scan individual target frameworks, you must add the --dotnet-target-framework=<targetFramework>
option to your CLI command.
Example: snyk test --dotnet-runtime-resolution --dotnet-target-framework=net8.0
.Net scanning methods for CLI and SCM
When Snyk scans your Project with Improved .NET, an environment variable named SnykTest
becomes available. You can use this environment variable to create conditionals to avoid executing tools that might break the scan. The following example uses the SnykTest
variable to avoid running the swagger command:
Supported .NET versions
The improved .NET scanning feature supports all versions of .NET core that are supported by Microsoft.
If you import an unsupported .NET Project using an SCM integration, the improved .NET scanning feature will not be enabled and will fall back to the legacy scanning method.
The <TargetFramework>
moniker used must be compatible with what is currently supported by Microsoft in order to be correctly picked up by Snyk scanners.
Last updated