.NET for open source
See the .NET page for details about supported package managers, features, frameworks, and libraries.
Supported .NET versions for open source
.NET for open source supports:
.NET from version 2.0
.NET Framework version 4.* (when using SDK-style project format)
Open source and licensing
The following summarizes Snyk Open Source support for NuGet and Paket,
Snyk does not support PackageReference entries that lack a version attribute. If your Project is missing this attribute, Snyk may fail to open a pull request for it. To resolve this issue, ensure that versions are added to all PackageReference entries.
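To find the affected entries before importing a Project, the following added example (not part of the Snyk documentation or tooling) lists PackageReference items that have no Version attribute. The function names and the sample project are constructed for illustration, and treating a nested Version element as missing is an assumption based on this page naming only the attribute.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PROJECT_GLOBS = ("*.csproj", "*.vbproj", "*.fsproj")  # project types named on this page


def local(tag):
    """Strip an XML namespace: old-style project files declare the MSBuild xmlns."""
    return tag.rsplit("}", 1)[-1]


def unversioned_refs(project_xml):
    """Return sorted package ids whose PackageReference has no Version attribute."""
    missing = set()
    for el in ET.fromstring(project_xml).iter():
        if local(el.tag) != "PackageReference":
            continue
        name = el.get("Include")
        if name is None:  # Update/Remove items do not declare a new reference
            continue
        # Assumption: only the attribute counts, so a nested <Version> is reported too.
        if not (el.get("Version") or "").strip():
            missing.add(name)
    return sorted(missing)


def scan_tree(root_dir):
    """Map each project file under root_dir to its unversioned package ids."""
    findings = {}
    for pattern in PROJECT_GLOBS:
        for path in sorted(Path(root_dir).rglob(pattern)):
            refs = unversioned_refs(path.read_bytes())  # bytes: parser handles BOM/encoding
            if refs:
                findings[str(path)] = refs
    return findings


# Constructed sample project; package names and versions are placeholders.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Json" Version="1.2.3" />
    <PackageReference Include="Contoso.Logging" />
    <PackageReference Include="Contoso.Data"><Version>2.0.0</Version></PackageReference>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": unversioned_refs(SAMPLE)}
    for project, refs in found.items():
        print(f"{project}: PackageReference without Version attribute: {', '.join(refs)}")
    sys.exit(1 if found else 0)
```

Run with a repository path as the only argument; a non-zero exit status means at least one entry was reported, which makes the script usable as a CI gate.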
Snyk CLI and Snyk for .NET
For information about the snyk test options for use with NuGet, see Options for NuGet projects in the Test help.
For the snyk monitor options, see Options for NuGet projects in the Monitor help.
NuGet
The project.assets.json file is required for scanning. Project files can be combined with NuGet locking dependencies for a more deterministic project.assets.json resolution.
Examples of supported Project files that resolve into project.assets.json include:
*.csproj
*.vbproj
*.fsproj
If needed, restore dependencies in the .NET project by running dotnet restore, and ensure that obj/project.assets.json was created by that command. Then run snyk test.
Although you can run snyk test without restoring dependencies first, this may lead to less accurate vulnerability results.
Support for project.json
project.json files are supported, but Microsoft no longer recommends them.
Support for packages.config
Install the dependencies into the packages folder by running
nuget install -OutputDirectory packages
Ensure that the packages directory has been created by the previous command.
Run snyk test.
Examples of supported Project files that resolve into packages include the packages.config file.
Paket
To use Paket with the Snyk CLI, follow these steps:
Ensure a paket.lock file is present in combination with a paket.dependencies file.
Run snyk test.
SCM integrations and Snyk for .NET
Snyk supports only NuGet with SCM integrations.
Import .NET Projects from any of the SCM integrations Snyk supports.
When your Projects have been imported, Snyk analyzes your Projects based on their supported manifest files and then builds the dependency tree and displays it in the Snyk Web UI.
You can use the Snyk Web UI to:
Scan your entire Project, including the build dependencies, or skip them.
Update your language preferences
Follow these steps to enable Scan build dependencies for .NET using the Snyk Web UI:
Log in to your account and navigate to the relevant Group and Organization you want to manage.
Navigate to Settings and select settings for .NET.
To scan all development dependencies, ensure that Scan build dependencies is checked.
After you select a NuGet project for import, Snyk builds the dependency tree based on these manifest files:
For .NET Core, the *.proj files
For .NET Framework, the *.proj file, and packages.config
Examples of supported Project files include:
*.csproj
*.vbproj
*.fsproj
A .NET project can use different frameworks. Snyk creates a separate list of dependencies for each framework, showing each one as its own Snyk Project. This setup helps you understand why you need certain dependencies and makes it easier to plan how to fix any issues.
Fixing vulnerabilities for .NET
See the Fix your vulnerabilities page for a general understanding of how Snyk helps you fix Open Source vulnerabilities within your Projects.
If you are managing your Project dependencies with NuGet and using PackageReference or packages.config, Snyk can automatically update the dependency version in your manifest file, provided there is an actual fix for it. You can then review and merge your fixes.