C# - Nuget, Paket

See a breakdown of the file formats and features supported in C#.

Debricked currently supports the tracking of C# dependencies through:

  • NuGet, using .csproj, packages.lock.json and packages.config files

  • file fingerprinting, to find dependencies not defined in manifest-files

  • Paket, using paket.lock file

If there is a modern NuGet project where dependencies are defined in .csproj files, Debricked recommends using the packages.lock.json file. This file allows Debricked to analyze the dependency tree and suggest root fixes. By default, NuGet does not generate this file, but you can create it using the High Performance Scans technology with the Debricked CLI or by enabling repeatable package restores and then committing the generated file. When you run the resolve command, the Debricked CLI automatically detects all manifest files that lack the recommended lock files and generates them as needed.

In older NuGet projects, dependencies are typically stored in a packages.config ile. Debricked recommends that users generate the necessary lock file for dependency management and root fixes using High Performance Scans with the Debricked CLI. The command debricked resolve will create a packages.lock.json style file by first translating the packages.config into a .csproj file using NuGet. From there, the lock file is generated. Once the process is complete, the .csproj file is deleted, leaving only the newly created lock file. To avoid potential conflicts with NuGet, the specially created NuGet lock file is named as packages.config.nuget.debricked.lock.

By default, in all integrations except the GitHub app, the Debricked scan command will automatically try to generate the necessary lock files before sending your dependency files for scanning.

Debricked also supports sending only .csproj or packages.config files for scanning, but the packages.lock.json or packages.config.nuget.debricked.lock file is preferred, as it provides the most accurate tracking of dependency versions and trees, enabling root fixes.

High Performance Scans for NuGet utilize native commands when resolving and include all dependencies defined with NuGet, including those managed through Central Package Management (CPM).

If at least one of the supported files is committed to your repository, it will be automatically scanned for dependencies when you have done any of our integrations to your CI/CD pipeline.

File fingerprinting

Debricked supports scanning for C# dependencies not defined in manifest files through file fingerprinting. Debricked database contains the hashes of .nupkg files as well as their unpacked contents (including .dll files) for all packages in the NuGet gallery. This is used when comparing with the contents of your application, to ensure as accurate matches as possible. For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features

Package Manager
Supported File Formats
Root dependencies
Indirect dependencies
Dependency trees
Security Scanning
License Scanning
Root Fix
Pull Request
Vulnerable Functionality
High Performance Scan

Nuget

.csproj

Yes

Nuget

package.lock.json

Yes*

Nuget

packages.config

Yes

Paket

paket.lock

Yes*

-

fingerprinted files (.dll, .nupkg and more**)

-

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

**When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, Debricked matches .dll files for C# and .class files within .jar files for Java, along with similar files from other programming languages.

Last updated

Was this helpful?