© 2018-2024 | Open Text

C# - Nuget, Paket

See a breakdown of the file formats and features supported in C#.

Last updated 7 days ago

OpenText Core SCA currently supports the tracking of C# dependencies through:

  • NuGet, using .csproj, packages.lock.json and packages.config files

  • File fingerprinting, to find dependencies not defined in manifest files

  • Paket, using the paket.lock file

If you have a modern NuGet project where dependencies are defined in .csproj files, OpenText Core SCA recommends using the packages.lock.json file. This file allows OpenText Core SCA to analyze the dependency tree and suggest root fixes. By default, NuGet does not generate this file, but you can create it using the High Performance Scans technology with the OpenText Core SCA CLI, or by enabling repeatable package restores and then committing the generated file. When you run the resolve command, the OpenText Core SCA CLI automatically detects all manifest files that lack the recommended lock files and generates them as needed.

In older NuGet projects, dependencies are typically stored in a packages.config file. OpenText Core SCA recommends that users generate the necessary lock file for dependency management and root fixes using High Performance Scans with the Debricked CLI. The command debricked resolve will create a packages.lock.json style file by first translating the packages.config into a .csproj file using NuGet. From there, the lock file is generated. Once the process is complete, the .csproj file is deleted, leaving only the newly created lock file. To avoid potential conflicts with NuGet, the specially created lock file is named packages.config.nuget.debricked.lock.

By default, in all integrations except the GitHub app, the Debricked scan command will automatically try to generate the necessary lock files before sending your dependency files for scanning.

OpenText Core SCA also supports sending only .csproj or packages.config files for scanning, but the packages.lock.json or packages.config.nuget.debricked.lock file is preferred, as it provides the most accurate tracking of dependency versions and trees, enabling root fixes.
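As an added illustration (not the page's or the Debricked CLI's own code) of why the lock file is preferred for root fixes: packages.lock.json flags each package as Direct or Transitive and records what it pulls in, so a finding in a transitive package can be traced back to the direct package that must be upgraded, whereas packages.config is a flat list with no edges. Package names and versions below are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the NuGet packages.lock.json (version 1) layout: each
# package is flagged Direct or Transitive; names and versions are illustrative.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Acme.WebClient": {"type": "Direct", "requested": "[2.1.0, )",
                       "resolved": "2.1.0", "dependencies": {"Acme.Http": "1.4.0"}},
    "Acme.Logging": {"type": "Direct", "requested": "[3.0.0, )",
                     "resolved": "3.0.0", "dependencies": {"Acme.Json": "5.2.0"}},
    "Acme.Http": {"type": "Transitive", "resolved": "1.4.0",
                  "dependencies": {"Acme.Json": "5.2.0"}},
    "Acme.Json": {"type": "Transitive", "resolved": "5.2.0"}}}})

# Constructed packages.config for the same packages: a flat list, no edges.
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Acme.WebClient" version="2.1.0" targetFramework="net48" />
  <package id="Acme.Http" version="1.4.0" targetFramework="net48" />
  <package id="Acme.Json" version="5.2.0" targetFramework="net48" />
</packages>"""

def load_lock_graph(lock_text):
    """Return {tfm: {package: (type, resolved version, [dependency names])}}."""
    doc = json.loads(lock_text)
    if doc.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    return {tfm: {name: (info["type"], info["resolved"],
                         list(info.get("dependencies", {})))
                  for name, info in pkgs.items()}
            for tfm, pkgs in doc["dependencies"].items()}

def reaches(graph, start, target, seen):
    """Depth-first walk over dependency edges; `seen` cuts cycles."""
    if start == target:
        return True
    if start in seen or start not in graph:
        return False
    seen.add(start)
    return any(reaches(graph, dep, target, seen) for dep in graph[start][2])

def roots_for(graph, target):
    """Direct packages whose closure contains target: the .csproj entries to upgrade (root fix)."""
    return sorted(name for name, (kind, _, _) in graph.items()
                  if kind == "Direct" and reaches(graph, name, target, set()))

def packages_config_graph(xml_text):
    """packages.config has no Direct/Transitive flag and no edges: roots_for() finds no root."""
    pkgs = ET.fromstring(xml_text).findall("package")
    return {p.get("id"): ("Unknown", p.get("version"), []) for p in pkgs}
```

With the lock file, a finding in Acme.Json resolves to two root fixes (upgrade Acme.Logging and Acme.WebClient); with packages.config alone the same question has no answer, which is why only the lock file enables root fixes.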

High Performance Scans for NuGet utilize native commands when resolving and include all dependencies defined with NuGet, including those managed through Central Package Management (CPM).

If at least one of the supported files is committed to your repository, it will be automatically scanned for dependencies once you have added any of our integrations to your CI/CD pipeline.

File fingerprinting

OpenText Core SCA supports scanning for C# dependencies not defined in manifest files through file fingerprinting. The OpenText Core SCA database contains the hashes of .nupkg files as well as their unpacked contents (including .dll files) for all packages in the NuGet gallery. These hashes are compared with the contents of your application to make matches as accurate as possible. For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features

| Package manager | Supported file formats | Root dependencies | Indirect dependencies | Dependency trees | Security scanning | License scanning | Root fix | Pull Request | Reachability Analysis | High Performance Scan |
|---|---|---|---|---|---|---|---|---|---|---|
| NuGet | .csproj | | | | | | | | | Yes |
| NuGet | packages.lock.json | | | | | | | | | Yes* |
| NuGet | packages.config | | | | | | | | | Yes |
| Paket | paket.lock | | | | | | | | | Yes* |
| - | fingerprinted files (.dll, .nupkg and more**) | | | | | | | | | - |

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

**When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, Debricked matches .dll files for C# and .class files within .jar files for Java, along with similar files from other programming languages.
