C# - NuGet, Paket

See a breakdown of the file formats and features supported in C#.

Debricked currently supports tracking C# dependencies via:

  • NuGet, using .csproj, packages.lock.json and packages.config files

  • file fingerprinting, to find dependencies not defined in manifest-files

  • Paket, using paket.lock file

If you have a modern NuGet project where dependencies are defined in .csproj files, we recommend using the packages.lock.json file. This allows Debricked to parse out the dependency tree and recommend root fixes. NuGet does not generate this file by default; you can either let the High Performance Scans technology in the Debricked CLI generate it, or enable repeatable package restores (the RestorePackagesWithLockFile MSBuild property) and commit the generated file. When you run the resolve command, the Debricked CLI automatically detects every manifest file that lacks its recommended lock file and generates the lock files as needed.

In older NuGet projects, dependencies are typically stored in a packages.config file. In this case, we recommend generating the needed lock file (for dependency trees and root fixes) with High Performance Scans in the Debricked CLI. The debricked resolve command generates a packages.lock.json style file by using NuGet to translate the packages.config into a temporary .csproj file, from which the lock file is then generated. When complete, the temporary .csproj file is deleted, leaving just the newly created lock file. To prevent conflicts with NuGet's own lock file, this specially created lock file is named packages.config.nuget.debricked.lock.

By default, in all integrations other than the GitHub app, the debricked scan command will automatically attempt to generate the needed lock files before sending your dependency files for scanning.

We also support sending just .csproj or packages.config files for scanning, but the packages.lock.json or packages.config.nuget.debricked.lock file is still preferred, as it provides the most accurate tracking of dependency versions and trees and enables root fixes.

Since High Performance Scans for NuGet use native NuGet commands when resolving and include every dependency NuGet itself resolves, dependencies declared through Central Package Management (CPM) are supported as well.
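To make the differences between the formats discussed above concrete (the packages.config and .csproj inputs, the version-less PackageReference items that CPM produces, and what a packages.lock.json adds), here is an added example in Python that is not part of Debricked's documentation or tooling. It parses each format, checks whether a project has repeatable restore enabled, and walks the lock file's edges from a transitive package back to the direct dependency that pulls it in, which is the root a root fix would bump. The sample manifests, package names and versions are constructed for the example; the packages.config.nuget.debricked.lock format is not documented on this page, so the example works with a standard packages.lock.json only.

```python
"""Parsers for the NuGet manifest formats discussed above, plus two checks:
is repeatable restore enabled, and which direct dependency a transitive
package hangs off (the 'root' that a root fix bumps)."""
import json
import xml.etree.ElementTree as ET

# --- constructed sample inputs (not taken from any real project) -------------
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" />
  <package id="RestSharp" version="106.15.0" targetFramework="net472" />
</packages>"""

DIRECTORY_PACKAGES_PROPS = """<Project>
  <PropertyGroup><ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally></PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageVersion Include="RestSharp" Version="110.2.0" />
  </ItemGroup>
</Project>"""

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="RestSharp" />
  </ItemGroup>
</Project>"""

# Shape of packages.lock.json as NuGet writes it; contentHash values are dummies.
PACKAGES_LOCK = """{"version": 1, "dependencies": {"net6.0": {
  "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "x"},
  "RestSharp": {"type": "Direct", "requested": "[110.2.0, )", "resolved": "110.2.0", "contentHash": "x",
                "dependencies": {"System.Text.Json": "7.0.2"}},
  "System.Text.Json": {"type": "Transitive", "resolved": "7.0.2", "contentHash": "x",
                       "dependencies": {"System.Text.Encodings.Web": "7.0.0"}},
  "System.Text.Encodings.Web": {"type": "Transitive", "resolved": "7.0.0", "contentHash": "x"}}}}"""


def _elements(text, name):
    """All elements with local name `name`; old-style project files carry an
    MSBuild namespace, so match on the local name only."""
    return [e for e in ET.fromstring(text).iter() if e.tag.rsplit("}", 1)[-1] == name]

def parse_packages_config(text):
    """packages.config: flat pinned list, nothing about who pulls in what."""
    return {p.get("id"): p.get("version") for p in _elements(text, "package")}

def parse_directory_packages_props(text):
    """Directory.Packages.props (Central Package Management): one version per id."""
    return {p.get("Include"): p.get("Version") for p in _elements(text, "PackageVersion")}

def parse_csproj(text, central=None):
    """PackageReference items. Under CPM the Version attribute is absent and must
    be looked up centrally; without that lookup the version is simply unknown."""
    central = central or {}
    deps = {}
    for ref in _elements(text, "PackageReference"):
        pkg = ref.get("Include")
        deps[pkg] = ref.get("Version") or ref.findtext("Version") or central.get(pkg)
    return deps

def repeatable_restore_enabled(csproj_text):
    """True when the project asks NuGet to write packages.lock.json on restore."""
    props = _elements(csproj_text, "RestorePackagesWithLockFile")
    return any((p.text or "").strip().lower() == "true" for p in props)

def parse_packages_lock(text):
    """packages.lock.json: per target framework, the resolved version, the
    Direct/Transitive type and the edges needed to rebuild the tree."""
    data = json.loads(text)
    if data.get("version") != 1:
        raise ValueError("unsupported lock file version %r" % data.get("version"))
    return data["dependencies"]

def roots_of(framework_deps, package):
    """Direct dependencies whose subtree contains `package`. A root fix bumps one
    of these instead of pinning the transitive package by hand."""
    parents = {}
    for name, info in framework_deps.items():
        for child in info.get("dependencies", {}):
            parents.setdefault(child, set()).add(name)
    roots, seen, stack = set(), set(), [package]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if framework_deps.get(cur, {}).get("type") == "Direct":
            roots.add(cur)
        stack.extend(parents.get(cur, ()))
    return roots
```

Note that parse_csproj without the central version table returns None for every CPM-managed reference: a scanner that reads only the .csproj cannot know the version, and no manifest other than the lock file carries the edges that roots_of needs. That is the practical reason the lock file is preferred above.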

If at least one of the supported files is committed to your repository, it is scanned for dependencies automatically once you have set up any of our CI/CD pipeline integrations.

File fingerprinting

Debricked supports scanning for C# dependencies that are not defined in manifest files through file fingerprinting. Our database contains the hashes of .nupkg files, as well as of their unpacked contents (including .dll files), for all packages in the NuGet gallery. These hashes are compared against the contents of your application to match dependencies as accurately as possible. For more information on file fingerprinting and how to set it up, see file fingerprinting.
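The following added example, which is not Debricked's code and does not reproduce its database, shows the mechanics of the fingerprinting approach described above: build a constructed .nupkg in memory, hash the archive and each unpacked file, then match build output against the index. SHA-256, the exclusion of packaging metadata (.nuspec, .psmdcp, [Content_Types].xml, .rels) and the package Foo.Utils are this example's own assumptions; the page does not state which hash or which exclusion patterns Debricked uses.

```python
"""Fingerprinting a NuGet package the way the text above describes: hash the
.nupkg itself and every file it unpacks to, then look application files up by
hash. SHA-256 and the exclusion list are this example's own choices."""
import hashlib
import io
import zipfile

# Packaging metadata present in every .nupkg; hashing it would match every
# package at once, so it is excluded from the index (assumed exclusion list).
EXCLUDED = (".nuspec", ".psmdcp", "[Content_Types].xml", ".rels")

# Constructed stand-in for a compiled assembly (a real one is a PE image).
FOO_DLL = b"MZ" + b"\x90" * 62 + b"constructed Foo.Utils 1.2.3 assembly body"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_nupkg(package_id, version, files):
    """Constructed .nupkg: a zip with a .nuspec, content-types metadata and the
    given payload files (path -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{package_id}.nuspec",
                    f"<package><metadata><id>{package_id}</id>"
                    f"<version>{version}</version></metadata></package>")
        zf.writestr("[Content_Types].xml", "<Types/>")
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


def fingerprint_nupkg(package_id, version, nupkg_bytes):
    """Index entries hash -> (package, version, path) for the archive itself and
    for each unpacked file that is not packaging metadata."""
    index = {sha256(nupkg_bytes): (package_id, version, "<nupkg>")}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/") or name.endswith(EXCLUDED):
                continue
            index[sha256(zf.read(name))] = (package_id, version, name)
    return index


def scan(index, app_files):
    """Match application files (path -> bytes) against the index. Only exact
    content matches count: a recompiled or patched DLL yields no hit, which is
    the main limitation of hash-based fingerprinting."""
    hits = {}
    for path, data in app_files.items():
        match = index.get(sha256(data))
        if match:
            hits[path] = match
    return hits


def demo():
    """Index one constructed package and scan a constructed build output."""
    nupkg = build_nupkg("Foo.Utils", "1.2.3", {"lib/net6.0/Foo.Utils.dll": FOO_DLL})
    index = fingerprint_nupkg("Foo.Utils", "1.2.3", nupkg)
    app = {"bin/Release/Foo.Utils.dll": FOO_DLL,           # copied from the package
           "bin/Release/App.dll": b"MZ first-party code",   # not in any package
           "packages/Foo.Utils.1.2.3.nupkg": nupkg}         # cached archive
    return scan(index, app)
```

The scan function only finds byte-identical files. A DLL rebuilt from source or patched in place will not match, which is why fingerprinting complements rather than replaces the manifest-based scan.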

Supported file formats and features

The table lists, per package manager and file format, whether the format is supported. The features evaluated for each format are: root dependencies, indirect dependencies, dependency trees, security scanning, license scanning, root fix, pull request, vulnerable functionality and high performance scan.

Package Manager | Supported File Formats                        | Supported
----------------|-----------------------------------------------|----------
NuGet           | .csproj                                       | Yes
NuGet           | packages.lock.json                            | Yes*
NuGet           | packages.config                               | Yes
Paket           | paket.lock                                    | Yes*
-               | fingerprinted files (.dll, .nupkg and more**) | -

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

**When building our knowledge base, we download files, unpack them, and fingerprint all of their contents apart from a few excluded patterns. The table above lists the files we download from each source; we fingerprint all contents of each file. Examples are matching on .dll files for C#, and on .class files contained in a .jar file once we release Java support.
