C# - NuGet and Paket

  • 12 January 2023
  • 1 reply
  • 725 views

Debricked currently supports tracking C# dependencies via:

  • NuGet, using .csproj, packages.lock.json and packages.config files

  • Paket, using paket.lock file

  • File fingerprinting, to find dependencies not defined in manifest files

If you have a modern NuGet project where dependencies are defined in .csproj files, we recommend using the packages.lock.json file. This will allow Debricked to parse out the dependency tree and recommend root fixes. This file is not generated by NuGet by default, but can be generated by either using the High Performance Scans technology with the Debricked CLI or by enabling repeatable package restores and then committing the generated file. By running the resolve command, the Debricked CLI automatically detects all manifest files without the recommended lock files and generates the files as needed.

In older NuGet projects, dependencies are typically stored in a packages.config file. If this is the case, we recommend that users generate the needed lock file (for dependency trees and root fixes) by using High Performance Scans with the Debricked CLI. This command (debricked resolve) will generate a packages.lock.json style file by using NuGet to translate the packages.config into a .csproj file, from which the lock file is then generated. When complete, the .csproj file is deleted, leaving just the newly created lock file. In order to prevent potential conflicts with NuGet, we have named this specially created NuGet lock file packages.config.nuget.debricked.lock.

By default, in all integrations other than the GitHub app, the debricked scan command will automatically attempt to generate the needed lock files before sending your dependency files for scanning.

We also support sending just .csproj or packages.config files for scanning, but the packages.lock.json or packages.config.nuget.debricked.lock file is still preferred, as it provides the most accurate tracking of dependency versions and trees and enables root fixes.

Since High Performance Scans for NuGet uses native commands when resolving and includes all dependencies defined with NuGet, we also support those included through Central Package Management (CPM).

If at least one of the supported files is committed to your repository, it will be automatically scanned for dependencies once you have added any of our integrations to your CI/CD pipeline.

File fingerprinting

Debricked supports scanning for C# dependencies not defined in manifest files through file fingerprinting. Our database contains the hashes of .nupkg files as well as their unpacked contents (including .dll files) for all packages in the NuGet gallery. This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

For more information on the file fingerprinting feature and how to get set up, see file fingerprinting.

Supported file formats and features:

Columns: Language | Package Manager | Supported File Formats | Root dependencies | Indirect dependencies | Dependency trees | Security Scanning | License Scanning | Root Fix

  • C# / NuGet: .csproj, packages.lock.json, packages.config

  • C# / Paket: paket.lock

  • C# / fingerprinted files*

*for more information on what files we match on, see file fingerprinting.

 

Have a look at the overview of all supported languages.
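As an added illustration (not Debricked's code), the following Python walks a constructed packages.lock.json to show why the lock file, unlike a bare .csproj, lets a scanner name the direct package that must be bumped to fix a vulnerable transitive one. The Acme.* package names, versions and the target framework are made up for the example.

```python
import json

# Constructed sample packages.lock.json (not from any real project; contentHash values are
# placeholders). "Direct" entries mirror the .csproj; "Transitive" entries are pulled in by them.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Acme.Web": {"type": "Direct", "requested": "[2.0.0, )", "resolved": "2.0.0",
                   "contentHash": "PLACEHOLDER", "dependencies": {"Acme.Core": "1.4.0"}},
      "Acme.Logging": {"type": "Direct", "requested": "[3.1.0, )", "resolved": "3.1.0",
                       "contentHash": "PLACEHOLDER",
                       "dependencies": {"Acme.Core": "1.4.0", "Acme.Json": "5.0.2"}},
      "Acme.Core": {"type": "Transitive", "resolved": "1.4.0", "contentHash": "PLACEHOLDER",
                    "dependencies": {"Acme.Json": "5.0.2"}},
      "Acme.Json": {"type": "Transitive", "resolved": "5.0.2", "contentHash": "PLACEHOLDER"}
    }
  }
}"""


def load_packages(lock_text, framework):
    """Return the package map for one target framework from a packages.lock.json document."""
    doc = json.loads(lock_text)
    if doc.get("version") != 1:
        raise ValueError("unsupported lock file version")
    return doc["dependencies"][framework]


def roots_for(packages, target):
    """Direct packages whose subtree contains `target`: the packages a root fix would bump."""
    def reaches(name, seen):
        if name == target:
            return True
        if name in seen or name not in packages:
            return False
        seen.add(name)
        return any(reaches(child, seen) for child in packages[name].get("dependencies", {}))
    return sorted(p for p, meta in packages.items() if meta["type"] == "Direct" and reaches(p, set()))


def path_to(packages, root, target):
    """One dependency chain root -> ... -> target recorded in the lock file, or [] if none."""
    stack = [[root]]
    while stack:
        path = stack.pop()
        if path[-1] == target:
            return path
        for child in packages.get(path[-1], {}).get("dependencies", {}):
            if child not in path:  # guard against cycles in a malformed lock file
                stack.append(path + [child])
    return []
```

With the sample above, a finding against Acme.Json 5.0.2 resolves to two roots, Acme.Logging (directly) and Acme.Web (via Acme.Core), which is exactly the information a .csproj alone cannot provide.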


1 reply


Debricked currently supports tracking C# dependencies via:

  • NuGet, using .csproj, packages.lock.json and packages.config files

  • Paket, using paket.lock file

Older NuGet projects typically contain a packages.config file and no further action from you is required. If you have a more modern NuGet project we recommend using the packages.lock.json instead. This file is not generated by default - instead, you first have to enable repeatable package restores and then commit the generated file.
We also support the use of .csproj files, but the packages.lock.json file is still preferred, as it provides the most accurate tracking of dependency versions.

If at least one of the supported files is committed to your repository, it will be automatically scanned for dependencies once you have added any of our integrations to your CI/CD pipeline.

Supported file formats and features:

Columns: Language | Package Manager | Supported File Formats | Root dependencies | Indirect dependencies | Dependency trees | Security Scanning | License Scanning | Root Fix

  • C# / NuGet: .csproj, packages.lock.json, packages.config

  • C# / Paket: paket.lock

Have a look at the overview of all supported languages.
