Dependency Scanning for .NET projects without packages.lock.json (aka Direct support for .csproj)


Note to wider-community, sales, support and customer success

As always, we welcome contributions, so feel free to ask the PM of Composition Analysis questions if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments should ideally include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.

Problem to solve

Dependency Scanning support for NuGet/.NET projects is limited to git repositories that contain packages.lock.json, a lock file generated by NuGet. However, the lock file is optional, and users might not want to add it to their repositories.

Currently the Dependency Scanning docs link to the NuGet docs, which explain how to generate a lock file.

Warning! Not using a lock file might result in a gap between the packages detected during the scan and the ones deployed to production: the versions resolved at scan time might not be the same as the versions resolved at build time.

Proposal

Add support for NuGet/.NET projects that don't have a lock file, so that they can be scanned right away without any additional setup.

Technically, Gemnasium could be changed to run the dotnet command to generate packages.lock.json prior to scanning it; this would be implemented using a builder. Support might be limited to specific versions of .NET, unless we publish multiple images to support multiple versions. See #347291 (comment 1136889431).

Alternatively, support for .NET projects without packages.lock.json might be implemented in the SBOM generators, which adds complexity but reduces maintenance cost. See #347291 (comment 1137378141) and Extract SBoM making jobs from Dependency Scanning (&8206 - closed).

Workaround (And Possible Solution Code)

Here is a recent working example of generating packages.lock.json dynamically. It is compatible with the scanner changes made since the original example above. This command is for .NET Framework 4.x. The following job documents the dotnet.exe command line needed for modern .NET: https://gitlab.com/guided-explorations/microsoft/azure-aks/aks-windows/-/blob/master/gitlab-ci-libs/nuget-dependency-scanning.ci.yml
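As an added illustration of the workaround above and of the "generate the lock file prior to scanning" approach from the proposal, here is a minimal .gitlab-ci.yml that produces packages.lock.json in a build-stage job and hands it to the Dependency Scanning template's gemnasium job. This is example configuration written for this issue, not code from the linked CI library or from the Gemnasium project; the SDK image tag, the stage names and the job name `generate-nuget-lockfile` are assumptions you would adapt to your project.

```yaml
# Added example (not the project's own code): generate packages.lock.json
# in a build-stage job so the Dependency Scanning job finds it in the test stage.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - build
  - test

generate-nuget-lockfile:          # assumed job name
  stage: build
  # Placeholder image tag: use the SDK version the project actually targets,
  # otherwise the resolved versions may differ from the production build.
  image: mcr.microsoft.com/dotnet/sdk:6.0
  script:
    # --use-lock-file writes packages.lock.json next to each project file.
    # Setting <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    # in the .csproj has the same effect without the flag.
    - dotnet restore --use-lock-file
    # Fail early if no lock file was produced, instead of letting the scan
    # run silently against a project it cannot resolve.
    - test -n "$(find . -name packages.lock.json -print -quit)"
  artifacts:
    paths:
      - "**/packages.lock.json"
    expire_in: 1 day

gemnasium-dependency_scanning:
  # Make the ordering explicit so the lock files are present before the scan;
  # artifacts of a job listed in `needs` are downloaded into this job.
  needs:
    - generate-nuget-lockfile
```

Because the lock file is generated at scan time rather than committed, the scan reflects whatever NuGet resolves on that runner with that SDK and those feeds; to keep the scan aligned with what ships, use the same SDK image and NuGet sources as the production build, or commit the generated packages.lock.json so both restores are pinned to the same versions.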
