NuGet Package Scanner

The NuGet package scanner automatically detects and extracts all third-party dependencies declared in your .NET projects that use NuGet as their package manager.

What It Does

Default file: .csproj

When you enable the NuGet scanner during SBOM creation, CAST SBOM Manager will:

• Process NuGet dependency files
• Support multiple NuGet formats from different .NET Framework and .NET Core versions
• Extract package references with their exact versions
• Parse project files (*.csproj, *.fsproj, *.vbproj)
• Parse legacy formats (packages.config, project.json)

NuGet File Formats

The NuGet scanner supports three different file formats, reflecting the evolution of .NET dependency management:

• Project files (*.csproj, *.fsproj, *.vbproj) - Modern format used by .NET Framework 2016+ and .NET Core/5+
• packages.config - Legacy XML format used by .NET Framework 2010-2016
• project.json - Early .NET Core format (2015-2017), now deprecated

All formats declare direct dependencies only. The scanner processes each format independently and captures the package references as declared.

Version handling:

• Legacy formats (packages.config, project.json) always specify exact versions
• Modern PackageReference typically specifies exact versions, but may use version ranges (e.g., [1.0,2.0))
• Version ranges and wildcards are captured as declared, not as resolved versions

Dependency classification:

• All PackageReference entries are captured regardless of their purpose (runtime, development, build-time, analyzers, etc.)
• The scanner does not distinguish between package sources (nuget.org, private feeds, or local sources)

What Gets Detected

The NuGet scanner identifies dependencies from the following file formats:

Project Files (.csproj, .fsproj, .vbproj)

Supported for:

• .NET Framework 2016 and later
• .NET Core 2017 and later
• .NET 5+ (modern .NET)

From project files, the scanner extracts:

• Direct dependencies only - PackageReference elements declared in the project file
• Package names and exact versions
• Both simple and complex reference formats

Supported formats:

Simple PackageReference:

<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />

Inline version attribute:

<PackageReference Include="Microsoft.Extensions.Logging, Version=6.0.0" />

The scanner handles both XML attribute formats and extracts the package name and version correctly.

packages.config

Supported for:

• .NET Framework 2010-2016
• .NET Core 2017 and later (legacy support)

From packages.config files, the scanner extracts:

• Direct dependencies only - package elements declared in the configuration file
• Package IDs and exact versions from id and version attributes
• Legacy NuGet package declarations

Format:

<packages>
  <package id="Newtonsoft.Json" version="13.0.1" />
  <package id="EntityFramework" version="6.4.4" />
</packages>

project.json

Supported for:

• .NET Core Initial (2015-2017)
• Legacy early .NET Core projects

From project.json files, the scanner extracts:

• Direct dependencies only - packages declared in the dependencies object
• Package names and exact version strings
• Early .NET Core JSON-based dependency declarations

Format:

{
  "dependencies": {
    "Microsoft.AspNetCore.Mvc": "1.0.0",
    "Newtonsoft.Json": "9.0.1"
  }
}

How It Works

Project File Processing (.csproj, .fsproj, .vbproj)

When scanning a project file, the scanner:

1. Parses the XML structure using a hardened XML parser (with protections against XXE attacks and external entities)
2. Locates all <PackageReference> elements
3. For each reference:
   • Extracts the Include attribute (package name)
   • Extracts the Version attribute
   • Handles inline version format (e.g., Include="Package, Version=1.0")
   • Splits package name and version when both are in the Include attribute
4. Creates a dependency entry with the package name and version

Note: The processor recognizes files matching *.csproj, *.fsproj, or *.vbproj (case-insensitive) and selects the appropriate parsing logic.

packages.config Processing

When scanning a packages.config file, the scanner:

1. Parses the XML structure
2. Locates all <package> elements
3. For each package:
   • Extracts the id attribute (package name)
   • Extracts the version attribute
4. Creates a dependency entry with the package ID and version

project.json Processing

When scanning a project.json file, the scanner:

1. Parses the JSON structure
2. Locates the dependencies object
3. For each property in the dependencies object:
   • Uses the property name as the package name
   • Uses the property value as the version string
4. Creates a dependency entry with the package name and version

Deduplication

The scanner deduplicates packages within each file based on package name and version:

• Uses the format packageName@version as the unique key
• If the same package with the same version appears multiple times in the same file, only one entry is created
• Ensures clean dependency lists from each processed file

What It Doesn't Detect

The NuGet scanner focuses on declared package references. It does not detect:

• Assembly references - Direct DLL references without NuGet packages
• Project references - References to other projects in your solution
• COM references - Legacy COM component references
• Framework assemblies - .NET Framework built-in assemblies
• Global tool packages - NuGet tools installed globally
• Transitive dependencies - Only direct package references are captured; transitive dependencies resolved at restore time are not included
• Manually copied DLLs not managed by NuGet
• Embedded or copy-pasted code from open source projects

For a complete view of all resolved dependencies (including transitives), you would need to inspect the project's project.assets.json or packages.lock.json files, which are not currently processed by this scanner.

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.