
NuGet Application Analysis

Evaluation: Advanced Binary Fingerprinting (ABF)

The primary open-source repository for .NET components is NuGet. A NuGet package is an archive file with the .nupkg extension. These packages contain compiled code in the form of Pecoff (PE = Portable Executable, COFF = Common Object File Format) files, related files, and a descriptive manifest. Developers may add complete packages to their applications or directly utilize the Pecoff files from the package. The .NET build process will remove non-essential files connecting individual Pecoff files back to their parent components.

  • Analysis of NuGet packages includes Security, License, and Identity data.

  • Lifecycle scanners support both binaries and manifest files but will default to binaries when they are present in the scan target.

  • Lifecycle ABF scans identify both NuGet packages (.nupkg) and the following Pecoff extensions: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp

  • Pecoff data: License data is associated with NuGet packages and may be inherited by their component files. Pecoff files often belong to common libraries that exist in many NuGet projects. When the declared NuGet project cannot be determined, only Security and Identity data will be available for the component. Because Pecoff files do not carry license information, you might notice a decrease in license identifications. To obtain this information, we recommend either scanning the .nupkg file directly or creating a BOM using CycloneDX.

  • During build time: NuGet dependencies can be output to a directory for a more complete analysis of the required open-source components. These commands will result in the most accurate representation of the open source used but may include more versions (assemblies) than what will be deployed in the application.

    • nuget restore -OutputDirectory packages

    • dotnet restore --packages packages

  • Developer's local build: A script may be used by the Visual Studio plugin to download all of the NuGet dependencies for analysis. These code snippets may be used as a possible starting point.

  • CycloneDX SBOM: An SBOM from CycloneDX/cyclonedx-dotnet can be used to accurately identify the direct and transitive dependencies declared in the .NET project file. The SBOM will be included in the analysis when present in the binary scan.

Scanning MSI Packages

An MSI (Microsoft Software Installer) file is a package file that contains instructions for installing, updating, configuring, and removing software on Windows. The contents that go into an MSI are compressed and modified, so they may not be scanned effectively. Analyzing .msi files is not currently supported.

Scan the contents of your application before packaging your application into the .msi format.

Evaluation: Project files

A Lifecycle analysis can be run from source control by directly scanning the project (.csproj) and packages.config files. Both are package file options used in NuGet projects.

  • Only components with an exact version specified are evaluated.

  • Transitive dependencies are not included.

.csproj

The include and version fields will be evaluated.

  • Include: Contoso.Utility.UsefulStuff

  • Version: 3.6.0

.csproj

<Project Sdk="Microsoft.NET.Sdk">
        <ItemGroup Condition = "'$(TargetFramework)' == 'net452'">
                <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.0" />
                <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.*" />
        </ItemGroup>
</Project>

packages.config

The id and version fields will be evaluated.

  • id: 7zip

  • version: 4.23.0

packages.config

<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="7zip" version="4.23.0" targetFramework="net46" developmentDependency="true" />
  <package id="bootstrap" version="4.0.0-beta" targetFramework="net46" developmentDependency="true" />
</packages>
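Because only components with an exact version are evaluated from project files, it is useful to know before a scan which PackageReference and package entries will be skipped. The following pre-scan check is an added example, not Sonatype's own code: it parses both a .csproj and a packages.config, extracts the (Include/id, Version) pairs the page says are evaluated, and separates exact versions from floating versions (3.6.*) and version ranges ([1.0,2.0)). The sample inputs are constructed from the page's own snippets plus one hypothetical ranged package, and the definition of "exact" used here (a plain version, optionally with a prerelease or build suffix) is an assumption about how the scanner interprets it.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample inputs, modelled on the page's examples plus one
# hypothetical ranged reference; not from a real project.
CSPROJ_SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup Condition="'$(TargetFramework)' == 'net452'">
    <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.0" />
    <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.*" />
    <PackageReference Include="Some.Ranged.Package" Version="[1.0,2.0)" />
  </ItemGroup>
</Project>
"""

PACKAGES_CONFIG_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="7zip" version="4.23.0" targetFramework="net46" developmentDependency="true" />
  <package id="bootstrap" version="4.0.0-beta" targetFramework="net46" developmentDependency="true" />
</packages>
"""

# Assumption: an "exact" version is a plain NuGet/SemVer version (1 to 4 numeric
# parts) with an optional prerelease (-beta) or build (+meta) suffix.
# Wildcards such as 3.6.* and ranges such as [1.0,2.0) are not exact.
EXACT_VERSION = re.compile(r"^\d+(\.\d+){1,3}(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def is_exact_version(version: str) -> bool:
    """True when the version string pins a single version."""
    return bool(EXACT_VERSION.match(version.strip()))


def parse_csproj(text: str) -> List[Tuple[str, str]]:
    """Return (Include, Version) pairs for every PackageReference in a .csproj."""
    root = ET.fromstring(text.encode("utf-8"))
    refs: List[Tuple[str, str]] = []
    for elem in root.iter():
        # endswith() tolerates a default xmlns on older-style project files.
        if isinstance(elem.tag, str) and elem.tag.endswith("PackageReference"):
            include = elem.get("Include")
            version = elem.get("Version")
            if version is None:
                # Version may also be written as a child element.
                child = elem.find("Version")
                version = child.text if child is not None else None
            if include and version:
                refs.append((include, version))
    return refs


def parse_packages_config(text: str) -> List[Tuple[str, str]]:
    """Return (id, version) pairs for every <package> in a packages.config."""
    root = ET.fromstring(text.encode("utf-8"))
    return [
        (p.get("id"), p.get("version"))
        for p in root.iter("package")
        if p.get("id") and p.get("version")
    ]


def split_evaluable(refs: List[Tuple[str, str]]):
    """Split references into those the scanner evaluates (exact) and those it skips."""
    exact = [r for r in refs if is_exact_version(r[1])]
    skipped = [r for r in refs if not is_exact_version(r[1])]
    return exact, skipped


if __name__ == "__main__":
    for label, refs in (
        (".csproj", parse_csproj(CSPROJ_SAMPLE)),
        ("packages.config", parse_packages_config(PACKAGES_CONFIG_SAMPLE)),
    ):
        exact, skipped = split_evaluable(refs)
        print(f"{label}: {len(exact)} evaluated, {len(skipped)} skipped")
        for name, version in skipped:
            print(f"  not exact, will not be evaluated: {name} {version}")
```

Run this over a project tree before invoking the CLI; every entry it reports as skipped is a dependency that will be missing from the project-file evaluation unless it is pinned, restored to a packages directory for an ABF scan, or captured in a CycloneDX SBOM.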

Steps to analyze using the Sonatype IQ CLI

Invoke a Sonatype IQ CLI analysis of a directory or subdirectories containing .csproj files. When binaries are included in the scan path the analysis will default to an ABF scan from above.

.csproj

<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.1.1" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="1.1.1" />
  </ItemGroup>
</Project>

Steps to analyze using the Jenkins plugin

The Sonatype Platform Plugin for Jenkins will not evaluate the packages.config or .csproj files by default. Custom Scan Targets are needed to target these files.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/*.csproj'], [scanPattern: '**/packages.config']], iqStage: 'build'