Skip to main content

NuGet Application Analysis

Evaluation: Advance Binary Fingerprinting (ABF)

The primary open-source repository for .NET components is NuGet. A NuGet package is an archive file with the .nupkg extension. These packages contain compiled code in the form of Pecoff (PE = Portable Executable, COFF = Common Object File Format) files, related files, and a descriptive manifest. Developers may add complete packages to their applications or directly utilize the Pecoff files from the package. The .NET build process will remove non-essential files connecting individual Pecoff files back to their parent components.

  • Analysis of NuGet packages includes Security, License, and Identity data.

  • Lifecycle scanners support both binaries and manifest files but will default to binaries when they are present in scan target.

  • Lifecycle ABF scans identify both NuGet packages (.nupkg) and the following Pecoff extensions: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp

  • Pecoff data: License data is associated with Nuget packages and may be inherited by their component files. Pecoff files often belong to common libraries that exist in many NuGet projects. When the declared NuGet project cannot be determined, only Security and Identity data will be available for the component. Because pecoff does not provide license information, you might notice a decrease in license identifications. To obtain this information, we recommend either scanning the .nupkg file directly or creating a BOM using CycloneDX.

  • During build time: NuGet dependencies can be outputted to a directory for a more complete analysis of the required open-source components. These commands will result in the most accurate representation of the open-source used but may include more versions (assemblies) than what will be deployed in the application.

    • nuget restore -OutputDirectory packages

    • dotnet restore --packages packages

  • Developers local build: A script may be used by the Visual Studio plugin to download all of the NuGet dependencies for analysis. These code snippets may be used as a possible starting point.

  • CycloneDX SBOM: an sbom from CycloneDX/cyclonedx-dotnet can be used to accurately identify the direct and transitive dependencies declared in the .NET project file. The sbom will be included in the analysis when present in the binary scan.

Evaluation: Project files

A Lifecycle analysis can be run from source control by directly scanning the project (.csproj) and packages.config files. Both are package file options used in NuGet projects.

  • Only components with an exact version specified are evaluated.

  • Transitive dependencies are not included.


The include and version fields will be evaluated.

  • Include: Contoso.Utility.UsefulStuff

  • Version: 3.6.0


<Project Sdk="Microsoft.NET.Sdk">
        <ItemGroup Condition = "'$(TargetFramework)' == 'net452'">
                <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.0" />
                <PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.*" />


The id and version fields will be evaluated.

  • id: 7zip

  • version: 4.23.0


 <?xml version="1.0" encoding="utf-8"?>
  <package id="7zip" version="4.23.0" targetFramework="net46" developmentDependency="true" />
  <package id="bootstrap" version="4.0.0-beta" targetFramework="net46" developmentDependency="true" />

Steps to analyze using the Sonatype IQ CLI

Invoke a Sonatype IQ CLI scan of a directory or subdirectories containing .csproj files. If binaries are included in the scan path the analysis will default to an ABF scan from above.


<Project Sdk="Microsoft.NET.Sdk">
    <PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
    <PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.1.1" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="1.1.1" />

Steps to analyze using the Jenkins plugin

The Sonatype Platform Plugin for Jenkins will not evaluate the packages.config or .csproj files by default. A custom Scan Target is needed to target these files.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication:  'SampApp' , iqScanPatterns: [[scanPattern:  '**/*.csproj'], [scanPattern:  '**/packages.config']], iqStage:  'build'