1. Snyk
  2. Language support
  3. Language & package manager support

Articles in this section

Snyk for .NET

Snyk offers security scanning to test your projects for vulnerabilities, both through your CLI and through different integrations from our UI.

The following describes how to use Snyk to scan your .NET projects:

Features

Note

Features might not be available, depending on your subscription plan.

 

Package managers/Features

CLI support

Git support

License scanning

Remediation

Runtime monitoring

i_icon_nuget.png

NuGet 

✔︎

✔︎

✔︎

    

i_icon_paket.png

Paket

✔︎

✔︎

✔︎

    
 

How it works

 
 

Once we’ve built the tree, we can use our vulnerability database to find vulnerabilities in any of the packages anywhere in the dependency tree.

Note

In order to scan your dependencies, you must ensure you have first installed the relevant package manager, and that your project contains the supported manifest files.

The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project, as well as the location of your project:

 

Snyk CLI tool for .NET projects

The following manifest files are supported:

  • project.json

  • packages.config

  • paket.dependencies + paket.lock

  • project.assets.json

 

Note: In addition *.csproj file may be used if present to collect TargetFramework.

While the manifest files provide some information on dependencies it also necessary to analyse the packages folder and build artefacts to get full dependency tree. So the project/solution must be fully built before the Snyk scan.

Nuget
Follow the same instructions as Snyk CLI tool for .NET projects
 
Paket

In order to build the dependency tree, Snyk analyzes the paket.dependencies and paket.lock files.

 
CLI parameters for .NET

This section describes the unique CLI options available when working with .NET-based projects.

Prerequisites

  • The project must be fully built so that the installed packages can be analyzed. While manifest files provide some information on which dependencies the projects uses, some dependencies are only resolved after the project is fully built. In some cases packages folder & build artefacts are also analyzed.

  • When running Snyk test, we check the first file we find for testing. If you want to check all of the .NET manifest files included in a single solution, then use the --file parameter, similar to the following:

    $ snyk test --file=myApp.sln

    • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.

    • Ensure you've included the relevant manifest files supported by Snyk before testing.

    • Install and authenticate the Snyk CLI to start analyzing projects from your local environment. Read more about our CLI in Getting started with the CLI as well.

 
Parameters

Option

Description

--assets-project-name

When monitoring a .NET project using NuGet, the PackageReference key uses the project name in indicated in the project.assets.json.

--packages-folder

This is the folder in which your dependencies are installed. If you’ve assigned a unique name to this folder, then Snyk can only find it if you enter a custom path. 

Use the absolutely or relative path, including the name of the folder where your dependencies reside.

--file=<your_solution>.sln

Test all .NET projects included in the given .sln file

--file=packages.config

Test an individual .NET project.
 
 
 

Git services for .NET projects

.NET projects can be imported from any of the Git services we support.

Once imported, Snyk analyzes your projects based on their supported manifest files and then builds the dependency tree and displays it from our app, similar to the following:

dependency_tree.png
Nuget 

Once you select a project for import, we build the dependency tree based on these manifest files: 

  • For .NET Core, the *.proj files 

  • For .NET Framework, the *.proj file and packages.config 

A .NET project can target multiple target frameworks. Snyk creates a separate dependency tree for each target framework, displaying each as a separate Snyk project from the interface. In this way, it’s easier to understand why a dependency is being used and also to asses the fix strategy. 

 
Paket

No import support currently.

 
Git settings for .NET

From the Snyk UI, you can configure whether Snyk should scan your entire project, including the build dependencies, or if the build dependencies should be skipped.

Prerequisites

  • A .NET build file is required for the Snyk test so that Snyk can analyze target frameworks for this project.

  • For CLI: When running Snyk test, we check the first file we find for testing. If you want to check all of the .NET manifest files included in a single solution, then use the --file parameter, similar to the following:

    $ snyk test--file=myApp.sln

    • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.

    • Ensure you've included the relevant manifest files supported by Snyk before testing.

    • Install and authenticate the Snyk CLI to start analyzing projects from your local environment. Read more about our CLI in Getting started with the CLI as well.

 
Update language preferences
  1.  

    Log in to your account and navigate to the relevant group and organization that you want to manage.

    AddProjectMenu.gif

  2. Go to Settings=>Languages and click Edit settings for .NET

    Scan build dependencies - If checked, Snyk scans all development dependencies.