nuget.md

NuGet Detection

Requirements

NuGet Detection depends on the following to successfully run:

Detection Strategy

NuGet Detection is performed by parsing any *.nuspec, *.nupkg, *.packages.config, or *.project.assets files found under the scan directory. Because the detector searches for all *.nuspec and *.nupkg files on disk, the global NuGet cache is searched as well, and that cache can include packages that are not included in the final build.

Known Limitations

  • The NuGet detector currently overreports because the global NuGet cache gets searched. NuGet's restore behaviour downloads all possible dependencies before resolving the final dependency graph, so the cache can hold packages that are not included in the final build. To solve this overreporting, a new NuGet Detector approach will be rolled out that parses only *.packages.config and *.project.assets (*.csproj) files. As a result, any components that are only found in *.nuspec or *.nupkg files will not be detected with the new NuGet Detector approach.
  • There are also dependencies from the .NET SDK that are underreported. The list of dependencies can be found here.
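
To see which components the change in strategy would stop reporting, the sketch below compares a *.nuspec scan with a parse of packages.config and project.assets.json over the same directory. It is an added example, not code from the detector itself; it assumes NuGet's standard packages.config and project.assets.json ("libraries" section) layouts, and the Demo.* packages and directory names are constructed sample data.

```python
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def nuspec_components(root):
    """Current strategy: every *.nuspec on disk counts, cache entries included."""
    found = set()
    for path in Path(root).rglob("*.nuspec"):
        meta = ET.parse(path).getroot().find("{*}metadata")  # any nuspec namespace
        found.add((meta.findtext("{*}id").lower(), meta.findtext("{*}version")))
    return found

def resolved_components(root):
    """New strategy: only packages.config and project.assets.json are parsed."""
    found = set()
    for path in Path(root).rglob("packages.config"):
        for pkg in ET.parse(path).getroot().iter("package"):
            found.add((pkg.get("id").lower(), pkg.get("version")))
    for path in Path(root).rglob("project.assets.json"):
        libraries = json.loads(path.read_text(encoding="utf-8")).get("libraries", {})
        for key, lib in libraries.items():
            if lib.get("type") == "package":  # skip project-to-project references
                name, _, version = key.partition("/")
                found.add((name.lower(), version))
    return found

def overreported(root):
    """Components that only the *.nuspec scan would report."""
    return nuspec_components(root) - resolved_components(root)

def build_sample(root):
    """Write a constructed tree: two projects plus a simulated global cache."""
    files = {
        "app/obj/project.assets.json": json.dumps({"libraries": {
            "Demo.Core/2.0.0": {"type": "package"}, "App.Shared/1.0.0": {"type": "project"}}}),
        "old/packages.config": '<packages><package id="Demo.Log" version="1.4.0"/></packages>',
    }
    for pid, ver in [("Demo.Core", "2.0.0"), ("Demo.Core", "1.9.0"), ("Demo.Old", "0.3.1")]:
        files[f"cache/{pid.lower()}/{ver}/{pid.lower()}.nuspec"] = (
            '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
            f"<metadata><id>{pid}</id><version>{ver}</version></metadata></package>")
    for rel, text in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(sorted(overreported(tmp)))
```

Pointing overreported() at a real scan directory lists the components that exist only as cached *.nuspec metadata, which are the ones the new approach no longer reports.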