.NET
Trivy supports .NET core
and NuGet
package managers.
The following scanners are supported.
Artifact | SBOM | Vulnerability | License |
---|---|---|---|
.Net Core | ✓ | ✓ | - |
NuGet | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
---|---|---|---|---|---|
.Net Core | *.deps.json | ✓ | Excluded | - | ✓ |
NuGet | packages.config | ✓ | Excluded | - | - |
NuGet | *Packages.props | - | Excluded | - | - |
NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ |
*.deps.json
Trivy parses *.deps.json
files. Trivy currently excludes dev dependencies from the report.
packages.config
Trivy only finds dependency names and versions from packages.config
files. To build dependency graph, it is better to use packages.lock.json
files.
*Packages.props
Trivy parses *Packages.props
files. Both legacy Packages.props
and modern Directory.Packages.props
are supported.
license detection
packages.config
files don't have information about the licenses used.
Trivy uses *.nuspec files from global packages folder to detect licenses.
Note
The licenseUrl
field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression
type only).
Currently only the default path and NUGET_PACKAGES
environment variable are supported.
packages.lock.json
Don't forgot to enable lock files in your project.
Tip
Please make sure your lock file is up-to-date after modifying dependencies.
license detection
Same as packages.config