Skip to content

.NET

Trivy supports .NET core and NuGet package managers.

The following scanners are supported.

Artifact SBOM Vulnerability License
.Net Core -
NuGet

The following table provides an outline of the features Trivy offers.

Package manager File Transitive dependencies Dev dependencies Dependency graph Position
.Net Core *.deps.json Excluded -
NuGet packages.config Excluded - -
NuGet *Packages.props - Excluded - -
NuGet packages.lock.json Included

*.deps.json

Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.

packages.config

Trivy only finds dependency names and versions from packages.config files. To build dependency graph, it is better to use packages.lock.json files.

*Packages.props

Trivy parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.

license detection

packages.config files don't have information about the licenses used. Trivy uses *.nuspec files from global packages folder to detect licenses.

Note

The licenseUrl field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression type only).

Currently only the default path and NUGET_PACKAGES environment variable are supported.

packages.lock.json

Don't forgot to enable lock files in your project.

Tip

Please make sure your lock file is up-to-date after modifying dependencies.

license detection

Same as packages.config