Is your feature request related to a problem? Please describe.
Currently, it seems that ODC scans only the csproj files. Doing so, it is blind to transitive dependencies. For example, there is a CVE for the package System.Text.Json but you rarely reference it directly as it is part of a meta package.
Describe the solution you'd like
Since .NET 2.1, one can enable RestorePackagesWithLockFile. This produces a packages.lock.json file alongside each csproj with the full dependency tree. This file is usually committed to enable a repeatable build process.
When a package lock file is found, the MSBuild analyser should use it instead of resolving package references from the csproj.
Describe alternatives you've considered
N/A
Additional context
An example of an implementation in an SBOM tool: https://github.com/CycloneDX/cdxgen/blob/ab161c3561eeac2447a2902fb3d15b60610d6a33/lib/helpers/utils.js#L8316
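As an added example (not code from the issue, Dependency-Check or cdxgen), the lock-file parsing the request describes, in JavaScript: it flattens every pinned package per target framework and traces which Direct reference pulls a Transitive package in. The lock file contents, package names and hashes below are constructed.

```javascript
// Added example (not from the issue, Dependency-Check or cdxgen): parse a NuGet
// packages.lock.json, flatten pinned packages, and trace transitive pulls.
// Constructed sample lock file; names, versions and hashes are illustrative.
const SAMPLE_LOCK = JSON.stringify({
  version: 1,
  dependencies: {
    "net6.0": {
      "Some.Meta.Package": { type: "Direct", requested: "[2.0.0, )", resolved: "2.0.0",
        contentHash: "placeholder", dependencies: { "System.Text.Json": "6.0.0" } },
      "System.Text.Json": { type: "Transitive", resolved: "6.0.0",
        contentHash: "placeholder", dependencies: { "System.Text.Encodings.Web": "6.0.0" } },
      "System.Text.Encodings.Web": { type: "Transitive", resolved: "6.0.0",
        contentHash: "placeholder" }
    }
  }
});

// One record per (framework, package). Both Direct and Transitive entries carry
// a pinned "resolved" version, which is what a scanner should match on; the
// csproj alone never lists the transitive ones.
function parsePackagesLock(text) {
  const lock = JSON.parse(text);
  if (lock.version !== 1) throw new Error(`unsupported lock file version ${lock.version}`);
  const packages = [];
  for (const [framework, deps] of Object.entries(lock.dependencies || {})) {
    for (const [name, entry] of Object.entries(deps)) {
      packages.push({ framework, name, version: entry.resolved, type: entry.type,
        dependencies: Object.keys(entry.dependencies || {}) });
    }
  }
  return packages;
}

// Walk reverse edges from `target` up to the Direct packages that pull it in.
// A chain like ["Some.Meta.Package", "System.Text.Json"] tells the developer
// which reference to bump to remediate a finding on a transitive package.
function dependencyPaths(packages, framework, target) {
  const scoped = packages.filter(p => p.framework === framework);
  const byName = new Map(scoped.map(p => [p.name, p]));
  const paths = [];
  const walk = chain => {
    const head = chain[0];
    if (byName.get(head)?.type === "Direct") paths.push(chain);
    for (const p of scoped) {
      if (p.dependencies.includes(head) && !chain.includes(p.name)) walk([p.name, ...chain]);
    }
  };
  if (byName.has(target)) walk([target]);
  return paths;
}
```

Real lock files also contain entries of type "Project" and "CentralTransitive"; the flattening above keeps whatever type string is present so a scanner can decide per type how to report it.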