.NET
Trivy supports .NET core and NuGet package managers.
The following scanners are supported.
| Artifact | SBOM | Vulnerability | License |
|---|---|---|---|
| .Net Core | ✓ | ✓ | - |
| NuGet | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
|---|---|---|---|---|---|
| .Net Core | *.deps.json | ✓ | Excluded | - | ✓ |
| NuGet | packages.config | ✓ | Excluded | - | - |
| NuGet | *Packages.props | - | Excluded | - | - |
| NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ |
*.deps.json
Trivy parses *.deps.json files. Trivy currently excludes dev dependencies from the report.
Note
Trivy only includes runtime dependencies in the report.
packages.config
Trivy only finds dependency names and versions from packages.config files. To build dependency graph, it is better to use packages.lock.json files.
*Packages.props
Trivy parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.
license detection
packages.config files don't have information about the licenses used.
Trivy uses *.nuspec files from global packages folder to detect licenses.
Note
The licenseUrl field is deprecated. Trivy doesn't parse this field and only checks the license field (license expression type only).
Currently only the default path and NUGET_PACKAGES environment variable are supported.
packages.lock.json
Don't forgot to enable lock files in your project.
Tip
Please make sure your lock file is up-to-date after modifying dependencies.
license detection
Same as packages.config