Endor Labs for .NET

Learn how to implement Endor Labs in repositories with .NET packages.

.NET is a free, cross-platform, open-source developer platform for building different types of applications. Endor Labs supports the scanning and monitoring of projects built on the .NET platform.

Using Endor Labs, developers can:

  • Test their software for potential issues and violations of organizational policy
  • Prioritize vulnerabilities in the context of their applications
  • Understand the relationships between software components in their applications

Scan .NET projects

To successfully scan your .NET projects

  1. Install software prerequisites
  2. Run a scan
  3. Understand the scan process
  4. Troubleshoot errors

Install software prerequisites

The following prerequisite must be fulfilled:

  • One or more .csproj files must be present in your repository.
  • The dotnet command or nuget command must be installed and available on the host system.
  • At least one .NET SDK installed on the system must be compatible with the project’s global.json file settings.

To check your available SDK versions you can run the command dotnet --info or dotnet --list-sdks.

Call graph requirements

  • The .NET SDK 7.0.101 or higher versions within the 7.x major version range must be installed on the host system.
  • Endor Labs’ call graph support for .NET is based on Microsoft’s Common Intermediate Language (CIL). Artifacts such as .exe or .dll files must be available in the project’s standard workspace through a build and restore or a restored cache.
  • When performing deep scans make sure that you have the following minimum system specification requirements:
    • 4-core processor with 16 GB RAM for small projects
    • 8-core processor with 32 GB RAM for mid-size projects
    • 16-core processor with 64 GB RAM for large projects

Run a scan

Use the following options to scan your repositories. Perform a scan after building the projects.

Option 1 - Quick scan

Perform a quick scan to get quick visibility into your software composition. This scan will not perform reachability analysis to help you prioritize vulnerabilities.

You must restore your .NET projects before running a quick scan. Additionally, ensure that the packages are downloaded into the local package caches and that the build artifacts are present in the standard locations.

  1. Run the following commands to resolve dependencies and create the necessary files to scan your .NET project.

To ensure that the build artifacts project.assets.json file is generated and dependencies are resolved run:

dotnet restore

If you use Nuget instead run:

nuget restore

To create a packages.lock.json file if your project uses a lock file run:

dotnet restore --use-lock-file

If project.assets.json or packages.lock.json are not present and if the project is buildable, endorctl will restore the project and create a project.assets.json or a packages.lock.json file to resolve dependencies.

  1. You can run a quick scan with the following commands:
endorctl scan --quick-scan

You can perform the scan from within the root directory of the git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan --quick-scan -o json | tee /path/to/results.json

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Option 2 - Deep scan

Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.

You must restore and build your .NET projects before running a deep scan. Additionally, ensure that the packages are downloaded into the local package caches and that the build artifacts are present in the standard locations.

  1. Run the following commands to restore and build your project. This may vary depending on your project’s configuration.
dotnet restore
dotnet build
  1. You can run a deep scan with the following commands:
endorctl scan

Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.

endorctl scan -o json | tee /path/to/results.json

.NET’s call graph support is currently in Beta.

When a deep scan is performed all private software dependencies are completely analyzed by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but will not impact subsequent scans.

Organizations might not own some parts of the software internally and findings are actionable by another team. These organizations can choose to disable this analysis using the flag disable-private-package-analysis. By disabling private package analysis, teams can enhance scan performance but may lose insights into how applications interact with first-party libraries.

Use the following command flag to disable private package analysis:

endorctl scan --disable-private-package-analysis

You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.

Configure Nuget private repositories

You can configure Endor Labs to fetch dependencies from private NuGet feeds after authenticating the endpoints.

  1. Sign in to Endor Labs and select Integrations under Manage from the left sidebar.
  2. From Package Managers, select Nuget and click Manage.
  3. Click Add Package Manager.
  4. Enter a package manager URL.
  5. To enable Endor Labs to authenticate to your registry, select Authenticate to this registry and enter the username and password of your private package manager repository.
  6. Click Add Package Manager to save your configuration.

Understand the scan process

A _.csproj file is an XML-based C# project file that contains information about the project, such as its source code files, references, build settings, and other configuration details. The dependencies and findings are listed individually for every _.csproj file.

Endor Labs discovers all *.csproj files and uses these files to resolve the appropriate dependency graph of your project. These dependencies are then monitored for known issues, such as vulnerabilities and project abandonment.

Endor Labs enriches your dependency graph to help you understand if your dependencies are secure, sustainable, and trustworthy. This includes Endor Labs risk analysis and scores, if a dependency is direct or transitive, and if the source code of the dependency is publicly auditable.

Software composition analysis for .NET is performed in the following ways:

How does dependency resolution happen using Project.assets.json

The Project.assets.json file is used in .NET projects to store metadata and information about the project’s dependencies and assets.

Endor Labs fetches resolved package versions, paths to the dependencies’ assets, such as assemblies and resources, and other related information from this file. If a project does not include a project.assets.json file, it is generated through the dotnet restore or the nuget restore command. This command uses all the configured sources to restore dependencies as well as project-specific tools that are specified in the project file.

NOTE: If the host machine has .NET Core or .NET 5+ installed, the dotnet restore command is used to generate the project.assets.json file. The nuget restore command is used to generate the project.asssets.json file for earlier versions of the .NET frameworks.

How does dependency resolution happen using package.lock.json

The package.lock.json file is used in .NET projects to lock dependencies and their specific versions. It is a snapshot of the exact versions of packages installed in a project, including their dependencies and sub-dependencies, requested versions, resolved versions, and contentHash. The lock file provides a more dependable, uniform, and accurate representation of the dependency graph.

In Endor Labs’ dependency management, the resolution of dependencies is primarily based on package.lock.json, which takes precedence over projects.assets.json to resolve dependencies.

Endor Labs fetches the dependency information from package.lock.json and creates a comprehensive dependency graph. The vulnerabilities associated with the dependencies are listed on the Endor Labs’ user interface.

If the package.lock.json file is not present in the repository, Endor Labs triggers the restore process to generate the package.lock.json file and uses it to perform the dependency scans.

How Endor Labs performs static analysis on the code

Endor Labs performs static analysis on the C# code based on the following factors:

  • Call graphs are created for your package. These are then combined with the call graphs of the dependencies in your dependency tree to form a comprehensive call graph for the entire project.
  • Endor Labs looks for the project’s .dll files typically located within the bin directory.
  • Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
  • The static analysis time may vary depending on the number of dependencies in the package and the number of packages in the project.

Known Limitations

  • The following .NET programming languages are not currently supported for dependency resolution or call graph generation.
    • Projects written in F#
    • Projects written in Visual Basic
  • All private or internal dependencies should be resolved before running a scan.
  • The following attributes are not supported in the *.csproj files.
  • Call graph binary discovery may fail if you use environment variables to define the name of the package in your CSPROJ file.

Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve them.

  • Host system check failure errors: .NET or Nuget is not installed or not present in the PATH environment variable. Install Nuget and try again.
  • Unresolved dependency errors: This error occurs when the .csproj file can not be parsed or if it has syntax errors.