.NET is a free, cross-platform, open-source developer platform for building different types of applications. Endor Labs supports the scanning and monitoring of projects built on the .NET platform.
Using Endor Labs, developers can:
- Test their software for potential issues and violations of organizational policy
- Prioritize vulnerabilities in the context of their applications
- Understand the relationships between software components in their applications
Scan .NET projects
To successfully scan your .NET projects
Install software prerequisites
The following prerequisite must be fulfilled:
- Make sure your repository includes one or more files with
.cs
extension. - One or more *.csproj files must be present in your repository.
- The .NET command or Nuget command must be installed and available on the host system.
- At least one .NET SDK installed on the system must be compatible with the project’s global.json file settings.
Note
To check your available SDK versions you can run the commanddotnet --info
or dotnet --list-sdks
.
Call graph requirements
- You must install .NET 7.0.1 (SDK 7.0.101) or later on the host system.
- Endor Labs’ call graph support for .NET is based on Microsoft’s Common Intermediate Language (CIL). Artifacts such as .exe or .dll files must be available in the project’s standard workspace through a build and restore or a restored cache.
- When performing deep scans make sure that you have the following minimum system specification requirements:
- 4-core processor with 16 GB RAM for small projects
- 8-core processor with 32 GB RAM for mid-size projects
- 16-core processor with 64 GB RAM for large projects
Run a scan
Use the following options to scan your repositories. Perform a scan after building the projects.
Option 1 - Quick scan
Perform a quick scan to get quick visibility into your software composition. This scan won’t perform reachability analysis to help you prioritize vulnerabilities.
You must restore your .NET projects before running a quick scan. Additionally, ensure that the packages are downloaded into the local package caches and that the build artifacts are present in the standard locations.
- Run the following commands to resolve dependencies and create the necessary files to scan your .NET project.
To ensure that the build artifacts project.assets.json
file is generated and dependencies are resolved run:
dotnet restore
If you use Nuget instead run:
nuget restore
To create a packages.lock.json
file if your project uses a lock file run:
dotnet restore --use-lock-file
If project.assets.json
or packages.lock.json
are not present and if the project is buildable, endorctl will restore the project and create a project.assets.json
or a packages.lock.json
file to resolve dependencies.
2. You can run a quick scan with the following commands:
endorctl scan --quick-scan
You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan --quick-scan -o json | tee /path/to/results.json
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Option 2 - Deep scan
Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.
You must restore and build your .NET projects before running a deep scan. Additionally, ensure that the packages are downloaded into the local package caches and that the build artifacts are present in the standard locations.
- Run the following commands to restore and build your project. This may vary depending on your project’s configuration.
dotnet restore
dotnet build
- You can run a deep scan with the following commands:
endorctl scan
Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface.
endorctl scan -o json | tee /path/to/results.json
When a deep scan is performed all private software dependencies are completely analyzed by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won’t impact subsequent scans.
Organizations might not own some parts of the software internally and findings are actionable by another team. These organizations can choose to disable this analysis using the flag disable-private-package-analysis
. By disabling private package analysis, teams can enhance scan performance but may lose insights into how applications interact with first-party libraries.
Use the following command flag to disable private package analysis:
endorctl scan --disable-private-package-analysis
You can sign into the Endor Labs user interface, click the Projects on the left sidebar, and find your project to review its results.
Configure Nuget private repositories
You can configure Endor Labs to fetch dependencies from private NuGet feeds after authenticating the endpoints.
- Sign in to Endor Labs and select Integrations under Manage from the left sidebar.
- From Package Managers, select Nuget and click Manage.
- Click Add Package Manager.
- Enter a package manager URL.
- To enable Endor Labs to authenticate to your registry, select Authenticate to this registry and enter the username and password of your private package manager repository.
- Click Add Package Manager to save your configuration.
Understand the scan process
A *.csproj file is an XML-based C# project file that contains information about the project, such as its source code files, references, build settings, and other configuration details. The dependencies and findings are listed individually for every csproj file. The scan discovers all *.csproj**
files and uses these files to resolve the appropriate dependency graph of your project.
(Beta) Endor Labs scans the .NET projects that are using the Central Package Management feature of Nuget for the packages declared as:
- Package references in
Directory.Build.props
orDirectory.Packages.props
files. - Package references in any *.props file and the prop file is imported in the csproj file.
- Package references in
*.Targets
file.
Note
You may not be able to view the Requested version of the packages on the Endor Labs user interface
- For the packages declared as package version in *.Targets file.
- If you are importing the packages into the *.csproj file using MSbuild keywords in the path variables.
Endor Labs enriches your dependency graph to help you understand if your dependencies are secure, sustainable, and trustworthy. This includes Endor Labs risk analysis and scores, if a dependency is direct or transitive, and if the source code of the dependency is publicly auditable.
Software composition analysis for .NET is performed in the following ways:
How does dependency resolution happen using Project.assets.json
The Project.assets.json file is used in .NET projects to store metadata and information about the project’s dependencies and assets.
Endor Labs fetches resolved package versions, paths to the dependencies’ assets, such as assemblies and resources, and other related information from this file. If a project does not include a project.assets.json file, it is generated through the dotnet restore
or the nuget restore
command. This command uses all the configured sources to restore dependencies as well as project-specific tools that are specified in the project file.
Note
If the host machine has .NET Core or .NET 5+ installed, the dotnet restore command is used to generate the project.assets.json file. The nuget restore command is used to generate the project.asssets.json file for earlier versions of the .NET frameworks.How does dependency resolution happen using package.lock.json
The package.lock.json file is used in .NET projects to lock dependencies and their specific versions. It is a snapshot of the exact versions of packages installed in a project, including their dependencies and sub-dependencies, requested versions, resolved versions, and contenthash. The lock file provides a more dependable, uniform, and accurate representation of the dependency graph.
In Endor Labs’ dependency management, the resolution of dependencies is primarily based on package.lock.json, which takes precedence over projects.assets.json to resolve dependencies.
Endor Labs fetches the dependency information from package.lock.json and creates a comprehensive dependency graph. The vulnerabilities associated with the dependencies are listed on the Endor Labs’ user interface.
If the package.lock.json file is not present in the repository, Endor Labs triggers the restore process to generate the package.lock.json file and uses it to perform the dependency scans.
How Endor Labs performs static analysis on the code (Beta)
Endor Labs performs static analysis on the C# code based on the following factors:
- Call graphs are created for your package. These are then combined with the call graphs of the dependencies in your dependency tree to form a comprehensive call graph for the entire project.
- Endor Labs looks for the project’s .dll files typically located within the bin directory.
- Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
- The static analysis time may vary depending on the number of dependencies in the package and the number of packages in the project.
Note
.NET’s call graph support and reachability analysis are in Beta.Known Limitations
- The following .NET programming languages are not currently supported for dependency resolution or call graph generation.
- Projects written in F#
- Projects written in Visual Basic
- When using the GitHub app, either resolve all the private and internal dependencies, or Configure Nuget private repositories before running a scan.
- Call graph binary discovery may fail if you use environment variables to define the name of the package in your *.csproj file.
Troubleshoot errors
Here are a few error scenarios that you can check for and attempt to resolve them.
- Host system check failure errors: .NET or Nuget is not installed or not present in the PATH environment variable. Install Nuget and try again.
- Unresolved dependency errors: This error occurs when the .csproj file can not be parsed or if it has syntax errors.