.NET

.NET package analysis and vulnerability scanning capabilities

Package analysis

| Cataloger | Evidence | Dependency depth | Dependency edges | Dependency kinds |
|---|---|---|---|---|
| dotnet-deps-binary-cataloger | *.deps.json, *.dll, *.exe | Transitive | Complete | Runtime |
| dotnet-deps-cataloger (deprecated) | *.deps.json | Transitive | Complete | Runtime |
| dotnet-packages-lock-cataloger | packages.lock.json | Transitive | Complete | Runtime, Dev, Build |
| dotnet-portable-executable-cataloger (deprecated) | *.dll, *.exe | | | |

Syft Configuration
| Configuration Key | Description |
|---|---|
| dotnet.dep-packages-must-claim-dll | Allows deps.json packages to be included only if a runtime/resource DLL is claimed for them in the deps.json targets section. This does not require such claimed DLLs to exist on disk. The behavior of this |
| dotnet.dep-packages-must-have-dll | Allows deps.json packages to be included only if there is a DLL on disk for that package. |
| dotnet.propagate-dll-claims-to-parents | Allows deps.json packages to be included if any child (transitive) package claims a DLL. This applies to both the claims configuration and the evidence-on-disk configuration. |
| dotnet.relax-dll-claims-when-bundling-detected | Looks for indications of IL bundle tooling via deps.json package names and, if found (and this option is enabled), relaxes the DepPackagesMustClaimDLL value to `false` only in those cases. |

When scanning a .NET application, evidence from deps.json (compiler output) and from any built binaries is used together to identify packages. This way, data missing from one source can be filled in from the other, producing a more complete and accurate package graph.
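As an added illustration (not Syft's own code) of how dotnet.dep-packages-must-claim-dll and dotnet.propagate-dll-claims-to-parents interact, the following Python applies those two rules to a constructed deps.json targets section; the package names and versions in it are made up for the example.

```python
"""Added example: which deps.json packages survive the must-claim-dll and
propagate-to-parents rules. This is an illustration, not Syft's implementation."""
import json

# Constructed deps.json fragment (not from a real build): two packages claim a
# runtime DLL, Microsoft.Extensions.Logging only lists a dependency and claims
# nothing itself, and Example.ContentOnly claims nothing at all.
DEPS_JSON = json.dumps({
    "targets": {
        ".NETCoreApp,Version=v8.0": {
            "Newtonsoft.Json/13.0.3": {
                "runtime": {"lib/net6.0/Newtonsoft.Json.dll": {}}},
            "Microsoft.Extensions.Logging/8.0.0": {
                "dependencies": {"Microsoft.Extensions.Logging.Abstractions": "8.0.0"}},
            "Microsoft.Extensions.Logging.Abstractions/8.0.0": {
                "runtime": {"lib/net8.0/Microsoft.Extensions.Logging.Abstractions.dll": {}}},
            "Example.ContentOnly/1.0.0": {},
        }
    }
})


def claims_dll(entry: dict) -> bool:
    """A package claims a DLL when its targets entry lists a runtime or resource assembly."""
    return bool(entry.get("runtime")) or bool(entry.get("resources"))


def included_packages(deps_json: str, must_claim_dll: bool, propagate_to_parents: bool) -> set[str]:
    """Return the package names kept under the two configuration flags."""
    targets = json.loads(deps_json)["targets"]
    entries: dict[str, dict] = {}
    for target in targets.values():
        for key, entry in target.items():
            entries[key.split("/", 1)[0]] = entry  # "Name/Version" -> "Name"
    if not must_claim_dll:
        return set(entries)
    keep = {name for name, e in entries.items() if claims_dll(e)}
    if propagate_to_parents:
        # A parent inherits a claim from any kept child; iterate until stable
        # so that claims travel up through several levels of parents.
        changed = True
        while changed:
            changed = False
            for name, e in entries.items():
                if name not in keep and any(dep in keep for dep in e.get("dependencies", {})):
                    keep.add(name)
                    changed = True
    return keep
```

With the flag off every package is reported; with it on only DLL-claiming packages remain, and enabling propagation pulls Microsoft.Extensions.Logging back in through its child while Example.ContentOnly stays excluded.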

Vulnerability scanning

| Data Source |
|---|
| GitHub Security Advisories (GHSA) |
| National Vulnerability Database (NVD) |

Grype Configuration
| Configuration Key | Description |
|---|---|
| match.dotnet.using-cpes | Use CPE package identifiers to find vulnerabilities. |

Last modified November 26, 2025: allow local too invocation (d20d613)