Skip to main content
.NET is a free, cross-platform, open-source developer platform for building different types of applications. Endor Labs supports the scanning and monitoring of projects built on the .NET platform. Using Endor Labs, application security engineers and developers can:
  • Scan their software for potential security issues and violations of organizational policy.
  • Prioritize vulnerabilities in the context of their applications.
  • Understand the relationships between software components in their applications.

System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.
Project SizeProcessorMemory
Small projects4-core processor16 GB
Mid-size projects8-core processor32 GB
Large projects16-core processor64 GB

Software prerequisites

Before you begin, verify the following prerequisites:
  • Make sure your repository includes one or more files with .cs extension.
  • Endor Labs supports dependency resolution and reachability analysis only for SDK-style .NET projects.
  • One or more *.csproj files must be present in your repository.
  • Install the .NET command or NuGet command and make it available on the host system.
  • At least one .NET SDK installed on the system must be compatible with the project’s global.json file settings.
To check your available SDK versions you can run the command dotnet --info or dotnet --list-sdks.

Run a scan

Use the following options to scan your repositories. Perform a scan after building the projects.

Option 1 - Quick scan

Perform a quick scan to get quick visibility into your software composition. This scan won’t perform reachability analysis to help you prioritize vulnerabilities. You must restore your .NET projects before running a quick scan. Also verify that packages exist in the local package caches and build artifacts exist in the standard locations.
  1. Run the following commands to resolve dependencies and create the necessary files to scan your .NET project. To generate the build artifact project.assets.json and resolve dependencies, run: 
    dotnet restore
    If you use NuGet instead run: 
    nuget restore
    To create a packages.lock.json file if your project uses a lock file run: 
    dotnet restore --use-lock-file
    If project.assets.json or packages.lock.json are not present and if the project is buildable, endorctl will restore the project and create a project.assets.json or a packages.lock.json file to resolve dependencies.
  2. You can run a quick scan with the following commands: 
    endorctl scan --quick-scan
    You can perform the scan from within the root directory of the Git project repository, and save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
    endorctl scan --quick-scan -o json | tee /path/to/results.json
    You can sign in to the Endor Labs user interface and navigate to Projects from the left sidebar to review your project results.

Option 2 - Deep scan

Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully. You must restore and build your .NET projects before running a deep scan. Also verify that packages exist in the local package caches and build artifacts exist in the standard locations.
  1. Run the following commands to restore and build your project. This may vary depending on your project’s configuration. 
    dotnet restore
dotnet build
  2. You can run a deep scan with the following commands: 
    endorctl scan
    Use the following flags to save the local results to a results.json file. The results and related analysis information are available on the Endor Labs user interface. 
    endorctl scan -o json | tee /path/to/results.json
During a deep scan, Endor Labs analyzes all private software dependencies in full by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won’t impact subsequent scans. Organizations might not own some parts of the software internally and findings are actionable by another team. These organizations can choose to disable this analysis using the flag disable-private-package-analysis. By disabling private package analysis, teams can enhance scan performance but may lose insights into how applications interact with first-party libraries. Use the following command flag to disable private package analysis: 
endorctl scan --disable-private-package-analysis
You can sign into the Endor Labs user interface and select Projects from the left sidebar to review your project results.

Configure private NuGet package repositories

Endor Labs supports fetching and scanning dependencies from private NuGet package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See NuGet package manager integrations for more information on configuring private registries.

Understand the scan process

A *.csproj file is an XML-based C# project file that contains information about the project, such as its source code files, references, build settings, and other configuration details. Endor Labs lists the dependencies and findings individually for every .csproj file. The scan discovers all *.csproj files and uses these files to resolve the appropriate dependency graph of your project. (Beta) Endor Labs scans the .NET projects that are using the Central Package Management feature of NuGet for the packages declared as:
  • Package references in Directory.Build.props or Directory.Packages.props files.
  • Package references in any *.props file that the .csproj file imports.
  • Package references in *.Targets file.
You may not be able to view the Requested version of the packages on the Endor Labs user interface
  • For the packages declared as package version in *.Targets file.
  • If you are importing the packages into the *.csproj file using MSBuild keywords in the path variables.
Endor Labs enriches your dependency graph to help you understand if your dependencies are secure, sustainable, and trustworthy. This includes Endor Labs risk analysis and scores, if a dependency is direct or transitive, and if the source code of the dependency is publicly auditable. Endor Labs performs software composition analysis for .NET in the following ways:

How does dependency resolution happen using Project.assets.json

.NET projects use the project.assets.json file to store metadata and information about the project’s dependencies and assets. Endor Labs fetches resolved package versions, paths to the dependencies’ assets, such as assemblies and resources, and other related information from this file. If a project does not include a project.assets.json file, the dotnet restore or nuget restore command generates it. This command uses all configured sources to restore dependencies and project-specific tools that the project file specifies.
If the host machine has .NET Core or .NET 5+ installed, the dotnet restore command generates the project.assets.json file. The nuget restore command generates the project.assets.json file for earlier versions of the .NET frameworks.

How does dependency resolution happen using package.lock.json

.NET projects use the package.lock.json file to lock dependencies and their specific versions. It is a snapshot of the exact versions of packages installed in a project, including their dependencies and sub-dependencies, requested versions, resolved versions, and contenthash. The lock file provides a more dependable, uniform, and accurate representation of the dependency graph. In Endor Labs’ dependency management, the resolution of dependencies is primarily based on package.lock.json, which takes precedence over projects.assets.json to resolve dependencies. Endor Labs fetches the dependency information from package.lock.json and creates a comprehensive dependency graph. Endor Labs lists the associated vulnerabilities on the Endor Labs user interface. If the package.lock.json file is not present in the repository, Endor Labs triggers the restore process to generate the package.lock.json file and uses it to perform the dependency scans.

Resolving package names from props files

endorctl evaluates MSBuild property values that contain variables, as long as the same file defines those variables for example, Directory.Build.props. This enables accurate resolution of package names and versions, even if they are not explicitly declared in the .csproj file. For example, in a setup like test.csproj 
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
Directory.Build.props 
<Project>
  <PropertyGroup>
    <CompanyName>via-build-prop</CompanyName>
    <AssemblyName>$(CompanyName).$(MSBuildProjectName)</AssemblyName>
  </PropertyGroup>
</Project>
When generating package names for .NET projects, the system evaluates the AssemblyName property defined in the project’s .props file. Instead of using a generic name like test, the system applies the evaluated value, for example, via-build-prop.test. This approach enables consistent and customizable package naming based on MSBuild properties.

How Endor Labs performs static analysis on the code

Endor Labs performs static analysis on the C# code based on the following factors:
  • Endor Labs creates call graphs for your package and combines them with the dependency call graphs to form a comprehensive call graph for the entire project.
  • Endor Labs looks for the project’s .dll files typically located within the bin directory.
  • Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
  • The static analysis time may vary depending on the number of dependencies in the package and the number of packages in the project.

Known Limitations

  • When using the GitHub app, either resolve all the private and internal dependencies, or Configure private NuGet package repositories before running a scan.
  • When working with old-style MSBuild projects, we recommend scanning them through Continuous Integration (CI) after building the project to ensure that the .NET build system generates the required obj/project.assets.json file. For monitoring scans, support for restoring dependencies in Windows projects is limited. This may lead to restore or build errors, potentially causing unexpected scan results.

Call graph limitations

  • You must install .NET 7.0.1 (SDK 7.0.101) or later on the host system.
  • The following .NET programming languages are not supported for dependency resolution or call graph generation:
    • Projects written in F#
    • Projects written in Visual Basic
  • Endor Labs bases .NET call graph support on Microsoft’s Common Intermediate Language (CIL). Ensure that artifacts such as .exe or .dll files exist in the project’s standard workspace through a build and restore or a restored cache.

Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve them.
  • Host system check failure errors: .NET or NuGet is not installed or not present in the PATH environment variable. Install NuGet and try again.
  • Unresolved dependency errors: This error occurs when the .csproj file can not be parsed or if it has syntax errors.