> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# .NET

> Learn how to implement Endor Labs in repositories with .NET packages.

.NET is a free, cross-platform, open-source developer platform for building different types of applications. Endor Labs supports the scanning and monitoring of projects built on the .NET platform.

Using Endor Labs, application security engineers and developers can:

* Scan their software for potential security issues and violations of organizational policy.
* Prioritize vulnerabilities in the context of their applications.
* Understand the relationships between software components in their applications.

## System specifications for deep scan

Before you proceed to run a deep scan, ensure that your system meets the following specification.

| Project Size      | Processor         | Memory |
| ----------------- | ----------------- | ------ |
| Small projects    | 4-core processor  | 16 GB  |
| Mid-size projects | 8-core processor  | 32 GB  |
| Large projects    | 16-core processor | 64 GB  |

## Software prerequisites

Before you begin, verify the following prerequisites:

* Make sure your repository includes one or more files with `.cs` extension.
* Endor Labs supports dependency resolution and reachability analysis only for SDK-style .NET projects.
* One or more `*.csproj` files must be present in your repository.
* Install the .NET command or NuGet command and make it available on the host system.
* At least one .NET SDK installed on the system must be compatible with the project's `global.json` file settings.

<Note>
  To check your available SDK versions you can run the command `dotnet --info` or `dotnet --list-sdks`.
</Note>

## Run a scan

Use the following options to scan your repositories. Perform a scan after building the projects.

### Option 1 - Quick scan

Perform a quick scan to get quick visibility into your software composition. This scan won't perform reachability analysis to help you prioritize vulnerabilities.

You must restore your .NET projects before running a quick scan. Also verify that packages exist in the local package caches and build artifacts exist in the standard locations.

1. Run the following commands to resolve dependencies and create the necessary files to scan your .NET project.

   To generate the build artifact `project.assets.json` and resolve dependencies, run:

   ```bash theme={null}
   dotnet restore
   ```

   If you use NuGet instead run:

   ```bash theme={null}
   nuget restore
   ```

   To create a `packages.lock.json` file if your project uses a lock file run:

   ```bash theme={null}
   dotnet restore --use-lock-file
   ```

   If `project.assets.json` or `packages.lock.json` are not present and if the project is buildable, endorctl will restore the project and create  a `project.assets.json` or a `packages.lock.json` file to resolve dependencies.

2. You can run a quick scan with the following commands:

   ```bash theme={null}
   endorctl scan --quick-scan
   ```

   You can perform the scan from within the root directory of the Git project repository, and save the local results to a `results.json` file. The results and related analysis information are available on the Endor Labs user interface.

   ```bash theme={null}
   endorctl scan --quick-scan -o json | tee /path/to/results.json
   ```

   You can sign in to the Endor Labs user interface and navigate to **Projects** from the left sidebar to review your project results.

### Option 2 - Deep scan

Use the deep scan to perform dependency resolution, reachability analysis, and generate call graphs. You can do this after you complete the quick scan successfully.

You must restore and build your .NET projects before running a deep scan. Also verify that packages exist in the local package caches and build artifacts exist in the standard locations.

1. Run the following commands to restore and build your project. This may vary depending on your project's configuration.

   ```bash theme={null}
   dotnet restore
   dotnet build
   ```

2. You can run a deep scan with the following commands:

   ```bash theme={null}
   endorctl scan
   ```

   Use the following flags to save the local results to a `results.json` file. The results and related analysis information are available on the Endor Labs user interface.

   ```bash theme={null}
   endorctl scan -o json | tee /path/to/results.json
   ```

During a deep scan, Endor Labs analyzes all private software dependencies in full by default if they have not been previously scanned. This is a one-time operation and will slow down initial scans, but won't impact subsequent scans.

Organizations might not own some parts of the software internally and findings are actionable by another team. These organizations can choose to disable this analysis using the flag `disable-private-package-analysis`. By disabling private package analysis, teams can enhance scan performance but may lose insights into how applications interact with first-party libraries.

Use the following command flag to disable private package analysis:

```bash theme={null}
endorctl scan --disable-private-package-analysis
```

You can sign into the Endor Labs user interface and select **Projects** from the left sidebar to review your project results.

### Configure private NuGet package repositories

Endor Labs supports fetching and scanning dependencies from private NuGet package registries. Endor Labs will fetch resources from authenticated endpoints and perform the scan, allowing you to view the resolved dependencies and findings. See [NuGet package manager integrations](/integrations/package-managers/nuget-private-package-manager) for more information on configuring private registries.

## Understand the scan process

A `*.csproj` file is an XML-based C# project file that contains information about the project, such as its source code files, references, build settings, and other configuration details. Endor Labs lists the dependencies and findings individually for every `.csproj` file. The scan discovers all `*.csproj` files and uses these files to resolve the appropriate dependency graph of your project.

(Beta) Endor Labs scans the .NET projects that are using the [Central Package Management feature](https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#enabling-central-package-management) of NuGet for the packages declared as:

* Package references in `Directory.Build.props` or `Directory.Packages.props` files.
* Package references in any `*.props` file that the `.csproj` file imports.
* Package references in  `*.Targets` file.

<Note>
  You may not be able to view the **Requested version** of the packages on the Endor Labs user interface

  * For the packages declared as package version in `*.Targets` file.
  * If you are importing the packages into the `*.csproj` file using MSBuild keywords in the path variables.
</Note>

Endor Labs enriches your dependency graph to help you understand if your dependencies are secure, sustainable, and trustworthy. This includes Endor Labs risk analysis and scores, if a dependency is direct or transitive, and if the source code of the dependency is publicly auditable.

Endor Labs performs software composition analysis for .NET in the following ways:

* [Using Project.assets.json](#how-does-dependency-resolution-happen-using-project-assets-json)
* [Using package.lock.json](#how-does-dependency-resolution-happen-using-package-lock-json)

### How does dependency resolution happen using Project.assets.json

.NET projects use the `project.assets.json` file to store metadata and information about the project's dependencies and assets.

Endor Labs fetches resolved package versions, paths to the dependencies' assets, such as assemblies and resources, and other related information from this file. If a project does not include a `project.assets.json` file, the `dotnet restore` or `nuget restore` command generates it. This command uses all configured sources to restore dependencies and project-specific tools that the project file specifies.

<Note>
  If the host machine has .NET Core or .NET 5+ installed, the dotnet restore command generates the `project.assets.json` file. The `nuget restore` command generates the `project.assets.json` file for earlier versions of the .NET frameworks.
</Note>

### How does dependency resolution happen using package.lock.json

.NET projects use the `package.lock.json` file to lock dependencies and their specific versions. It is a snapshot of the exact versions of packages installed in a project, including their dependencies and sub-dependencies, requested versions, resolved versions, and contenthash. The lock file provides a more dependable, uniform, and accurate representation of the dependency graph.

In Endor Labs' dependency management, the resolution of dependencies is primarily based on `package.lock.json`, which takes precedence over `projects.assets.json` to resolve dependencies.

Endor Labs fetches the dependency information from `package.lock.json` and creates a comprehensive dependency graph. Endor Labs lists the associated vulnerabilities on the Endor Labs user interface.

If the `package.lock.json` file is not present in the repository, Endor Labs triggers the restore process to generate the `package.lock.json` file and uses it to perform the dependency scans.

### Resolving package names from props files

endorctl evaluates MSBuild property values that contain variables, as long as the same file defines those variables for example, `Directory.Build.props`. This enables accurate resolution of package names and versions, even if they are not explicitly declared in the `.csproj` file.

For example, in a setup like

`test.csproj`

```bash theme={null}
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
```

`Directory.Build.props`

```bash theme={null}
<Project>
  <PropertyGroup>
    <CompanyName>via-build-prop</CompanyName>
    <AssemblyName>$(CompanyName).$(MSBuildProjectName)</AssemblyName>
  </PropertyGroup>
</Project>
```

When generating package names for .NET projects, the system evaluates the `AssemblyName` property defined in the project’s `.props` file. Instead of using a generic name like `test`, the system applies the evaluated value, for example, `via-build-prop.test`. This approach enables consistent and customizable package naming based on MSBuild properties.

### How Endor Labs performs static analysis on the code

Endor Labs performs static analysis on the C# code based on the following factors:

* Endor Labs creates call graphs for your package and combines them with the dependency call graphs to form a comprehensive call graph for the entire project.
* Endor Labs looks for the project's `.dll` files typically located within the bin directory.
* Endor Labs performs an inside-out analysis of the software to determine the reachability of dependencies in your project.
* The static analysis time may vary depending on the number of dependencies in the package and the number of packages in the project.

### Known Limitations

* When using the GitHub app, either resolve all the private and internal dependencies, or [Configure private NuGet package repositories](#configure-private-nuget-package-repositories) before running a scan.
* When working with old-style MSBuild projects, we recommend scanning them through [Continuous Integration (CI)](/setup-deployment/ci-cd) after building the project to ensure that the .NET build system generates the required `obj/project.assets.json` file. For [monitoring scans](/setup-deployment/scm-integrations), support for restoring dependencies in Windows projects is limited. This may lead to **restore or build errors**, potentially causing unexpected scan results.

### Call graph limitations

* You must install .NET 7.0.1 (SDK 7.0.101) or later on the host system.
* The following .NET programming languages are not supported for dependency resolution or call graph generation:
  * Projects written in F#
  * Projects written in Visual Basic
* Endor Labs bases .NET call graph support on [Microsoft's Common Intermediate Language](https://learn.microsoft.com/en-us/dynamicsax-2012/appuser-itpro/compile-into-net-framework-cil) (CIL). Ensure that artifacts such as `.exe` or `.dll` files exist in the project's standard workspace through a build and restore or a restored cache.

## Troubleshoot errors

Here are a few error scenarios that you can check for and attempt to resolve them.

* **Host system check failure errors**:
  .NET or NuGet is not installed or not present in the PATH environment variable. Install NuGet and try again.
* **Unresolved dependency errors**:
  This error occurs when the `.csproj` file can not be parsed or if it has syntax errors.