.NET (C#, F# VB)

FOSSA supports .NET (C#, F#, Visual Basic, etc...) projects through NuGet.

ToolQuick Import (app.fossa.com)CLI (fossa-cli)
NuGet.csproj/.xproj, packages.config, project.json or .nuspec.csproj/.xproj, packages.config, project.lock.json, obj/project.assets.json, project.json or .nuspec

Quick Import (app.fossa.com)

FOSSA will attempt to resolve any dependencies listed under the following files:

  • .csproj/.xproj
  • packages.config
  • project.json
  • .nuspec

FOSSA does not currently inspect project.lock.json files or support files, references, or frameworkAssemblies specified in the .nuspec file.

Other Limitations

  • .nuspec files must be in utf8 encoding.
  • FOSSA currently ignores Frameworks specified in the project.json/packages.config file
  • FOSSA currently ignores the NuGet.config file

CLI (fossa-cli)

To get started, install the latest release of fossa-cli from our GitHub releases page:

curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash

fossa-cli will build your project with dotnet or nuget. Afterwards, it will parse the lockfiles left from your build as well as analyzes what you've installed in your packages directory, producing dependency data to upload to fossa.

View our extended NuGet documentation on the fossa-cli GitHub page.


You can configure FOSSA to fetch dependencies from private NuGet feeds published through tools like Artifactory or Sonatype Nexus.

In order for FOSSA to reach private feeds, go to your DotNet Language Settings under Account Settings > Languages > .NET and add your login credentials:


Nuget Authentication View

Afterwards, you will be able to resolve private NuGet dependencies in FOSSA.

Package Data

When FOSSA discovers a NuGet artifact, it will scan all data provided in the package metadata as well as perform a full code scan of any files that are associated / provided with a NuGet archive.

In addition, if a license file is provided as a URL (in a .nuspec file via the licenseUrl property) FOSSA will attempt to crawl the URL and scan the endpoint for license data.

In the FOSSA UI, matches against licenses retrieved via web crawling will be labeled as LICENSE_<license-name>.txt.

Any missing data will be enriched by associated codebases that can be resolved to known artifacts.