FOSSA supports .NET (C#, F#, Visual Basic, etc...) projects through NuGet.
FOSSA will attempt to resolve any dependencies listed under the following files:
FOSSA does not currently inspect
project.lock.json files or support
frameworkAssemblies specified in the
.nuspecfiles must be in
- FOSSA currently ignores
Frameworksspecified in the
- FOSSA currently ignores the
CI/CD Scanning relies on
fossa-cli v0.5.0+. To get started, install the latest release of
fossa-cli from our GitHub releases page:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
fossa-cli will build your project with
nuget. Afterwards, it will parse the lockfiles left from your build as well as analyzes what you've installed in your
packages directory, producing dependency data to upload to fossa.
View our extended NuGet documentation on the
fossa-cli GitHub page.
You can configure FOSSA to fetch dependencies from private NuGet feeds published through tools like Artifactory or Sonatype Nexus.
In order for FOSSA to reach private feeds, go to your DotNet Language Settings under Account Settings > Languages > .NET and add your login credentials:
Afterwards, you will be able to resolve private NuGet dependencies in FOSSA.
When FOSSA discovers a NuGet artifact, it will scan all data provided in the package metadata as well as perform a full code scan of any files that are associated / provided with a NuGet archive.
In addition, if a license file is provided as a URL (in a
.nuspec file via the
licenseUrl property) FOSSA will attempt to crawl the URL and scan the endpoint for license data.
In the FOSSA UI, matches against licenses retrieved via web crawling will be labeled as
Any missing data will be enriched by associated codebases that can be resolved to known artifacts.
Updated 10 months ago