.NET
Tunnel supports the .NET Core and NuGet package managers.
The following scanners are supported.
Artifact | SBOM | Vulnerability | License |
---|---|---|---|
.NET Core | ✓ | ✓ | - |
NuGet | ✓ | ✓ | ✓ |
The following table provides an outline of the features Tunnel offers.
Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position |
---|---|---|---|---|---|
.NET Core | *.deps.json | ✓ | Excluded | - | ✓ |
NuGet | packages.config | ✓ | Excluded | - | - |
NuGet | *Packages.props | - | Excluded | - | - |
NuGet | packages.lock.json | ✓ | Included | ✓ | ✓ |
*.deps.json
Tunnel parses *.deps.json files. Tunnel currently excludes dev dependencies from the report.
Note
Tunnel only includes runtime dependencies in the report.
packages.config
Tunnel only finds dependency names and versions from packages.config files. To build a dependency graph, it is better to use packages.lock.json files.
*Packages.props
Tunnel parses *Packages.props files. Both legacy Packages.props and modern Directory.Packages.props are supported.
license detection
packages.config files don't have information about the licenses used.
Tunnel uses *.nuspec files from the global packages folder to detect licenses.
Note
The licenseUrl field is deprecated. Tunnel doesn't parse this field and only checks the license field (license expression type only).
Currently only the default path and NUGET_PACKAGES environment variable are supported.
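
The lookup described above, sketched as an added example (this is not Tunnel's own code): it resolves the global packages folder from NUGET_PACKAGES or the default ~/.nuget/packages, opens each package's .nuspec, and keeps only a license element of type expression. The function names and all package data are constructed for illustration, and the folder layout of lowercase id, then version, then lowercase id with the .nuspec extension is the standard NuGet global packages layout.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample data (not from a real project or package).
SAMPLE_CONFIG = """<packages>
  <package id="Example.Lib" version="1.2.0" targetFramework="net48" />
  <package id="Example.UrlOnly" version="2.0.0" targetFramework="net48" />
  <package id="Example.Missing" version="0.9.0" targetFramework="net48" />
</packages>"""
NUSPEC = ('<package xmlns="http://schemas.microsoft.com/packaging/2013/05/'
          'nuspec.xsd"><metadata><id>{id}</id>{body}</metadata></package>')
SAMPLE_NUSPECS = [
    ("example.lib", "1.2.0", '<license type="expression">MIT</license>'),
    ("example.urlonly", "2.0.0", "<licenseUrl>https://example.test/l</licenseUrl>"),
]

def global_packages_dir(env=None):
    """NUGET_PACKAGES if set, otherwise the default ~/.nuget/packages."""
    override = (os.environ if env is None else env).get("NUGET_PACKAGES")
    return Path(override) if override else Path.home() / ".nuget" / "packages"

def nuspec_license(packages_dir, pkg_id, version):
    """License expression from <id>/<version>/<id>.nuspec, else None."""
    name = pkg_id.lower()
    nuspec = Path(packages_dir, name, version.lower(), f"{name}.nuspec")
    if not nuspec.is_file():
        return None  # package was never restored into this folder
    for el in ET.parse(nuspec).getroot().iter():
        # Namespace-agnostic match; licenseUrl and type="file" are ignored.
        if el.tag.rsplit("}", 1)[-1] == "license" and el.get("type") == "expression":
            return (el.text or "").strip() or None
    return None

def license_report(config_xml, packages_dir=None):
    """Map each id@version in packages.config to its license expression."""
    root = packages_dir or global_packages_dir()
    return {f'{p.get("id")}@{p.get("version")}':
            nuspec_license(root, p.get("id"), p.get("version"))
            for p in ET.fromstring(config_xml).iter("package")}

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed packages folder
        for name, ver, body in SAMPLE_NUSPECS:
            Path(root, name, ver).mkdir(parents=True)
            Path(root, name, ver, f"{name}.nuspec").write_text(
                NUSPEC.format(id=name, body=body))
        return license_report(SAMPLE_CONFIG, root)
```

Calling demo() shows the two ways a package ends up with no license in a report: its .nuspec carries only licenseUrl, or the package was never restored into the folder being read. Treat an empty license result as unknown rather than as cleared when gating on license policy.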
packages.lock.json
Don't forget to enable lock files in your project.
Tip
Please make sure your lock file is up-to-date after modifying dependencies.
license detection
Same as packages.config