nuget.md

NuGet Detection

Requirements

NuGet Detection depends on the following to successfully run:

• One or more *.nuspec, *.nupkg, *.packages.config, or .*csproj files.
• The files each NuGet detector searches for:
  • The NuGet detector looks for *.nupkg, *.nuspec, nuget.config, paket.lock
  • The NuGetPackagesConfig detector looks for packages.config
  • The NuGetProjectCentric detector looks for project.assets.json

Detection Strategy

NuGet Detection is performed by parsing any *.nuspec, *.nupkg, *.packages.config, or *.project.assets files found under the scan directory. By searching for all *.nuspec, *.nupkg files on disk the global NuGet cache gets searched which can include packages that are not included in the final build.

Known Limitations

• Any components that are only found in *.nuspec or *.nupkg files will not be detected with the latest NuGet Detector approach, because the NuGet detector that scans *.nuspec or *.nupkg files overreports. This is due to of NuGet's restore behaviour which downloads all possible dependencies before resolving the final dependency graph.
• Dependencies from the .NET SDK that are underreported. The list of dependencies can be found here.