.NET Scanning

SourceClear Software Composition Analysis

Finding Vulnerabilities in .NET repositories

Finding vulnerabilities in your .NET repositories using SourceClear is simple. This page includes steps for running a SourceClear scan using the SourceClear Command Line Interface, but you can scan with any of the SourceClear CI Integrations as well.

Requirements

Scanning a repository that uses .NET and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes the following requirements based on the various package managers:

.NET Requirements

  • Requirements for the SourceClear agent
  • .NET, Nuget CLI, or MSBuild installed
  • CSPROJ, FSPROJ, or VBPROJ files present in the repository

Running a Scan

You can use SourceClear to scan any code repository to which you have access and that fulfills the above requirements. To demonstrate how to run a scan, you can clone one of SourceClear's public repositories:

git clone https://github.com/srcclr/example-dotnet

Note: You can also scan code repositories hosted on Git by using the --url argument with the CLI agent (see the documentation for usage), but for the purposes of this guide it is assumed you have the code stored locally.

Once the code has been cloned to your desktop, point the SourceClear CLI agent at the directory of the repository and scan:

# Replace "example-dotnet" with your project folder name
srcclr scan path/to/example-dotnet

To view more verbose output during the scan process, you can add the --loud argument:

srcclr scan path/to/example-dotnet --loud

The SourceClear agent uses the native package managers to identify the dependencies and their versions in your project. The command used varies depending on the build or package manager. When the agent evaluates the open source libraries in use, a summary of the scan results is produced that includes counts for total libraries used, vulnerable libraries, percentage of third party code, and a list of the vulnerabilities found.

Viewing Scan Results

After completing a scan, the bottom of the output in your terminal includes a link to the SourceClear platform to view the scan results in more detail:

Licenses
Unique Library Licenses              3
Libraries Using GPL                  0
Libraries With No License            1

Full Report Details                  https://acmedemo.sourceclear.io/teams/X33hObV/scans/2188500

Navigating to this link allows you to view the results of your scan in its entirety.

The scan results are broken down into the following categories:

  • Issues - This category includes out-of-date libraries, license violations, and vulnerabilities uniquely associated to a specific version of a library within a specific repository.
  • Vulnerabilities - This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
  • Libraries - Libraries consist of each open source library that SourceClear has identified within a code project.
  • Licenses - Licenses allow users to view the software license information associated with each open-source library in use.

You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses overview.

Fixing Vulnerability Issues

After viewing the scan results, you can access the clear instructions for fixing vulnerability issues that SourceClear provides through the web interface.

Fixing a Direct Vulnerability

When a library is specifically referenced in your configuration file, SourceClear refers to the library as a direct dependency. Fixing a vulnerability in a direct dependency using SourceClear is simple. Using the open source project mentioned in Running a Scan, navigate to the project scan results within the SourceClear UI and filter down to Vulnerability issues that are included only in Direct Libraries.

After filtering the scan results, you can drill into an issue to find out how to fix it by clicking the issue ID next to the vulnerability name. Clicking the ID brings you to the issue details page, where you will find information on fixing the vulnerability. In general, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version recommended by SourceClear. SourceClear recommends a version that is associated neither with the vulnerability you are subject to nor with any other vulnerabilities that switching to a different version might introduce. To keep the update from having a significant impact on your code, the recommended version is the one closest to your current version that is still not associated with other vulnerabilities.
Note: Some libraries include vulnerabilities that have not yet been fixed, so SourceClear cannot provide a version to update to. In these cases, Veracode recommends you either create a pull request to the unfixed library or use a different library in your code.
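The version update described above is applied in the project file that declares the direct dependency. The following is an added example, not SourceClear's or Veracode's code: it lists the direct NuGet dependencies of an SDK-style .csproj (the PackageReference entries SourceClear treats as direct libraries) and rewrites one of them to a recommended version. The project file, package names and versions are constructed for illustration.

```python
# Added example (not SourceClear's code): enumerate the direct dependencies
# declared in an SDK-style .csproj and bump one to a recommended version.
import xml.etree.ElementTree as ET

# Constructed sample project file; package ids and versions are illustrative.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Example.Json" Version="9.0.1" />
    <PackageReference Include="Example.Logging" Version="2.1.0" />
  </ItemGroup>
</Project>
"""


def direct_dependencies(csproj_xml: str) -> dict:
    """Return {package_id: version} for every PackageReference in the file.

    These explicitly referenced packages are the direct dependencies; anything
    they pull in themselves is transitive and does not appear here.
    """
    deps = {}
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        package = ref.get("Include")
        # The version is either an attribute or a child <Version> element.
        version = ref.get("Version") or ref.findtext("Version")
        if package and version:
            deps[package] = version
    return deps


def bump_version(csproj_xml: str, package: str, recommended: str) -> str:
    """Return the project XML with `package` pinned to `recommended`.

    Raises KeyError when the package is not a direct dependency, so a typo in
    the package id cannot silently leave the vulnerable version in place.
    """
    root = ET.fromstring(csproj_xml)
    for ref in root.iter("PackageReference"):
        if ref.get("Include") != package:
            continue
        child = ref.find("Version")
        if ref.get("Version") is None and child is not None:
            child.text = recommended
        else:
            ref.set("Version", recommended)
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"{package} is not a direct dependency of this project")
```

After writing the returned XML back to the .csproj, rerun the scan as described under Validating a Fixed Vulnerability to confirm the issue no longer appears.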

Validating a Fixed Vulnerability

To validate a fix you have made to your repository before committing your code changes, run a SourceClear scan with the --allow-dirty option, which tells the agent to include uncommitted changes within your code:

srcclr scan /path/to/example-dotnet --allow-dirty

When you verify that the vulnerability no longer appears in the scan output, you have fixed the vulnerability and you can proceed to commit your code.