github.com/joey-fossa/fossa-cli@v0.7.34-0.20190708193710-569f1e8679f0/docs/integrations/dotnet.md

github.com/joey-fossa/fossa-cli@v0.7.34-0.20190708193710-569f1e8679f0/docs/integrations/dotnet.md (about)

     1  # .NET
     2  
     3  ## Installation
     4  
     5  .NET support in FOSSA CLI only depends on the presence of .NET related manifest files in the directory.
     6  
     7  ## Configuration
     8  
     9  Automatic: Run `fossa init` to walk the file tree and find any directories that contain a Package Reference file, NuSpec file, `packages.config`, `project.json`, or `paket.lock`.
    10  
    11  Manual: Add a module with `type` set to `nuget`, `target` to the path of the manifest file, and `dir` set to the location of the manifest file.
    12  
    13  ```yaml
    14  analyze:
    15    modules:
    16      - name: NugetModule
    17        type: nuget
    18        target: MyProject/Manifest.csproj
    19        dir: MyProject
    20        options:
    21          strategy: package-reference
    22  ```
    23  
    24  ## Options
    25  
    26  | Option     |  Type  | Name                         | Common Use Case                    |
    27  | ---------- | :----: | ---------------------------- | ---------------------------------- |
    28  | `strategy` | string | [Strategy](#strategy-string) | Specify a .NET analysis strategy. |
    29  
    30  #### `strategy: <string>`
    31  
    32  Manually specify the .NET analysis strategy to be used. Supported options:
    33  - `paket`: Parse `paket.lock` file.
    34  - `package-reference`: Parse a Package Reference file.
    35  - `nuspec`: Parse a NuSpec file.
    36  - `packages-config`: Parse `packages.config` file.
    37  - `project-json`: Parse `project.json` file.
    38  
    39  ## Analysis
    40  
    41  Default .NET analysis follows a series of fallbacks which attempts to determine a dependency graph by starting with the most accurate method and falling to the least accurate:
    42  
    43  1. Paket: Look for `paket.lock` and read for dependencies.
    44  2. Resolving method: Attempt to resolve any existing NuGet lockfile created by your build (at `{module.path}/obj/project.assets.json`). It will parse this file for installed dependencies and compare them to the Package Reference file in order to determine an accurate dependency graph.
    45  3. Package Reference: Look for a file that matches the Package Reference file format and read for dependencies.
    46  4. NuSpec: Look for a NuSpec file and read for dependencies.
    47  5. Packages Config: Look for `packages.config` and read for dependencies.
    48  6. Project JSON: Look for `project.json` and read for dependencies.
    49  
    50  ## Known limitations
    51  
    52  - Doesn't support conditional direct dependencies (e.g. conditioned on target framework) -- will get all references regardless of target framework.
    53  - Only supports top-level itemgroup/packagereferences (not e.g. those under choose element).
    54  - Currently, `fossa` supports NuGet lockfiles of `v2` and `v3` schemas.