Add support for "dotnet-retire"
I’ve just found RetireNet. This tool produces massively more information and also finds some vulnerabilities.
- It scans all transitive dependencies,
- It includes the .NET Framework / .NET Core version as well
- I think this is very important, because MSFT mostly publish vulnerabilities for a specific .netcore version
Maybe you can include dotnet-retire and create a bom.xml out of the scan results from dotnet-retire. Or add a parameter to take additional input from its output.
Regarding the CycloneDX spec, it’s also possible to add vulnerabilities to the bom.xml.
What do you think?
Top GitHub Comments
Ideally, RetireNet would produce a valid CycloneDX BOM, similar to what Retire.js already does. So it could be used as an alternative way to create BOMs from .NET projects and optionally generate the vulnerabilities in the BOMs as well.
But in order for their BOM to be useful, the project needs to support Package URL (refer to https://github.com/RetireNet/dotnet-retire/issues/33) and optionally CPE.
I would recommend creating an enhancement request for that project to support the output of CycloneDX with the vulnerability info.
If RetireNet ever supports Package URL, then yes, I plan to support it as an analyzer in Dependency-Track. Their data feed is missing a few things, however.
If their data improves, there’s a lot of potential for integration.
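To make concrete what the proposal above and the maintainer's Package URL requirement add up to, here is an added Python example (not code from dotnet-retire, Dependency-Track or this issue) that turns constructed scanner findings into a CycloneDX BOM: each NuGet package becomes a component whose `pkg:nuget/...` purl doubles as its bom-ref, and each advisory becomes a vulnerability entry linked to that ref. It assumes the CycloneDX 1.4 XML element names; the package names and advisory id are placeholders.

```python
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.4"   # CycloneDX 1.4 XML namespace

def q(tag):
    """Namespace-qualify a CycloneDX element name for ElementTree."""
    return f"{{{NS}}}{tag}"

def nuget_purl(name, version):
    """Package URL for a NuGet package: pkg:nuget/<name>@<version>."""
    return f"pkg:nuget/{name}@{version}"

def build_bom(findings):
    """Emit a CycloneDX BOM: one component per package (purl used as its
    bom-ref) and one vulnerability entry per advisory, linked by that ref."""
    ET.register_namespace("", NS)            # serialize with a default xmlns
    bom = ET.Element(q("bom"), {"version": "1"})
    components = ET.SubElement(bom, q("components"))
    vulns = ET.SubElement(bom, q("vulnerabilities"))   # must follow components
    for f in findings:
        purl = nuget_purl(f["name"], f["version"])
        comp = ET.SubElement(components, q("component"),
                             {"type": "library", "bom-ref": purl})
        ET.SubElement(comp, q("name")).text = f["name"]
        ET.SubElement(comp, q("version")).text = f["version"]
        ET.SubElement(comp, q("purl")).text = purl
        for advisory in f.get("advisories", []):
            v = ET.SubElement(vulns, q("vulnerability"))
            ET.SubElement(v, q("id")).text = advisory
            target = ET.SubElement(ET.SubElement(v, q("affects")), q("target"))
            ET.SubElement(target, q("ref")).text = purl     # link to component
    return ET.tostring(bom, encoding="unicode")

def bom_summary(xml_text):
    """Parse a BOM back into {purl: [advisory ids]}, i.e. the join a consumer
    such as Dependency-Track needs to match components to findings by purl."""
    root = ET.fromstring(xml_text)
    summary = {c.findtext(q("purl")): [] for c in root.iter(q("component"))}
    for v in root.iter(q("vulnerability")):
        for ref in v.iter(q("ref")):
            summary[ref.text].append(v.findtext(q("id")))
    return summary

# Constructed sample findings in the shape a scanner might report; the
# package names and the advisory id are placeholders, not real data.
SAMPLE_FINDINGS = [
    {"name": "Example.Lib", "version": "1.2.3", "advisories": ["EXAMPLE-ADV-0001"]},
    {"name": "Other.Lib", "version": "4.0.0", "advisories": []},
]
```

Running `print(build_bom(SAMPLE_FINDINGS))` shows the BOM; a transitive dependency with no purl would simply be unmatchable in `bom_summary`, which is the maintainer's point about Package URL support.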