NuGet Detection depends on the following to successfully run:
- One or more
*.nuspec,*.nupkg,*.packages.config, or.*csprojfiles. - The files each NuGet detector searches for:
NuGet Detection is performed by parsing any *.nuspec, *.nupkg, *.packages.config, or *.project.assets files found under the scan directory. By searching for all *.nuspec, *.nupkg files on disk the global NuGet cache gets searched which can include packages that are not included in the final build.
The NuGetProjectCentric detector raises NuGet components referenced by projects that use the latest NuGet (v3 or later) and build-integrated PackageReference items. These components represent both direct dependencies and transitive dependencies brought in by references from direct package and project references. Packages that contribute no assets to the project or exclusively contribute Compile assets are treated as development dependencies.
The .NET SDK will perform conflict resolution for all packages during the build. This process will remove assets from packages that overlap with assets of the same name that come from the .NET framework that's used by the project. For example if a project references System.Text.Json version 6.0.0 and targets net8.0 which includes a newer System.Text.Json the .NET SDK will ignore all the assets provided by the System.Text.Json package and only use those provided by the framework. Unfortunately the result of this process is not persisted in any build artifact. To approximate this we capture a list of packages per framework version that would lose to the framework assets. When examining packages referenced by a project for a given framework, if we find that its included in the list we'll mark it as a development dependency.
Future versions of the .NET SDK have moved this framework conflict resolution into NuGet via the PrunePackageReference feature. This feature will apply similar rules to conflict resolution during restore and avoid even downloading the package. As a result the packages will not appear at all in the assets file since they are no longer used.
The NuGetPackagesConfig detector raises NuGet components referenced by projects or solutions that use the older NuGet (v2) packages.config file.
- Any components that are only found in
*.nuspecor*.nupkgfiles will not be detected with the latest NuGet Detector approach, because the NuGet detector that scans*.nuspecor*.nupkgfiles overreports. This is due to of NuGet's [restore behaviour][8] which downloads all possible dependencies before [resolving the final dependency graph][9].