Homepage: https://github.com/aboutcode-org/nuget-inspector and https://www.aboutcode.org/
nuget-inspector is a utility to:
- resolve .NET project nuget packages dependencies
- parse various project and package manifests and lockfiles such as .csproj files, and several related formats (including legacy formats)
- query NuGet.org APIs for package information to support dependency resolution
It grew out of the need to have a reliable way to analyze .NET code projects and their dependencies independently of the availability of a dotnet SDK installed on the machine that runs this analysis; and that could run on Linux, Windows and macOS.
The goal of nuget-inspector is to be a comprehensive tool that can handle every style of .NET and NuGet projects and package layouts, manifests and lockfiles.
WARNING! this tool is under heavy development and its CLI options and output format are evolving quickly.
Install the dotnet SDK 6.x for your platform from Microsoft https://learn.microsoft.com/en-us/dotnet/core/install/
Download and extract the pre-built binary release archive from the release page https://github.com/aboutcode-org/nuget-inspector for your operating system. (Linux-only for now)
Run the command line utility with:
nuget-inspector --help
For instance, you can fetch nuget-inspector own project file at:
https://raw.githubusercontent.com/nexB/nuget-inspector/main/src/nuget-inspector/nuget-inspector.csproj
And then run:
nuget-inspector --project-file nuget-inspector.csproj --json nuget-inspector.json
And review the nuget-inspector.json JSON output file with its resolved dependencies.
Note that the output data structure is evolving and not final.
Copyright (c) nexB Inc. and others.
Copyright (c) the .NET Foundation, Microsoft and others.
Portions Copyright (c) 2018 Black Duck Software, Inc.
Portions Copyright (c) Mario Rivis https://github.com/dxworks
Portions Copyright (c) 2016 Andrei Marukovich https://github.com/Dropcraft/Dropcraft
SPDX-License-Identifier: Apache-2.0 AND MIT
This project is based on, depends on or embeds several fine libraries and tools. Here are credits for some of these key projects without which it would not exist:
NuGet.Client,MSBuildandupgrade-assistantfrom the .NET Foundation which are the core .NET tools and libraries to handled .NET and NuGet projects. https://github.com/NuGet/NuGet.Client/ https://github.com/dotnet/msbuild/ https://github.com/dotnet/upgrade-assistantnuget-dotnet5-inspectorfrom Synopsys as forked by Mario Rivis https://github.com/dxworks/nuget-dotnet5-inspectoraudit.netNugetAuditorandDevAuditfrom Sonatype https://github.com/sonatype-nexus-community/DevAudit/ https://github.com/sonatype-nexus-community/audit.netbuild-infoandnuget-deps-treefrom JFrog https://github.com/jfrog/build-info https://github.com/jfrog/nuget-deps-tree/Component DetectionandOSSGadgetfrom Microsoft https://github.com/microsoft/component-detection/ https://github.com/microsoft/OSSGadgetcyclonedx-dotnetfrom the OWASP Foundation https://github.com/CycloneDX/cyclonedx-dotnetDependencyCheckfrom Jeremy Long https://github.com/jeremylong/DependencyCheckDependencyCheckerfrom Fabrice Andréïs https://github.com/chwebdude/DependencyCheckerdotnet-oudatedfrom Jerrie Pelser and contributors https://github.com/dotnet-outdated/dotnet-outdatedNugetDefensefrom Curtis Carter https://github.com/digitalcoyote/NuGetDefensesnyk-nuget-pluginanddotnet-deps-parserfrom Snyk https://github.com/snyk/snyk-nuget-plugin https://github.com/snyk/dotnet-deps-parserverademo-dotnetandverademo-dotnetcoreand from Veracode https://github.com/veracode/verademo-dotnet https://github.com/veracode/verademo-dotnetcoredropcraftfrom Andrei Marukovich https://github.com/Dropcraft/Dropcraft
These projects are used either in the built executables, at build time or for testing (a large number are used for testing). The built executables are designed to be self-contained exes that do not require additional libraries to run on the target system, beyond a dotnet SDK.