Scan a .NET application

2024/3/11

This article describes how to scan a .NET application using Lucent Sky AVM.

In this article, you will learn how to:

  • Scan a .NET application.

At the end, you will be able to scan a .NET application.

ASP.NET Web Application

An ASP.NET Web Application has a project file (.csproj or .vbproj) and may be part of a solution.

  • If the web application is a single project, navigate to the root of the project directory, and create an archive file with the project file in the root of the archive file.
  • If the web application is a project that is part of a solution, navigate to the root of the solution directory, and create an archive file with the solution file (.sln) in the root of the archive file. Specify the relative path to the project file within the archive in Analysis Target when creating a scan.

ASP.NET Web Forms Site (previously known as Web Site)

An ASP.NET Web Forms Site does not have a project file.

Navigate to the root of the web site, and create an archive file with the top-most web.config in the root of the archive file.

Windows Desktop project and WCF project

Windows Desktop projects include WPF App, Windows Forms App, Console App, Class Library, Windows Service, and various kinds of Control Library. WCF projects include WCF Service Library and WCF Service Application. Each has a project file (.csproj or .vbproj) and may be part of a solution.

  • If the project is a single project, navigate to the root of the project directory, and create an archive file with the project file in the root of the archive file.
  • If the project is part of a solution, navigate to the root of the solution directory, and create an archive file with the solution file (.sln) in the root of the archive file. Specify the relative path to the project file within the archive in Analysis Target when creating a scan.

.NET, .NET Core project, and .NET Standard project

.NET and .NET Core projects include .NET Console App, .NET Class Library, ASP.NET Core Web Application, and more. .NET Standard projects include .NET Standard Class Library. Each has a project file (.csproj or .vbproj) and may be part of a solution.

  • If the project is a single project, navigate to the root of the project directory, and create an archive file with the project file in the root of the archive file.
  • If the project is part of a solution, navigate to the root of the solution directory, and create an archive file with the solution file (.sln) in the root of the archive file. Specify the relative path to the project file within the archive in Analysis Target when creating a scan.

.NET, .NET Core, and .NET Standard projects are only compatible with .NET or .NET Core build tools, so make sure to select a compatible runtime. Select .NET Core 3.1 for .NET Core and .NET Standard projects, and .NET 6.0 for .NET projects. Using these runtimes ensures that the latest MSBuild available on the system will be used to build these projects.

Other considerations

  • Base directory

    Scan arguments such as BuildOutputPath are relative to the base directories of the application. When the analysis target is a project file, the base directory is the parent directory of the project file. For example, if the analysis target is the project file ContosoApi\Contoso.Api.csproj, the base directory is ContosoApi. When the analysis target is a solution, the base directories are the parent directories of its project files and/or web.config files. For example, if the analysis target is the solution file Contoso.sln and it contains two projects, Contoso.Api\Contoso.Api.csproj and Contoso.Web\web.config, the base directories are Contoso.Api and Contoso.Web, respectively.

  • MSBuild versions

    For projects targeting .NET Framework, Lucent Sky AVM uses the MSBuild bundled with their respective version of .NET Framework. For projects targeting .NET, .NET Core, and .NET Standard, Lucent Sky AVM uses the latest MSBuild available on the system that is version 12 or later. To use the latest MSBuild available on the system for .NET Framework projects, include MsBuild,latest in scan arguments. To use a specific version of MSBuild, specify the version number in the MsBuild scan argument, such as MSBuild,15.

  • Build artifacts

    Lucent Sky AVM analyzes MSBuild output to locate build artifacts for binary analysis. If the analysis target is a solution, the build artifacts of all its projects will be used for binary analysis. To make Lucent Sky AVM look for build artifacts for binary analysis in specific locations, use the BuildOutputPath scan argument to specify the path to build output directories or the path to the build artifacts, relative to its base directories. For example, if the base directory is ContosoWeb and the build artifacts are located in the ContosoWeb\bin directory, include BuildOutputPath,bin in scan arguments; if the base directories are Contoso.Api and Contoso.Web, and the build artifacts are located in their respective Debug\bin directories, include BuildOutputPath,Debug\bin in scan arguments.

    For ASP.NET projects, Lucent Sky AVM uses the artifacts from ASP.NET compilation and ignores the BuildOutputPath scan argument.

  • MSBuild properties

    Some projects use MSBuild properties defined outside of the project file, such as in environment properties, registry properties, or global properties. Use the BuildProperties scan argument to supply these properties. The value of the argument should be the value of MSBuild's -property switch, except that each property should be separated by a comma and not a semicolon. For example, PropA=Aye,PropB=Bee.

  • Packages and dependencies

    • NuGet

      If the project uses NuGet to manage its referenced packages, make sure the system can access the feeds used by the project.

    • SDKs and runtimes

      If the project relies on SDKs and runtimes that are installed on the development and build environments, make sure those SDKs and runtimes are installed on the system, packaged along with the source code, or available in a custom runtime.

  • Direct binary analysis

    Lucent Sky AVM can directly scan the binary files of .NET applications, with or without the accompanying source code. Using direct binary analysis speeds up scans, and also enables the complete analysis of applications that cannot be built for reasons such as missing source code or SDKs. To scan a .NET application using direct binary analysis, specify the relative path to the primary binary file within the archive in Analysis Target when creating a scan.

    To learn more about how to scan an application using direct binary analysis, view the following article in the Lucent Sky Knowledge Base:
    Scan an application using direct binary analysis

  • Performance

    If the application has a large number of data files in JSON or XML format, or a large number of backup files, it is recommended to either remove them prior to scan or set the ExcludeFileTypes scan argument to Backup, Config, or Backup,Config to exclude these files from analysis and improve analysis performance.

    If the application has a large number of media files, it is recommended to remove them prior to scan to reduce the amount of storage space required.
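
A local pre-upload check for the packaging rules and the base directory rule described above, as an added example that is not part of Lucent Sky AVM or its documentation. It assumes the archive is a ZIP file and that a web site appears in the solution file as a directory entry; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

PROJECT_EXTS = (".csproj", ".vbproj")
# .sln project entry: Project("{type}") = "Name", "relative\path", "{id}"
SLN_PROJECT = re.compile(r'^Project\("[^"]*"\)\s*=\s*"[^"]*",\s*"([^"]+)"', re.M)

def archive_index(zf):
    """Map each file entry (as a Windows-style relative path) to its zip name."""
    return {PureWindowsPath(n): n for n in zf.namelist() if not n.endswith("/")}

def root_kind(zf):
    """Packaging rule satisfied by the archive root, or None if none is."""
    root = {p.name.lower() for p in archive_index(zf) if len(p.parts) == 1}
    if any(n.endswith(".sln") for n in root):
        return "solution"
    if any(n.endswith(PROJECT_EXTS) for n in root):
        return "project"
    return "website" if "web.config" in root else None

def base_directories(zf, analysis_target):
    """Base directories for an analysis target, per the base directory rule."""
    index = archive_index(zf)
    target = PureWindowsPath(analysis_target)
    if target not in index:
        raise ValueError(f"{analysis_target} is not in the archive")
    if target.suffix.lower() != ".sln":
        return [str(target.parent)]  # project file: its parent directory
    bases = []
    for rel in SLN_PROJECT.findall(zf.read(index[target]).decode("utf-8-sig")):
        path = target.parent / rel
        if path.name.lower().endswith(PROJECT_EXTS) and path in index:
            bases.append(str(path.parent))
        elif path / "web.config" in index:  # web site entry: a directory
            bases.append(str(path))
    return bases

def sample_archive():
    """Constructed sample: Contoso.sln with one project file and one web site."""
    sln = ('Project("{TYPE}") = "Contoso.Api", "Contoso.Api\\Contoso.Api.csproj", "{1}"\n'
           'EndProject\nProject("{TYPE}") = "Contoso.Web", "Contoso.Web\\", "{2}"\nEndProject\n')
    files = {"Contoso.sln": sln, "Contoso.Api/Contoso.Api.csproj": "<Project/>",
             "Contoso.Web/web.config": "<configuration/>"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return zipfile.ZipFile(buf)
```

A BuildOutputPath value such as Debug\bin is then resolved against each directory that base_directories returns.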