Enhancements to Nuget (.NET) Scanning in Nexus Lifecycle

If you updated to IQ 95 recently, you might have noticed a change in your Nuget (.NET) scans in Nexus Lifecycle. As of IQ Release 95, we introduced a new data source to enhance our Nuget data, impacting how it is scanned and represented in Nexus LIfecycle.

In order to see these changes, you must be on IQ 95 or greater. Those on a version of IQ 94 or before will not have access to the enhanced data.

What is different now?

Our Nuget data is now enhanced with pecoff data, allowing us to identify the following extensions: .acm, .ax, .cpl, .dll, .drv, .efi, .exe, .mui, .ocx, .scr, .sys, .tsp.

Developers will also need to use their IDE/tooling to figure out which package brought the DLL into their application.

What is pecoff data?

Pecoff (PE = Portable Executable, COFF = Common Object File Format) is how Sonatype categorizes Nuget metadata. This is how the file format will be labeled in your scans and reflected in PURL Spec, the CIP, and the component identified.

How will I view this data change?

Pecoff data will be displayed on a graph in the CIP like any other ecosystem.

There are two ways the data will appear in the CIP. The first is with “type” categorized as “nuget”:

The second is with “type” categorized as “pecoff”:

What is the impact of these improvements to my organization?

You will see more results/identifications and subsequently less unknown results in your scans. There is also a chance that you will see duplicate findings caused by a Nuget package supporting various versions and folders. Future enhancements will address this duplicate issue.

Because pecoff does not provide license information, you might notice a decrease in license identifications. To obtain this information, we recommend either scanning the .nupkg file directly or creating a BOM using CycloneDX.

Are there proactive measures to help prepare for the update?

No. If you would like to start seeing these results immediately, just make sure you are upgraded to IQ 95.

How has remediating policy violations and applying waivers changed?

Upgrading to IQ 95 could cause an increase in violations caused by pecoff because of its potential to change the underlying violation causing any existing waiver and remediation to longer match.

If you run into this issue, use this guide.

Where can I ask additional questions?

You can reply directly to this post. If you are not already registered to the Sonatype User Community, you will be prompted to create an account. This will empower you to create and reply to other threads initiated by both the Sonatype team and your community peers. Notifications can be easily configured to ensure you are aware of updates for a specific thread and/or important announcements within the Community.

Additional Resources