Sign up:

Scanning .NET and Nuget projects for known vulnerabilities

 We recently completed version 1 of our .NET scanner. The goal is to take any .NET project and determine if it contains any references to software libraries with known-vulnerabilities.

For this blog post we thought we’d take our scanner out for a spin and see how it compares against the competition.

Results Summary:

  • MergeBase – 18 vulnerabilities, 0 false positives.
  • Snyk – 7 vulns and 5 false, or 4 vulns and 0 false (depends on scanner setup).
  • WhiteSource – 12 vulns, 0 false.
  • OWASP Dependency Check – 12 vulns, 17 false.
  • Dotnet Retire – 2 vulns, 0 false.
  • Sonatype – 0 vulns, 0 false.
  • Dependabot – 0 vulns, 0 false.


We chose the .NET Orleans project as a subject project to be scanned. It’s active, complex, and it builds successfully (August 6th, 2020, master = 2e10856f7b7ed9443c). We also liked how this project contained a mix of Nuget styles (e.g., older “packages.config” style as well as the newer “<PackageReference/>” style).

We type “dotnet build” before scanning. This way scanners can use the generated “obj/project.assets.json” files to supplement their scan data if they want to, and “dotnet build” is such a critical step for building any .NET project that we think it’s safe for an SCA tool to assume this command has completed successfully.

As for comparing results, we count CVE’s. If the scan outputs 1 or 300 or 9,000,000 hits against CVE-2018-8292, we count that as a single CVE. We then do a quick “desk check” to categorize the result as either a true-hit, a false-negative, or an ambiguous result (where it’s hard to say one way or the other). The “desk check” is very much based on my own decades of experience as a software engineer – I encourage others to rerun these scans and see if they agree or disagree.

Because this is a .NET scan, we ignore any results the scanners find from other file-types lying on the file system (e.g., “VotingWeb/wwwroot/lib/jquery/jquery.min.js”). We do, however, count results found from nuget references into other language artifacts (e.g., “GPSTracker.Web/packages.config” contains a nuget reference to “<package id=”bootstrap” version=”3.0.0″ targetFramework=”net45″ />” in its packages.config file – we’ll count this.)

Here is the exact sequence of steps:

  1. git clone
  2. dotnet build
  3. Deploy The Scanners!
  4. Validate the results.

A note about ambiguous results:

We classify some results as ambiguous. This means there’s definitely some smoke, so we can’t rule immediately it out as a false negative after examining the metadata, but on the other hand, there’s enough uncertainty to also make us uncomfortable considering it a true hit.


The vulnerability references “bootstrap” in the scan report but the CVE description talks about “bootstrap-sass”. Maybe? Or in another case the CVE description starts out with the words (in all caps) “DISPUTED”.


I’ll save the best for first! Here’s what MergeBase finds:

1. MergeBase

18 vulnerabilities found (and two ambiguous hits).

Drop the scanner into the Orleans subdirectory. Type “java -jar mergebase.jar .” and the results are pretty straightforward: 2 critical CVE’s, 5 high ones, and 11 mediums. A quick spot-check of the metadata looked good (no false positives and two ambiguous results).

2. Github Dependabot

Zero vulnerabilities found.

Dependabot not doing too much here, despite being a Microsoft product (albeit recently acquired):

3. Dotnet Retire

Two vulnerabilities found: CVE-2018-8292 and CVE-2018-8416. MergeBase also found these two among the 18 vulnerabilities it identified.

4. Sonatype

Zero .NET vulnerabilities found!

Sonatype does detect a small handful of JavaScript vulnerabilities (since Orleans contains things like “VotingWeb/wwwroot/lib/jquery/jquery.min.js”), but nothing for .NET. To be fair, their scanner instructions did say “you must copy all .NET packages you depend on into the zip file you are scanning beforehand.” I typed “dotnet build” and zipped the result (660MB). As far as I’m concerned, I was doing them a favour by even zipping up orleans post-build in the first place – no other scanner required that.

Note-to-self: Probably MergeBase should also scan those JavaScript packages! (Our current logic looks for NPM and Yarn lock files, but maybe it’s time to roll up our sleeves and consider scanning raw *.js and *.min.js files, too.)

5. Snyk

“It’s Complicated!” The problem with Snyk is that there’s two different ways to invoke the Snyk scanner, and each way returns wildly different results.

Snyk Approach #1 – Github Integration:

15 vulnerabilities found. 5 of those are false positives (all because Microsoft.NETCore.App was flagged as a dependency, but it’s not). 3 are ambiguous. 7 are true hits.

A few NPM and Docker vulnerabilities also found, but seeing as this bakeoff is only about .NET we ignored those.

Snyk Approach #2 – Command Line Invocation:

7 vulnerabilities found. 3 are ambiguous, leaving 4 true hits, including 1 true hit that Snyk approach #1 above did not find (CVE-2020-1469).

No NPM or Docker vulnerabilities found via this approach.

6. Whitesource Bolt

12 true CVE vulns.

3 ambigs.

7. OWASP Dependency Check

12 true CVE vulns.

3 true NON-CVE vulns.

2 ambigs.

17 falses

Unfortunately OWASP Dependency Check is currently unable to handle .NET’s property substitution (e.g., when a *.csproj file references “Directory.Build.props”), a common convention for developers maintaining these files. This causes some frustrating false positives, such as reporting that “Google.Protobuf:$(GoogleProtobufVersion)” is vulnerable to CVE-2015-5237.

OWASP Dependency Check also considers version 0.61.0 of the .NET MySqlConnector package to be vulnerable to 14 CVE’s – these are certainly all false positives. This is probably happening because Dependency Check considers version “0.61.0” to come before releases from MySQL’s popular version 5.x series against which many CVE’s have been filed over the years. However, version “0.61.0” of this package is less than 10 months old, making it impossible that it’s vulnerable to these ancient CVE’s.


Our own offering looks compelling in the .NET space. We were one of the top performers in this mini-benchmark, with Snyk, Whitesource, and the open source OWASP Dependency Check tool also providing reasonable results. We were surprised to see Sonatype and Dependabot perform so poorly here. Software developers currently using the popular open source “Dotnet Retire” tool for this problem should definitely consider other options.

As always with benchmarks such as these and security tools in general your mileage can vary a lot based on the tools you’re using and your own particular context. I think a lot of companies become complacent with their existing tools. Similar to with the smoke detectors in your house, it’s a good idea to benchmark your existing tools periodically, just to ensure that they are still working properly!

Introducing CodeGreen for Bitbucket

Recommended pre-reading:
Intro to SCA – Software Composition Analysis (

Atlassian Marketplace Link:
MergeBase CodeGreen (


One of the main challenges with known-vulnerabilities is how they mess with standard software lifecycles. A lot of traditional quality engineering relies on the old saying, “if it’s not broken, don’t touch it.” Known-vulnerability announcements for popular open source libraries completely go against that, since they are discovered and announced more or less at random. A good known-vulnerability SCA solution needs to deal with three very different cadences through which known-vulnerabilities will manifest themselves in your software:

If you’re serious about reducing open-source known-vulnerabilities within your software assets, CodeGreen is a tool for getting real results company wide. CodeGreen puts known-vulnerability software composition analysis (SCA) scans directly in front of software engineer eyeballs. A lot of application security work is done by following checklists and invoking security tools and uploading artifacts to cloud URLs during coding and reviewing tasks. CodeGreen short circuits all that by inserting itself directly into your company’s software engineering workflow (as a Bitbucket plugin). From there CodeGreen can inject a range of interventions customized to your corporate application security policy, from low-friction informational reports all the way to outright blocking. These interventions help you quickly get all of your software engineering teams onto the same page.

By attaching directly to the enterprise source-control system (as a Bitbucket plugin) GodeGreen is able to improve application security posture across the board for an entire organization. Your application security will improve within hours after your local Bitbucket administrator installs the CodeGreen plugin through Atlassian’s marketplace.

Vulnerabilities Arrive On Different Cadences

  1. New vulnerability announcements. Your application is not broken, in fact it’s working great! Clients love it. Management is happy. But a known vulnerability has been discovered and published that could be exploited by criminals and bring your brand down. You have to fix it! You must upgrade the insecure library to a safer version.
  2. Accidental vulnerability import (“developer-as-vector”). Under this scenario one of your developers unwittingly introduces a bad library version (that contains known-vulnerabilities) into one of your systems. Just because a “known-vulnerability” is known to the cyber security world at large does not mean it’s known to your own development staff!
  3. That terrifying first scan. This scenario is essentially a combination of the above two scenarios, albeit after several years of unmonitored vulnerability accumulation. The experience of running a first vulnerability scan can be so overwhelming and demoralising for staff that good SCA tools must account for this and provide strategies to manage the first scan.

CodeGreen is a unique tool in the SCA space in that it provides mitigations, reports, and controls designed specifically for these 3 cadences. The rest of this blog post goes into those capabilities in-depth.

For New-Vulnerability-Announcements: Add A Little Friction (Cadence #1)

Developers need to be aware of how newly discovered vulnerabilities affect their systems, but finding time to address these is always a balancing act based on risk, urgency, and other priorities. This is where CodeGreen can apply a little friction.

For Developer-As-Vector: Slam On The Brakes! (Cadence #2)

For cadence #2 (developer-as-vector), once awareness is in place, vulnerabilities should never come into software via this vector. The vast majority of software vulnerabilities are announced alongside a patched (fixed) release of the library. This means developers should never introduce vulnerable libraries into a software project unless such is absolutely unavoidable. This is where CodeGreen can slam on the brakes.

Managing That Terrifying First Scan (Cadence #3)

A lot of security tools are sold and marketed based on a simplified models of their operation – the tool is presented similar to a flashlight. Turn on the light, see into the darkness. But under the hood the tool might offer dials and controls and subtleties to users to help make its operation more successful. CodeGreen is no exception here!

Under ideal operation CodeGreen would be configured to apply maximum friction to encourage developers to eliminate all vulnerabilities, but that’s not tractable for most organizations, at least not at first.

To help make CodeGreen more practical we allow repository administrators to adjust the CVSS thresholds at which the various CodeGreen mitigations become active:

We recommend setting these to more permissive values during your initial rollout, and tightening them to more restrictive values as your teams’ application-security maturity improves.

For example, in the beginning you might want to enable only the CodeGreen double-push friction and set it to a CVSS 9.0 threshold and disable everything else. Make it an overt term goal to clear out all 9.0 vulnerabilities and above.

(But always enable “block-net-new-vulnerabilities” because that’s the dreaded cadence #2!)

Once you’ve achieved that, increase the “double-push” control to use a CVSS threshold of 8.0, so it catches more vulnerabilities.

Meanwhile, enable the “requires dual-approval” control (a much higher friction compared to double-push) and set that one to 9.0.

The end result here is interesting: any newly announced vulnerabilities will suddenly dramatically slow down development teams. The developer has a choice: find someone to approve their work, leaving the vulnerability in place, or just patch the brand new 9.8 vulnerability and avoid the dual-approval.

Which would you choose?

It’s a lot like thoroughly cleaning a house methodically from top to bottom: once a given room is clean, you can lock its door to prevent any additional mess from occurring in the already cleaned room. Similarly here you can clean out all the 9.0’s and above, and then “lock the door” on them by turning on the dual-approval control.


GodeGreen improves application security posture across the board for your entire organization by embedding open-source known-vulnerability scans directly into your centralized git source control. Your application security will improve within hours after your local Bitbucket administrator installs it!

Intro to SCA software composition analysis


Commercial and industrial software is now primarily constructed from components. Open source components, to be exact. Open source software licenses dramatically decrease business frictions that arise from incorporating and integrating software developed by external entities. No more contract negotiation or in-house legal review!

Add to this the fact that many software use cases are more or less identical across systems: http connectivity, encryption, spell checking, transaction management, database object mapping, unit testing, etc. The end result is predictable: in less time than it takes to read the 2-clause BSD open source software license, your developers are copying externally developed software libraries into your proprietary systems. Because: why not? The license allows it, and developers achieve their objectives with fewer bugs and time to spare.

Software developers can now easily obtain pre-fabricated high-quality software libraries to help implement significant portions of their software. Your colleagues only need to write a small amount of glue code to wire these libraries into the larger system. Software, like automobiles, is now made mostly from parts.

But unlike cars, the supply chain in the software world is complete mayhem and chaos. Consider this common clause found in the majority of open software licenses:

Unless required by applicable law or agreed to in writing, Licensor provides the Work on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND

Business-to-business provisioning policy would normally never allow such clauses to stand in a legal review. But the advantages of open source software outweigh the risk of running without warranties. You get what you pay for. But there are costs. People often say there is no such thing as a free lunch – the same is true of open source software.

The Upgrade Problem

Some people, when confronted with a problem, think “I know, I’ll use an open source software library.” Now they have two problems.

When I build my systems, I choose specific versions of open source libraries to incorporate into these systems. These versions quickly become stale as open source authors continuously update and evolve their libraries, issuing new releases periodically.

At first glance, the problem looks pretty simple and straight-forward. Somewhere in my build script my software will contain a line like this:





If I’m using JavaScript / NPM, then it would look a little different, but essentially the same:

 "dependencies": {

   "apache-struts2": "^2.5.22"


To avoid any vulnerability to the infamous cyber security bug that took down Equifax in 2017, I just have to change the “<version>” line in the text above to this:


Then I click “save” and “build” in my coding editor and voila! My software is now safe. In the NPM example things are even better thanks to that “^” character. The “^” symbol tells the build script to upgrade the library to 2.5.23 automatically.

However, despite how simple the example above appears, in actual practice this problem is a complete f’ing nightmare. For several reasons:

  1. How do I even find out that the libraries I’m using have updates available?
  2. My system currently operates correctly (to the best of my knowledge). Could a library update break my system (regression risk)?
  3. Sometimes libraries change their own calling protocols and requirements in subtle or even not-so-subtle ways. How much work will I need to do updating my glue code to integrate a particular library’s newest version into my software system?
  4. Related to item #3, do the library authors themselves have any recommendations regarding long term plans? For example, the authors of the popular “Apache HttpClient 3.x” library decided they hated maintaining it and rewrote the library completely from scratch. They actively encouraged consumers of their library to switch to their new rewrite (“Apache HttpComponents 4.x”), and stopped all maintenance of the older library, but unfortunately switching to this newer version required significant effort for consumers.
  5. Does the current version of the library I’m using have any critical security flaws in it? Normal bugs prevent or perturb normal usage patterns, but I’ve already established that the library operates correctly within my system, and so I’m not too concerned about normal bug fixes. Security bugs are a whole different animal, since they often allow malicious users to cause the library to misbehave in ways that can degrade or even breach and exploit the larger running system.
  6. Are any of the critical security flaws widely known to the public at large? E.g., are they referenced by specific CVE (Common Vulnerability and Exposure) advisories within the U.S. Government’s NVD (National Vulnerability Database)? Upgrading library versions that are associated to CVE records should be considered a high priority, since cyber security breaches via these vectors are often perceived as engineering negligence by the public.
  7. Can we confirm exploitability based on our current configuration? If we can prove our specific setup is non-exploitable, that can buy us time to postpone the upgrade for now. But sometimes even establishing non-exploitability requires more work than simply upgrading the library.
  8. Bear in mind we must tackle this problem repeatedly for every library currently incorporated into our larger software system. Most minimally useful commercial systems will bring in at least 30 libraries; I figure the average is around 80 libraries; and I’ve personally seen systems that contain more than 300 distinct libraries.
  9. Some practioners recommend upgrading libraries when new library versions contain useful features that you would like to incorporate into your system, especially if such new features would allow you to delete some of your own code. I am on the fence on this matter, since in my opinion the maxim “if it ain’t broke, don’t fix it” outweighs this. However, should a library update happen to obviate code you are using in a different library, allowing you to completely remove one of the library dependencies from your system, I do recommend taking that upgrade. Good luck ever noticing such obviations, however.

The list above enumerates the tensions and problems we face when upgrading software components. So what are people doing about it? First hand “in the field” I’ve seen three different approaches applied to this upgrade problem.

  • PURE MANUAL BEST EFFORTS. Under this approach the engineering team tries their best to keep library versions up to date when possible, and they try to keep an eye on any associated CVE records in the NVD database through google searches and peripheral awareness. END RESULT: typically these systems are severely stale and rife with vulnerabilities.
  • AUTOMATED ALWAYS UPGRADE EVERYTHING ALWAYS. These systems are less affected by CVE’s or other known-vulnerabilities, since known-vulnerability announcements tend to correspond to version updates, and systems under this regime take in updates immediately. This approach does not deal well with incompatible library upgrades, and such usually end up in a “Pure Manual Best Efforts” pile. END RESULT: these systems tend to have fewer known vulnerabilities, but they can be vulnerable to broken builds and regression bugs. They are also vulnerable to supply-chain attacks such as the event-stream NPM attack that occurred in late 2018.
  • TOOL ASSISTED SOFTWARE COMPOSITION ANALYSIS. Engineering teams can use SCA (Software Composition Analysis) tools to tackle the upgrade problem. Despite their name, SCA tools should really be called recall notifiers, since that is their primary function: to determine all public recalls associated with any of the software component versions referenced in a given system. These tools operate similar to the computer at your car dealership when the dealer types in your VIN and determines if your car has any outstanding recalls for any of its constituent parts. SCA tools immediately surface all library versions within your system that correspond to item 6 of my list above, helping software engineers prioritise their upgrading efforts to focus on the most urgent library updates.

SCA tools sometimes include additional features such as copyright license analysis and staleness checks. MergeBase’s own SCA toolchain focuses exclusively on the recall problem.

In summary, the “Upgrade Problem” is a fundamental tension inherent to any software development practice that builds on reuseable software components. The problem is not easy to resolve, but ultimately some libraries MUST be upgraded. Personally I recommend tying the library upgrade decision to two factors: first, consider the library version’s current cyber security risk profile, and second, consider if the library’s own development team is relatively active and responsive.

In a nutshell, leave the library version alone (do not update it) if the following two factors hold (“if it ain’t broke”):

  1. The library is actively maintained.
  2. There are currently no public known-vulnerability security advisories tied to the version my system is using.

Otherwise, upgrade the library! In particular, if factor #1 no longer holds, migrate as soon as possible to an actively maintained competing library. Dead open source libraries like httpclient-3.x and apache-axis are notorious for accumulating CVE’s, and emergency migrations with such defunct libraries become high-effort and high-risk – a terrible combination.

An SCA tool (such as MergeBase Detect) is critical for determining if a library should be upgraded. In my own experience the “upgrade problem” is simply not tractable for manual best-effort approaches, and always-upgrade is too much work with too little benefit.

There’s one major caveat though. If you’ve been using the “PURE MANUAL BEST EFFORTS” approach for a long time, you need to both don a safety mask and buckle your seat belt before first running an SCA tool against your system. The initial report is going to be intimidating and overwhelming.

Discover More from MergeBase

Core Product

BuildGreen is a powerful solution for identifying the real risk of open source at build time or in existing applications

Learn how BuildGreen can protects your Enterprise

Add RunTime Protection

RunGreen detects and defends against known-vulnerabilities at runtime.

Learn why Runtime Protection Matters

Optional Developer Add-on

CodeGreen is an early-warning defence for your in-house development and integrates directly into code repositories

Quick Start - For Free