This repository is a complete demonstration project for software composition analysis with Trivy against a C# ASP.NET Core web application that uses NuGet dependencies.
The application displays mocked statistics for industrial machines. Each machine has generated sensor readings for temperature, vibration, energy and pressure. The dashboard has one start page only.
- ASP.NET Core Razor Pages web application on .NET 8.
- NuGet PackageReference based dependency management.
- More than ten runtime dependencies that are used by the application code.
- Unit test dependencies that are isolated in the test project with `PrivateAssets="all"`.
- Generation of `packages.lock.json` files for repeatable restores and better Trivy dependency graph analysis.
- A deliberately outdated vulnerable package: `Newtonsoft.Json` version `12.0.1`.
- macOS friendly local development with Nix.
From the repository root, start a development shell:
```shell
nix-shell -p dotnet-sdk_8 trivy jq git
```

To restore packages, run tests and start the web application in one command:

```shell
nix-shell -p dotnet-sdk_8 trivy jq git --run 'dotnet restore --use-lock-file && dotnet test && ASPNETCORE_URLS=http://localhost:5080 dotnet run --project src/MachineStats.Web'
```

Open the application at:

http://localhost:5080

The repository also contains a `shell.nix`, so this shorter command works as well:

```shell
nix-shell
```
```text
├── src
│   └── MachineStats.Web
│       ├── Models
│       ├── Services
│       ├── Mapping
│       ├── Validation
│       ├── Pages
│       └── wwwroot
├── tests
│   └── MachineStats.Web.Tests
├── scripts
│   └── scan-trivy.sh
├── Directory.Build.props
├── NuGet.config
├── MachineStatsDemo.sln
└── shell.nix
```
The web project intentionally references and uses these NuGet packages:
| Package | Version | Used for |
|---|---|---|
| Newtonsoft.Json | 12.0.1 | Deserializing mocked machine metadata. This is intentionally vulnerable for the demo. |
| AutoMapper | 12.0.1 | Mapping calculated domain statistics to dashboard view models. |
| AutoMapper.Extensions.Microsoft.DependencyInjection | 12.0.1 | Registering AutoMapper in ASP.NET Core dependency injection. |
| CsvHelper | 33.0.1 | Rendering a CSV preview of mocked sensor readings. |
| FluentValidation | 11.9.0 | Validating the dashboard time window query. |
| Humanizer | 2.14.1 | Formatting elapsed time and enum text for the dashboard. |
| MathNet.Numerics | 5.0.0 | Calculating mean values and standard deviation. |
| Microsoft.Extensions.Caching.Memory | 8.0.1 | Caching generated mock sensor readings for a short time. |
| NodaTime | 3.1.11 | Handling current instants in a testable way. |
| Polly | 7.2.4 | Wrapping mocked sensor loading in a retry policy. |
| Serilog.AspNetCore | 8.0.0 | Integrating Serilog with ASP.NET Core hosting. |
| Serilog.Sinks.Console | 5.0.1 | Writing structured logs to the console. |
The test project contains the following development-only dependencies. They are used only by `tests/MachineStats.Web.Tests` and are marked with `PrivateAssets="all"`, so they do not flow into the web project's dependency graph.
| Package | Version | Used for |
|---|---|---|
| Microsoft.NET.Test.Sdk | 17.10.0 | .NET test host. |
| xunit | 2.8.1 | Unit test framework. |
| xunit.runner.visualstudio | 2.8.1 | Test discovery and execution integration. |
| FluentAssertions | 6.12.0 | Readable assertions in unit tests. |
| Moq | 4.20.70 | Mocking support for future test scenarios. |
| coverlet.collector | 6.0.2 | Code coverage collection. |
Lock file generation is enabled in Directory.Build.props:
```xml
<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
```

Generate lock files with:

```shell
dotnet restore --use-lock-file
```

This creates `packages.lock.json` inside each project directory. Commit these files when you want deterministic dependency restores.

For CI, use locked mode after the lock files have been generated and committed:

```shell
dotnet restore --locked-mode
```

Trivy can analyze NuGet `packages.lock.json` files and use them to build a dependency graph. Generate the lock files before scanning.
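To show what the lock file gives a scanner that a project file alone does not, here is an added example (not code from this repository) that reads the version 1 `packages.lock.json` format NuGet writes, splits packages into direct and transitive, and answers which direct package pulls a transitive one in. The lock file excerpt is constructed and simplified, and the `contentHash` values are placeholders.

```python
import json

# Constructed packages.lock.json excerpt in the format NuGet writes (version 1).
# It is not the repository's real lock file; contentHash values are placeholders.
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[12.0.1, )",
                          "resolved": "12.0.1", "contentHash": "PLACEHOLDER"},
      "Serilog.AspNetCore": {"type": "Direct", "requested": "[8.0.0, )",
                             "resolved": "8.0.0", "contentHash": "PLACEHOLDER",
                             "dependencies": {"Serilog": "3.1.1"}},
      "Serilog": {"type": "Transitive", "resolved": "3.1.1",
                  "contentHash": "PLACEHOLDER"}
    }
  }
}"""


def load_lock_graph(text, framework="net8.0"):
    """Return {package: {"version", "type", "depends_on"}} for one target framework."""
    doc = json.loads(text)
    if doc.get("version") != 1:
        raise ValueError("unsupported packages.lock.json version")
    graph = {}
    for name, entry in doc["dependencies"][framework].items():
        graph[name] = {
            "version": entry["resolved"],       # the pinned version a scanner matches on
            "type": entry["type"],              # "Direct", "Transitive" or "Project"
            "depends_on": sorted(entry.get("dependencies", {})),
        }
    return graph


def split_by_type(graph):
    """Names of direct and transitive packages as recorded in the lock file."""
    direct = sorted(n for n, e in graph.items() if e["type"] == "Direct")
    transitive = sorted(n for n, e in graph.items() if e["type"] == "Transitive")
    return direct, transitive


def dependents_of(graph, package):
    """Packages that pull `package` in: what to upgrade to clear a transitive finding."""
    return sorted(n for n, e in graph.items() if package in e["depends_on"])
```

Run it against the real `src/MachineStats.Web/packages.lock.json` after `dotnet restore --use-lock-file` to see the full direct and transitive split for the web project.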
Basic vulnerability scan:
```shell
dotnet restore --use-lock-file
trivy fs --scanners vuln --pkg-types library .
```

Vulnerability and license scan:

```shell
trivy fs --scanners vuln,license --pkg-types library .
```

JSON report:

```shell
trivy fs --scanners vuln,license --pkg-types library --format json -o trivy-report.json .
```

Using the provided helper script:

```shell
./scripts/scan-trivy.sh
```

Expected finding: Trivy should report the intentionally outdated Newtonsoft.Json package. NuGet marks version 12.0.1 as affected by a high severity advisory, and NVD lists CVE-2024-21907 for Newtonsoft.Json versions before 13.0.1.
Trivy supports .NET and NuGet dependency scanning. For NuGet projects, packages.lock.json gives Trivy direct and transitive dependencies and the dependency graph. This is more useful than scanning only project files, especially for a software composition analysis demo.
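The JSON report above is what a CI job would consume. As an added example (not the repository's `scan-trivy.sh`), this reads a Trivy report, flattens the findings and fails the build at a chosen severity; the report excerpt is constructed to contain only the fields the check uses, and real reports may omit `Vulnerabilities` or set it to `null` for a clean target.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed excerpt of a Trivy JSON report for this repository (not real scanner
# output); only the fields the gate reads are included.
SAMPLE_REPORT = """{
  "SchemaVersion": 2,
  "Results": [
    {"Target": "src/MachineStats.Web/packages.lock.json", "Class": "lang-pkgs",
     "Type": "nuget",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2024-21907", "PkgName": "Newtonsoft.Json",
        "InstalledVersion": "12.0.1", "FixedVersion": "13.0.1", "Severity": "HIGH"}
     ]},
    {"Target": "tests/MachineStats.Web.Tests/packages.lock.json", "Class": "lang-pkgs",
     "Type": "nuget", "Vulnerabilities": null}
  ]
}"""


def findings(report_text):
    """Flatten every Result's vulnerability list into one list of dicts."""
    doc = json.loads(report_text)
    out = []
    for result in doc.get("Results", []):
        # Trivy leaves the key out or sets it to null when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "target": result["Target"],
                "package": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion", ""),   # empty when no fix is published
                "id": v["VulnerabilityID"],
                "severity": v.get("Severity", "UNKNOWN"),
            })
    return out


def gate(report_text, fail_on="HIGH"):
    """Return (passed, blocking) where blocking lists findings at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings(report_text)
                if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"{f['id']} {f['package']} {f['installed']} -> fix {f['fixed'] or 'none'}")
    raise SystemExit(0 if passed else 1)
```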
```shell
dotnet test
```

The tests cover:
- Statistics calculation.
- Critical status detection.
- CSV export.
- Dashboard query validation.
```shell
ASPNETCORE_URLS=http://localhost:5080 dotnet run --project src/MachineStats.Web
```

Then open:
http://localhost:5080
Newtonsoft.Json is intentionally pinned to 12.0.1 so that this repository produces a meaningful SCA finding. Do not copy this dependency version into a production application. After demonstrating the finding, update to a fixed version such as 13.0.1 or newer and regenerate the lock file.
- Trivy .NET and NuGet coverage: https://trivy.dev/docs/latest/coverage/language/dotnet/
- Microsoft dotnet restore lock file options: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-restore
- NuGet PackageReference documentation: https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files
- NuGet page for Newtonsoft.Json 12.0.1: https://www.nuget.org/packages/Newtonsoft.Json/12.0.1
- NVD CVE-2024-21907: https://nvd.nist.gov/vuln/detail/CVE-2024-21907