Goal
Add a Tier-3 (package-level) reachability analyzer for .NET / NuGet projects.
Mapping
C# / F# / VB use using Namespace; (or Imports in VB) where Namespace is declared in NuGet packages without a fixed convention. The relationship is similar to Java's: many namespaces per package, no naming rule that holds in general.
Approach: curated longest-prefix namespace → NuGet package id map covering the top ~80 packages (Microsoft.AspNetCore.*, Microsoft.EntityFrameworkCore.*, Newtonsoft.Json, AutoMapper.*, Serilog.*, NUnit.*, Xunit.*, etc.). Same shape as jvmreach.
Scope
- New package internal/analyzers/nugetreach/.
- Source walk: .cs / .fs / .vb files. Skip bin/, obj/, packages/, .vs/, VCS dirs.
- Scanner: line-oriented using X.Y; (C#) / open X.Y (F#) / Imports X.Y (VB).
- Mapping: longest-prefix match against curated table. Drop stdlib roots (System.*, Microsoft.Win32.* core BCL portions).
- Per-project FileCache invalidating on packages.lock.json / .csproj / .fsproj / .vbproj content change.
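The scanner and mapping steps from the Scope list, as an added example in Go (not code from the repository; Go is assumed from the internal/ layout). The table is a constructed four-entry excerpt, `MapNamespace` and `ReachablePackages` are hypothetical names, and the regex also accepts C# `global using`, `using static` and alias forms, which goes beyond the three forms listed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed excerpt of the curated namespace -> NuGet package id table.
var nsToPkg = map[string]string{
	"Newtonsoft.Json": "Newtonsoft.Json", "NUnit.Framework": "NUnit",
	"Serilog": "Serilog", "Serilog.Sinks.File": "Serilog.Sinks.File",
}
var stdlibRoots = map[string]bool{"System": true, "Microsoft.Win32": true} // dropped

// The C# branch requires the trailing ';' so `using var x = ...` statements are skipped.
var importRe = regexp.MustCompile(`^\s*(?:(?:global\s+)?using(?:\s+static)?\s+(?:\w+\s*=\s*)?([\w.]+)\s*;|(?:open|Imports)\s+([\w.]+))`)

// MapNamespace tries ns, then each shorter dotted prefix; a stdlib root drops the import.
func MapNamespace(ns string) (string, bool) {
	for p := ns; ; p = p[:strings.LastIndexByte(p, '.')] {
		if stdlibRoots[p] {
			return "", false
		}
		if pkg, ok := nsToPkg[p]; ok || !strings.Contains(p, ".") {
			return pkg, ok
		}
	}
}

// ReachablePackages scans source text line by line and returns sorted, de-duplicated ids.
func ReachablePackages(src string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, line := range strings.Split(src, "\n") {
		if m := importRe.FindStringSubmatch(line); m != nil {
			if pkg, ok := MapNamespace(m[1] + m[2]); ok && !seen[pkg] {
				seen[pkg], out = true, append(out, pkg)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed input mixing C#, F# and VB lines.
	fmt.Println(ReachablePackages("using System.Text;\nusing Newtonsoft.Json.Linq;\nopen Serilog.Sinks.File\nImports Serilog.Events"))
}
```

Namespaces with no curated prefix (first-party code, packages outside the table) return no package, so an import of this kind yields no reachability evidence for any package.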
Smoke fixture
A small ASP.NET Core sample with stale Newtonsoft.Json pin, or a Veracode example-dotnet repo if one exists.
References
- Template: internal/analyzers/jvmreach
- Detector: internal/detectors/nuget (already in tree).
- SDK: LanguageCSharp / LanguageFSharp / LanguageVB + PackageManagerNuGet exist.
Note on stdlib coverage
.NET's BCL (Base Class Library) is huge and split across many System.* namespaces. Conservative stdlib drop list covers System.* and Microsoft.Win32.*; deeper accuracy can come later.