semantics dotnet (owasp-dep-scan#412)

* Improved semantic reachability by tracking reached packages bundled in binaries. Improves detection for dotnet

Signed-off-by: Prabhu Subramanian <[email protected]>

* Dotnet repo tests

Signed-off-by: Prabhu Subramanian <[email protected]>

---------

Signed-off-by: Prabhu Subramanian <[email protected]>

Author: prabhu

.github/workflows/repotests-lifecycle-c.yml

@@ -38,6 +38,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: Install depscan
         run: |
           python -m pip install --upgrade pip

.github/workflows/repotests-lifecycle-dotnet.yml

@@ -35,6 +35,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: Install depscan
         run: |
           python -m pip install --upgrade pip
@@ -44,6 +48,7 @@ jobs:
       - name: lifecycle-test Damm-Vulnerable-dotNet-Application
         run: |
           mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/Damm-Vulnerable-dotNet-Application-lifecycle
+          dotnet build ${GITHUB_WORKSPACE}/repotests/Damm-Vulnerable-dotNet-Application/WebGoat.NET.sln
           uv run depscan --src ${GITHUB_WORKSPACE}/repotests/Damm-Vulnerable-dotNet-Application\
                           --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/Damm-Vulnerable-dotNet-Application\
                           -t dotnet\

.github/workflows/repotests-lifecycle-go.yml

@@ -35,6 +35,10 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: Install depscan
         run: |
           python -m pip install --upgrade pip
@@ -44,6 +48,9 @@ jobs:
       - name: lifecycle-test damn-vulnerable-golang
         run: |
           mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/damn-vulnerable-golang-lifecycle
+          cd ${GITHUB_WORKSPACE}/depscan_reports/damn-vulnerable-golang-lifecycle
+          go build main.go
+          cd ${GITHUB_WORKSPACE}
           uv run depscan --src ${GITHUB_WORKSPACE}/repotests/damn-vulnerable-golang\
                           --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/damn-vulnerable-golang\
                           -t go\

.github/workflows/repotests-lifecycle-java.yml

@@ -30,6 +30,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '23.x'
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
       - name: Install uv
         uses: astral-sh/setup-uv@v5
       - name: Setup Python

.github/workflows/repotests.yml

@@ -31,6 +31,10 @@ jobs:
         with:
           repository: 'HooliCorp/vulnerable-aws-koa-app'
           path: 'repotests/vulnerable-aws-koa-app'
+      - uses: actions/checkout@v4
+        with:
+          repository: 'microsoft/dotnet-podcasts'
+          path: 'repotests/dotnet-podcasts'
       - uses: actions/setup-go@v5
         with:
           go-version: '1.23'
@@ -57,6 +61,14 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.x'
+      - name: Trim CI agent
+        run: |
+          chmod +x contrib/free_disk_space.sh
+          ./contrib/free_disk_space.sh
+        if: ${{ matrix.os != 'windows-latest' }}
       - name: Install depscan
         run: |
           python -m pip install --upgrade pip
@@ -72,13 +84,26 @@ jobs:
         shell: bash
         env:
           BLINTDB_HOME: ${{ runner.temp }}/blintdb-home
+      - name: repotests dotnet-podcasts
+        run: |
+          mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts1 ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts2
+          dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/NetPodcast.Services.sln
+          dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/NetPodcast.sln
+          dotnet build ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts/Podcast.Web.sln
+          uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts -t dotnet --bom-engine CdxgenGenerator
+          uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts1 --profile research -t dotnet --bom-engine CdxgenGenerator --reachability-analyzer FrameworkReachability --explain
+          uv run depscan --src ${GITHUB_WORKSPACE}/repotests/dotnet-podcasts --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/dotnet-podcasts2 --profile research -t dotnet --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
+          rm -rf ${GITHUB_WORKSPACE}/depscan_reports
+        shell: bash
+        env:
+          BLINTDB_HOME: ${{ runner.temp }}/blintdb-home
       - name: repotests vulnerable-aws-koa-app
         run: |
           mkdir -p ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app
           uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator
           uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator --reachability-analyzer FrameworkReachability --explain
           uv run depscan --src ${GITHUB_WORKSPACE}/repotests/vulnerable-aws-koa-app --reports-dir ${GITHUB_WORKSPACE}/depscan_reports/vulnerable-aws-koa-app -t js --bom-engine CdxgenGenerator --reachability-analyzer SemanticReachability --explain
-          rm -rf ${GITHUB_WORKSPACE}/depscan_reports ${BLINTDB_HOME}
+          rm -rf ${GITHUB_WORKSPACE}/depscan_reports
         shell: bash
         env:
           BLINTDB_HOME: ${{ runner.temp }}/blintdb-home

contrib/depscanGPT/README.md

@@ -25,7 +25,7 @@ Answer only questions about:
 If the user’s question is about creating a BOM or general CycloneDX mechanics (rather than analysing an existing report), redirect them to cdxgenGPT:
 “For BOM generation, please try the dedicated assistant here → https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen ”
 
-For anything else, respond: “I’m sorry, but I can only help with BOM‑related queries.”
+For anything else, respond: “I’m sorry, but I can only help with BOM and VDR‑related queries.”
 
 ## Interaction flow
 1.	Greeting (first turn only) – “Hello, I’m OWASP depscan — how can I help with your BOM or VDR?”
@@ -37,7 +37,7 @@ For anything else, respond: “I’m sorry, but I can only help with BOM‑relat
 - SBOM/CBOM/OBOM/ML‑BOM: use components, purl, licenses, properties, etc.
 - SaaSBOM: use services, endpoints, authenticated, data.classification.
 - Infer ecosystem from purl (pkg:npm → npm, pkg:pypi → Python).
-- If coverage is unclear, suggest regenerating with cdxgen --profile ml.
+- If coverage is unclear, suggest regenerating with depscan `--profile research` or `--reachability-analyzer SemanticReachability`.
 
 ## Understanding depscan reports
 

contrib/free_disk_space.sh

@@ -33,7 +33,6 @@ echo "Listing 100 largest packages"
 dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n | tail -n 100
 df -h
 echo "Removing large packages"
-sudo apt-get remove -y '^dotnet-.*'
 sudo apt-get remove -y '^llvm-.*'
 sudo apt-get remove -y 'php.*'
 sudo apt-get remove -y '^mongodb-.*'
@@ -44,10 +43,8 @@ sudo apt-get clean
 df -h
 echo "Removing large directories"
 
-sudo rm -rf /usr/share/dotnet/
 sudo rm -rf /usr/local/graalvm/
 sudo rm -rf /usr/local/.ghcup/
 sudo rm -rf /usr/local/share/powershell
 sudo rm -rf /usr/local/share/chromium
-sudo rm -rf /usr/local/lib/android
 df -h

depscan/lib/bom.py

@@ -424,7 +424,9 @@ def create_lifecycle_boms(cdxgen_lib, src_dir, options):
     coptions["deep"] = False
     coptions["use_blintdb"] = False
     coptions["lifecycles"] = ["post-build"]
-    res = create_blint_bom(postbuild_bom_file, src_dir, options=coptions)
+    # What if the build directory is different to the source
+    build_dir = os.getenv("DEPSCAN_BUILD_DIR") or options.get("build_dir") or src_dir
+    res = create_blint_bom(postbuild_bom_file, build_dir, options=coptions)
     if not res or not os.path.exists(postbuild_bom_file):
         LOG.debug(
             "The blint invocation was unsuccessful. Try building this project prior to invoking depscan. Alternatively, check if this project generates binary artefacts."

documentation/docs/env-var.mdx

@@ -2,15 +2,17 @@
 title: Environment Variables
 sidebar_position: 7
 ---
+
 # Customization through environment variables
 
 The following environment variables can be used to customize the behavior.
 
--   VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
--   VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbxz:v6, which includes both app and OS vulnerabilities. For a smaller app-only database, use `ghcr.io/appthreat/vdbxz-app:v6`
--   USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database with both app and OS vulnerabilities. Default download url: ghcr.io/appthreat/vdbxz-10y:v6. For an app-only 10 year database use `ghcr.io/appthreat/vdbxz-app-10y:v6`
--   VDB_AGE_HOURS - Set the age threshold for the vulnerability database before it is re-downloaded. The default is 24 hours.
--   DEPSCAN_TEMP_DIR - Temporary directory to use.
--   DEPSCAN_SOURCE_DIR_IMAGE - Alternative to `--src` argument to pass the source directory or image name.
--   DEPSCAN_REPORTS_DIR - Alternative to `--reports-dir` to pass the output reports directory.
--   DEPSCAN_SOURCE_IMAGE - Source image name to use for lifecycle analysis.
+- VDB_HOME - Directory to use for caching database. For docker-based execution, this directory should get mounted as a volume from the host
+- VDB_DATABASE_URL - Vulnerability DB URL. Defaults to: ghcr.io/appthreat/vdbxz:v6, which includes both app and OS vulnerabilities. For a smaller app-only database, use `ghcr.io/appthreat/vdbxz-app:v6`
+- USE_VDB_10Y - Set to true to use the larger 10-year vulnerability database with both app and OS vulnerabilities. Default download url: ghcr.io/appthreat/vdbxz-10y:v6. For an app-only 10 year database use `ghcr.io/appthreat/vdbxz-app-10y:v6`
+- VDB_AGE_HOURS - Set the age threshold for the vulnerability database before it is re-downloaded. The default is 24 hours.
+- DEPSCAN_TEMP_DIR - Temporary directory to use.
+- DEPSCAN_SOURCE_DIR_IMAGE - Alternative to `--src` argument to pass the source directory or image name.
+- DEPSCAN_REPORTS_DIR - Alternative to `--reports-dir` to pass the output reports directory.
+- DEPSCAN_SOURCE_IMAGE - Source image name to use for lifecycle analysis. Same as the key `source_image` in the configuration file.
+- DEPSCAN_BUILD_DIR - Build directory to use for lifecycle analysis. Blint sbom command will be executed with this directory. Defaults to the source directory (`--src`). Same as the key `build_dir` in the configuration file.

packages/analysis-lib/src/analysis_lib/__init__.py

@@ -1,6 +1,6 @@
 from abc import ABC, abstractmethod
 from dataclasses import dataclass
-import glob
+from pathlib import Path
 from importlib.metadata import distribution
 from logging import Logger
 from typing import Dict, List, Optional
@@ -12,9 +12,10 @@ def get_all_bom_files(from_dir):
     """
     Method to collect all BOM files from a given directory.
     """
-    return glob.glob(f"{from_dir}/**/*bom*.json", recursive=True) + glob.glob(
-        f"{from_dir}/**/*.cdx.json", recursive=True
-    )
+    base = Path(from_dir)
+    patterns = ["*bom*.json", "*.cdx.json"]
+    files = {str(p.resolve()) for pattern in patterns for p in base.rglob(pattern)}
+    return sorted(files)
 
 
 @dataclass
@@ -121,21 +122,17 @@ def __post_init__(self):
         # Collect bom files
         if not self.bom_files and self.bom_dir:
             self.bom_files = get_all_bom_files(self.bom_dir)
-        # collect available slices files
+        # Collect available slices files
         if not self.slices_files and self.bom_dir:
-            self.slices_files = glob.glob(
-                f"{self.bom_dir}/**/*slices.json", recursive=True
+            self.slices_files = sorted(
+                str(p.resolve()) for p in Path(self.bom_dir).rglob("*slices.json")
             )
-        # collect the openapi spec files
+        # Collect the openapi spec files
         if not self.openapi_spec_files:
-            if self.bom_dir:
-                self.openapi_spec_files = glob.glob(
-                    f"{self.bom_dir}/*openapi*.json", recursive=False
-                )
-            elif self.src_dir:
-                self.openapi_spec_files = glob.glob(
-                    f"{self.src_dir}/*openapi*.json", recursive=False
-                )
+            search_dir = Path(self.bom_dir) if self.bom_dir else Path(self.src_dir)
+            self.openapi_spec_files = sorted(
+                str(p.resolve()) for p in search_dir.glob("*openapi*.json")
+            )
 
 
 @dataclass