C Sharp Missing Package Lock
Description
Detects when NuGet package dependencies are declared without a corresponding packages.lock.json file. Without a lock file, resolved dependency versions can float between restores, which opens the door to supply chain attacks such as dependency confusion, as well as to unintended version updates.
Detection Strategy
• Scans for NuGet package declarations by checking for a '<packages>' tag in project files
• Checks whether a packages.lock.json file exists in the same directory as the package declarations
• Reports a vulnerability if package declarations are found but the lock file is missing
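The strategy above, implemented as a small stand-alone checker. This is an added example, not Fluid Attacks' scanner; it assumes that both packages.config and .csproj files are the "project files" searched for the '<packages>' tag, and it builds a constructed two-project repository in a temporary directory so that it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Assumption: package declarations live in packages.config or .csproj files.
SCAN_SUFFIXES = {".config", ".csproj"}
# The tag the rule looks for; '<packages' followed by a word boundary, so
# '<package id=...>' entries inside the list do not match on their own.
PACKAGE_TAG = re.compile(r"<packages\b", re.IGNORECASE)
LOCK_FILE = "packages.lock.json"


def find_missing_lock_files(root):
    """Return POSIX-style paths (relative to root) of every file that declares
    NuGet packages but has no packages.lock.json beside it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if not PACKAGE_TAG.search(text):
            continue
        # The lock file must sit in the same directory as the declaration.
        if not (path.parent / LOCK_FILE).is_file():
            findings.append(path.relative_to(root).as_posix())
    return findings


def build_sample_repo():
    """Constructed sample: one project with a lock file, one without."""
    root = Path(tempfile.mkdtemp())
    packages_xml = (
        '<?xml version="1.0" encoding="utf-8"?>\n<packages>\n'
        '  <package id="Newtonsoft.Json" version="13.0.3" />\n</packages>\n'
    )
    locked = root / "Locked"
    locked.mkdir()
    (locked / "packages.config").write_text(packages_xml)
    (locked / LOCK_FILE).write_text('{"version": 1, "dependencies": {}}\n')
    unlocked = root / "Unlocked"
    unlocked.mkdir()
    (unlocked / "packages.config").write_text(packages_xml)
    return root


if __name__ == "__main__":
    for finding in find_missing_lock_files(build_sample_repo()):
        print(f"missing {LOCK_FILE} next to {finding}")
```

Setting `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` in the project and restoring with `dotnet restore --locked-mode` generates and pins the lock file, which clears the finding.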