Prisma Cloud Application Security: Checkov gives empty results when scanning Azure Repos with .NET framework 8.0 in csproj files
259
Created On 08/16/24 16:00 PM - Last Modified 04/22/26 19:39 PM
Symptom
Let's say you are scanning an Azure directory and there are multiple csproj files that detail package information for the repository.
If the target framework in these files is "net 6.0", Checkov can scan the repository fine and will show you package information. If the framework listed is "net 8.0", then Checkov will produce empty results.
Target framework specification in .csproj files:
Environment
- Prisma Cloud
- Microsoft Azure
- Checkov
Cause
In the .csproj files, the target framework specified is "net 8.0". In other file, it's "net 6.0".
When running a Checkov scan on both files, the file with framework "net 6.0" results in package information, as expected. However, "net 8.0" produces empty scan results.
Using .NET 8.0
checkov -d ./src --support --hard-fail-on HIGH --framework sca_package --bc-api-key **************::************** --prisma-api-url https://api.prismacloud.io --output spdx --output json --output-file-path "SCA/" --repo-id "****/****" --branch "****"
{
"passed": 0,
"failed": 0,
"skipped": 0,
"parsing_errors": 0,
"resource_count": 0,
"checkov_version": "3.2.219"
}
--- OUTPUT DELIMITER ---
## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: checkov-sbom
DocumentNamespace: https://spdx.org/spdxdocs/checkov-sbom-3.2.219-454a024b-d83b-4152-bf58-8e26789deb93
## Creation Information
Creator: Tool: checkov
Creator: Organization: bridgecrew (meet@bridgecrew.io)
Created: 2024-08-09T16:47:05Z
Using .NET 6.0
checkov -d ./src --support --hard-fail-on HIGH --framework sca_package --bc-api-key **************::************** --prisma-api-url https://api.prismacloud.io --output spdx --output json --output-file-path "SCA/" --repo-id "****/****" --branch "****"
## Package Information PackageName: ag.framework.validators SPDXID: SPDXRef-ag.framework.validators PackageVersion: 1.2.0 PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj PackageDownloadLocation: NONE FilesAnalyzed: true ## Package Information PackageName: coverlet.collector SPDXID: SPDXRef-coverlet.collector PackageVersion: 3.1.2 PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj PackageDownloadLocation: NONE FilesAnalyzed: true ## Package Information PackageName: fluentvalidation.validators.unittestextension SPDXID: SPDXRef-fluentvalidation.validators.unittestextension PackageVersion: 1.11.0.2 PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj PackageDownloadLocation: NONE FilesAnalyzed: true ...
Resolution
As of now, we only support .NET 7.0 or lower. Once the target framework satisfies this, then Checkov will be able to scan the files.
We are currently working on having compatibility with a higher .NET version.