feat: add cataloger for NuGet packages (#3484)

* add cataloger for dotnet packages.lock.json files Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * add entry for dotnet packages.lock files Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * add unit test for dotnet packages.lock cataloger Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * add test for faulty packages.lock.json file Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * add missing name metadata Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * ensure package appears with version Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * add example of conflicting dependencies Signed-off-by: Kemosabert <bert.coppens14@gmail.com> * fix linting Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * bump json schema and fix tests Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * move section Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Kemosabert <bert.coppens14@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-17 08:23:15 +01:00 · 2025-01-16 20:57:17 +01:00 · 2025-01-16 20:57:17 +01:00 · 512319337f
commit 512319337f
parent 6b2d73d4b7
14 changed files with 3235 additions and 4 deletions
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -1,5 +1,6 @@
 issues:
  max-same-issues: 25
+  uniq-by-line: false

  # TODO: enable this when we have coverage on docstring comments
 #  # The list of ids of default excludes to include or disable.
@ -60,8 +61,6 @@ linters-settings:
  gosec:
    excludes:
      - G115
-output:
-  uniq-by-line: false
 run:
  timeout: 10m
  tests: false
--- a/internal/constants.go
+++ b/internal/constants.go
@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.18"
+	JSONSchemaVersion = "16.0.19"
 )
--- a/internal/task/package_tasks.go
+++ b/internal/task/package_tasks.go
@ -114,6 +114,7 @@ func DefaultPackageTaskFactories() PackageTaskFactories {
 		newSimplePackageTaskFactory(ocaml.NewOpamPackageManagerCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "ocaml", "opam"),

 		// language-specific package for both image and directory scans (but not necessarily declared) ////////////////////////////////////////
+		newSimplePackageTaskFactory(dotnet.NewDotnetPackagesLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.ImageTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "dotnet", "c#"),
 		newSimplePackageTaskFactory(dotnet.NewDotnetPortableExecutableCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, pkgcataloging.LanguageTag, "dotnet", "c#", "binary"),
 		newSimplePackageTaskFactory(python.NewInstalledPackageCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, pkgcataloging.LanguageTag, "python"),
 		newPackageTaskFactory(
--- a/schema/json/schema-16.0.19.json
+++ b/schema/json/schema-16.0.19.json
--- a/schema/json/schema-latest.json
+++ b/schema/json/schema-latest.json
@ -1,6 +1,6 @@
 {
  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.18/document",
+  "$id": "anchore.io/schema/syft/json/16.0.19/document",
  "$ref": "#/$defs/Document",
  "$defs": {
    "AlpmDbEntry": {
@ -492,6 +492,29 @@
        "hashPath"
      ]
    },
+    "DotnetPackagesLockEntry": {
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "version": {
+          "type": "string"
+        },
+        "contentHash": {
+          "type": "string"
+        },
+        "type": {
+          "type": "string"
+        }
+      },
+      "type": "object",
+      "required": [
+        "name",
+        "version",
+        "contentHash",
+        "type"
+      ]
+    },
    "DotnetPortableExecutableEntry": {
      "properties": {
        "assemblyVersion": {
@ -1648,6 +1671,9 @@
            {
              "$ref": "#/$defs/DotnetDepsEntry"
            },
+            {
+              "$ref": "#/$defs/DotnetPackagesLockEntry"
+            },
            {
              "$ref": "#/$defs/DotnetPortableExecutableEntry"
            },
--- a/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
+++ b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
@ -19,6 +19,7 @@ func Test_OriginatorSupplier(t *testing.T) {
 		pkg.ConaninfoEntry{},
 		pkg.DartPubspecLockEntry{},
 		pkg.DotnetDepsEntry{},
+		pkg.DotnetPackagesLockEntry{},
 		pkg.ELFBinaryPackageNoteJSONPayload{},
 		pkg.ElixirMixLockEntry{},
 		pkg.ErlangRebarLockEntry{},
--- a/syft/internal/packagemetadata/generated.go
+++ b/syft/internal/packagemetadata/generated.go
@ -17,6 +17,7 @@ func AllTypes() []any {
 		pkg.ConaninfoEntry{},
 		pkg.DartPubspecLockEntry{},
 		pkg.DotnetDepsEntry{},
+		pkg.DotnetPackagesLockEntry{},
 		pkg.DotnetPortableExecutableEntry{},
 		pkg.DpkgDBEntry{},
 		pkg.ELFBinaryPackageNoteJSONPayload{},
--- a/syft/internal/packagemetadata/names.go
+++ b/syft/internal/packagemetadata/names.go
@ -109,6 +109,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNamesWithoutLookup(pkg.RustBinaryAuditEntry{}, "rust-cargo-audit-entry", "RustCargoPackageMetadata"), // the legacy value is split into two types, where the other is preferred
 	jsonNames(pkg.WordpressPluginEntry{}, "wordpress-plugin-entry", "WordpressMetadata"),
 	jsonNames(pkg.LuaRocksPackage{}, "luarocks-package"),
+	jsonNames(pkg.DotnetPackagesLockEntry{}, "dotnet-packages-lock-entry"),
 )

 func expandLegacyNameVariants(names ...string) []string {
--- a/syft/pkg/cataloger/dotnet/cataloger.go
+++ b/syft/pkg/cataloger/dotnet/cataloger.go
@ -19,3 +19,7 @@ func NewDotnetPortableExecutableCataloger() pkg.Cataloger {
 	return generic.NewCataloger("dotnet-portable-executable-cataloger").
 		WithParserByGlobs(parseDotnetPortableExecutable, "**/*.dll", "**/*.exe")
 }
+
+func NewDotnetPackagesLockCataloger() pkg.Cataloger {
+	return generic.NewCataloger("dotnet-packages-lock-cataloger").WithParserByGlobs(parseDotnetPackagesLock, "**/packages.lock.json")
+}
--- a/syft/pkg/cataloger/dotnet/parse_dotnet_packages_lock.go
+++ b/syft/pkg/cataloger/dotnet/parse_dotnet_packages_lock.go
@ -0,0 +1,159 @@
+package dotnet
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"slices"
+	"sort"
+
+	"github.com/anchore/packageurl-go"
+	"github.com/anchore/syft/internal/log"
+	"github.com/anchore/syft/internal/relationship"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
+)
+
+var _ generic.Parser = parseDotnetPackagesLock
+
+type dotnetPackagesLock struct {
+	Version      int                                         `json:"version"`
+	Dependencies map[string]map[string]dotnetPackagesLockDep `json:"dependencies"`
+}
+
+type dotnetPackagesLockDep struct {
+	Type         string            `json:"type"`
+	Requested    string            `json:"requested"`
+	Resolved     string            `json:"resolved"`
+	ContentHash  string            `json:"contentHash"`
+	Dependencies map[string]string `json:"dependencies,omitempty"`
+}
+
+func parseDotnetPackagesLock(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { //nolint:funlen
+	var pkgs []pkg.Package
+	var pkgMap = make(map[string]pkg.Package)
+	var relationships []artifact.Relationship
+
+	dec := json.NewDecoder(reader)
+
+	// unmarshal file
+	var lockFile dotnetPackagesLock
+	if err := dec.Decode(&lockFile); err != nil {
+		return nil, nil, fmt.Errorf("failed to parse packages.lock.json file: %w", err)
+	}
+
+	// collect all deps here
+	allDependencies := make(map[string]dotnetPackagesLockDep)
+
+	var names []string
+	for _, dependencies := range lockFile.Dependencies {
+		for name, dep := range dependencies {
+			depNameVersion := createNameAndVersion(name, dep.Resolved)
+
+			if slices.Contains(names, depNameVersion) {
+				continue
+			}
+
+			names = append(names, depNameVersion)
+			allDependencies[depNameVersion] = dep
+		}
+	}
+
+	// sort the names so that the order of the packages is deterministic
+	sort.Strings(names)
+
+	// create artifact for each pkg
+	for _, nameVersion := range names {
+		name, _ := extractNameAndVersion(nameVersion)
+
+		dep := allDependencies[nameVersion]
+		dotnetPkg := newDotnetPackagesLockPackage(name, dep, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation))
+		if dotnetPkg != nil {
+			pkgs = append(pkgs, *dotnetPkg)
+			pkgMap[nameVersion] = *dotnetPkg
+		}
+	}
+
+	// fill up relationships
+	for depNameVersion, dep := range allDependencies {
+		parentPkg, ok := pkgMap[depNameVersion]
+		if !ok {
+			log.Debug("package \"%s\" not found in map of all pacakges", depNameVersion)
+			continue
+		}
+
+		for childDepName, childDepVersion := range dep.Dependencies {
+			childDepNameVersion := createNameAndVersion(childDepName, childDepVersion)
+
+			// try and find pkg for dependency with exact name and version
+			childPkg, ok := pkgMap[childDepNameVersion]
+			if !ok {
+				// no exact match found, lets match on name only, lockfile will contain other version of pkg
+				cpkg, ok := findPkgByName(childDepName, pkgMap)
+				if !ok {
+					log.Debug("dependency \"%s\" of package \"%s\" not found in map of all packages", childDepNameVersion, depNameVersion)
+					continue
+				}
+
+				childPkg = *cpkg
+			}
+
+			rel := artifact.Relationship{
+				From: parentPkg,
+				To:   childPkg,
+				Type: artifact.DependencyOfRelationship,
+			}
+			relationships = append(relationships, rel)
+		}
+	}
+
+	// sort the relationships for deterministic output
+	relationship.Sort(relationships)
+
+	return pkgs, relationships, nil
+}
+
+func newDotnetPackagesLockPackage(name string, dep dotnetPackagesLockDep, locations ...file.Location) *pkg.Package {
+	metadata := pkg.DotnetPackagesLockEntry{
+		Name:        name,
+		Version:     dep.Resolved,
+		ContentHash: dep.ContentHash,
+		Type:        dep.Type,
+	}
+
+	return &pkg.Package{
+		Name:      name,
+		Version:   dep.Resolved,
+		Type:      pkg.DotnetPkg,
+		Metadata:  metadata,
+		Locations: file.NewLocationSet(locations...),
+		Language:  pkg.Dotnet,
+		PURL:      packagesLockPackageURL(name, dep.Resolved),
+	}
+}
+
+func packagesLockPackageURL(name, version string) string {
+	var qualifiers packageurl.Qualifiers
+
+	return packageurl.NewPackageURL(
+		packageurl.TypeNuget, // See explanation in syft/pkg/cataloger/dotnet/package.go as to why this was chosen.
+		"",
+		name,
+		version,
+		qualifiers,
+		"",
+	).ToString()
+}
+
+func findPkgByName(pkgName string, pkgMap map[string]pkg.Package) (*pkg.Package, bool) {
+	for pkgNameVersion, pkg := range pkgMap {
+		name, _ := extractNameAndVersion(pkgNameVersion)
+		if name == pkgName {
+			return &pkg, true
+		}
+	}
+
+	return nil, false
+}
--- a/syft/pkg/cataloger/dotnet/parse_dotnet_packages_lock_test.go
+++ b/syft/pkg/cataloger/dotnet/parse_dotnet_packages_lock_test.go
@ -0,0 +1,199 @@
+package dotnet
+
+import (
+	"testing"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
+)
+
+func Test_corruptDotnetPackagesLock(t *testing.T) {
+	pkgtest.NewCatalogTester().
+		FromFile(t, "test-fixtures/glob-paths/src/packages.lock.json").
+		WithError().
+		TestParser(t, parseDotnetDeps)
+}
+
+func TestParseDotnetPackagesLock(t *testing.T) {
+	fixture := "test-fixtures/packages.lock.json"
+	fixtureLocationSet := file.NewLocationSet(file.NewLocation(fixture))
+
+	autoMapperPkg := pkg.Package{
+		Name:      "AutoMapper",
+		Version:   "13.0.1",
+		PURL:      "pkg:nuget/AutoMapper@13.0.1",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "AutoMapper",
+			Version:     "13.0.1",
+			ContentHash: "/Fx1SbJ16qS7dU4i604Sle+U9VLX+WSNVJggk6MupKVkYvvBm4XqYaeFuf67diHefHKHs50uQIS2YEDFhPCakQ==",
+			Type:        "Direct",
+		},
+	}
+
+	bootstrapPkg := pkg.Package{
+		Name:      "bootstrap",
+		Version:   "5.0.0",
+		PURL:      "pkg:nuget/bootstrap@5.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "bootstrap",
+			Version:     "5.0.0",
+			ContentHash: "NKQFzFwrfWOMjTwr+X/2iJyCveuAGF+fNzkxyB0YW45+InVhcE9PUxoL1a8Vmc/Lq9E/CQd4DjO8kU32P4w/Gg==",
+			Type:        "Direct",
+		},
+	}
+
+	log4netPkg := pkg.Package{
+		Name:      "log4net",
+		Version:   "2.0.5",
+		PURL:      "pkg:nuget/log4net@2.0.5",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "log4net",
+			Version:     "2.0.5",
+			ContentHash: "AEqPZz+v+OikfnR2SqRVdQPnSaLq5y9Iz1CfRQZ9kTKPYCXHG6zYmDHb7wJotICpDLMr/JqokyjiqKAjUKp0ng==",
+			Type:        "Direct",
+		},
+	}
+
+	log4net1Pkg := pkg.Package{
+		Name:      "log4net",
+		Version:   "1.2.15",
+		PURL:      "pkg:nuget/log4net@1.2.15",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "log4net",
+			Version:     "1.2.15",
+			ContentHash: "KPajjkU1rbF6uY2rnakbh36LB9z9FVcYlciyOi6C5SJ3AMNywxjCGxBTN/Hl5nQEinRLuWvHWPF8W7YHh9sONw==",
+			Type:        "Direct",
+		},
+	}
+
+	dependencyInjectionAbstractionsPkg := pkg.Package{
+		Name:      "Microsoft.Extensions.DependencyInjection.Abstractions",
+		Version:   "9.0.0",
+		PURL:      "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@9.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "Microsoft.Extensions.DependencyInjection.Abstractions",
+			Version:     "9.0.0",
+			ContentHash: "xlzi2IYREJH3/m6+lUrQlujzX8wDitm4QGnUu6kUXTQAWPuZY8i+ticFJbzfqaetLA6KR/rO6Ew/HuYD+bxifg==",
+			Type:        "Transitive",
+		},
+	}
+
+	extensionOptionsPkg := pkg.Package{
+		Name:      "Microsoft.Extensions.Options",
+		Version:   "9.0.0",
+		PURL:      "pkg:nuget/Microsoft.Extensions.Options@9.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "Microsoft.Extensions.Options",
+			Version:     "9.0.0",
+			ContentHash: "dzXN0+V1AyjOe2xcJ86Qbo233KHuLEY0njf/P2Kw8SfJU+d45HNS2ctJdnEnrWbM9Ye2eFgaC5Mj9otRMU6IsQ==",
+			Type:        "Transitive",
+		},
+	}
+
+	extensionPrimitivesPkg := pkg.Package{
+		Name:      "Microsoft.Extensions.Primitives",
+		Version:   "9.0.0",
+		PURL:      "pkg:nuget/Microsoft.Extensions.Primitives@9.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "Microsoft.Extensions.Primitives",
+			Version:     "9.0.0",
+			ContentHash: "9+PnzmQFfEFNR9J2aDTfJGGupShHjOuGw4VUv+JB044biSHrnmCIMD+mJHmb2H7YryrfBEXDurxQ47gJZdCKNQ==",
+			Type:        "Transitive",
+		},
+	}
+
+	compilerServicesUnsafePkg := pkg.Package{
+		Name:      "System.Runtime.CompilerServices.Unsafe",
+		Version:   "9.0.0",
+		PURL:      "pkg:nuget/System.Runtime.CompilerServices.Unsafe@9.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "System.Runtime.CompilerServices.Unsafe",
+			Version:     "9.0.0",
+			ContentHash: "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg==",
+			Type:        "Transitive",
+		},
+	}
+
+	microsoftLoggingPkg := pkg.Package{
+		Name:      "Microsoft.Extensions.Logging",
+		Version:   "9.0.0",
+		PURL:      "pkg:nuget/Microsoft.Extensions.Logging@9.0.0",
+		Locations: fixtureLocationSet,
+		Language:  pkg.Dotnet,
+		Type:      pkg.DotnetPkg,
+		Metadata: pkg.DotnetPackagesLockEntry{
+			Name:        "Microsoft.Extensions.Logging",
+			Version:     "9.0.0",
+			ContentHash: "crjWyORoug0kK7RSNJBTeSE6VX8IQgLf3nUpTB9m62bPXp/tzbnOsnbe8TXEG0AASNaKZddnpHKw7fET8E++Pg==",
+			Type:        "Direct",
+		},
+	}
+
+	expectedPkgs := []pkg.Package{
+		autoMapperPkg,
+		compilerServicesUnsafePkg,
+		dependencyInjectionAbstractionsPkg,
+		microsoftLoggingPkg,
+		extensionOptionsPkg,
+		extensionPrimitivesPkg,
+		bootstrapPkg,
+		log4net1Pkg,
+		log4netPkg,
+	}
+
+	expectedRelationships := []artifact.Relationship{
+		{
+			From: autoMapperPkg,
+			To:   extensionOptionsPkg,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: extensionOptionsPkg,
+			To:   dependencyInjectionAbstractionsPkg,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: extensionOptionsPkg,
+			To:   extensionPrimitivesPkg,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: extensionPrimitivesPkg,
+			To:   compilerServicesUnsafePkg,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: microsoftLoggingPkg,
+			To:   extensionOptionsPkg,
+			Type: artifact.DependencyOfRelationship,
+		},
+	}
+
+	pkgtest.TestFileParser(t, fixture, parseDotnetPackagesLock, expectedPkgs, expectedRelationships)
+}
--- a/syft/pkg/cataloger/dotnet/test-fixtures/glob-paths/src/packages.lock.json
+++ b/syft/pkg/cataloger/dotnet/test-fixtures/glob-paths/src/packages.lock.json
@ -0,0 +1 @@
+"i am bogus"
--- a/syft/pkg/cataloger/dotnet/test-fixtures/packages.lock.json
+++ b/syft/pkg/cataloger/dotnet/test-fixtures/packages.lock.json
@ -0,0 +1,78 @@
+{
+    "version": 1,
+    "dependencies": {
+        "net8.0": {
+            "AutoMapper": {
+                "type": "Direct",
+                "requested": "[13.0.1, )",
+                "resolved": "13.0.1",
+                "contentHash": "/Fx1SbJ16qS7dU4i604Sle+U9VLX+WSNVJggk6MupKVkYvvBm4XqYaeFuf67diHefHKHs50uQIS2YEDFhPCakQ==",
+                "dependencies": {
+                    "Microsoft.Extensions.Options": "6.0.0"
+                }
+            },
+            "bootstrap": {
+                "type": "Direct",
+                "requested": "[5.0.0, )",
+                "resolved": "5.0.0",
+                "contentHash": "NKQFzFwrfWOMjTwr+X/2iJyCveuAGF+fNzkxyB0YW45+InVhcE9PUxoL1a8Vmc/Lq9E/CQd4DjO8kU32P4w/Gg=="
+            },
+            "log4net": {
+                "type": "Direct",
+                "requested": "[2.0.5, )",
+                "resolved": "2.0.5",
+                "contentHash": "AEqPZz+v+OikfnR2SqRVdQPnSaLq5y9Iz1CfRQZ9kTKPYCXHG6zYmDHb7wJotICpDLMr/JqokyjiqKAjUKp0ng=="
+            },
+            "Microsoft.Extensions.DependencyInjection.Abstractions": {
+                "type": "Transitive",
+                "resolved": "9.0.0",
+                "contentHash": "xlzi2IYREJH3/m6+lUrQlujzX8wDitm4QGnUu6kUXTQAWPuZY8i+ticFJbzfqaetLA6KR/rO6Ew/HuYD+bxifg=="
+            },
+            "Microsoft.Extensions.Logging": {
+                "type": "Direct",
+                "requested": "[9.0.0, )",
+                "resolved": "9.0.0",
+                "contentHash": "crjWyORoug0kK7RSNJBTeSE6VX8IQgLf3nUpTB9m62bPXp/tzbnOsnbe8TXEG0AASNaKZddnpHKw7fET8E++Pg==",
+                "dependencies": {
+                    "Microsoft.Extensions.Options": "9.0.0"
+                }
+            },
+            "Microsoft.Extensions.Options": {
+                "type": "Transitive",
+                "resolved": "9.0.0",
+                "contentHash": "dzXN0+V1AyjOe2xcJ86Qbo233KHuLEY0njf/P2Kw8SfJU+d45HNS2ctJdnEnrWbM9Ye2eFgaC5Mj9otRMU6IsQ==",
+                "dependencies": {
+                    "Microsoft.Extensions.DependencyInjection.Abstractions": "9.0.0",
+                    "Microsoft.Extensions.Primitives": "9.0.0"
+                }
+            },
+            "Microsoft.Extensions.Primitives": {
+                "type": "Transitive",
+                "resolved": "9.0.0",
+                "contentHash": "9+PnzmQFfEFNR9J2aDTfJGGupShHjOuGw4VUv+JB044biSHrnmCIMD+mJHmb2H7YryrfBEXDurxQ47gJZdCKNQ==",
+                "dependencies": {
+                    "System.Runtime.CompilerServices.Unsafe": "9.0.0"
+                }
+            },
+            "System.Runtime.CompilerServices.Unsafe": {
+                "type": "Transitive",
+                "resolved": "9.0.0",
+                "contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg=="
+            }
+        },
+        ".netcore2.0": {
+            "bootstrap": {
+                "type": "Direct",
+                "requested": "[5.0.0, )",
+                "resolved": "5.0.0",
+                "contentHash": "NKQFzFwrfWOMjTwr+X/2iJyCveuAGF+fNzkxyB0YW45+InVhcE9PUxoL1a8Vmc/Lq9E/CQd4DjO8kU32P4w/Gg=="
+            },
+            "log4net": {
+                "type": "Direct",
+                "requested": "[1.2.15, )",
+                "resolved": "1.2.15",
+                "contentHash": "KPajjkU1rbF6uY2rnakbh36LB9z9FVcYlciyOi6C5SJ3AMNywxjCGxBTN/Hl5nQEinRLuWvHWPF8W7YHh9sONw=="
+            }
+        }
+    }
+}
--- a/syft/pkg/dotnet.go
+++ b/syft/pkg/dotnet.go
@ -9,6 +9,14 @@ type DotnetDepsEntry struct {
 	HashPath string `mapstructure:"hashPath" json:"hashPath"`
 }

+// DotnetPackagesLockEntry is a struct that represents a single entry found in the "dependencies" section in a .NET packages.lock.json file.
+type DotnetPackagesLockEntry struct {
+	Name        string `mapstructure:"name" json:"name"`
+	Version     string `mapstructure:"version" json:"version"`
+	ContentHash string `mapstructure:"contentHash" json:"contentHash"`
+	Type        string `mapstructure:"type" json:"type"`
+}
+
 // DotnetPortableExecutableEntry is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.
 type DotnetPortableExecutableEntry struct {
 	AssemblyVersion string `json:"assemblyVersion"`