Cannot detect embedded deps.json metadata in single-file .NET binaries

[rezmoss]

What would you like to be added:

Modern .net app, you can publish your app as a single self-contained file using PublishSingleFile, it packs everything inside including deps.json.

Why is this needed:

syft doesn't pick up the embedded deps.json in single-file executables, so it misses dependency info for .net apps built this way.

Additional context:

t deps.json file is baked into the singlefile bundle as a bin resource, so to get it out you gotta read the executables resource section and parse the data, adding this would let syft report deps more accurately for modern .net apps

build with

  --self-contained true \
  -p:PublishSingleFile=true 

[rezmoss]

@willmurphyscode / @kzantow could you plz assign this to me

[wagoodman]

We do have tests that use the PublishSingleFile and it looks like, you're right, we're not finding the embedded deps.json.

[wagoodman]

I've assigned to you @rezmoss , thanks for picking it up! (shout out if you have questions)

[rezmoss]

sure @wagoodman i’ll ping you if i run into any blockers

[rezmoss]

Before

After

@wagoodman PR #4375 here let me know if you'd like any changes