BDO - Transient Package Updater
Project description
The main design challenge of this project is to develop a tool that improves vulnerability management for C#/.NET applications by also checking transitive dependencies. Much existing tooling reports on direct packages by default, while vulnerabilities can just as well sit in packages that are pulled in indirectly through other dependencies.
The project focuses on the question:
How can we design and develop a C#/.NET tool that analyzes the full dependency tree of a project, detects vulnerabilities in transitive packages, and provides clear remediation advice or automated update options?
The tool should parse .NET project files, identify direct and transitive dependencies, check them against vulnerability databases, and generate understandable reports. It should also be suitable for use in CI/CD pipelines, so vulnerability checks can become part of the normal development process.
Context
BDO is an international accountancy and advisory organization that provides services in auditing and assurance, tax advice, accountancy, consultancy, and advisory. In the Netherlands, BDO has around 2,700 professionals, while worldwide it operates with more than 91,000 employees across 1,600 locations in 167 countries. This makes BDO one of the largest accountancy and advisory providers in the world.
This project is carried out for BDO Digital Technology Services (DTS) in Eindhoven. DTS is the technology branch within BDO and supports the organization with software development, data analytics, cloud computing, cybersecurity, and other digital solutions. The assignment comes from the Integration Services team, which builds technical solutions used within BDO.
The assignment focuses on creating a Transient Package Updater for C#/.NET applications. Current vulnerability scanning tools, such as Mend (formerly WhiteSource), are useful for checking dependencies, but they do not always give enough insight into transitive packages: packages that developers never add themselves but that arrive through other dependencies. A vulnerability in such a package is the same security risk as one in a direct package.
The goal of this project is to develop a tool that can analyze the full dependency tree of a .NET application, detect vulnerable direct and transitive packages, and provide clear reports with useful remediation advice. The tool should also be able to integrate with CI/CD pipelines, so vulnerability checks can be automated. This helps BDO improve visibility, security, and control over package vulnerabilities in its .NET projects.
Results
The main product is a working C# tool that scans the full transitive NuGet dependency tree of .NET projects, identifies vulnerable packages, and can automatically update them and open pull requests in Azure DevOps. The built-in tooling is easy to misuse here: dotnet list package --vulnerable reports only top-level packages unless --include-transitive is also passed, and even then it lists the vulnerable transitive package without saying which direct reference pulls it in or changing anything. NuGet Audit in the .NET 8 SDK and later adds restore-time warnings (NU1901 to NU1904), with NuGetAuditMode controlling whether transitive packages are included, but it too only reports. For BDO, vulnerabilities that go unnoticed this way are a real security risk across their codebase.
The dependency resolution went through a major iteration. The first version parsed the restore output in project.assets.json, which turned out to be too limited for what we needed. Driven by edge cases we hit while testing against real project structures, we reworked it into a custom NuGet-based resolver that walks the full dependency graph itself.
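To make the "walk the full graph" step concrete, here is an added example in C# (not the BDO tool's code, and not the resolver described above) that takes the simpler route of reading the graph NuGet already resolved into obj/project.assets.json. It walks from each direct PackageReference through the transitive edges and, for every vulnerable package, reports the chain of direct packages responsible for it, which is the piece dotnet list package does not give you. The JSON is a constructed, trimmed-down assets file for a single target framework, the package ids (App.Logging, Web.Client, Text.Parser, Net.Core) are hypothetical, and the advisory check is a constructed rule, not a real CVE. It assumes the .NET 8 SDK (C# 11 raw string literals) and no network access.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added example, not the BDO tool's code. Walks the resolved graph NuGet writes to
// obj/project.assets.json and, for every vulnerable package, reports the chain of
// direct PackageReferences that pulls it in.
static class TransitiveAudit
{
    // Constructed, trimmed project.assets.json for one target framework. Real files
    // carry more sections (libraries, projectFileDependencyGroups, ...); only what
    // the walk reads is kept. Package ids are hypothetical.
    const string AssetsJson = """
    {
      "version": 3,
      "targets": {
        "net8.0": {
          "App.Logging/2.0.0": { "type": "package", "dependencies": { "Text.Parser": "[1.2.0, )" } },
          "Text.Parser/1.2.0": { "type": "package" },
          "Web.Client/3.1.0":  { "type": "package", "dependencies": { "Text.Parser": "[1.1.0, )", "Net.Core": "[4.0.0, )" } },
          "Net.Core/4.0.0":    { "type": "package" }
        }
      },
      "project": {
        "frameworks": {
          "net8.0": {
            "dependencies": {
              "App.Logging": { "target": "Package", "version": "[2.0.0, )" },
              "Web.Client":  { "target": "Package", "version": "[3.1.0, )" }
            }
          }
        }
      }
    }
    """;

    // Constructed advisory rule (hypothetical package, not a real CVE): Text.Parser < 1.3.0.
    // A real tool would query an advisory source (OSV, GitHub Advisory Database) and compare
    // with NuGet.Versioning's NuGetVersion/VersionRange; System.Version used here cannot
    // parse prerelease labels such as 1.2.0-beta.
    static bool IsVulnerable(string id, string version) =>
        string.Equals(id, "Text.Parser", StringComparison.OrdinalIgnoreCase)
        && Version.Parse(version) < new Version(1, 3, 0);

    record Finding(string Id, string Version, bool IsDirect, List<string> Paths);

    static List<Finding> Analyze(string assetsJson, Func<string, string, bool> isVulnerable)
    {
        using var doc = JsonDocument.Parse(assetsJson);
        var root = doc.RootElement;

        // Assumption: a single target framework; a multi-targeted project repeats this per TFM.
        var tfm = root.GetProperty("project").GetProperty("frameworks").EnumerateObject().First();
        var direct = tfm.Value.GetProperty("dependencies").EnumerateObject()
            .Select(p => p.Name).ToHashSet(StringComparer.OrdinalIgnoreCase);

        // NuGet has already flattened the graph to one version per package id per TFM, so
        // nodes are keyed "Id/Version" and edges go id -> id. The ranges inside "dependencies"
        // are what each package asked for; the resolved version is the one in the node key.
        var versions = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var edges = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (var node in root.GetProperty("targets").GetProperty(tfm.Name).EnumerateObject())
        {
            var slash = node.Name.IndexOf('/');
            var id = node.Name[..slash];
            versions[id] = node.Name[(slash + 1)..];
            edges[id] = node.Value.TryGetProperty("dependencies", out var deps)
                ? deps.EnumerateObject().Select(d => d.Name).ToList()
                : new List<string>();
        }

        // Depth-first walk from every direct reference, carrying the path so a finding can
        // name the top-level package responsible for a transitive one. Every path is kept on
        // purpose (a diamond yields two lines), which suits a report but needs capping on
        // very large graphs.
        var findings = new Dictionary<string, Finding>(StringComparer.OrdinalIgnoreCase);
        foreach (var start in direct)
            Walk(start, new List<string>());
        return findings.Values.OrderBy(f => f.Id).ToList();

        void Walk(string id, List<string> path)
        {
            if (!versions.TryGetValue(id, out var version)) return;          // not resolved for this TFM
            if (path.Contains(id, StringComparer.OrdinalIgnoreCase)) return; // cycle guard
            path.Add(id);
            if (isVulnerable(id, version))
            {
                if (!findings.TryGetValue(id, out var f))
                    findings[id] = f = new Finding(id, version, direct.Contains(id), new List<string>());
                f.Paths.Add(string.Join(" -> ", path.Select(p => $"{p} {versions[p]}")));
            }
            foreach (var child in edges[id]) Walk(child, path);
            path.RemoveAt(path.Count - 1);
        }
    }

    static void Main()
    {
        foreach (var f in Analyze(AssetsJson, IsVulnerable))
        {
            Console.WriteLine($"{f.Id} {f.Version} ({(f.IsDirect ? "direct" : "transitive")})");
            foreach (var p in f.Paths) Console.WriteLine($"  via {p}");
            if (!f.IsDirect)
                Console.WriteLine("  fix: update the direct package(s) above, or add a top-level " +
                                  "PackageReference to a fixed version; NuGet's nearest-wins rule " +
                                  "lets a direct reference override the transitive one.");
        }
    }
}
```

On the constructed input this reports Text.Parser 1.2.0 as transitive, reached through both App.Logging 2.0.0 and Web.Client 3.1.0, with Net.Core left alone. The two remediation options it prints are the ones a .NET team actually has: bump the direct packages until they no longer request the affected range, or add a direct PackageReference to a fixed version, which NuGet's nearest-wins resolution prefers over the transitive request. Note that the assets file only exists after a restore and describes one restore of one project, which is part of why a tool meant to run across a codebase may need its own resolver instead.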
On the pipeline side, we built an Azure DevOps pipeline that commits the updates and opens pull requests automatically. BDO can run the tool on a schedule or on demand, and it produces PRs for review rather than silently changing dependencies. That keeps a human in the loop while removing the manual scanning effort. The review step matters because a bumped transitive package can change behaviour, so the PR build should run the project's tests before anyone merges.
We validated the tool through unit tests, SonarCloud static analysis integrated into CI, and regular stakeholder demos during sprint reviews. Feedback from BDO shaped the direction throughout the project and helped us prioritize what mattered for their actual workflow.
In terms of Technology Readiness Level (TRL), the tool sits at roughly TRL 6: it works against real .NET project structures and integrates with Azure DevOps, which is BDO's actual environment, and we demonstrated it to the stakeholders and incorporated their feedback. It has not been rolled out into BDO's production pipelines at scale yet, as that requires further integration work on their side; we advised them on that during the final delivery.
A key insight from the project is that transitive dependency management is a blind spot in most .NET workflows. The default tooling does not surface these risks unless you ask for them explicitly, and most teams do not realize they are exposed until an audit or an incident points it out. Our research into NuGet internals and the .NET dependency resolution model was essential to building something that catches what existing tools miss.