✨ Detect .NET Framework as package (#5838)

czunker · web-flow · commit 5b5f2892694a · 2025-08-15T09:59:43.000+02:00
* ✨ Detect .NET Framework as package

.NET Framework bundled with Windows does not show up in the default package list.
Query the registry keys separatly and add the disciovered version to the packages.

Signed-off-by: Christian Zunker &lt;christian@mondoo.com&gt;

* refactor create package

Signed-off-by: Christian Zunker &lt;christian@mondoo.com&gt;

---------

Signed-off-by: Christian Zunker &lt;christian@mondoo.com&gt;
diff --git a/providers/os/resources/packages/windows_packages.go b/providers/os/resources/packages/windows_packages.go
@@ -25,6 +25,8 @@ import (
 	"go.mondoo.com/cnquery/v11/providers/os/resources/cpe"
 	"go.mondoo.com/cnquery/v11/providers/os/resources/powershell"
 	"go.mondoo.com/cnquery/v11/providers/os/resources/purl"
+	"go.mondoo.com/ranger-rpc/codes"
+	"go.mondoo.com/ranger-rpc/status"
 )
 
 // ProcessorArchitecture Enum
@@ -130,38 +132,9 @@ func (p winAppxPackages) toPackage(platform *inventory.Platform) Package {
 		p.arch = arch
 	}
 
-	pkg := Package{
-		Name:    p.Name,
-		Version: p.Version,
-		Arch:    p.arch,
-		Format:  "windows/appx",
-		Vendor:  p.Publisher,
-		PUrl:    purl.NewPackageURL(platform, purl.TypeAppx, p.Name, p.Version).String(),
-	}
-	if p.InstallLocation != "" {
-		pkg.Files = []FileRecord{
-			{
-				Path: p.InstallLocation,
-			},
-		}
-		pkg.FilesAvailable = PkgFilesIncluded
-	}
-
-	if p.Version != "" {
-		cpeWfns, err := cpe.NewPackage2Cpe(p.Publisher, p.Name, p.Version, "", "")
-		if err != nil {
-			log.Debug().Err(err).
-				Str("name", p.Name).
-				Str("version", p.Version).
-				Msg("could not create cpe for windows appx package")
-		} else {
-			pkg.CPEs = cpeWfns
-		}
-	} else {
-		log.Debug().Msg("ignored package since information is missing")
-	}
+	pkg := createPackage(p.Name, p.Version, "windows/appx", p.arch, p.Publisher, p.InstallLocation, platform)
 
-	return pkg
+	return *pkg
 }
 
 // Good read: https://www.wintips.org/view-installed-apps-and-packages-in-windows-10-8-1-8-from-powershell/
@@ -278,9 +251,63 @@ func (w *WinPkgManager) getLocalInstalledApps() ([]Package, error) {
 			packages = append(packages, *p)
 		}
 	}
+
+	// These are the .NET Framework packages
+	// They do not show up in the general apps or features list, so we need to discover them separately
+	dotNetFramework, err := w.getDotNetFramework()
+	if err != nil {
+		return nil, err
+	}
+	packages = append(packages, dotNetFramework...)
+
 	return packages, nil
 }
 
+// getDotNetFramework returns the .NET Framework package
+func (w *WinPkgManager) getDotNetFramework() ([]Package, error) {
+	// https://learn.microsoft.com/en-us/dotnet/framework/install/how-to-determine-which-versions-are-installed#net-framework-45-and-later-versions
+	dotNet45plus := "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full"
+	// https://learn.microsoft.com/en-us/dotnet/framework/install/how-to-determine-which-versions-are-installed#use-registry-editor-older-framework-versions
+	dotNet35 := "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v3.5"
+
+	return getDotNetFrameworkPackageFromRegistryKeys(dotNet45plus, dotNet35, w.platform)
+}
+
+// getDotNetFrameworkFs returns the .NET Framework package discovered on the filesystem
+func (w *WinPkgManager) getDotNetFrameworkFs() ([]Package, error) {
+	// https://learn.microsoft.com/en-us/dotnet/framework/install/how-to-determine-which-versions-are-installed#net-framework-45-and-later-versions
+	dotNet45plus := "Microsoft\\NET Framework Setup\\NDP\\v4\\Full"
+	// https://learn.microsoft.com/en-us/dotnet/framework/install/how-to-determine-which-versions-are-installed#use-registry-editor-older-framework-versions
+	dotNet35 := "Microsoft\\NET Framework Setup\\NDP\\v3.5"
+
+	return getDotNetFrameworkPackageFromRegistryKeys(dotNet45plus, dotNet35, w.platform)
+}
+
+// getDotNetFrameworkPackageFromRegistryKeys returns the .NET Framework package from the registry keys
+func getDotNetFrameworkPackageFromRegistryKeys(dotNet45plus, dotNet35 string, platform *inventory.Platform) ([]Package, error) {
+	items, err := registry.GetNativeRegistryKeyItems(dotNet45plus)
+	if err != nil && status.Code(err) != codes.NotFound {
+		return nil, err
+	}
+
+	if len(items) == 0 {
+		items, err = registry.GetNativeRegistryKeyItems(dotNet35)
+		if err != nil && status.Code(err) != codes.NotFound {
+			return nil, err
+		}
+	}
+
+	if len(items) == 0 {
+		return nil, nil
+	}
+
+	p := getDotNetFrameworkPackageFromRegistryKeyItems(items, platform)
+	if p == nil {
+		return nil, nil
+	}
+	return []Package{*p}, nil
+}
+
 func (w *WinPkgManager) getInstalledApps() ([]Package, error) {
 	if w.conn.Type() == shared.Type_Local && runtime.GOOS == "windows" {
 		return w.getLocalInstalledApps()
@@ -374,6 +401,14 @@ func (w *WinPkgManager) getFsInstalledApps() ([]Package, error) {
 		}
 	}
 
+	// These are the .NET Framework packages
+	// They do not show up in the general apps or features list, so we need to discover them separately
+	dotNetFramework, err := w.getDotNetFrameworkFs()
+	if err != nil {
+		return nil, err
+	}
+	packages = append(packages, dotNetFramework...)
+
 	msSqlHotfixes := findMsSqlHotfixes(packages)
 	if len(msSqlHotfixes) > 0 {
 		packages = updateMsSqlPackages(packages, msSqlHotfixes[len(msSqlHotfixes)-1])
@@ -490,35 +525,31 @@ func getPackageFromRegistryKeyItems(children []registry.RegistryKeyItem, platfor
 		return nil
 	}
 
-	pkg := &Package{
-		Name:    displayName,
-		Version: displayVersion,
-		Format:  "windows/app",
-		Arch:    platform.Arch,
-		Vendor:  publisher,
-		PUrl: purl.NewPackageURL(
-			platform, purl.TypeWindows, displayName, displayVersion,
-		).String(),
-	}
-	if installLocation != "" {
-		pkg.Files = []FileRecord{
-			{
-				Path: installLocation,
-			},
+	pkg := createPackage(displayName, displayVersion, "windows/app", platform.Arch, publisher, installLocation, platform)
+
+	return pkg
+}
+
+// getDotNetFrameworkPackageFromRegistryKeyItems returns the .NET Framework package from the registry key items
+func getDotNetFrameworkPackageFromRegistryKeyItems(items []registry.RegistryKeyItem, platform *inventory.Platform) *Package {
+	var version string
+	var installLocation string
+
+	for _, i := range items {
+		switch i.Key {
+		case "Version":
+			version = i.Value.String
+		case "InstallLocation":
+			installLocation = i.Value.String
 		}
-		pkg.FilesAvailable = PkgFilesIncluded
 	}
 
-	if displayVersion != "" {
-		cpeWfns, err := cpe.NewPackage2Cpe(publisher, displayName, displayVersion, "", "")
-		if err != nil {
-			log.Debug().Err(err).Str("name", displayName).Str("version", displayVersion).Msg("could not create cpe for windows app package")
-		} else {
-			pkg.CPEs = cpeWfns
-		}
-	} else {
-		log.Debug().Msg("ignored package since information is missing")
+	if version == "" {
+		return nil
 	}
+
+	pkg := createPackage("Microsoft .NET Framework", version, "windows/app", platform.Arch, "Microsoft", installLocation, platform)
+
 	return pkg
 }
 
@@ -596,44 +627,15 @@ func ParseWindowsAppPackages(platform *inventory.Platform, input io.Reader) ([]P
 		if entry.UninstallString == "" {
 			continue
 		}
-		cpeWfns := []string{}
 
 		// TODO: We need to figure out why we have empty displayNames.
 		// this is common in windows but we need to verify it is a windows
 		// issue and not a cnquery issue.
 		if entry.DisplayName == "" {
 			continue
 		}
-		if entry.DisplayVersion != "" {
-			cpeWfns, err = cpe.NewPackage2Cpe(entry.Publisher, entry.DisplayName, entry.DisplayVersion, "", "")
-			if err != nil {
-				log.Debug().Err(err).
-					Str("name", entry.DisplayName).
-					Str("version", entry.DisplayVersion).
-					Msg("could not create cpe for windows app package")
-			}
-		} else {
-			log.Debug().Msg("ignored package since information is missing")
-		}
-		pkg := Package{
-			Name:    entry.DisplayName,
-			Version: entry.DisplayVersion,
-			Format:  "windows/app",
-			CPEs:    cpeWfns,
-			Vendor:  entry.Publisher,
-			Arch:    platform.Arch,
-			PUrl: purl.NewPackageURL(
-				platform, purl.TypeWindows, entry.DisplayName, entry.DisplayVersion,
-			).String(),
-		}
-		if entry.InstallLocation != "" {
-			pkg.Files = []FileRecord{
-				{
-					Path: entry.InstallLocation,
-				},
-			}
-		}
-		pkgs = append(pkgs, pkg)
+		pkg := createPackage(entry.DisplayName, entry.DisplayVersion, "windows/app", platform.Arch, entry.Publisher, entry.InstallLocation, platform)
+		pkgs = append(pkgs, *pkg)
 	}
 
 	return pkgs, nil
@@ -682,3 +684,41 @@ func updateMsSqlPackages(pkgs []Package, latestMsSqlHotfix Package) []Package {
 	}
 	return pkgs
 }
+
+// createPackage creates a new package with the given parameters
+func createPackage(name, version, format, arch, publisher, installLocation string, platform *inventory.Platform) *Package {
+	purlType := purl.TypeWindows
+	if format == "windows/appx" {
+		purlType = purl.TypeAppx
+	}
+
+	pkg := &Package{
+		Name:    name,
+		Version: version,
+		Format:  format,
+		Arch:    arch,
+		Vendor:  publisher,
+		PUrl: purl.NewPackageURL(
+			platform, purlType, name, version,
+		).String(),
+	}
+	if installLocation != "" {
+		pkg.Files = []FileRecord{
+			{
+				Path: installLocation,
+			},
+		}
+		pkg.FilesAvailable = PkgFilesIncluded
+	}
+
+	if version != "" {
+		cpeWfns, err := cpe.NewPackage2Cpe(publisher, name, version, "", "")
+		if err != nil {
+			log.Debug().Err(err).Str("name", name).Str("version", version).Msg("could not create cpe for windows app package")
+		} else {
+			pkg.CPEs = cpeWfns
+		}
+	}
+
+	return pkg
+}
diff --git a/providers/os/resources/packages/windows_packages_test.go b/providers/os/resources/packages/windows_packages_test.go
@@ -338,3 +338,102 @@ func TestFindAndUpdateMsSqlHotfixes(t *testing.T) {
 	require.Equal(t, "1.0.0", pkg.Version, "expected non-SQL Server package to remain unchanged")
 	assert.Equal(t, "pkg:windows/windows/Not%20a%20hotfix@1.0.0?arch=x86", pkg.PUrl)
 }
+
+func TestGetDotNetFrameworkPackageFromRegistryKeyItems(t *testing.T) {
+	platform := &inventory.Platform{
+		Name:    "windows",
+		Version: "19041",
+		Arch:    "x86_64",
+		Family:  []string{"windows"},
+	}
+
+	t.Run("with version and install location", func(t *testing.T) {
+		// Create mock registry items for .NET Framework 4.8
+		items := []registry.RegistryKeyItem{
+			{
+				Key: "Version",
+				Value: registry.RegistryKeyValue{
+					Kind:   registry.SZ,
+					String: "4.8.04084.0",
+				},
+			},
+			{
+				Key: "InstallLocation",
+				Value: registry.RegistryKeyValue{
+					Kind:   registry.SZ,
+					String: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.8.04084\\",
+				},
+			},
+		}
+
+		pkg := getDotNetFrameworkPackageFromRegistryKeyItems(items, platform)
+		require.NotNil(t, pkg, "expected package to be created")
+
+		assert.Equal(t, "Microsoft .NET Framework", pkg.Name)
+		assert.Equal(t, "4.8.04084.0", pkg.Version)
+		assert.Equal(t, "windows/app", pkg.Format)
+		assert.Equal(t, "x86_64", pkg.Arch)
+		assert.Equal(t, "Microsoft", pkg.Vendor)
+		assert.Equal(t, "pkg:windows/windows/Microsoft%20.NET%20Framework@4.8.04084.0?arch=x86_64", pkg.PUrl)
+		assert.Len(t, pkg.Files, 1)
+		assert.Equal(t, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.8.04084\\", pkg.Files[0].Path)
+		assert.Equal(t, PkgFilesIncluded, pkg.FilesAvailable)
+
+		// Verify CPE generation
+		require.Len(t, pkg.CPEs, 2, "expected 2 CPE entries")
+		expectedCPEs := []string{
+			"cpe:2.3:a:microsoft:microsoft_.net_framework:4.8.04084.0:*:*:*:*:*:*:*",
+			"cpe:2.3:a:microsoft:microsoft_.net_framework:4.8.04084:*:*:*:*:*:*:*",
+		}
+		assert.ElementsMatch(t, expectedCPEs, pkg.CPEs)
+	})
+
+	t.Run("with .NET 3.5 version", func(t *testing.T) {
+		// Create mock registry items for .NET Framework 3.5
+		items := []registry.RegistryKeyItem{
+			{
+				Key: "Version",
+				Value: registry.RegistryKeyValue{
+					Kind:   registry.SZ,
+					String: "3.5.30729.4926",
+				},
+			},
+			{
+				Key: "InstallLocation",
+				Value: registry.RegistryKeyValue{
+					Kind:   registry.SZ,
+					String: "C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\",
+				},
+			},
+		}
+
+		pkg := getDotNetFrameworkPackageFromRegistryKeyItems(items, platform)
+		require.NotNil(t, pkg, "expected package to be created")
+
+		assert.Equal(t, "Microsoft .NET Framework", pkg.Name)
+		assert.Equal(t, "3.5.30729.4926", pkg.Version)
+		assert.Equal(t, "windows/app", pkg.Format)
+		assert.Equal(t, "x86_64", pkg.Arch)
+		assert.Equal(t, "Microsoft", pkg.Vendor)
+		assert.Equal(t, "pkg:windows/windows/Microsoft%20.NET%20Framework@3.5.30729.4926?arch=x86_64", pkg.PUrl)
+		assert.Len(t, pkg.Files, 1)
+		assert.Equal(t, "C:\\Windows\\Microsoft.NET\\Framework\\v3.5\\", pkg.Files[0].Path)
+		assert.Equal(t, PkgFilesIncluded, pkg.FilesAvailable)
+
+		// Verify CPE generation
+		require.Len(t, pkg.CPEs, 2, "expected 2 CPE entries")
+		expectedCPEs := []string{
+			"cpe:2.3:a:microsoft:microsoft_.net_framework:3.5.30729.4926:*:*:*:*:*:*:*",
+			"cpe:2.3:a:microsoft:microsoft_.net_framework:3.5.30729:*:*:*:*:*:*:*",
+		}
+		assert.ElementsMatch(t, expectedCPEs, pkg.CPEs)
+	})
+
+	t.Run("with empty items", func(t *testing.T) {
+		// Create empty registry items
+		items := []registry.RegistryKeyItem{}
+
+		pkg := getDotNetFrameworkPackageFromRegistryKeyItems(items, platform)
+		assert.Nil(t, pkg, "expected no package when no items are provided")
+	})
+}
