snyk
diff --git a/‎lib/nuget-parser/parsers/dotnet-core-v2-parser.ts
+20-3 b/‎lib/nuget-parser/parsers/dotnet-core-v2-parser.ts
+20-3
diff --git a/‎test/fixtures/dotnetcore/dotnet_8_transitive_false_positive/FirstProject/dotnet_8_transitive_false_positive.csproj
+16 b/‎test/fixtures/dotnetcore/dotnet_8_transitive_false_positive/FirstProject/dotnet_8_transitive_false_positive.csproj
+16
@@ -110,7 +110,7 @@ function getRestoredProjectName(
   );
 }
 
-export function extractLocalProjects(libs: Record<string, any>): string[] {
+function extractLocalProjects(libs: Record<string, any>): string[] {
   const localPackages: string[] = [];
 
   for (const [key, value] of Object.entries(libs)) {
@@ -126,6 +126,10 @@ export function extractLocalProjects(libs: Record<string, any>): string[] {
   return localPackages;
 }
 
+function getDllName(depName: string): string {
+  return `${depName}.dll`;
+}
+
 function buildGraph(
   projectName: string,
   projectAssets: ProjectAssets,
@@ -201,20 +205,33 @@ function buildGraph(
       publishedProjectDeps.libraries,
     );
 
-    // Overwriting the runtime versions with the versions declared in the manifest files.
     const targets = publishedProjectDeps.targets[runtimeTarget];
+
+    // Overwriting the runtime versions with the values used in local projects.
     for (const pgkName of localPackagesNames) {
       if (targets[pgkName]?.dependencies) {
         for (const [key, value] of Object.entries(
           targets[pgkName].dependencies,
         )) {
-          const dllName = `${key}.dll`;
+          const dllName = getDllName(key);
           if (runtimeAssembly[dllName]) {
             runtimeAssembly[dllName] = value as string;
           }
         }
       }
     }
+
+    // Overwriting the runtime versions with the values used in fetched packages.
+    for (const [key, value] of Object.entries(targets)) {
+      if (value && Object.keys(value).length === 0) {
+        const [depName, depVersion] = key.split('/');
+        const dllName = getDllName(depName);
+        // NuGet’s dependency resolution mechanism will choose the higher available version.
+        if (runtimeAssembly[dllName] && depVersion > runtimeAssembly[dllName]) {
+          runtimeAssembly[dllName] = depVersion as string;
+        }
+      }
+    }
   }
 
   recursivelyPopulateNodes(
 
@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Aspire.RabbitMQ.Client" Version="8.2.2" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference
+      Include="..\SecondProject\dotnet_8_second_project.csproj"
+    />
+  </ItemGroup>
+</Project>