[BUG] Incorrect version detection with NuGet Central Package Management #1617

@degeens

Describe the bug

When using Central Package Management (CPM) in .NET solutions, package versions are removed from project files (.csproj) and consolidated in a solution-level Directory.Packages.props file.

FOSSA does not currently seem to account for this setup. It treats the missing version numbers in .csproj files as if the latest package versions are being used, even though the actual versions are listed in Directory.Packages.props.

As a result, FOSSA resolves dependencies incorrectly. It merges the version-less PackageReference entries from .csproj files with other sources (such as project.assets.json), which can produce multiple detected versions.

Example

Given:

  • Directory.Packages.props specifies SomePackage version 8.0.0
  • .csproj contains <PackageReference Include="SomePackage" /> (no version)

FOSSA incorrectly reports both 8.0.0 and the latest version (e.g., 8.5.5) as being in use.

Expected behavior

FOSSA should respect the version information defined in Directory.Packages.props and not assume the use of the latest package version when versions are omitted from .csproj files.
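As an added illustration of the resolution this report asks for (my own code, not part of FOSSA or this issue): a minimal Python resolver that reads the central `PackageVersion` items from Directory.Packages.props and applies them to version-less `PackageReference` entries, reporting an unresolved package as `None` rather than assuming "latest". It assumes SDK-style project files without an XML namespace and uses constructed sample inputs.

```python
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the report: versions live in
# Directory.Packages.props, the .csproj only names the packages.
DIRECTORY_PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="SomePackage" Version="8.0.0" />
    <PackageVersion Include="OtherPackage" Version="2.1.0" />
  </ItemGroup>
</Project>"""

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="SomePackage" />
    <PackageReference Include="OtherPackage" VersionOverride="2.2.0" />
    <PackageReference Include="Unpinned" />
  </ItemGroup>
</Project>"""


def central_versions(props_xml):
    """Map package id -> version from PackageVersion items; {} if CPM is off."""
    root = ET.fromstring(props_xml)
    flag = root.findtext(".//ManagePackageVersionsCentrally", "")
    if flag.strip().lower() != "true":
        return {}
    return {e.get("Include"): e.get("Version") for e in root.iter("PackageVersion")}


def resolve_references(csproj_xml, central):
    """Resolve each PackageReference to exactly one version, or None.

    CPM on: VersionOverride on the reference, else the central PackageVersion.
    CPM off: the reference's own Version attribute or child element.
    """
    root = ET.fromstring(csproj_xml)
    resolved = {}
    for ref in root.iter("PackageReference"):
        name = ref.get("Include")
        if central:
            version = ref.get("VersionOverride") or central.get(name)
        else:
            version = ref.get("Version") or ref.findtext("Version")
        resolved[name] = version  # None means "no version found", not "latest"
    return resolved
```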
