We are building various NuGet packages using Microsoft .NET 6.0, 7.0 and 8.0. The package is pushed via a JFrog connector that doesn't contain the NuGet build info. This is a critical requirement for the JFrog Xray SCA scan.
Here are the build info details provided by JFrog. We need to pass along the build info while running and uploading to Artifactory. Build info is JFrog's source for identifying dependencies. Xray will request the build-info, which contains the list of artifacts and dependencies to scan. Using this information, whatever the build info is able to pick up during the build process, Xray can attempt to match "transitive dependencies" and include them in the analysis. You can find more information on it below:
And an npm/dotnet example of a build passing the build info: