1. After following the above steps, the build is scanned properly and we could see the Xray status is showing as "Critical" for this build as shown below -
2. Xray will not report any violations for the package "NugetTest.1.0.0.nupkg". It is expected behavior as the package "NugetTest.1.0.0.nupkg" only has metadata information of the package "log4net.2.0.8.nupkg" but not the physical file.
3. The Xray data for the package will be showing no violations even though the repository “k-nuget-local” is part of the watch and the history scan has been triggered for the watch.
4. The Xray scans any dependencies which are present there in the "build-info.json" file. As in the build, we can see that the dependency "log4net:2.0.8" is there, the build is scanned by the Xray and it is reporting the violation.
5. After the scan the, Xray Data for the build shows the violations as shown below -