
Dependencies in manifest are a flat list instead of graph for .NET Solution

Tram13 opened this issue (1 comment)

Problem

In the resulting manifest.spdx.json file created by SBOM Tool, the "relationships" are all defined as depending on SPDXRef-RootPackage instead of the proper subdependency.

Context

I have created a simple Hello-World C# project, and added some random dependencies. You can find the project I used here: hello-world-dotnet.zip

Then, I ran dotnet restore. This creates the project.assets.json file, which is read by Component-Detection.

To be sure Component-Detection works as expected, I used .\componentdetection.exe scan --SourceDirectory . --SourceFileRoot . --ManifestFile componentdetection_manifest.json. This generated the file componentdetection_manifest.json. In this file, the dependencies are stored as a graph, not a flat list where all dependencies point to the root package: [image]

But when executing .\sbom.exe Generate -b . -bc . -ps "MyTest" -pn "MyPackageName" -pv "1.0.0", this hierarchy is not kept in the resulting spdx file: manifest.spdx.json [image]

Tram13, May 28 '24 12:05
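A quick way to check a generated manifest for the flattening described in this issue, as an added example (my own script, not part of the issue or of SBOM Tool). It assumes the SPDX 2.x JSON relationship field names (spdxElementId, relatedSpdxElement, relationshipType) and works on two constructed sample manifests rather than the attached project.

```python
import json
from collections import defaultdict

# Constructed sample data shaped like SBOM Tool's manifest.spdx.json
# (not the attachment from the issue). Package names are illustrative;
# only the relationship edges matter for the check.
PACKAGES = [
    {"SPDXID": "SPDXRef-RootPackage", "name": "MyPackageName", "versionInfo": "1.0.0"},
    {"SPDXID": "SPDXRef-Package-A", "name": "Serilog"},
    {"SPDXID": "SPDXRef-Package-B", "name": "Serilog.Sinks.Console"},
]

def edge(src, dst, kind="DEPENDS_ON"):
    return {"spdxElementId": src, "relatedSpdxElement": dst, "relationshipType": kind}

# What the issue reports: every DEPENDS_ON edge originates at the root package.
FLAT_MANIFEST = json.dumps({"packages": PACKAGES, "relationships": [
    edge("SPDXRef-DOCUMENT", "SPDXRef-RootPackage", "DESCRIBES"),
    edge("SPDXRef-RootPackage", "SPDXRef-Package-A"),
    edge("SPDXRef-RootPackage", "SPDXRef-Package-B"),
]})

# What the project.assets.json hierarchy looks like when it is preserved:
# the console sink is a transitive dependency reached through Serilog.
GRAPH_MANIFEST = json.dumps({"packages": PACKAGES, "relationships": [
    edge("SPDXRef-DOCUMENT", "SPDXRef-RootPackage", "DESCRIBES"),
    edge("SPDXRef-RootPackage", "SPDXRef-Package-A"),
    edge("SPDXRef-Package-A", "SPDXRef-Package-B"),
]})

def depends_on_graph(manifest_text):
    """Adjacency map built only from DEPENDS_ON relationships (DESCRIBES etc. ignored)."""
    graph = defaultdict(set)
    for rel in json.loads(manifest_text).get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            graph[rel["spdxElementId"]].add(rel["relatedSpdxElement"])
    return graph

def is_flat(manifest_text, root="SPDXRef-RootPackage"):
    """True when the root is the only element with outgoing DEPENDS_ON edges."""
    return set(depends_on_graph(manifest_text)) <= {root}

def max_depth(manifest_text, root="SPDXRef-RootPackage"):
    """Longest DEPENDS_ON chain below the root; the seen set guards against cycles."""
    graph = depends_on_graph(manifest_text)

    def walk(node, seen):
        return max((1 + walk(c, seen | {c}) for c in graph.get(node, ()) if c not in seen), default=0)
    return walk(root, {root})

if __name__ == "__main__":
    for label, text in (("flat", FLAT_MANIFEST), ("graph", GRAPH_MANIFEST)):
        print(f"{label}: flat={is_flat(text)} depth={max_depth(text)}")
```

On a real manifest.spdx.json, is_flat returning True with a depth of 1 for a project that has transitive NuGet dependencies is the symptom reported here.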