
Feature request: Scan a specific csproj

Open prabhu opened this issue 3 years ago • 4 comments

Discussed in https://github.com/AppThreat/cdxgen/discussions/168

Originally posted by sduquette-devolutions October 14, 2022

We have a project that has multiple csproj files in the same folder for different tools based on the same codebase. With dotnet-cyclonedx we can pass the path to the csproj file to generate them separately. It would be useful if we could do the same thing with cdxgen. I was wondering if you had ideas how best to implement that.

prabhu avatar Nov 11 '22 09:11 prabhu

I'd like the same feature to scan, say, a specific pom.xml or composer.lock.

metametadata avatar Aug 14 '24 10:08 metametadata

Can you pass the directory for the specific csproj file? It should work fine.

prabhu avatar Aug 15 '24 00:08 prabhu

It's unsafe as there can be other scannable files in the same directory. It can be somewhat protected against by specifying, say, --type java to scan only pom.xml. But it would still not reflect the consumer's goal (to scan a single file) and will scan more than expected in the edge cases.

And then it would also be great to fail loudly in case the explicitly specified file doesn't exist.

metametadata avatar Aug 15 '24 01:08 metametadata

@metametadata True. It's a non-trivial change and one that none of my current clients would fund. I will consider this for cdxgen v11, but someone has to pay the invoices for both development and testing efforts.

prabhu avatar Aug 15 '24 01:08 prabhu