cdxgen
missing components on dotnet based project
Hi,
When I try to run cdxgen against the dotnet source code, I see there are some components that are part of the solution missing in the SBOM file. These components are referred to in the code and are also part of the csproj reference list. The highlighted components are not included in the SBOM and all other components are part of the SBOM.
@visagansanthanam-unisys, was the solution built prior to invoking cdxgen? Could you check for the presence of projects.assets.json?
@prabhu so the solution is not built prior to invoking cdxgen and it does not have projects.assets.json. How are the other components identified in this case?
@visagansanthanam-unisys, we parse the csproj file if projects.assets.json is not available. This is explained in the footnotes in the readme.
[3] - Perform dotnet or nuget restore to generate project.assets.json. Without this file, cdxgen would not include indirect dependencies.
@prabhu I understand about including indirect dependencies, but what I reported is missing direct dependencies which are part of the csproj file. The cdxgen tool identifies some of the components in the project references and misses others. So this is not an invalid issue.
@visagansanthanam-unisys would you be able to share the csproj file? Suspecting those entries with only .dll are getting missed out.
@prabhu attached zip file has the csproj file Server-dependencies.zip
@prabhu can you help with the instructions for running cdxgen directly using source code?
@visagansanthanam-unisys The file you would be calling is bin/cdxgen.js. You can use the usual options or --help by calling this file.
@cerrussell is there any action pending from me on this bug?
@visagansanthanam-unisys, no one is currently working on this. Could you find a colleague or friend with some node.js experience who is willing to contribute to this feature?
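A completeness check for the situation discussed in this thread, as an added example that is not cdxgen's code and not part of the original issue: it lists the direct `PackageReference` and `Reference` entries of a csproj and reports any that have no matching component name in a CycloneDX JSON SBOM. The function names `directReferences` and `missingFromSbom` are hypothetical, and the sample project and SBOM are constructed for illustration.

```javascript
// Added example. Sample project and SBOM are constructed, not taken from the issue.
const SAMPLE_CSPROJ = `
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageReference Include="Serilog" Version="2.12.0" />
    <!-- <PackageReference Include="Old.Package" Version="1.0.0" /> -->
    <ProjectReference Include="..\\Shared\\Shared.csproj" />
  </ItemGroup>
  <ItemGroup>
    <Reference Include="Vendor.Crypto, Version=1.2.0.0, Culture=neutral">
      <HintPath>..\\libs\\Vendor.Crypto.dll</HintPath>
    </Reference>
    <Reference Include="Legacy.Reporting">
      <HintPath>..\\libs\\Legacy.Reporting.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>`;

const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  components: [
    { type: "library", name: "Newtonsoft.Json", version: "13.0.1" },
    { type: "library", name: "serilog", version: "2.12.0" },
  ],
};

// Hypothetical helper: direct NuGet and assembly references declared in a csproj.
function directReferences(csprojXml) {
  const xml = csprojXml.replace(/<!--[\s\S]*?-->/g, ""); // ignore commented-out items
  const refs = [];
  for (const m of xml.matchAll(/<(PackageReference|Reference)\b([^>]*)>/g)) {
    const include = /\bInclude\s*=\s*"([^"]*)"/.exec(m[2]);
    if (!include) continue; // item without an Include attribute
    // Assembly references may be strong names: "Name, Version=..., Culture=..."
    const name = include[1].split(",")[0].trim();
    refs.push({ name, kind: m[1] === "Reference" ? "assembly" : "package" });
  }
  return refs;
}

// Hypothetical helper: declared references with no same-named SBOM component.
function missingFromSbom(csprojXml, bom) {
  const present = new Set((bom.components || []).map((c) => String(c.name).toLowerCase()));
  return directReferences(csprojXml).filter((r) => !present.has(r.name.toLowerCase()));
}

console.log(missingFromSbom(SAMPLE_CSPROJ, SAMPLE_BOM));
```

Matching is by component name only, case-insensitively; versions are not compared.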