
.NET Framework 4.6.x project without packages.config returns error and zero components

Open zuBux opened this issue 2 years ago • 1 comment

Summary

When running cyclonedx-dotnet on a .NET Framework 4.6.1 project, cyclonedx-dotnet does not report any dependencies and returns an error.

Context

testproject.csproj includes the following section:

  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Core" />
    <Reference Include="System.Xml.Linq" />
    <Reference Include="System.Data.DataSetExtensions" />
    <Reference Include="Microsoft.CSharp" />
    <Reference Include="System.Data" />
    <Reference Include="System.Net.Http" />
    <Reference Include="System.Xml" />
  </ItemGroup>

The project does not include a packages.config file.

Observed Behavior

I am using cyclonedx-dotnet on a .NET Framework 4.6.1 project. When I run:

dotnet CycloneDX project.sln -o ~/sbom

I get the following output:

Found the following local nuget package cache locations:
    /Users/user/.nuget/packages/
    /usr/local/share/dotnet/sdk/NuGetFallbackFolder

» Solution: /Users/user/Workspace/testproject/testproject.sln
  Getting projects

» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
  Getting project references
  No project references found
  1 project(s) found


» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
  Attempting to restore packages
File not found: "/Users/user/Workspace//testproject/testproject/obj/project.assets.json", "/Users/user/Workspace/testproject/testproject/testproject.csproj" 
  No packages found

The SBOM I get back is:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:4d2360b9-d248-41b8-a0c0-2dd5371dbaa7",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.1.2.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "testproject@0.0.0",
      "name": "testproject",
      "version": "0.0.0"
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "testproject@0.0.0",
      "dependsOn": []
    }
  ]
}

Expected behavior

No errors returned. Perhaps the SBOM should include the referenced packages described in the .csproj file as well?

zuBux avatar Nov 11 '21 11:11 zuBux

Hi @zuBux, what I understood is that the .NET Framework already includes the named libraries (that is why no version is needed), and you can only add more by using packages.config and NuGet.

I am not sure whether the framework itself can be mapped as a BOM entry, because this tool is focused on NuGet references.

Best regards, Patrick

patspaeth avatar Dec 06 '21 12:12 patspaeth

The dependencies all seem to be framework dependencies and are not delivered with your software, thus they are not part of the generated BOM.

This might change in a future version of the specification: https://github.com/CycloneDX/specification/pull/326

mtsfoni avatar Dec 28 '23 13:12 mtsfoni
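The distinction both replies draw, between framework assemblies referenced with a bare `<Reference>` and NuGet packages that would show up in the BOM, can be checked directly on the .csproj. The following is an added example, not code from the issue or from cyclonedx-dotnet; the sample project is constructed from the `<ItemGroup>` quoted above, and the rule that a `<Reference>` with a `HintPath` into a packages folder counts as a packages.config-restored NuGet assembly is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <ItemGroup> quoted in the issue, wrapped in a
# minimal old-style .NET Framework 4.6.1 project so it parses as a .csproj.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion></PropertyGroup>
  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Core" />
    <Reference Include="System.Xml.Linq" />
    <Reference Include="System.Data.DataSetExtensions" />
    <Reference Include="Microsoft.CSharp" />
    <Reference Include="System.Data" />
    <Reference Include="System.Net.Http" />
    <Reference Include="System.Xml" />
  </ItemGroup>
</Project>
"""

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def classify_references(csproj_xml):
    """Return (nuget, framework): references that come from NuGet (PackageReference,
    or a <Reference> with a HintPath into a packages folder) versus plain
    framework/GAC assembly references, which carry no version and are not shipped."""
    nuget, framework = [], []
    for el in ET.fromstring(csproj_xml).iter():
        name = el.get("Include")
        if not name:
            continue
        tag = _local(el.tag)
        if tag == "PackageReference":
            nuget.append(name)
        elif tag == "Reference":
            hint = next((c.text for c in el if _local(c.tag) == "HintPath"), None)
            # Assumption: a HintPath below a packages folder marks an assembly
            # restored from packages.config; drop the ", Version=..." suffix.
            if hint and "packages" in hint.replace("\\", "/").lower():
                nuget.append(name.split(",")[0].strip())
            else:
                framework.append(name)
    return nuget, framework

def expect_empty_components(csproj_xml):
    """True when nothing NuGet-backed exists, i.e. the 'components: []' seen above."""
    return not classify_references(csproj_xml)[0]
```

Running it over the sample yields eight framework references and no NuGet ones, which is exactly why the SBOM in the issue has an empty components list rather than a tool error.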