cyclonedx-dotnet
.NET Framework 4.6.x project without packages.config returns error and zero components
Summary
When running cyclonedx-dotnet on a .NET Framework 4.6.1 project, cyclonedx-dotnet does not report any dependencies and returns an error.
Context
testproject.csproj includes the following section:

```xml
<ItemGroup>
  <Reference Include="System" />
  <Reference Include="System.Core" />
  <Reference Include="System.Xml.Linq" />
  <Reference Include="System.Data.DataSetExtensions" />
  <Reference Include="Microsoft.CSharp" />
  <Reference Include="System.Data" />
  <Reference Include="System.Net.Http" />
  <Reference Include="System.Xml" />
</ItemGroup>
```

The project does not include a packages.config file.
Observed Behavior
I am using cyclonedx-dotnet on a .NET Framework 4.6.1 project. When I run:

```
dotnet CycloneDX project.sln -o ~/sbom
```

I get the following output:

```
Found the following local nuget package cache locations:
/Users/user/.nuget/packages/
/usr/local/share/dotnet/sdk/NuGetFallbackFolder
» Solution: /Users/user/Workspace/testproject/testproject.sln
Getting projects
» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
Getting project references
No project references found
1 project(s) found
» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
Attempting to restore packages
File not found: "/Users/user/Workspace//testproject/testproject/obj/project.assets.json", "/Users/user/Workspace/testproject/testproject/testproject.csproj"
No packages found
```
The SBOM I get back is:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:4d2360b9-d248-41b8-a0c0-2dd5371dbaa7",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.1.2.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "[email protected]",
      "name": "testproject",
      "version": "0.0.0"
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "[email protected]",
      "dependsOn": []
    }
  ]
}
```
Expected behavior
No errors returned. Perhaps the SBOM should include the referenced packages described in the .csproj file as well?
Hi @zuBux, what I understood is that .NET Framework already includes the named libraries (that is why no version is needed), and you can only add more by using packages.config and NuGet.
I am not sure whether the framework itself can be mapped as a BOM entry, because this tool is focused on NuGet references.
Best regards, Patrick
The dependencies all seem to be framework dependencies and are not delivered with your software, so they are not part of the generated BOM.
This might change in a future version of the specification: https://github.com/CycloneDX/specification/pull/326
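As an added illustration of the distinction drawn in the replies above (this is example code written for this page, not part of cyclonedx-dotnet), the script below classifies a csproj's items into framework assemblies, which ship with .NET Framework and never reach the BOM, and NuGet references, which the tool can only report once packages.config or a restored obj/project.assets.json exists. The csproj fragment, the package names Example.Lib and Example.Json, and the file list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed csproj: two of the framework references quoted in the issue plus
# one hypothetical NuGet reference in each style (HintPath and PackageReference).
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Net.Http" />
    <Reference Include="Example.Lib, Version=1.2.0.0, Culture=neutral">
      <HintPath>..\\packages\\Example.Lib.1.2.0\\lib\\net461\\Example.Lib.dll</HintPath>
    </Reference>
  </ItemGroup>
  <ItemGroup>
    <PackageReference Include="Example.Json" Version="2.0.0" />
  </ItemGroup>
</Project>"""

# Project-relative files from which NuGet package data can be read.
RESTORE_FILES = ("packages.config", "obj/project.assets.json")


def _local(tag):
    """Strip the MSBuild XML namespace (old-style csproj files carry one)."""
    return tag.rsplit("}", 1)[-1]


def classify_references(csproj_xml):
    """Return (framework_assemblies, nuget_references) in document order.

    A <Reference> with no <HintPath> is a framework/GAC assembly: it is part of
    the installed .NET Framework, not shipped with the application, so it is
    not a NuGet component. A <Reference> whose <HintPath> points into a
    packages folder is a packages.config-era NuGet reference, and a
    <PackageReference> is a modern NuGet reference.
    """
    framework, nuget = [], []
    for item in ET.fromstring(csproj_xml).iter():
        tag = _local(item.tag)
        name = item.get("Include", "").split(",")[0].strip()
        if tag == "PackageReference":
            nuget.append(name)
        elif tag == "Reference":
            has_hint = any(_local(c.tag) == "HintPath" for c in item)
            (nuget if has_hint else framework).append(name)
    return framework, nuget


def bom_inputs(csproj_xml, present_files):
    """Summarise what cyclonedx-dotnet has to work with for this project.

    present_files is the set of project-relative paths that exist on disk.
    Without restore data the tool prints "No packages found" and emits an
    empty components list, which is the situation described in the issue.
    """
    framework, nuget = classify_references(csproj_xml)
    has_restore_data = any(f in present_files for f in RESTORE_FILES)
    return {
        "framework_only": framework,  # never appears in the BOM today
        "nuget": nuget,  # reportable once restore data exists
        "restore_data_present": has_restore_data,
        "expect_empty_bom": not (nuget and has_restore_data),
    }
```

Running bom_inputs on the issue's own csproj reports an empty BOM even when obj/project.assets.json is present, because every item is a framework assembly.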