cyclonedx-dotnet
Incorrect dependencies are identified
Hi, we are using cyclonedx-dotnet and are facing an incorrect dependencies issue.
The sample solution with two projects looks like the one below and is attached to the thread. Please note ClassLibrary1 is a netstandard 2.0 project. Sample project: BOMIssue.zip
Observations:
- When I generate a BOM for the entire solution using `dotnet CycloneDX -o . -j BOMIssue.sln`, the following dependency is added to the BOM.
{ "ref": "pkg:nuget/[email protected]", "dependsOn": [ "pkg:nuget/[email protected]", "pkg:nuget/[email protected]" ] },
- When I generate a BOM only for the project using `dotnet CycloneDX -o . -j BOMIssue/BOMIssue.csproj`, the following dependency is added to the BOM.
{ "ref": "pkg:nuget/**[email protected]**", "dependsOn": [ "pkg:nuget/[email protected]", "pkg:nuget/**[email protected]**" ] },
I think the tool is reporting an incorrect dependency of [email protected] on [email protected]. In fact, [email protected] depends on [email protected].
The build output is correct, as shown below.
Could you please investigate further?
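One way to check, for a single project, whether each dependsOn edge in the generated BOM names the version NuGet actually restored (a cross-check added here, not code from cyclonedx-dotnet; the BOM, the project.assets.json fragment and the LibA/LibB package names are constructed):

```python
# Added example (not cyclonedx-dotnet code): flag dependsOn edges in a CycloneDX
# BOM whose version differs from what NuGet restored for a project. Both inputs
# are constructed; LibA and LibB are placeholder package names.

# Constructed BOM fragment shaped like the report: LibA@1.0.0 is recorded as
# depending on the older LibB@1.0.0 although LibB@2.0.0 is what got built.
SAMPLE_BOM = {
    "dependencies": [
        {"ref": "pkg:nuget/LibA@1.0.0", "dependsOn": ["pkg:nuget/LibB@1.0.0"]},
    ]
}

# Constructed project.assets.json "targets" fragment: LibA's declared range on
# LibB is kept, but the package NuGet actually restored is LibB/2.0.0.
SAMPLE_ASSETS = {
    "targets": {
        "net6.0": {
            "LibA/1.0.0": {"type": "package", "dependencies": {"LibB": "1.0.0"}},
            "LibB/2.0.0": {"type": "package"},
        }
    }
}

def parse_purl(purl):
    """Split a plain pkg:nuget/Name@Version purl into (lowercase name, version)."""
    name, _, version = purl.split("/", 1)[1].rpartition("@")
    return name.lower(), version

def resolved_versions(assets, target):
    """Map lowercase package name -> (name, version) that NuGet restored."""
    resolved = {}
    for key, entry in assets["targets"][target].items():
        if entry.get("type") == "package":  # skip project-to-project references
            name, version = key.split("/", 1)
            resolved[name.lower()] = (name, version)
    return resolved

def find_mismatches(bom, assets, target):
    """Return (ref, dependsOn, restored purl) for each edge that names a
    version other than the restored one; an empty list means they agree."""
    resolved = resolved_versions(assets, target)
    mismatches = []
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            name, version = parse_purl(child)
            if name in resolved and resolved[name][1] != version:
                restored = "pkg:nuget/%s@%s" % resolved[name]
                mismatches.append((dep["ref"], child, restored))
    return mismatches
```

Run it against the real `bom.json` and `obj/project.assets.json` of one project (with that project's target framework) to see which edges disagree with the restore graph.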
@coderpatros @verzada I have tested this with the latest code you have and my reflection is that this issue is already fixed. When are you planning to release the latest version?
This issue is not solved. I have a repro example here: https://github.com/Pvlerick/cyclonedx-repro-561/commit/11d87882e9630cf88f72ac5b4d0b33ae29cdd413#diff-5756cd2f62a57f43d8a6f3715ab654def4a774734c5cbaf6ae50f2d00676eac0L1099
When a reference comes implicitly from another project but the main project references a newer version of the package, that is not taken into account in the BOM.
This was done with version 2.7.0.
My bad, it is actually correct since we ask cyclonedx to analyze the solution, so the dependent package could bring along the offending reference if referenced directly.