
Incorrect dependency structure on different target framework

Open jesperolsson-se opened this issue 1 year ago • 2 comments

A dependency may reference different dependency versions based on the project's target framework. When scanning a solution where two projects with different target frameworks reference the same dependency, the generated SBOM may incorrectly label a transitive dependency as a direct dependency.

Steps to reproduce

  1. Given a fresh solution
  2. Add a net6.0 project (P1)
  3. Let P1 reference [email protected]
  4. Add a net8.0 project (P2)
  5. Let P2 reference [email protected]
  6. Generate an SBOM for the solution

Result

jesperolsson-se · Oct 24 '24 17:10

This issue is stale because it has been open for 3 months with no activity.

github-actions[bot] · Jan 26 '25 01:01

Thanks for reporting and the creation of the test case.

Solution scan is always a little fuzzy, but I agree it should be:


This is tricky, however. Currently, a dictionary is used for dependencies, where the name is used as the key. I plan some bigger refactors over the year; when that happens, this will likely be fixed too.

mtsfoni · Mar 10 '25 15:03
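A minimal model of the collision described in the report above (two target frameworks resolving the same package to different versions) and in the maintainer's note that the dependency dictionary is keyed on name only. This is an added example, not cyclonedx-dotnet code; the package names, versions and per-framework graphs are constructed.

```python
# Added example (not cyclonedx-dotnet code): a small model of merging two
# per-project NuGet resolutions into one SBOM dependency graph. The package
# names, versions and per-TFM edges below are constructed for illustration.
from collections import defaultdict

# Constructed resolutions: package "A" resolves to a different version per
# target framework, and only the net6.0 version pulls in "B" transitively.
RESOLUTIONS = {
    "P1 (net6.0)": {"direct": [("A", "1.0.0")],
                    "edges": {("A", "1.0.0"): [("B", "2.0.0")], ("B", "2.0.0"): []}},
    "P2 (net8.0)": {"direct": [("A", "2.0.0")],
                    "edges": {("A", "2.0.0"): []}},
}

def merge_by_name(resolutions):
    """Naive merge keyed on package name only: the two versions of A collapse
    into one entry, and the dependsOn edges of both versions are unioned."""
    deps = defaultdict(set)
    for proj, res in resolutions.items():
        deps[proj] |= {name for name, _ in res["direct"]}
        for (name, _), children in res["edges"].items():
            deps[name] |= {child for child, _ in children}
    return {k: sorted(v) for k, v in deps.items()}

def merge_by_name_and_version(resolutions):
    """Merge keyed on (name, version), i.e. one bom-ref per version, so each
    version keeps only the edges observed in its own target framework."""
    deps = defaultdict(set)
    for proj, res in resolutions.items():
        deps[proj] |= {f"{n}@{v}" for n, v in res["direct"]}
        for (n, v), children in res["edges"].items():
            deps[f"{n}@{v}"] |= {f"{cn}@{cv}" for cn, cv in children}
    return {k: sorted(v) for k, v in deps.items()}

def reachable(graph, root):
    """Transitive closure from a root node: everything the SBOM claims it pulls in."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        for child in graph.get(node, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

if __name__ == "__main__":
    naive, exact = merge_by_name(RESOLUTIONS), merge_by_name_and_version(RESOLUTIONS)
    print("name-keyed:   P2 pulls in", sorted(reachable(naive, "P2 (net8.0)")))
    print("name+version: P2 pulls in", sorted(reachable(exact, "P2 (net8.0)")))
```

With the name-keyed merge the net8.0 project is reported as pulling in B, an edge that exists only in the net6.0 resolution; keying on name and version keeps the two graphs apart.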