
Include other dependencies than package references

Open Whathecode opened this issue 10 months ago • 2 comments

When generating an SBOM from a .csproj file, only <PackageReference ...> dependencies are included in the SBOM. We are also interested in adding dependencies which are output manually, e.g.:

    <None Include="non-nuget.dll">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>

A quick glance at the source code shows that GetProjectDotnetDependencyAsync() operates on dotnet restore's output in obj/project.assets.json, which indeed only includes nuget references.

Is there a plan to also represent such files in generated SBOMs?

Whathecode avatar Feb 27 '25 12:02 Whathecode

Obviously we won't have a lot of data for such files, but I understand the need to add them. I could imagine having a new option that, when activated, causes all *.dll that are copied to the output directory to be added to the SBOM. This would require going through all referenced projects; I assume the functionality of -ipr can be reused for that.

mtsfoni avatar Mar 10 '25 18:03 mtsfoni

When I look in my .csproj (in the format <Project Sdk="Microsoft.NET.Sdk">) I see:

<PackageReference Include="..." ... /> which is included in the SBOM,
<ProjectReference Include="..." /> which I can include in the SBOM by -ipr, and

    <Reference Include="SomeLib, Version=1.2.3.4, Culture=neutral, processorArchitecture=MSIL">
      <SpecificVersion>False</SpecificVersion>
      <HintPath>..\SomePath\SomeLib.dll</HintPath>
    </Reference>

For that I have not found out how to get the reference into the SBOM. Would that be included in the above question or is that another request/task?

hmi95 avatar Mar 25 '25 17:03 hmi95
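The two MSBuild item kinds raised in this thread, `<None>` *.dll items copied to the output directory and `<Reference>` items with a `<HintPath>`, are what `dotnet restore` never writes to obj/project.assets.json. The following is an added example, not cyclonedx-dotnet's own code: it walks a .csproj directly and maps those items to CycloneDX-style component dicts, hashing the binary when it exists on disk. The sample project and the `msbuild:path` property name are constructed for the example.

```python
import hashlib
import os
import xml.etree.ElementTree as ET

SAMPLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <None Include="non-nuget.dll">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
    <None Include="readme.txt" />
    <Reference Include="SomeLib, Version=1.2.3.4, Culture=neutral, processorArchitecture=MSIL">
      <SpecificVersion>False</SpecificVersion>
      <HintPath>..\SomePath\SomeLib.dll</HintPath>
    </Reference>
  </ItemGroup>
</Project>"""  # constructed sample project, not taken from the thread's repository

def _local(tag):  # old-style projects carry the MSBuild xmlns, SDK-style ones do not
    return tag.rsplit("}", 1)[-1]

def _child_text(item, name):
    return next(((c.text or "").strip() for c in item if _local(c.tag) == name), None)

def _parse_assembly_name(include):  # "SomeLib, Version=1.2.3.4, ..." -> ("SomeLib", "1.2.3.4")
    name, *attrs = [p.strip() for p in include.split(",")]
    return name, dict(a.split("=", 1) for a in attrs if "=" in a).get("Version")

def extract_non_nuget_components(csproj_xml, project_dir="."):
    components = []
    for item in ET.fromstring(csproj_xml).iter():
        kind, include = _local(item.tag), item.get("Include", "")
        if kind == "Reference" and _child_text(item, "HintPath"):
            name, version = _parse_assembly_name(include)
            path = _child_text(item, "HintPath")
        elif kind == "None" and include.lower().endswith(".dll") \
                and _child_text(item, "CopyToOutputDirectory"):
            name, version, path = include.replace("\\", "/").rsplit("/", 1)[-1][:-4], None, include
        else:
            continue  # PackageReference items are already covered by obj/project.assets.json
        # "msbuild:path" is a constructed property name, not an official CycloneDX taxonomy entry.
        comp = {"type": "library", "name": name, **({"version": version} if version else {}),
                "properties": [{"name": "msbuild:path", "value": path}]}
        local = os.path.join(project_dir, path.replace("\\", os.sep))
        if os.path.isfile(local):  # record the binary's hash when it is present on disk
            with open(local, "rb") as f:
                comp["hashes"] = [{"alg": "SHA-256", "content": hashlib.sha256(f.read()).hexdigest()}]
        components.append(comp)
    return components
```

Components without a `hashes` entry are ones whose file was not found relative to the project directory, which is itself worth flagging during SBOM generation.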