Patrick Dwyer
v2.2.0 now has an option to disable restore. Does that solve this problem?
@tarakg is this full framework or .core? And I think for explicitly referenced dlls this should probably be default behaviour.
If you want to retain the top level metadata component you can use the `--hierarchical` merge option.
Can you share all your package references?
Ah, is the target framework 5?
Have you noticed this with any transitive dependencies outside of framework ones? Digging into this, it's an absolute mess. Just re-read the documentation on NuGet package dependency resolution. It's even...
I've emailed a Microsoft Program Manager who works on NuGet about this. All the documentation reads that project.assets.json, and especially packages.lock.json, should be a reliable source of truth for resolved...
Hmm... could I add the dotnet retire vulnerable packages as a vulnerability source to Dependency-Track @stevespringett? (MIT licence) Any minimum requirements/gotchas that I should be aware of? The only well...
Or, given the low quality and how specific this vuln information is, should I just write a tool to fetch the information and create the vulns in DT via the...
Hi @kmlr05, you need to build the binary first like the release process does https://github.com/CycloneDX/cyclonedx-cli/blob/5d836f69f3c07c1f993b22aaba1b74aabe87c0d9/.github/workflows/release.yml#L46-L55 Although you can skip the extra runtimes and just publish it for "linux-x64".