Michael Tsfoni
> I believe all the packages where this causes problems for us right now are using an older dotnet version (6.0) and require an older dotnet CycloneDX version due to...
The dependencies all seem to be framework dependencies and are not being delivered with your software, thus they are not part of the generated BOM. This might change in a...
> What's the current "best" way of adding this information to our SBOMs, given that CycloneDX doesn't support it? Should we just insert some static text manually, or is there...
As dotnet-retire has retired, I opened a new issue regarding using the NuGet vulnerability scan: #805
Marked this for next major-version. Would add argument `-noValidation` to allow user to turn off validation. Having an invalid cdx file might be better than having no cdx file.
I could reproduce the exception by using a package from a private repository and removing it from the cache folder before running CycloneDX. However, adding (in my case) `-u http://localhost:8081/repository/nuget-group/index.json` solved...
> Are you saying that you solved this by using -u and this made needing a cache not needed?

It's the other way around. `--URL` is used as fallback, when...
> The problem is because of GetNuspec C:\Repos\cyclonedx-dotnet\CycloneDX\Services\NugetV3Service.cs > > ``` > > System.Private.CoreLib.dll!System.IO.MemoryStream.Seek(long offset, System.IO.SeekOrigin loc) Line 476 C# > System.IO.Compression.dll!System.IO.Compression.ZipArchive.ReadEndOfCentralDirectory() Line 352 C# > System.IO.Compression.dll!System.IO.Compression.ZipArchive.ZipArchive(System.IO.Stream stream, System.IO.Compression.ZipArchiveMode...
I merged those PRs from Dependabot yesterday. There is one issue I want to fix and then I will release a new version. Hopefully this is solved then. I'd appreciate...
I also ran into this problem. Interestingly, it seemed to work until roughly 5 months ago; the last change to our codebase was 7 months ago. So I can only...