Niklas

@chrisbloom7 Thanks so much for the quick and thorough response! Good to know that `last_known_affected_version_range` will continue to be used in some cases still. However, I'm wondering whether the `ECOSYSTEM`...

I think I discovered a workaround. FWIW, it looks like Gradle / Android may have introduced more classpath configs in in versions >4 that cause these issues. If you ignore...

Good to see that you have automatability in mind from the very beginning. I think JSON is a great choice.

Hi @xXGeserXx, you need to mount `/home/xxx/deptrack/prj/edox` into the container first. This should work: ``` $ sudo docker run --rm -v '/home/xxx/deptrack/prj/edox:/tmp/edox' cyclonedx/cyclonedx-dotnet -o /tmp/edox /tmp/edox ```

@dependabot recreate

Oh man, of course! The [`Module` struct](https://golang.org/ref/mod#go-list-m) has an `Indirect` field: ```go Indirect bool // is this module only an indirect dependency of main module? ``` So we can just...

Alright, so there's still a distinction to be made between direct dependencies and indirect dependencies that have been explicitly declared in `go.mod` (e.g. to force-update them to a newer version)....

@cleaton Transitive dependencies are always included. This issue is more about the dependency graph and the edges within it. As of now, it may be possible that indirect dependencies are...

Oh, I see this is a known issue... :sweat_smile: https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/tests/CycloneDX.Core.Tests/Json/v1.4/ValidationTests.cs#L53-L54 The schemas do not differ in a way that could explain this. ```diff $ diff cyclonedx-specification/schema/bom-1.4.schema.json cyclonedx-dotnet-library/src/CycloneDX.Core/Schemas/bom-1.4.schema.json 614c614 < "$ref":...

I was able to debug this by lifting [these restrictions](https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Core/Json/Validator.cs#L154-L155) of adding validation results to the output message. ~Looks like the BOMs are indeed *not* valid and the JSON schema...