
.NET Framework 4.6.x project without packages.config returns error and zero components #454

Closed
zuBux opened this issue Nov 11, 2021 · 2 comments

Comments

@zuBux

zuBux commented Nov 11, 2021

Summary

When running cyclonedx-dotnet on a .NET Framework 4.6.1 project, cyclonedx-dotnet does not report any dependencies and returns an error.

Context

testproject.csproj includes the following section:

<ItemGroup>
  <Reference Include="System" />
  <Reference Include="System.Core" />
  <Reference Include="System.Xml.Linq" />
  <Reference Include="System.Data.DataSetExtensions" />
  <Reference Include="Microsoft.CSharp" />
  <Reference Include="System.Data" />
  <Reference Include="System.Net.Http" />
  <Reference Include="System.Xml" />
</ItemGroup>

The project does not include a packages.config file.

Observed Behavior

I am using cyclonedx-dotnet on a .NET Framework 4.6.1 project. When I run:

dotnet CycloneDX project.sln -o ~/sbom

I get the following output:

Found the following local nuget package cache locations:
    /Users/user/.nuget/packages/
    /usr/local/share/dotnet/sdk/NuGetFallbackFolder

» Solution: /Users/user/Workspace/testproject/testproject.sln
  Getting projects

» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
  Getting project references
  No project references found
  1 project(s) found


» Analyzing: /Users/user/Workspace/testproject/testproject/testproject.csproj
  Attempting to restore packages
File not found: "/Users/user/Workspace//testproject/testproject/obj/project.assets.json", "/Users/user/Workspace/testproject/testproject/testproject.csproj" 
  No packages found

The SBOM I get back is:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:4d2360b9-d248-41b8-a0c0-2dd5371dbaa7",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.1.2.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "testproject@0.0.0",
      "name": "testproject",
      "version": "0.0.0"
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "testproject@0.0.0",
      "dependsOn": []
    }
  ]
}

Expected behavior

No errors returned. Perhaps the SBOM should include the referenced packages described in the .csproj file as well?

@patspaeth
Contributor

Hi @zuBux,
What I understand is that the .NET Framework already includes the named libraries (that is why no version is needed) and you can only add more by using packages.config and NuGet.

I am not sure if the framework itself can be mapped as a bom entry, because this tool is focused on nuget references.

Best regards
Patrick

@mtsfoni
Contributor

mtsfoni commented Dec 28, 2023

The dependencies all seem to be framework dependencies and are not delivered with your software, so they are not part of the generated BOM.

This might change in a future version of the specification:
CycloneDX/specification#326

@mtsfoni mtsfoni closed this as completed Dec 28, 2023
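The distinction drawn in the issue and in both replies (framework `<Reference>` items resolve from the installed .NET Framework and are not shipped with the application, whereas NuGet packages are) can be checked before running an SBOM tool. The script below is an added example and is not cyclonedx-dotnet's code; it parses a `.csproj` and separates framework references from delivered dependencies, so a CI step can flag a project whose SBOM would legitimately contain zero components rather than treating that as a tool failure. The first sample project is constructed from the `<ItemGroup>` quoted in the issue (the MSBuild 2003 namespace and `TargetFrameworkVersion` are assumed); the second is a constructed SDK-style project with one real NuGet package for contrast.

```python
"""Classify the references in a .csproj the way an SBOM of delivered
dependencies sees them. Added example, not cyclonedx-dotnet's own code."""
import xml.etree.ElementTree as ET

# Constructed: the <ItemGroup> from the issue wrapped in a minimal old-style
# .NET Framework project (namespace and TargetFrameworkVersion are assumed).
SAMPLE_FRAMEWORK_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
  </PropertyGroup>
  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Core" />
    <Reference Include="System.Xml.Linq" />
    <Reference Include="System.Data.DataSetExtensions" />
    <Reference Include="Microsoft.CSharp" />
    <Reference Include="System.Data" />
    <Reference Include="System.Net.Http" />
    <Reference Include="System.Xml" />
  </ItemGroup>
</Project>
"""

# Constructed SDK-style project with one NuGet PackageReference, for contrast.
SAMPLE_SDK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net461</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <Reference Include="System.Net.Http" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>
"""


def _local(tag):
    """Strip the XML namespace so old-style and SDK-style projects parse alike."""
    return tag.rsplit("}", 1)[-1]


def classify_references(csproj_xml):
    """Return a dict separating framework assemblies from shipped dependencies.

    - 'framework': <Reference> items without a HintPath. They resolve from the
      installed .NET Framework, are not delivered with the application, and so
      produce no BOM component.
    - 'hint_path': <Reference> items with a HintPath (assemblies copied from
      disk, e.g. restored via packages.config). Delivered with the app.
    - 'packages': <PackageReference> items (NuGet). Delivered with the app.
    """
    root = ET.fromstring(csproj_xml)
    result = {"framework": [], "hint_path": [], "packages": []}
    for el in root.iter():
        include = el.get("Include")
        if not include:
            continue
        kind = _local(el.tag)
        if kind == "PackageReference":
            # The version may be an attribute or a <Version> child element.
            version = el.get("Version")
            if version is None:
                version = next((c.text for c in el if _local(c.tag) == "Version"), None)
            result["packages"].append((include, version))
        elif kind == "Reference":
            hint = next((c.text for c in el if _local(c.tag) == "HintPath"), None)
            # Drop any strong-name suffix ("System.Foo, Version=..., Culture=...").
            name = include.split(",", 1)[0].strip()
            if hint:
                result["hint_path"].append((name, hint))
            else:
                result["framework"].append(name)
    return result


def expected_bom_component_count(csproj_xml):
    """Number of components an SBOM of delivered dependencies would list."""
    r = classify_references(csproj_xml)
    return len(r["packages"]) + len(r["hint_path"])


if __name__ == "__main__":
    for label, xml in (("framework-only", SAMPLE_FRAMEWORK_CSPROJ),
                       ("sdk-style", SAMPLE_SDK_CSPROJ)):
        r = classify_references(xml)
        print(f"{label}: {len(r['framework'])} framework refs, "
              f"{len(r['packages'])} NuGet package(s), "
              f"{expected_bom_component_count(xml)} expected BOM component(s)")
```

For the issue's project the expected component count is 0, which matches the empty `components` array in the reported SBOM; a non-zero expectation paired with an empty SBOM is the case worth failing a pipeline on.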