Dependencies in manifest are a flat list instead of graph for .NET Solution #585
Labels
tabled
We like this idea, but we are not going to action on it in the moment
Comments
sfoslund
added
needs triage
sfoslund
added
tabled
|
Due to this security scanners like Trivy are not able to seperate direct from indirect package relationships |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem
In the resulting
manifest.spdx.jsonfile created by SBOM Tool, the "relationships" are all defined as depending on SPDXRef-RootPackage instead of the proper subdependency.Context
I have created a simple Hello-World C# project, and added some random dependencies. You can find the project I used here:
hello-world-dotnet.zip
Then, I ran
dotnet restore. This creates the project.assets.json file, which is read by Component-Detection.To be sure Component-Detection works as expected, I used
.\componentdetection.exe scan --SourceDirectory . --SourceFileRoot . --ManifestFile componentdetection_manifest.json. This generated the file componentdetection_manifest.json. In this file, the dependencies are stored as a graph, not a flat list where all dependencies point to the root package:But when executing
.\sbom.exe Generate -b . -bc . -ps "MyTest" -pn "MyPackageName" -pv "1.0.0", this hierarchy is not kept in the resulting spdx file: manifest.spdx.jsonThe text was updated successfully, but these errors were encountered: