CycloneDX - Dependency Graph displays transitive dependencies with inaccurate version

[VijayB2606]

Hello,

I have a .NET Core solution which has two projects with below frameworks.

1. netcoreapp3.1
2. netstandard2.0

A] netcoreapp3.1 project -
In this project, I installed nuget package Automapper@10.1.1. It has two dependencies as below -
AutoMapper@10.1.1 =>Microsoft.CSharp@4.7.0
=> System.Reflection.Emit@4.7.0

B] netstandard2.0 project -
In this project, I installed nuget package Microsoft.CSharp@4.0.0.

After running CycloneDX v2.2.0 tool against this .NET Core solution, the resultant SBOM shows inaccurate dependency graph.

Refer below images.

In the dependency graph, dependency of Automapper@10.1.1 is displayed as below.
AutoMapper@10.1.1 =>Microsoft.CSharp@4.0.0
=> System.Reflection.Emit@4.7.0
Microsoft.CSharp@4.7.0 should be displayed as a dependency and not Microsoft.CSharp@4.0.0.

Also, Microsoft.CSharp@4.0.0 is displayed twice in the dependency graph and Microsoft.CSharp@4.7.0 is not displayed.

Thanks and Regards,
Vijay

[patspaeth]

I see the same issue that package dependency versions will be overwritten and causes duplications.
I think this line will cause the error:
https://github.com/CycloneDX/cyclonedx-dotnet/blob/master/CycloneDX/Program.cs#L268