I have a .NET Core solution which has two projects with the frameworks below.
netcoreapp3.1
netstandard2.0
A] netcoreapp3.1 project -
In this project, I installed the NuGet package AutoMapper@10.1.1. It has two dependencies, as below -
AutoMapper@10.1.1 => Microsoft.CSharp@4.7.0
                  => System.Reflection.Emit@4.7.0
B] netstandard2.0 project -
In this project, I installed the NuGet package Microsoft.CSharp@4.0.0.
After running the CycloneDX v2.2.0 tool against this .NET Core solution, the resultant SBOM shows an inaccurate dependency graph.
Refer to the images below.
In the dependency graph, the dependencies of AutoMapper@10.1.1 are displayed as below.
AutoMapper@10.1.1 => Microsoft.CSharp@4.0.0
                  => System.Reflection.Emit@4.7.0
Microsoft.CSharp@4.7.0 should be displayed as a dependency and not Microsoft.CSharp@4.0.0.
Also, Microsoft.CSharp@4.0.0 is displayed twice in the dependency graph and Microsoft.CSharp@4.7.0 is not displayed.
Thanks and Regards,
Vijay
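The inconsistencies reported above can be checked mechanically before an SBOM is used for vulnerability matching. The following is an added example (not part of the original issue and not CycloneDX project code) that audits a constructed CycloneDX-style JSON document shaped like the reported graph; the purl-style `bom-ref` values, the presence of Microsoft.CSharp@4.7.0 in the component list, and the `audit_graph` helper are assumptions.

```python
import json
from collections import Counter

# Constructed sample (not real tool output): CycloneDX-style JSON shaped like
# the graph the issue describes. bom-ref values are assumed to be purls.
SBOM = json.loads("""
{"components": [
  {"bom-ref": "pkg:nuget/AutoMapper@10.1.1", "name": "AutoMapper", "version": "10.1.1"},
  {"bom-ref": "pkg:nuget/Microsoft.CSharp@4.0.0", "name": "Microsoft.CSharp", "version": "4.0.0"},
  {"bom-ref": "pkg:nuget/Microsoft.CSharp@4.7.0", "name": "Microsoft.CSharp", "version": "4.7.0"},
  {"bom-ref": "pkg:nuget/System.Reflection.Emit@4.7.0", "name": "System.Reflection.Emit", "version": "4.7.0"}],
 "dependencies": [
  {"ref": "pkg:nuget/AutoMapper@10.1.1",
   "dependsOn": ["pkg:nuget/Microsoft.CSharp@4.0.0", "pkg:nuget/System.Reflection.Emit@4.7.0"]},
  {"ref": "pkg:nuget/Microsoft.CSharp@4.0.0", "dependsOn": []},
  {"ref": "pkg:nuget/Microsoft.CSharp@4.0.0", "dependsOn": []},
  {"ref": "pkg:nuget/System.Reflection.Emit@4.7.0", "dependsOn": []}]}
""")

# Edges the issue states AutoMapper 10.1.1 should have.
EXPECTED = {"AutoMapper@10.1.1": {"Microsoft.CSharp@4.7.0", "System.Reflection.Emit@4.7.0"}}

def audit_graph(bom, expected):
    """Return sorted (kind, detail) findings for an SBOM dependency graph."""
    label = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom.get("components", [])}
    deps = bom.get("dependencies", [])
    findings = set()
    # 1. A component should appear as a graph node exactly once.
    for ref, n in Counter(d["ref"] for d in deps).items():
        if n > 1:
            findings.add(("duplicate-node", label.get(ref, ref)))
    # 2. Every listed component should appear as a node or an edge target.
    seen = {d["ref"] for d in deps} | {t for d in deps for t in d.get("dependsOn", [])}
    for ref in label.keys() - seen:
        findings.add(("component-not-in-graph", label[ref]))
    # 3. Every edge target must resolve to a listed component.
    edges = {}
    for d in deps:
        for t in d.get("dependsOn", []):
            if t not in label:
                findings.add(("dangling-ref", t))
            edges.setdefault(label.get(d["ref"], d["ref"]), set()).add(label.get(t, t))
    # 4. Compare the recorded edges with the expected ones.
    for parent, want in expected.items():
        got = edges.get(parent, set())
        findings |= {("missing-edge", f"{parent} -> {m}") for m in want - got}
        findings |= {("unexpected-edge", f"{parent} -> {x}") for x in got - want}
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit_graph(SBOM, EXPECTED):
        print(f"{kind}: {detail}")
```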
VijayB2606 changed the title from "CycloneDX v2.2.0 - Dependency Graph displays dependencies with inaccurate version" to "CycloneDX v2.2.0 - Dependency Graph displays transitive dependencies with inaccurate version" on Nov 10, 2021
VijayB2606 changed the title from "CycloneDX v2.2.0 - Dependency Graph displays transitive dependencies with inaccurate version" to "CycloneDX - Dependency Graph displays transitive dependencies with inaccurate version" on Nov 10, 2021