CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

Use a folder path as entry point instead of Project/Solution files #728

Open hornpecom opened 1 year ago

hornpecom commented 1 year ago

Suggestion: Use a folder path as entry point instead of Project/Solution files

Recursively search in the folder for the following files

Background: Our MSBuild-based build scripts are not in the solution and are not taken into account in the dependency scan, although they also use NuGet packages which would be relevant for the SBOM.

I'm sure the JSON files approach can simplify the whole process pretty much, because there is no need for a time-consuming search for the dependencies via the project/solution files, or the build for the scan of the dependencies could be omitted entirely. A single requirement of the scan can be the existence of the mentioned JSON files. It doesn't matter how they come about.

rkg-mm commented 1 year ago

Or use a glob statement that can match e.g. */.csproj or others, as some build tools support.

hornpecom commented 1 year ago

@rkg-mm The JSON file approach is a bit better because I could split my build pipeline into a Build Job and an SBOM Job. These JSON files are created during the build anyway and can be transferred to the SBOM job as artifacts. The SBOM job only creates the SBOM based on the JSON files.

Bertk commented 10 months ago

Please note: the CycloneDX tool is using solution and C# project files to gather metadata (e.g. IsTestProject). Generated project.assets.json files are used to identify the dependencies of the C# project files.

Unfortunately, it does not support an array of C# project files. Maybe this would be helpful for you.
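As an added illustration of the folder-based, JSON-only flow hornpecom asks for above and of the role of project.assets.json that Bertk describes, here is a Python script that is not part of cyclonedx-dotnet: it walks a folder, parses every project.assets.json that NuGet restore left behind, and derives a minimal CycloneDX-style component list with dependency edges, marking each package as direct or transitive. The sample assets file, its package names, versions and digest, and the property name used for the direct/transitive flag are all constructed for this example; the output is a sketch of the CycloneDX shape, not what the real tool emits.

```python
"""Collect NuGet packages from every project.assets.json below a folder.

Added example, not cyclonedx-dotnet's own code. Reads the restore output
NuGet writes to obj/project.assets.json and turns it into a CycloneDX-like
component list, so an SBOM job can run on build artifacts alone.
"""
import base64
import hashlib
import json
import os
import tempfile
from pathlib import Path

ASSETS_FILE = "project.assets.json"

# Constructed digest standing in for a package's SHA-512. NuGet stores it
# base64-encoded in the assets file; CycloneDX hashes are hex, so we convert.
FAKE_DIGEST = hashlib.sha512(b"constructed sample package bytes").digest()

# Constructed, trimmed project.assets.json (names and versions are illustrative).
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {
        "net8.0": {
            "Newtonsoft.Json/13.0.3": {"type": "package"},
            "Serilog/3.1.1": {"type": "package"},
            "Serilog.Sinks.Console/5.0.1": {"type": "package",
                                            "dependencies": {"Serilog": "3.1.1"}},
            "Common.Utils/1.0.0": {"type": "project"},  # project reference, not a package
        }
    },
    "libraries": {
        "Newtonsoft.Json/13.0.3": {"type": "package",
                                   "sha512": base64.b64encode(FAKE_DIGEST).decode()},
        "Serilog/3.1.1": {"type": "package"},
        "Serilog.Sinks.Console/5.0.1": {"type": "package"},
        "Common.Utils/1.0.0": {"type": "project"},
    },
    "project": {
        "restore": {"projectName": "BuildScripts"},
        "frameworks": {"net8.0": {"dependencies": {
            "Newtonsoft.Json": {"target": "Package", "version": "[13.0.3, )"},
            "Serilog": {"target": "Package", "version": "[3.1.1, )"},
        }}},
    },
}


def find_assets_files(root):
    """Yield every project.assets.json below root, at any depth."""
    for dirpath, _dirs, files in os.walk(root):
        if ASSETS_FILE in files:
            yield Path(dirpath) / ASSETS_FILE


def components_from_assets(assets):
    """Return (components, dependency edges) for one parsed assets file.

    Only 'package' entries become components; 'project' entries are references
    to other projects. Packages listed under project.frameworks.*.dependencies
    are the ones declared in the .csproj, i.e. direct; the rest are transitive.
    """
    direct = set()
    for fw in assets.get("project", {}).get("frameworks", {}).values():
        direct.update(fw.get("dependencies", {}))

    components, edges = {}, {}
    for target in assets.get("targets", {}).values():
        # name -> resolved version, used to turn dependency names into purls
        resolved = dict(key.split("/", 1) for key in target)
        for key, entry in target.items():
            if entry.get("type") != "package":
                continue
            name, version = key.split("/", 1)
            purl = f"pkg:nuget/{name}@{version}"
            comp = {
                "type": "library", "name": name, "version": version, "purl": purl,
                # illustrative property name, not a CycloneDX-defined one
                "properties": [{"name": "example:dependencyKind",
                                "value": "direct" if name in direct else "transitive"}],
            }
            lib = assets.get("libraries", {}).get(key, {})
            if "sha512" in lib:
                comp["hashes"] = [{"alg": "SHA-512",
                                   "content": base64.b64decode(lib["sha512"]).hex()}]
            components[purl] = comp
            edges[purl] = sorted(f"pkg:nuget/{dep}@{resolved[dep]}"
                                 for dep in entry.get("dependencies", {}) if dep in resolved)
    ordered = sorted(components)
    return ([components[p] for p in ordered],
            [{"ref": p, "dependsOn": edges[p]} for p in ordered])


def scan_folder(root):
    """Merge every assets file under root into one deduplicated BOM-like dict."""
    comps, deps = {}, {}
    for path in find_assets_files(root):
        with open(path, encoding="utf-8") as fh:
            file_comps, file_deps = components_from_assets(json.load(fh))
        for comp in file_comps:
            comps.setdefault(comp["purl"], comp)   # same purl from two projects: keep one
        for edge in file_deps:
            deps.setdefault(edge["ref"], edge)
    ordered = sorted(comps)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [comps[p] for p in ordered],
            "dependencies": [deps[p] for p in ordered]}


def demo():
    """Lay out two nested obj/ folders holding the sample file and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub in ("build/tools/obj", "scripts/packaging/obj"):
            d = Path(tmp, sub)
            d.mkdir(parents=True)
            (d / ASSETS_FILE).write_text(json.dumps(SAMPLE_ASSETS), encoding="utf-8")
        return scan_folder(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pointing scan_folder at a build output tree is enough; no .sln or .csproj is consulted, which is exactly the trade-off Bertk points out: the project-level metadata the real tool reads from solution and project files (such as IsTestProject) is not available from the assets files alone.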

mtsfoni commented 6 months ago

Background: Our MSBuild-based build scripts are not in the solution and are not taken into account in the dependency scan, although they also use NuGet packages which would be relevant for the SBOM.

I need some more detailed information here. I don't understand how or why you need to add components at compile time that are not yet known at design time.