CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

BOM should include Framework Components #836

Open thompson-tomo opened 10 months ago

thompson-tomo commented 10 months ago

The BOM generated by the tool should also include:

mtsfoni commented 9 months ago

Basically waiting for the outcome of this: Feature: documenting external/extraneous dependencies

lhotamir commented 9 months ago

This would be really useful, because now it is kinda difficult to monitor vulnerabilities in the framework itself.

thompson-tomo commented 9 months ago

@mtsfoni As nuspec provides the framework dependencies needed by the package, I wouldn't want to lose that association information. Could we, as a first step, add those dependencies as optional components?

The reason I want to go down this path is that when an application is published as trimmed + self-contained, those dependencies become required. We could potentially have an argument passed to the tool to signify the compilation mode, i.e. dependent, self-contained or trimmed, which alters the scope of the dependencies.

github-actions[bot] commented 6 months ago

This issue is stale because it has been open for 3 months with no activity.

berezovskyi commented 4 months ago

> Basically waiting for the outcome of this: https://github.com/CycloneDX/specification/issues/321

This is not the case when producing self-contained dotnet builds. In that case, the dotnet runtime is delivered as part of the application and is not an extraneous component. Any (security) upgrades to the OS-installed frameworks are ignored by a self-contained application. Thus, the SBOM should reflect this so that SBOM consumers do not mistakenly believe that they can install the new version of the dotnet framework OS-wide and that self-contained dotnet applications would have all framework security issues addressed by the update.
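The distinction drawn in the two comments above (framework-dependent versus self-contained publish, and the scope the framework components should carry in each case) can be read off the runtimeconfig.json that `dotnet publish` writes next to the application: a framework-dependent app lists the shared framework it expects from the machine under `runtimeOptions.framework` (or `frameworks`), while a self-contained app lists the runtime it bundles under `runtimeOptions.includedFrameworks`. The following Python is an added example, not code from cyclonedx-dotnet or from either commenter; it emits each framework as a CycloneDX `framework` component with scope `optional` for a framework-dependent app and `required` for a self-contained one, and links it from the application via `dependencies`. The sample runtimeconfig contents are constructed, the `rid` parameter and the bom-ref naming are assumptions of the example, and the purl uses the RID-specific runtime pack name (`Microsoft.NETCore.App.Runtime.<rid>`) as published on NuGet.

```python
import json
from typing import Optional

# Constructed sample runtimeconfig.json contents in the shape `dotnet publish`
# writes them. Illustrative inputs only, not files taken from any real project.
FRAMEWORK_DEPENDENT_RUNTIMECONFIG = json.dumps({
    "runtimeOptions": {
        "tfm": "net8.0",
        "framework": {"name": "Microsoft.NETCore.App", "version": "8.0.0"},
    }
})

SELF_CONTAINED_RUNTIMECONFIG = json.dumps({
    "runtimeOptions": {
        "tfm": "net8.0",
        "includedFrameworks": [
            {"name": "Microsoft.NETCore.App", "version": "8.0.0"},
            {"name": "Microsoft.AspNetCore.App", "version": "8.0.0"},
        ],
    }
})


def is_self_contained(runtimeconfig) -> bool:
    """True when the runtime ships inside the app.

    A self-contained publish records the bundled runtime under includedFrameworks;
    a framework-dependent publish records what it expects from the machine under
    framework / frameworks. Accepts the JSON text or the parsed dict.
    """
    cfg = json.loads(runtimeconfig) if isinstance(runtimeconfig, str) else runtimeconfig
    return bool(cfg.get("runtimeOptions", {}).get("includedFrameworks"))


def framework_components(runtimeconfig_text: str, rid: Optional[str] = None) -> list:
    """Return CycloneDX components for the frameworks an app depends on.

    Scope follows the publish mode: "required" when the runtime is bundled
    (OS-wide framework updates do not reach it), "optional" when it is resolved
    from the machine's shared framework at run time.
    `rid` (e.g. "linux-x64") is an assumption of this example: the caller knows
    it from the publish invocation, runtimeconfig.json does not record it.
    """
    opts = json.loads(runtimeconfig_text).get("runtimeOptions", {})
    if is_self_contained(runtimeconfig_text):
        frameworks = opts["includedFrameworks"]
        scope = "required"
    else:
        frameworks = opts.get("frameworks") or ([opts["framework"]] if "framework" in opts else [])
        scope = "optional"

    components = []
    for fw in frameworks:
        comp = {
            "type": "framework",
            "bom-ref": f"{fw['name']}@{fw['version']}",  # naming is this example's choice
            "name": fw["name"],
            "version": fw["version"],
            "scope": scope,
        }
        if scope == "required" and rid:
            # Self-contained output is assembled from the RID-specific runtime pack
            # on NuGet, so it can be identified by package URL. A framework-dependent
            # app has no single package to point at, so it gets no purl here.
            comp["purl"] = f"pkg:nuget/{fw['name']}.Runtime.{rid}@{fw['version']}"
        components.append(comp)
    return components


def build_bom(app_name: str, app_version: str, runtimeconfig_text: str,
              rid: Optional[str] = None) -> dict:
    """Minimal CycloneDX 1.5 JSON BOM: the application plus its framework components."""
    app_ref = f"{app_name}@{app_version}"
    fw_components = framework_components(runtimeconfig_text, rid)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "bom-ref": app_ref,
                          "name": app_name, "version": app_version},
        },
        "components": fw_components,
        "dependencies": [
            {"ref": app_ref, "dependsOn": [c["bom-ref"] for c in fw_components]},
        ],
    }


if __name__ == "__main__":
    for label, text in (("framework-dependent", FRAMEWORK_DEPENDENT_RUNTIMECONFIG),
                        ("self-contained", SELF_CONTAINED_RUNTIMECONFIG)):
        print(f"# {label}")
        print(json.dumps(build_bom("MyApp", "1.0.0", text, rid="linux-x64"), indent=2))
```

Trimming is not recorded in runtimeconfig.json, so the "trimmed" case from the earlier comment would still need to be passed in explicitly (the compilation-mode argument proposed there); what the file does expose is enough to decide between `optional` and `required`, which is the distinction a vulnerability scanner consuming the BOM needs.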

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 3 months with no activity.

thompson-tomo commented 1 month ago

Still waiting