As your own blog article nicely explains, resolved dependencies depend on the context of the downstream consumer, i.e. the application. So when aiming to create a "build-type-SBOM", additional context has to be provided to the resolution mechanism, like the target framework fur NuGet applications, or the JDK version for Maven applications.
However, currently it seems the GetDependencies API cannot take any such context information, making me wonder what the default assumptions about the above-mentioned contexts are.
Ideally, the API would take system-dependent context parameters to allow the user to specify these explicitly.
As your own blog article nicely explains, resolved dependencies depend on the context of the downstream consumer, i.e. the application. So when aiming to create a "build-type-SBOM", additional context has to be provided to the resolution mechanism, like the target framework fur NuGet applications, or the JDK version for Maven applications.
However, currently it seems the
GetDependenciesAPI cannot take any such context information, making me wonder what the default assumptions about the above-mentioned contexts are.Ideally, the API would take
system-dependent context parameters to allow the user to specify these explicitly.