cyclonedx / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects

Home Page: https://cyclonedx.org/

License: Apache License 2.0

C# 99.72% Shell 0.05% Dockerfile 0.22%
bom spdx dotnet dotnet-core bill-of-materials software-bill-of-materials package-url purl sbom cyclonedx

cyclonedx-dotnet's Introduction

CycloneDX module for .NET

The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.

This module runs on

  • .NET 6.0
  • .NET 7.0
  • .NET 8.0

This module no longer runs on

Usage

CycloneDX for .NET is distributed via NuGet and Docker Hub.

Installing via NuGet

dotnet tool install --global CycloneDX

If you already have a previous version of CycloneDX installed, you can upgrade to the latest version using the following command:

dotnet tool update --global CycloneDX

Execution via DotNet

dotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>

Execution via Docker

docker run cyclonedx/cyclonedx-dotnet [OPTIONS] <path>

Options

Usage:
  CycloneDX <path> [options]

Arguments:
  <path>  The path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files.

Options:
  -tfm, --framework <framework>                                                The target framework to use. If not defined, all will be aggregated.
  -rt, --runtime <runtime>                                                     The runtime to use. If not defined, all will be aggregated.
  -o, --output <output>                                                        The directory to write the BOM
  -fn, --filename <filename>                                                   Optionally provide a filename for the BOM (default: bom.xml or bom.json)
  -j, --json                                                                   Produce a JSON BOM instead of XML
  -ed, --exclude-dev                                                           Exclude development dependencies from the BOM (see https://github.com/NuGet/Home/wiki/DevelopmentDependency-support-for-PackageReference)
  -t, --exclude-test-projects                                                  Exclude test projects from the BOM
  -u, --url <url>                                                              Alternative NuGet repository URL to https://<yoururl>/nuget/<yourrepository>/v3/index.json
  -us, --baseUrlUsername <baseUrlUsername>                                     Alternative NuGet repository username
  -usp, --baseUrlUserPassword <baseUrlUserPassword>                            Alternative NuGet repository username password/apikey
  -uspct, --isBaseUrlPasswordClearText                                         Alternative NuGet repository password is cleartext
  -rs, --recursive                                                             To be used with a single project file, it will recursively scan project references of the supplied project file
  -ns, --no-serial-number                                                      Optionally omit the serial number from the resulting BOM
  -gu, --github-username <github-username>                                     Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub personal access token
  -gt, --github-token <github-token>                                           Optionally provide a GitHub personal access token for license resolution. If set you also need to provide a GitHub username
  -gbt, --github-bearer-token <github-bearer-token>                            Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions
  -egl, --enable-github-licenses                                               Enables GitHub license resolution
  -dpr, --disable-package-restore                                              Optionally disable package restore
  -dhc, --disable-hash-computation                                             Optionally disable hash computation for packages
  -dct, --dotnet-command-timeout <dotnet-command-timeout>                      dotnet command timeout in milliseconds (primarily used for long dotnet restore operations) [default: 300000]
  -biop, --base-intermediate-output-path <base-intermediate-output-path>       Optionally provide a folder for customized build environment. Required if folder 'obj' is relocated.
  -imp, --import-metadata-path <import-metadata-path>                          Optionally provide a metadata template which has project specific details.
  -ipr, --include-project-references                                           Include project references as components (can only be used with project files).
  -sn, --set-name <set-name>                                                   Override the autogenerated BOM metadata component name.
  -sv, --set-version <set-version>                                             Override the default BOM metadata component version (defaults to 0.0.0).
  -st, --set-type   <Application|Container|Data|Device|Device_Driver|          Override the default BOM metadata component type (defaults to application). [default: Application]
                     File|Firmware|Framework|Library|
                     Machine_Learning_Model|Null|Operating_System|Platform>                                                                
  --version                                                                    Show version information
  -?, -h, --help                                                               Show help and usage information

Examples

To run the CycloneDX tool you need to specify a solution or project file. In case you pass a solution, the tool will aggregate all the projects.

The following will create a BOM from a solution and all projects defined within:

dotnet CycloneDX YourSolution.sln -o /output/path

The following will recursively scan the directory structure for packages.config and create a BOM:

dotnet CycloneDX /path/to/project -o /output/path

The following will recursively scan the project references of the supplied project file, and create a BOM of all package references from all included projects:

dotnet CycloneDX /path/to/project/MyProject.csproj -o /output/path -rs

Project metadata template example

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:087d0712-f591-4995-ba76-03f1c5c48884" version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
  <metadata>
    <component type="application" bom-ref="pkg:nuget/[email protected]">
      <name>CycloneDX</name>
      <version>1.3.0</version>
      <description>
        <![CDATA[The [CycloneDX module](https://github.com/CycloneDX/cyclonedx-dotnet) for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.]]>
      </description>
      <licenses>
        <license>
          <name>Apache License 2.0</name>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:nuget/[email protected]</purl>
    </component>
  </metadata>
</bom>

Update the data and import it within a build pipeline, e.g. create the file using a script and also add dynamic data (version, timestamp, ...).
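As an added Python example (not part of the cyclonedx-dotnet project), the script below generates the metadata template shown above from pipeline values, filling the version and a timestamp dynamically, and reads the file back so the pipeline can verify it before passing it with -imp. The component name, version, purl and description are constructed placeholders.

```python
"""Generate a CycloneDX metadata template for `dotnet CycloneDX ... -imp`.

Added example, not cyclonedx-dotnet's own code: builds the <bom> skeleton
shown in the README, filling version and timestamp dynamically, and reads it
back so a pipeline can verify the file before the tool imports it.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional

BOM_NS = "http://cyclonedx.org/schema/bom/1.2"


def _q(tag: str) -> str:
    """Qualify a tag with the CycloneDX 1.2 namespace."""
    return f"{{{BOM_NS}}}{tag}"


def build_metadata_template(name: str, version: str, purl: str, license_id: str,
                            description: str,
                            timestamp: Optional[datetime] = None) -> bytes:
    """Return a serialised <bom> document containing only a <metadata> block.

    Element order follows the 1.2 schema (timestamp before component).
    """
    ET.register_namespace("", BOM_NS)  # emit xmlns="..." as the default namespace
    bom = ET.Element(_q("bom"), {"serialNumber": f"urn:uuid:{uuid.uuid4()}",
                                 "version": "1"})
    metadata = ET.SubElement(bom, _q("metadata"))
    when = timestamp or datetime.now(timezone.utc)
    ET.SubElement(metadata, _q("timestamp")).text = when.isoformat()
    comp = ET.SubElement(metadata, _q("component"),
                         {"type": "application", "bom-ref": purl})
    ET.SubElement(comp, _q("name")).text = name
    ET.SubElement(comp, _q("version")).text = version
    ET.SubElement(comp, _q("description")).text = description
    lic = ET.SubElement(ET.SubElement(comp, _q("licenses")), _q("license"))
    ET.SubElement(lic, _q("id")).text = license_id
    ET.SubElement(comp, _q("purl")).text = purl
    return ET.tostring(bom, encoding="utf-8", xml_declaration=True)


def read_metadata(xml_bytes: bytes) -> Dict[str, Optional[str]]:
    """Parse the template back into a flat dict for pipeline checks."""
    root = ET.fromstring(xml_bytes)
    ns = {"b": BOM_NS}
    comp = root.find("b:metadata/b:component", ns)
    if comp is None:
        raise ValueError("template has no metadata/component element")
    return {
        "serialNumber": root.get("serialNumber"),
        "timestamp": root.findtext("b:metadata/b:timestamp", namespaces=ns),
        "type": comp.get("type"),
        "name": comp.findtext("b:name", namespaces=ns),
        "version": comp.findtext("b:version", namespaces=ns),
        "license": comp.findtext("b:licenses/b:license/b:id", namespaces=ns),
        "purl": comp.findtext("b:purl", namespaces=ns),
    }


if __name__ == "__main__":
    # Constructed values; a pipeline would take these from its own variables.
    xml_out = build_metadata_template(
        name="MyApp", version="2.4.1", purl="pkg:nuget/[email protected]",
        license_id="Apache-2.0", description="Constructed example component")
    with open("metadata.xml", "wb") as fh:
        fh.write(xml_out)
    # Then: dotnet CycloneDX YourSolution.sln -o /output/path -imp metadata.xml
    print(read_metadata(xml_out))
```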

GitHub License Resolution

SPDX license IDs can be resolved for packages that reference a supported license file in a GitHub repository.

The GitHub license API has an unauthenticated call limit of 60 calls per hour. To ensure consistent output, BOM generation will fail if a rate limit is exceeded. If you start hitting rate limits you will need to generate a personal access token and provide it, together with your username, when running CycloneDX.

To generate a token go to Personal access tokens under Settings / Developer settings. From there select the option to Generate new token. No special token permissions are required.

Due to current limitations in the GitHub API, licenses will only be resolved for master branch license references.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Contributing

Pull requests are welcome. But please read the CycloneDX contributing guidelines first.

To build and test the solution locally you should have .NET 6.0 or .NET 7.0 installed. Standard commands like dotnet build and dotnet test work.

Alternatively, you can use VS Code and the included devcontainer configuration to work in a pre-configured docker image. (You will also need the "Remote - Containers" extension and Docker)

It is generally expected that pull requests will include relevant tests. Tests are automatically run on Windows, macOS and Linux for every pull request, and build warnings will break the build.

If you are having trouble debugging a test that is failing for a platform you don't have access to, please let us know.

Thanks to Gitpod there is a really easy way of creating a ready to go development environment with VS Code. You can open a Gitpod hosted development environment in your browser.

cyclonedx-dotnet's Issues

Empty BOM file is created for project using Arcade tooling

Hi,
I use Microsoft dotnet Arcade tools for C# projects and CycloneDX always creates an empty BOM file whenever the Arcade extensions are activated. After removing the Arcade tooling (global.json, Directory.Build.props, Directory.Build.targets) a complete BOM is created.

How to reproduce: clone Arcade repository and run CycloneDX tool: dotnet CycloneDX Arcade.sln --out lincenseDX

The generated BOM.xml file:

<?xml version="1.0" encoding="utf-8"?>
<bom version="1" serialNumber="urn:uuid:c4bc047c-9409-4f19-aa68-b7aad0a195f5" xmlns="http://cyclonedx.org/schema/bom/1.1">
  <components />
</bom>

Exception when trying to restore packages is not exploitable

When trying to restore packages for generating the SBOM, I get an exception, but it is not useful:

» Analyzing: mySolution.csproj
  Attempting to restore packages
Dotnet restore failed:

Unhandled exception. CycloneDX.Services.DotnetRestoreException: Exception of type 'CycloneDX.Services.DotnetRestoreException' was thrown.
   at CycloneDX.Services.ProjectFileService.GetProjectNugetPackagesAsync(String projectFilePath) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Services/ProjectFileService.cs:line 92
   at CycloneDX.Services.SolutionFileService.GetSolutionNugetPackages(String solutionFilePath) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Services/SolutionFileService.cs:line 110
   at CycloneDX.Program.OnExecuteAsync() in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 128
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments)
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context, CancellationToken cancellationToken)
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<<Apply>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync(String[] args, CancellationToken cancellationToken)
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](CommandLineContext context, CancellationToken cancellationToken)
   at CycloneDX.Program.Main(String[] args) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 62
   at CycloneDX.Program.<Main>(String[] args)

This is probably an issue with a local package, but the exception is not explicit.

No scan of components imported from generated sbom in Dependency-Track

Hi,
I imported my project into Dependency-Track from an SBOM generated from my sln project.
The project and its components are well imported but they are not scanned.
For example the component Microsoft.AspNetCore.App version 2.2.0 is associated with CVE-2019-0564 but the vulnerability is not detected.
Does anyone have the same issue?
I attached the SBOM file and the Dependency-Track component screen.

Regards.

Builds should be deterministic

This probably depends on #174 being resolved first.

This would enable users of this implementation to verify what has been published to nuget matches the relevant commit tag.

We should match the defacto standard for lowercase command name and parameter options

A defacto standard is to have lowercase dotnet command names and parameters. I'm proposing to add lowercase equivalents for current parameters while still supporting existing parameters.

This would include updating all documentation to reference the lowercase equivalents. And only add new parameters in lowercase.

There probably isn't any real maintenance overhead in keeping existing uppercase options. So no plans to deprecate them anytime soon.

BOM creation fails when used latest dotnet-CycloneDX (0.11.0)

Hi Steve,

When I am trying to use the latest dotnet-CycloneDX (0.11.0) version for creating the BOM file I am getting the following message, so I am using dotnet-CycloneDX (0.9.0) instead:

» Analyzing: C:\Users\admin\file.csproj
  Getting project references
  No project references found
  1 project(s) found

My file.csproj contains following contents:

<Project>
  <ItemGroup>
    <!--Set Third party nuget versions-->
    <PackageReference Include="AngleSharp" Version="0.9.4" />
    <PackageReference Include="Apache.NMS.ActiveMQ" Version="1.7.2" />
    <PackageReference Include="Aspose.BarCode" Version="19.4.0" />
    <PackageReference Include="Aspose.Cells" Version="19.8.0" />
    <PackageReference Include="Aspose.Pdf" Version="19.8.0" />
    <PackageReference Include="Aspose.Words" Version="20.1.0" />
  </ItemGroup>
</Project>

Incorrect Version getting added in bom.xml

Hi Team,

I am using the "dotnet-CycloneDX" package for creating bom.xml from a .sln file. But as per my observation it is adding an incorrect version in bom.xml. For example the .csproj file contains the following entry:

<PackageReference Include="WebGrease" version="1.6.0" />

In the above it is clear that the version of WebGrease is 1.6.0 but if we check the bom.xml it shows version 1.5.2 as follows:

    <component type="library">
      <name>WebGrease</name>
      <version>1.5.2</version>
      <description><![CDATA[Web Grease is a suite of tools for optimizing javascript, css files and images.]]></description>
      <licenses>
        <license>
          <url>http://www.microsoft.com/web/webpi/eula/msn_webgrease_eula.htm</url>
        </license>
      </licenses>
      <purl>pkg:nuget/[email protected]</purl>
    </component>

Also I have observed that it includes a version of the library which is not present either in the .csproj or the packages.config file.

For example:
packages.config file contains:
<package id="WebGrease" version="1.6.0" targetFramework="net45" />

but the bom.xml file contains 2 entries for WebGrease, one with version 1.6.0 and the other with version 1.5.2, as shown below:

    <component type="library">
      <name>WebGrease</name>
      <version>1.5.2</version>
      <description><![CDATA[Web Grease is a suite of tools for optimizing javascript, css files and images.]]></description>
      <licenses>
        <license>
          <url>http://www.microsoft.com/web/webpi/eula/msn_webgrease_eula.htm</url>
        </license>
      </licenses>
      <purl>pkg:nuget/[email protected]</purl>
    </component>

    <component type="library">
      <name>WebGrease</name>
      <version>1.6.0</version>
      <description><![CDATA[Web Grease is a suite of tools for optimizing javascript, css files and images.]]></description>
      <licenses>
        <license>
          <url>http://www.microsoft.com/web/webpi/eula/aspnetcomponent_rtw_ENU.htm</url>
        </license>
      </licenses>
      <purl>pkg:nuget/[email protected]</purl>
      <externalReferences>
        <reference type="website">
          <url>http://webgrease.codeplex.com/</url>
        </reference>
      </externalReferences>
    </component>

Could you please take a look into it and let me know if I am missing something?
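An added Python example (not code from cyclonedx-dotnet or Dependency-Track) of the check a BOM consumer can run for the situation reported above: it lists components that appear in bom.xml under more than one version and flags BOM versions that differ from what packages.config declares. The bom.xml and packages.config inputs are constructed from the fragments quoted in the post.

```python
"""Check a CycloneDX bom.xml for components that appear under more than one
version and for versions that packages.config does not declare.

Added example, not cyclonedx-dotnet's or Dependency-Track's code: a BOM
consumer's sanity check for the WebGrease case above. Both inputs below are
constructed from the fragments quoted in the post.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

CONSTRUCTED_BOM = b"""<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library">
      <name>WebGrease</name>
      <version>1.5.2</version>
      <purl>pkg:nuget/[email protected]</purl>
    </component>
    <component type="library">
      <name>WebGrease</name>
      <version>1.6.0</version>
      <purl>pkg:nuget/[email protected]</purl>
    </component>
    <component type="library">
      <name>Newtonsoft.Json</name>
      <version>12.0.3</version>
      <purl>pkg:nuget/[email protected]</purl>
    </component>
  </components>
</bom>"""

CONSTRUCTED_PACKAGES_CONFIG = b"""<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="WebGrease" version="1.6.0" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net45" />
</packages>"""


def _local(tag: str) -> str:
    """Strip the {namespace} part so any CycloneDX schema version parses."""
    return tag.rsplit("}", 1)[-1]


def bom_versions(bom_xml: bytes) -> Dict[str, List[str]]:
    """Map component name -> every version of it listed in the BOM."""
    versions: Dict[str, List[str]] = defaultdict(list)
    for el in ET.fromstring(bom_xml).iter():
        if _local(el.tag) != "component":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in el}
        if fields.get("name") and fields.get("version"):
            versions[fields["name"]].append(fields["version"])
    return dict(versions)


def declared_versions(packages_config_xml: bytes) -> Dict[str, str]:
    """Map package id -> version pinned in packages.config."""
    root = ET.fromstring(packages_config_xml)
    return {p.get("id"): p.get("version") for p in root.iter("package")}


def find_version_mismatches(bom_xml: bytes, packages_config_xml: bytes) -> List[str]:
    """Return one finding per problem: duplicate versions in the BOM, and BOM
    versions that differ from the version packages.config declares."""
    declared = declared_versions(packages_config_xml)
    findings = []
    for name, versions in sorted(bom_versions(bom_xml).items()):
        if len(versions) > 1:
            findings.append(f"{name}: listed {len(versions)} times in BOM "
                            f"with versions {sorted(versions)}")
        for version in versions:
            if name in declared and version != declared[name]:
                findings.append(f"{name}: BOM has {version} but packages.config "
                                f"declares {declared[name]}")
    return findings


if __name__ == "__main__":
    for finding in find_version_mismatches(CONSTRUCTED_BOM, CONSTRUCTED_PACKAGES_CONFIG):
        print(finding)
```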

Support net5

Is somebody in this project and community working on net5 compatibility? It's clear from the project home page that it's not supported so far. But I am raising the issue to get fast feedback. Thanks for your feedback in advance

Support for "dll" references (non-nuget) projects in .NET based projects

Can we add support for including components that are added as "dll" references in .NET projects in the generated CycloneDX BOM? I understand that the "dll" reference may not have all the information the CycloneDX spec will require, but for teams who need to aggregate all their components into a BOM this will be a good feature. This feature could be added as optional, managed by an optional parameter to the tool.

.net full framework solution file support

It would be great if this tool could recognise full framework solution files and switch to scanning for packages.config files.

My use case is that I want to run this against a lot of git repositories and it would be nice to use the same command regardless of the project.

It does add some complexity though. So understand if you don't want to go there. But I'd be happy to have a go at implementing it.

Issues retrieving package info for Private Azure DevOps Nuget feed since 0.9.1

Hello,

Since the 0.9.1 update we have been having issues retrieving nuget package information that is hosted in our private Nuget Feed. I've tried specifying the url, only to receive a 401 unauthorized error. Previously we would simply not specify the url. I'm assuming we would need to pass an authentication token, but I don't see a way for us to do this currently.

Thanks,
Edouard

Processing solution file doesn't include secondary project references

If a project file references a project that isn't included in the solution file the corresponding packages will not be included in the BOM.

i.e. Solution File references just project1.csproj, and project1.csproj references project2.csproj
Then project2.csproj packages will not be included in BOM.

Offending method is

/*
 * Analyzes all projects in a Solution.
 * Note: only projects listed in the .sln are collected; ProjectReference
 * entries inside those projects are never followed.
 */
async Task<int> AnalyzeSolutionAsync(string solutionFile) {
    if (!File.Exists(solutionFile)) {
        Console.Error.WriteLine($"Solution file \"{solutionFile}\" does not exist");
        return 1;
    }
    Console.WriteLine();
    Console.WriteLine($"» Solution: {solutionFile}");
    Console.WriteLine(" Getting projects".PadRight(64));
    var solutionFolder = Path.GetDirectoryName(solutionFile);
    var projects = new List<string>();
    try {
        using (var reader = File.OpenText(solutionFile)) {
            string line;
            while ((line = await reader.ReadLineAsync()) != null) {
                if (!line.StartsWith("Project", StringComparison.OrdinalIgnoreCase)) {
                    continue;
                }
                var regex = new Regex("(.*) = \"(.*?)\", \"(.*?)\"");
                var match = regex.Match(line);
                if (match.Success) {
                    var relativeProjectPath = match.Groups[3].Value.Replace('\\', Path.DirectorySeparatorChar);
                    var projectFile = Path.GetFullPath(Path.Combine(solutionFolder, relativeProjectPath));
                    if (isSupportedProjectType(projectFile) && File.Exists(projectFile)) {
                        projects.Add(projectFile);
                    }
                }
            }
        }
    } catch (Exception ex) {
        Console.Error.WriteLine($" An unhandled exception occurred while getting the projects: {ex.Message}");
        return 1;
    }
    if (!projects.Any()) {
        Console.Error.WriteLine(" No projects found".PadRight(64));
        return 0;
    }
    Console.WriteLine($" {projects.Count} project(s) found".PadRight(64));
    foreach (var project in projects) {
        Console.WriteLine();
        var ret = await AnalyzeProjectAsync(project);
        if (ret != 0) {
            return ret;
        }
    }
    return 0;
}

Will be addressed by #20
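An added Python example (not cyclonedx-dotnet's own code) of the behaviour this issue asks for: projects_in_solution() reuses the solution-file regex quoted above, and all_projects() adds the missing step of following each project's ProjectReference entries, so project2.csproj is found even though only project1.csproj is listed in the .sln. The sample solution and project files are constructed in a temporary directory.

```python
"""Find every project a solution depends on, including ProjectReference
targets that the .sln itself never lists.

Added example, not cyclonedx-dotnet's own code: projects_in_solution()
mirrors the regex-based scan quoted above, and all_projects() adds the
missing step of following <ProjectReference Include=".."/> links. The
sample solution and project files are constructed in a temporary directory.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import List

SUPPORTED = (".csproj", ".fsproj", ".vbproj")
# Same pattern AnalyzeSolutionAsync applies to each "Project(...)" line.
SLN_PROJECT_RE = re.compile(r'(.*) = "(.*?)", "(.*?)"')


def projects_in_solution(solution_file: str) -> List[str]:
    """Projects listed directly in the .sln (what the quoted method does)."""
    folder = os.path.dirname(os.path.abspath(solution_file))
    found = []
    with open(solution_file, encoding="utf-8") as fh:
        for line in fh:
            if not line.lower().startswith("project"):
                continue
            match = SLN_PROJECT_RE.match(line)
            if not match:
                continue
            rel = match.group(3).replace("\\", os.sep)
            path = os.path.normpath(os.path.join(folder, rel))
            if path.endswith(SUPPORTED) and os.path.isfile(path):
                found.append(path)
    return found


def project_references(project_file: str) -> List[str]:
    """Absolute paths of the ProjectReference items in one MSBuild project.

    Tags are compared by local name so both SDK-style projects (no namespace)
    and legacy projects (msbuild/2003 namespace) are handled.
    """
    folder = os.path.dirname(os.path.abspath(project_file))
    refs = []
    for el in ET.parse(project_file).getroot().iter():
        if el.tag.rsplit("}", 1)[-1] == "ProjectReference" and el.get("Include"):
            rel = el.get("Include").replace("\\", os.sep)
            refs.append(os.path.normpath(os.path.join(folder, rel)))
    return refs


def all_projects(solution_file: str) -> List[str]:
    """Transitive closure over ProjectReference: deduplicated and cycle-safe."""
    seen, order = set(), []
    stack = projects_in_solution(solution_file)
    while stack:
        project = stack.pop()
        if project in seen or not os.path.isfile(project):
            continue
        seen.add(project)
        order.append(project)
        stack.extend(project_references(project))
    return sorted(order)


def build_sample_solution() -> str:
    """Construct the layout from the issue: App.sln lists project1 only, and
    project1.csproj references project2.csproj. Returns the .sln path.
    The GUIDs are placeholders; the regex does not depend on them."""
    root = tempfile.mkdtemp(prefix="cdx-sample-")
    os.makedirs(os.path.join(root, "project1"))
    os.makedirs(os.path.join(root, "project2"))
    files = {
        "App.sln": (
            "Microsoft Visual Studio Solution File, Format Version 12.00\n"
            'Project("{00000000-0000-0000-0000-000000000001}") = "project1", '
            '"project1\\project1.csproj", "{00000000-0000-0000-0000-000000000002}"\n'
            "EndProject\n"),
        os.path.join("project1", "project1.csproj"): (
            '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
            '<ProjectReference Include="..\\project2\\project2.csproj" />'
            "</ItemGroup></Project>"),
        os.path.join("project2", "project2.csproj"): (
            '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
            '<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />'
            "</ItemGroup></Project>"),
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return os.path.join(root, "App.sln")


if __name__ == "__main__":
    sln = build_sample_solution()
    print("listed in .sln :", projects_in_solution(sln))
    print("with references:", all_projects(sln))
```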

Add support for "dotnet-retire"

I've just found RetireNet. This tool produces massively more information and also finds some vulnerabilities.

  • It scans all transitive dependencies,
  • It includes the .NET Framework / .NET Core version as well
    • I think this is very important, because MSFT mostly publish vulnerabilities for a specific .netcore version

Maybe you can include dotnet-retire and create a bom.xml out of the scan results from dotnet-retire. Or add a parameter to take additional input from its output

Regarding the CycloneDX spec, it's also possible to add vulnerabilities to the bom.xml

What do you think?

Without arguments, ArgumentNullException

Unhandled Exception: System.ArgumentNullException: Value cannot be null.
Parameter name: path
at System.IO.Path.GetFullPath(String path)
at CycloneDX.Program.OnExecute() in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 51
at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments) in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 77
at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context) in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 62
at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<b__0>d.MoveNext() in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 25
--- End of stack trace from previous location where exception was thrown ---
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.<>c__DisplayClass126_0.b__0() in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.cs:line 505
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](CommandLineContext context) in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.Execute.cs:line 31
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](IConsole console, String[] args) in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.Execute.cs:line 97
at CycloneDX.Program.Main(String[] args) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 45

No automated tests

No automated tests makes vetting pull requests even more time consuming.

I noticed your comment @stevespringett on another issue that you aren't a .net developer. I'm opening this issue to find out if you want a .net developer to jump in and work on this.

It would be a bit of effort to implement, and review. So please let me know if you are interested. Although I do have a bit of free time over the next couple of days so I'll probably make a start on it anyway.

Internal project references should be excluded from the BOM

As pointed out in the #181 thread, internal project references are included in the BOM. I think these should be excluded.

The one scenario I can think of for including them is if the project reference is to a project that is also a nuget package. However, even this is problematic. The reference might not match the relevant nuget package. In particular because of how package versions are managed by some build/release projects.

Exception thrown for projects with no information under SDK 3.1

Dear cyclonedx-dotnet team,

I discovered an issue with this product.

When cyclonedx-dotnet attempts to retrieve info for a local project that is listed as a dependency for another project but contains very little info about itself (such as the below) it blows up.

<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <TargetFramework>netstandard2.1</TargetFramework>
    </PropertyGroup>

</Project>

It looks like it is a bug in the framework you use for reading NuSpec details.

I created a sample repo for your convenience to easily reproduce this issue:

https://github.com/karolswdev/cyclonedx-0-9-1-bug

I checked other issues but they were closed and opened quite a while back.

Local nuget cache for bulk BOM generation

We have a lot of existing projects. So that we don't have to go back and add bom generation to all our existing build pipelines, we have a script that generates them in bulk.

I suspect this would be significantly faster by keeping a local, on disk, cache of already resolved nuget packages.

If implemented I think this should be opt in.

Any thoughts @stevespringett ?

Include support for package.json files also

It would be good to be able to support multiple package providers in the solution.
For example, a web application solution may consume packages from both NuGet and NPM and thus the SBOM should aggregate both sets of references.

.NET core 3.x support

Hi All.

Disclaimer: I tried looking through the Wiki and your README file but could not find the answer.

I am tasked to create BOM during CI/CD pipelines using GitHub Actions.

I discovered your wonderful plugin and decided to give it a shot. We have recently moved all of our projects from .NET core 2.X to 3.1. It seems that your tool does not support 3.1 project, is that a correct assumption?

The error I am getting is

Run ./dotnet-CycloneDX ExampleNetCore/ExampleNetCore.csproj -o bom/
It was not possible to find any compatible framework version
The framework 'Microsoft.NETCore.App', version '2.1.0' was not found.
  - The following frameworks were found:
      3.1.0 at [/opt/hostedtoolcache/dncs/3.1.100/x64/shared/Microsoft.NETCore.App]

You can resolve the problem by installing the specified framework and/or SDK.

The specified framework can be found at:
  - https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=2.1.0&arch=x64&rid=ubuntu.18.04-x64
##[error]Process completed with exit code 150.

Any clarity on your strategy and/or instructions how to contribute to getting this feature moving would be great. Thanks

Karol

.NET 4 support

Hi, I was wondering if CycloneDX-dotnet supports scanning the classic .NET 4 framework instead of .NET Core. I'm able to run it on the project *.sln but I'm not getting any dependencies as a result.
Any ideas?

A Docker container image would make it easier to deal with different runtime versions

Pretty much what the title says. For situations where you aren't running a current LTS runtime or don't want to worry about what runtime versions are available.

Dockerfile is ready to go here...
https://github.com/coderpatros/cyclonedx-dotnet/blob/docker/Dockerfile

But wanted to gauge your interest first @stevespringett. If you'd prefer not to have another thing to worry about I can just keep it as an unofficial image.

You can find it here (assuming the dockerhub build has finished, they can be slow)...
https://hub.docker.com/r/coderpatros/cyclonedx-dotnet

Make github license lookup optional

My organisation only produces software for in-house usage so we are not liable for license infringement. Furthermore, the github lookup is bothersome because our build servers are not supposed to have a direct Internet access, we must edit our firewall rules because of that. Is it possible to make this lookup optional?

Discuss inviting @coderpatros to team

@coderpatros With all of your contributions (and two more PR's possibly ready for merge?), I'm wondering if it would make sense to invite you to the team, which would provide more direct access to the repos, ability to merge PRs, etc.

Let me know if this is something you're interested in. If not, no worries. We can continue collaborating the way we have been. Your call.

Exclude DevelopmentDependency from bom.xml

Later .csproj files support package references which are only used in development scope.

They usually look like:

<PackageReference Include="Foo" Version="1.0.0">
   <PrivateAssets>all</PrivateAssets>
   <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>

This could be Roslyn.Analyzers, SourceLink packages, ... which will never go to production.

see DevelopmentDependency

I think it would be good to exclude such dependencies.

Hardcoded timeout limit for dotnet command leads to problems with debugging

Steps to reproduce:

  1. Observe that sometimes cyclonedx-dotnet returns Dotnet restore failed: and so cannot produce the resulting bom file
  2. In the same case, when running it together with the dotnet restore command, everything is ok

Current result:
dotnet restore is called inside cyclonedx-dotnet in DotnetUtilsService.cs

        public DotnetUtilsResult Restore(string path)
        {
            var arguments = "restore";
            if (!string.IsNullOrEmpty(path)) arguments = $"{arguments} \"{path}\"";

            var commandResult = _dotnetCommandService.Run(arguments);

            if (commandResult.Success)
            {
                return new DotnetUtilsResult();
            }
            else
            {
                return new DotnetUtilsResult
                {
                    // dotnet restore only outputs to std out, not std err
                    ErrorMessage = commandResult.StdOut
                };
            }
        }

If we look at dotnetCommandService.Run:

        public DotnetCommandResult Run(string workingDirectory, string arguments)
        {
            var psi = new ProcessStartInfo(DotNetExe.FullPathOrDefault(), arguments)
            {
                CreateNoWindow = true,
                RedirectStandardOutput = true,
                RedirectStandardError = true,
                UseShellExecute = false,
                WorkingDirectory = workingDirectory
            };

            using (var p = Process.Start(psi))
            {
                var exitCode = 0;
                // ...
                // hard-coded limit: wait at most 60 seconds, then kill the dotnet process
                var processExited = p.WaitForExit(60000);
                if (processExited)
                {
                    exitCode = p.ExitCode;
                }
                else
                {
                    p.Kill();
                    exitCode = -1;
                }
                // ...
                return result;
            }
        }

Here we see a hard limit of 60 seconds for the dotnet restore call. It may not be enough in some cases, e.g. when you need to download 400+ heavyweight dependencies.

Expected result:

  1. Add an option to cyclonedx-dotnet to change this time limit
  2. Add an error message to the output when the limit is exceeded
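One way to implement both expected results, as an added example that is not part of this issue or of the project's code: a command runner whose timeout is read from a CYCLONEDX_DOTNET_TIMEOUT_SECONDS environment variable (an assumed name; the tool has no such option on this page), which drains stdout/stderr while waiting so a chatty restore cannot block on a full pipe, and which reports a timeout explicitly instead of returning a bare -1. The DotnetCommandResult type and RunAsync method are hypothetical replacements for the ones quoted above.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical result type: TimedOut is separate from ExitCode so callers can tell
// "restore failed" apart from "we gave up waiting".
public sealed class DotnetCommandResult
{
    public int ExitCode { get; init; }
    public bool TimedOut { get; init; }
    public string StdOut { get; init; } = "";
    public string StdErr { get; init; } = "";
    public bool Success => ExitCode == 0 && !TimedOut;
}

public static class DotnetCommandRunner
{
    // Assumed environment variable name; not an option of the real tool.
    private const string TimeoutVariable = "CYCLONEDX_DOTNET_TIMEOUT_SECONDS";
    private static readonly TimeSpan DefaultTimeout = TimeSpan.FromSeconds(60);

    // Environment variable first, then the 60 s the current code hard-codes.
    // Zero or a negative value disables the limit entirely.
    public static TimeSpan ResolveTimeout()
    {
        var raw = Environment.GetEnvironmentVariable(TimeoutVariable);
        if (int.TryParse(raw, out var seconds))
            return seconds <= 0 ? Timeout.InfiniteTimeSpan : TimeSpan.FromSeconds(seconds);
        return DefaultTimeout;
    }

    public static async Task<DotnetCommandResult> RunAsync(string workingDirectory, string arguments, TimeSpan timeout)
    {
        var psi = new ProcessStartInfo("dotnet", arguments)
        {
            CreateNoWindow = true,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            UseShellExecute = false,
            WorkingDirectory = workingDirectory,
        };

        using var p = Process.Start(psi) ?? throw new InvalidOperationException("dotnet could not be started");

        // Read both pipes concurrently: a child that fills a redirected pipe blocks
        // until someone drains it, so reading only after exit can hang forever.
        var stdoutTask = p.StandardOutput.ReadToEndAsync();
        var stderrTask = p.StandardError.ReadToEndAsync();

        using var cts = new CancellationTokenSource(timeout);
        try
        {
            await p.WaitForExitAsync(cts.Token).ConfigureAwait(false);
        }
        catch (OperationCanceledException)
        {
            // restore spawns msbuild worker nodes, so kill the whole tree, then
            // report the timeout in words rather than a silent -1.
            p.Kill(entireProcessTree: true);
            return new DotnetCommandResult
            {
                ExitCode = -1,
                TimedOut = true,
                StdOut = await stdoutTask.ConfigureAwait(false),
                StdErr = $"dotnet {arguments} did not finish within {timeout.TotalSeconds:0} s; " +
                         $"set {TimeoutVariable} to raise the limit (0 disables it).",
            };
        }

        return new DotnetCommandResult
        {
            ExitCode = p.ExitCode,
            StdOut = await stdoutTask.ConfigureAwait(false),
            StdErr = await stderrTask.ConfigureAwait(false),
        };
    }

    // Usage: resolve the timeout once and surface the reason for a failed restore.
    public static async Task<int> RestoreAsync(string projectPath)
    {
        var dir = Path.GetDirectoryName(Path.GetFullPath(projectPath))!;
        var result = await RunAsync(dir, $"restore \"{projectPath}\"", ResolveTimeout()).ConfigureAwait(false);
        if (!result.Success)
            Console.Error.WriteLine(result.TimedOut ? result.StdErr : $"Dotnet restore failed:\n{result.StdOut}");
        return result.ExitCode;
    }
}
```

The timeout message names the knob that raises it, which is what a CI log needs when a large restore is killed halfway; the killed restore also leaves a partial NuGet cache behind, so the next run may succeed and make the failure look intermittent, which matches the "sometimes" in the steps above.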

Getting XML Exception while executing dotnet cyclonedx

Version used: 1.3.0

Exception:
Unhandled exception. System.Xml.XmlException: There is no Unicode byte order mark. Cannot switch to Unicode.
   at System.Xml.XmlTextReaderImpl.Throw(Exception e)
   at System.Xml.XmlTextReaderImpl.CheckEncoding(String newEncodingName)
   at System.Xml.XmlTextReaderImpl.ParseXmlDeclaration(Boolean isTextDecl)
   at System.Xml.XmlTextReaderImpl.Read()
   at System.Xml.Linq.XDocument.Load(XmlReader reader, LoadOptions options)
   at NuGet.Packaging.Core.NuspecCoreReaderBase.LoadXml(Stream stream, Boolean leaveStreamOpen)
   at NuGet.Packaging.Core.NuspecCoreReaderBase..ctor(Stream stream, Boolean leaveStreamOpen)
   at NuGet.Packaging.NuspecReader..ctor(Stream stream, IFrameworkNameProvider frameworkProvider, Boolean leaveStreamOpen)
   at NuGet.Packaging.NuspecReader..ctor(Stream stream)
   at CycloneDX.Services.NugetService.GetComponentAsync(String name, String version, String scope) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX.Core/Services/NugetService.cs:line 110
   at CycloneDX.Services.NugetService.GetComponentAsync(NugetPackage package) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX.Core/Services/NugetService.cs:line 219
   at CycloneDX.Program.OnExecuteAsync() in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Program.cs:line 211
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments)
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context, CancellationToken cancellationToken)
   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<<Apply>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync(String[] args, CancellationToken cancellationToken)
   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](CommandLineContext context, CancellationToken cancellationToken)
   at CycloneDX.Program.Main(String[] args) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Program.cs:line 90
   at CycloneDX.Program.<Main>(String[] args)

Build server error

Running the latest cyclonedx-dotnet (0.3.1) on my TFS build server.
Notice the /Users/steve/... path?
Did a development version get installed? If so, how can I rectify this?

2019-01-23T15:30:34.4838674Z » Analyzing: F:\Agents\Agent01\_work\4\s\Audio\APITestHarnes\packages.config
2019-01-23T15:30:34.4838674Z   Getting packages                                              
2019-01-23T15:30:40.6871154Z ##[error]Unhandled Exception: System.IO.IOException: The handle is invalid
2019-01-23T15:30:40.6871154Z ##[error]   at System.ConsolePal.GetBufferInfo(Boolean throwOnNoConsole, Boolean& succeeded)
2019-01-23T15:30:40.6871154Z ##[error]   at CycloneDX.Program.AnalyzeProjectAsync(String projectFile) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 177
2019-01-23T15:30:40.6871154Z ##[error]   at CycloneDX.Program.AnalyzeDirectoryAsync(String projectPath) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 157
2019-01-23T15:30:40.6871154Z ##[error]   at CycloneDX.Program.OnExecute() in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 79
2019-01-23T15:30:40.6871154Z ##[error]   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments) in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 77
2019-01-23T15:30:40.6871154Z ##[error]   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context) in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 62
2019-01-23T15:30:40.6871154Z ##[error]   at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<<Apply>b__0>d.MoveNext() in C:\projects\commandlineutils\src\CommandLineUtils\Conventions\ExecuteMethodConvention.cs:line 25
2019-01-23T15:30:40.6871154Z ##[error]--- End of stack trace from previous location where exception was thrown ---
2019-01-23T15:30:40.6871154Z ##[error]   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.<>c__DisplayClass126_0.<OnExecute>b__0() in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.cs:line 505
2019-01-23T15:30:40.6871154Z ##[error]   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](CommandLineContext context) in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.Execute.cs:line 31
2019-01-23T15:30:40.7027422Z ##[error]   at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute[TApp](IConsole console, String[] args) in C:\projects\commandlineutils\src\CommandLineUtils\CommandLineApplication.Execute.cs:line 97
2019-01-23T15:30:40.7027422Z ##[error]   at CycloneDX.Program.Main(String[] args) in /Users/steve/Development/CycloneDX/cyclonedx-dotnet/CycloneDX/Program.cs:line 45

Empty BOM file generated when using it on a .NET Core 3.1 project

When I try to run cyclonedx on my project I get an empty bom file.

Cyclonedx-dotnet version:

Package Id      Version      Commands
---------------------------------------------
cyclonedx       1.0.2        dotnet-CycloneDX

the file contents are as follows:

<?xml version="1.0" encoding="utf-8"?>
<bom version="1" serialNumber="urn:uuid:8acd057e-4e88-48cf-8ce7-d0f5a6120c73" xmlns="http://cyclonedx.org/schema/bom/1.1">
  <components />
</bom>

Here is the output of the command:

Found the following local nuget package cache locations:
    <redacted-path>/FeaturePeer.AlertSettings/packages
» Solution: <redacted-path>/FeaturePeer.AlertSettings/AlertSettings.sln
  Getting projects
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.PeerApplication/AlertSettings.PeerApplication.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Peer/AlertSettings.Peer.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Peer/AlertSettings.Peer.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/Tests/Module.Tests/Module.Tests.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.PeerApplication/AlertSettings.PeerApplication.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Peer/AlertSettings.Peer.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Peer/AlertSettings.Peer.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Getting project references
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Getting project references
  5 project(s) found
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.PeerApplication/AlertSettings.PeerApplication.csproj
  Attempting to restore packages
  No packages found
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Peer/AlertSettings.Peer.csproj
  Attempting to restore packages
  No packages found
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services/AlertSettings.Services.csproj
  Attempting to restore packages
  No packages found
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/src/AlertSettings.Services.Abstractions/AlertSettings.Services.Abstractions.csproj
  Attempting to restore packages
  No packages found
» Analyzing: <redacted-path>/FeaturePeer.AlertSettings/Tests/Module.Tests/Module.Tests.csproj
  Attempting to restore packages
  No packages found
Creating CycloneDX BOM
Writing to: <redacted-path>/FeaturePeer.AlertSettings/target/bom.xml

Unhandled exception when nuget.org is not available.

I am trying to run CycloneDX on a build server that does not have internet access. My packages are hosted in a package source on the LAN that the build server does have access to. CycloneDX gets an error like this while trying to retrieve information for one of the libraries in my solution. Since it's my own library, it does not have a NuGet package. CycloneDX can't find a local package file, so it tries to connect to nuget.org, which it cannot. I think that CycloneDX should be able to run without access to the internet.

     Retrieving System.Threading.Tasks.Extensions 4.0.0
     Retrieving System.Threading.Thread 4.0.0
     Retrieving System.Threading.ThreadPool 4.0.10
     Retrieving System.Xml.ReaderWriter 4.0.11
     Retrieving System.Xml.XDocument 4.0.11
     Retrieving System.Xml.XmlDocument 4.0.1
     Retrieving System.Xml.XmlSerializer 4.0.11
     Retrieving System.Xml.XPath 4.0.1
     Retrieving System.Xml.XPath.XmlDocument 4.0.1
     Retrieving My.Library 1.0.0-176678
     
     Unhandled Exception: System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
        at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
        --- End of inner exception stack trace ---
        at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
        at System.Threading.Tasks.ValueTask`1.get_Result()
        at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        at System.Threading.Tasks.ValueTask`1.get_Result()
        at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
        at System.Threading.Tasks.ValueTask`1.get_Result()
        at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
        at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
        at CycloneDX.Extensions.HttpClientExtensions.GetXmlStreamAsync(HttpClient httpClient, String url) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX.Core/Extensions/HttpClientExtensions.cs:line 37
        at CycloneDX.Services.NugetService.GetComponentAsync(String name, String version) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX.Core/Services/NugetService.cs:line 107
        at CycloneDX.Services.NugetService.GetComponentAsync(NugetPackage package) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX.Core/Services/NugetService.cs:line 209
        at CycloneDX.Program.OnExecuteAsync() in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Program.cs:line 179
        at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.InvokeAsync(MethodInfo method, Object instance, Object[] arguments)
        at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.OnExecute(ConventionContext context, CancellationToken cancellationToken)
        at McMaster.Extensions.CommandLineUtils.Conventions.ExecuteMethodConvention.<>c__DisplayClass0_0.<<Apply>b__0>d.MoveNext()
     --- End of stack trace from previous location where exception was thrown ---
        at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync(String[] args, CancellationToken cancellationToken)
        at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync[TApp](CommandLineContext context, CancellationToken cancellationToken)
        at CycloneDX.Program.Main(String[] args) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Program.cs:line 69
        at CycloneDX.Program.<Main>(String[] args)

This is the part of the code that is making the network request that fails. I think it should either catch the network exception, or else give the user the option to remove nuget.org as a package source to avoid this request.

        if (nuspecFilename == null)
        {
            var url = _baseUrl + name + "/" + version + "/" + name + ".nuspec";
            using (var xmlStream = await _httpClient.GetXmlStreamAsync(url).ConfigureAwait(false))
            {
                if (xmlStream != null) nuspecReader = new NuspecReader(xmlStream);
            }
        }
        else
        {
            using (var xmlStream = _fileSystem.File.Open(nuspecFilename, System.IO.FileMode.Open, System.IO.FileAccess.Read))
            {
                nuspecReader = new NuspecReader(xmlStream);
            }
        }
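The two remedies proposed above, catching the network failure and letting the user skip the remote feed, as an added example that is not part of this issue or of the project's code. NuspecLookup, its offline flag and its warn callback are assumptions; the NuGet flat-container URL layout and the NuspecReader constructor are the ones the quoted code and stack trace already use.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using NuGet.Packaging;

// Hypothetical rewrite of the nuspec lookup quoted above. Two changes: an explicit
// offline mode that never contacts the remote feed, and a catch around the HTTP
// call so an unreachable host degrades to "no metadata" for that one package
// instead of aborting the whole BOM.
public sealed class NuspecLookup
{
    private readonly HttpClient _httpClient;
    private readonly string _baseUrl;        // e.g. https://api.nuget.org/v3-flatcontainer/
    private readonly bool _offline;          // assumed new option, e.g. --offline
    private readonly Action<string> _warn;   // where "component emitted without metadata" goes

    public NuspecLookup(HttpClient httpClient, string baseUrl, bool offline, Action<string> warn)
    {
        _httpClient = httpClient;
        _baseUrl = baseUrl.EndsWith("/") ? baseUrl : baseUrl + "/";
        _offline = offline;
        _warn = warn;
    }

    // Returns a NuspecReader, or null when no metadata could be obtained. A null is
    // expected for private packages (the My.Library case in the log above); the caller
    // then emits a component carrying only name and version.
    public async Task<NuspecReader?> GetAsync(string name, string version, string? localNuspecPath)
    {
        // 1. Local package cache wins; no network involved.
        if (localNuspecPath != null && File.Exists(localNuspecPath))
        {
            using var file = File.OpenRead(localNuspecPath);
            return new NuspecReader(file);
        }

        // 2. Offline mode: record the gap and move on rather than dialling out.
        if (_offline)
        {
            _warn($"{name} {version}: no local nuspec and offline mode is on; emitting minimal component");
            return null;
        }

        // 3. Remote feed. The v3 flat-container layout uses lower-case ids and versions.
        var id = name.ToLowerInvariant();
        var url = $"{_baseUrl}{id}/{version.ToLowerInvariant()}/{id}.nuspec";
        try
        {
            using var response = await _httpClient.GetAsync(url).ConfigureAwait(false);
            if (response.StatusCode == HttpStatusCode.NotFound)
            {
                _warn($"{name} {version}: not published on the remote feed; emitting minimal component");
                return null;
            }
            response.EnsureSuccessStatusCode();
            // NuspecReader loads the whole document in its constructor, so the
            // response stream can be disposed as soon as it returns.
            using var stream = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
            return new NuspecReader(stream);
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            // Connection refused, DNS failure or proxy timeout: the situation from the
            // stack trace above. Report which package is affected and keep going.
            _warn($"{name} {version}: remote feed unreachable ({ex.GetType().Name}); emitting minimal component");
            return null;
        }
    }
}
```

Keeping the warning per package matters for the SBOM consumer: a component that silently lost its license and hash metadata looks identical to one that never had any, so the generator should say which entries are incomplete and why. Giving HttpClient a short Timeout is also worth doing; with the default 100 seconds, a blocked outbound connection makes each private package cost well over a minute before the catch runs.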

non dotnet core projects

Does this support scanning of .net framework projects?
I'm unable to get this to work for my .net framework 4.5/4.6 solutions.

Specifying a directory should process all solution, project and packages files within

Some projects are made up of multiple system components. They may be separated at the project level or solution level within a repo. A repo might also contain a combination of legacy (older format) full framework projects and new .net core and standard projects.

It would make BOM generation simpler if specifying a directory processed all solution, project and packages files within.
