
SBOM tool always includes package entry when .nuspec file is found #866

Open

jalkire opened this issue Jan 14, 2025 · 0 comments

jalkire commented Jan 14, 2025

The underlying component detector for NuGet packages includes, among other things, *.nuspec files. This means that if a .nuspec file is present during SBOM generation, the package that it defines will be included in the packages section of the SBOM. This will happen regardless of whether that package is actually installed/present, and can lead to misleading results. CD acknowledges this potential in their docs.

@jalkire jalkire self-assigned this Jan 14, 2025
@jalkire jalkire added the "needs triage" label (Default status upon issue submission) Jan 14, 2025
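As an added example (not code from sbom-tool or Component Detection), the following script shows the defensive check this issue calls for: it parses the id/version that a .nuspec file declares, compares it against the packages that a project.assets.json actually lists as installed, and reports the nuspec-only packages that would otherwise surface in the SBOM without being present. The `libraries` key layout of project.assets.json (`Id/Version` entries with `"type": "package"`) and all sample inputs are assumptions constructed for the demonstration.

```python
# Added example (not sbom-tool or Component Detection code): report packages
# that a .nuspec file declares but that nothing shows as installed, i.e. the
# entries the issue says can end up in the SBOM without being present.
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def parse_nuspec(text: str) -> tuple[str, str]:
    """Return (id, version) from a .nuspec document. '{*}' matches any
    namespace, since the nuspec schema URI differs between versions."""
    meta = ET.fromstring(text).find("{*}metadata")
    if meta is None:
        raise ValueError("nuspec has no <metadata> element")
    pkg_id, version = meta.findtext("{*}id"), meta.findtext("{*}version")
    if not pkg_id or not version:
        raise ValueError("nuspec lacks <id> or <version>")
    return pkg_id.strip(), version.strip()

def installed_from_assets(assets_json: str) -> set[tuple[str, str]]:
    """Installed packages from a project.assets.json 'libraries' map whose
    keys are 'Id/Version' (assumed layout; ids are lower-cased to compare)."""
    libs = json.loads(assets_json).get("libraries", {})
    return {(k.partition("/")[0].lower(), k.partition("/")[2])
            for k, v in libs.items() if v.get("type") == "package"}

def nuspec_only_packages(root: Path, installed: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Packages declared by *.nuspec files under `root` that are absent from
    `installed`; these are the SBOM entries a reviewer should question."""
    suspects = []
    for path in sorted(root.rglob("*.nuspec")):
        pkg_id, version = parse_nuspec(path.read_text(encoding="utf-8"))
        if (pkg_id.lower(), version) not in installed:
            suspects.append((pkg_id, version))
    return suspects

# Constructed sample inputs: a stale nuspec and an assets file naming a different package.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>Example.Stale</id><version>1.2.3</version></metadata>
</package>"""
SAMPLE_ASSETS = '{"libraries": {"Example.Used/2.0.0": {"type": "package"}}}'

def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "Example.Stale.nuspec").write_text(SAMPLE_NUSPEC, encoding="utf-8")
        return nuspec_only_packages(Path(tmp), installed_from_assets(SAMPLE_ASSETS))

if __name__ == "__main__":
    print(demo())  # [('Example.Stale', '1.2.3')]
```

Pointing `nuspec_only_packages` at a real source tree, with `installed` built from the project's own restore output, gives a list of SBOM package entries whose only evidence is a stray .nuspec file.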