Description
Hi,
While working with the CDXGEN tool to generate the SBOM of a multi-project WPF solution, I discovered that the dependency graph is not constructed correctly. As a result, the Dependency Graph tab in OWASP Dependency-Track does not display the graph, and dependencies cannot be distinguished between direct and transitive in the Components tab. The vulnerabilities are identified correctly.
Using dotnet-cyclonedx, the dependency graph is constructed correctly and displayed as expected in OWASP Dependency-Track.
This problem also occurs with single-project WPF solutions. To help reproduce the issue, I created a support WPF single-project application in this Test.Sbom repository. Two PowerShell scripts are included to generate SBOMs using CDXGEN or dotnet-cyclonedx.
The root cause for the single-project solutions appears to be mismatched bom-ref and ref identifiers in the SBOM. Additionally, CDXGEN incorrectly treats project DLL and EXE files as dependencies. The workaround is to manually edit the SBOM to fix the ref identifier.
The problem is more complex for multi-project solutions: CDXGEN also treats all project DLLs, including the test project, as NuGet packages, generates "@latest" and 1.0.0 versions for the same project DLL, leaves the application package empty under "dependencies", and doesn't include all the dependencies of the projects in "dependsOn".
For more details, steps to reproduce, and workarounds, please check the repository README.
Please let me know if I can help further with the investigation.
Thank you.
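As an added example (not code from the Test.Sbom repository, cdxgen, or dotnet-cyclonedx), the following Python script checks the bom-ref / ref consistency described in the report on a constructed CycloneDX 1.4 JSON document, shows which components a consumer such as Dependency-Track can classify as direct or transitive once the root's `ref` is wrong, and applies the described workaround of re-pointing the root's dependency entry at the real `bom-ref`. The `@latest` ref, the package names and versions, and the name-based matching in `repair_root_ref` are assumptions made for illustration.

```python
"""Consistency check for the dependency graph of a CycloneDX JSON SBOM.

Added example, not from the Test.Sbom repository or cdxgen. It flags
`dependencies[].ref` / `dependsOn` values that match no `bom-ref` (the
mismatch described in the issue), classifies components as direct or
transitive relative to `metadata.component`, and repairs a dangling root ref.
"""
import json

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape. The `ref` of the
# first dependency entry deliberately uses "@latest" and so does not match the
# root component's bom-ref, which is the situation described in the issue.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "Test.Sbom",
                               "version": "1.0.0",
                               "bom-ref": "pkg:nuget/Test.Sbom@1.0.0"}},
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "bom-ref": "pkg:nuget/Newtonsoft.Json@13.0.3"},
        {"type": "library", "name": "System.Text.Json", "version": "8.0.0",
         "bom-ref": "pkg:nuget/System.Text.Json@8.0.0"},
        {"type": "library", "name": "System.Memory", "version": "4.5.5",
         "bom-ref": "pkg:nuget/System.Memory@4.5.5"},
    ],
    "dependencies": [
        # Root entry written with "@latest": dangling, matches no bom-ref.
        {"ref": "pkg:nuget/Test.Sbom@latest",
         "dependsOn": ["pkg:nuget/Newtonsoft.Json@13.0.3",
                       "pkg:nuget/System.Text.Json@8.0.0"]},
        {"ref": "pkg:nuget/System.Text.Json@8.0.0",
         "dependsOn": ["pkg:nuget/System.Memory@4.5.5"]},
        {"ref": "pkg:nuget/Newtonsoft.Json@13.0.3", "dependsOn": []},
    ],
})


def check_graph(sbom_json: str) -> dict:
    """Return dangling refs and the direct/transitive split for the root.

    Keys: 'dangling' (refs that match no bom-ref), 'direct' (what the root
    depends on directly), 'transitive' (reachable only via another
    component) and 'unreached' (components the graph never reaches).
    """
    bom = json.loads(sbom_json)
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    known = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    if root_ref:
        known.add(root_ref)

    edges, dangling = {}, set()
    for dep in bom.get("dependencies", []):
        ref = dep.get("ref")
        if ref not in known:
            dangling.add(ref)
        targets = dep.get("dependsOn", [])
        dangling.update(t for t in targets if t not in known)
        edges[ref] = targets

    # Direct = children of the root; transitive = everything reachable beyond.
    direct = set(edges.get(root_ref, []))
    seen, stack = set(direct), list(direct)
    while stack:
        node = stack.pop()
        for child in edges.get(node, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return {
        "dangling": sorted(dangling),
        "direct": sorted(direct),
        "transitive": sorted(seen - direct),
        "unreached": sorted((known - {root_ref}) - seen),
    }


def repair_root_ref(sbom_json: str) -> str:
    """Apply the workaround from the issue: re-point a dangling root entry.

    Assumption for this example: a dangling ref whose purl (everything before
    the version '@') equals the root's purl is the root's own entry, so its
    `ref` is rewritten to the real root bom-ref.
    """
    bom = json.loads(sbom_json)
    root_ref = bom["metadata"]["component"]["bom-ref"]
    root_base = root_ref.rsplit("@", 1)[0]
    known = {c["bom-ref"] for c in bom.get("components", [])} | {root_ref}
    for dep in bom.get("dependencies", []):
        ref = dep.get("ref", "")
        if ref not in known and ref.rsplit("@", 1)[0] == root_base:
            dep["ref"] = root_ref
    return json.dumps(bom)


if __name__ == "__main__":
    print("before:", check_graph(SAMPLE_SBOM))
    print("after: ", check_graph(repair_root_ref(SAMPLE_SBOM)))
```

Before the repair the root has no direct dependencies and every component is unreached, which is what an empty Dependency Graph tab reflects; after re-pointing the single ref, the two direct packages and the one transitive package are recovered without touching the component list.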