Has CBOM been added to this project? #881
Hi, I have various C# code - e.g. MD5 and RijndaelManaged - that I would expect to be flagged as a problem, or at least added to the SBOM result in a list. However, I don't see anything about the code in the bom.xml file, just a list of nuget packages. Does the latest dotnet version include CBOM? If so, how do I get it to output in the bom.xml?
Replies: 1 comment 1 reply
CBOM is newly supported in CycloneDX 1.6, which was released 9th of April this year. The CycloneDX Library doesn't support 1.6 yet, and adaption will still take weeks to months until it supports 1.6. This cyclonedx-dotnet tool currently is only a package scanner and doesn't have any code-scanning capabilities whatsoever. I don't see that changing unless somebody is willing to put a lot of work into it. Regarding flagging things as a problem: the general approach of CycloneDX generating tools is to describe the current state as factually as possible, most of them by loading data from the respective package manager. So the flagging as problems regularly has to be done by another analyzing tool, as Dependency-Track does for package vulnerabilities. If you simply want to find weaknesses in your code, one of the plenty SAST solutions might be better suited for you. If you actually have to provide a statement about used algorithms, then the way might be to create that manually and possibly merge it via the CLI tool once 1.6 is adapted.
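An added example (not code from cyclonedx-dotnet or from the answer above) of the manual route the reply suggests: hand-writing a minimal CycloneDX 1.6 CBOM for the MD5 and Rijndael/AES usages, then running a separate, constructed policy check over it, since the BOM itself only records facts. The findings list, file paths and weak-algorithm policy are constructed sample data, and the `cryptoProperties` field names follow the published 1.6 schema as I understand it; verify the output against the schema before merging it into a real bom.

```python
import json

# Constructed inventory from a manual code review (sample data, not scanner output).
# RijndaelManaged with the default 128-bit block size is AES, so it is recorded as AES.
FINDINGS = [
    {"name": "MD5", "primitive": "hash", "functions": ["digest"],
     "where": "src/Legacy/Checksum.cs"},
    {"name": "AES", "primitive": "block-cipher", "mode": "cbc",
     "functions": ["encrypt", "decrypt"], "where": "src/Crypto/FileEncryptor.cs"},
]

# Constructed policy: algorithms a downstream analyzer would flag. The BOM stays factual.
WEAK_ALGORITHMS = {"MD5", "SHA1", "DES", "RC4"}


def crypto_component(finding):
    """Build one CycloneDX 1.6 'cryptographic-asset' component from a finding."""
    algo = {"primitive": finding["primitive"], "cryptoFunctions": finding["functions"]}
    if "mode" in finding:
        algo["mode"] = finding["mode"]
    return {
        "type": "cryptographic-asset",
        "name": finding["name"],
        "bom-ref": f"crypto/algorithm/{finding['name'].lower()}",
        "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": algo},
        # evidence.occurrences records where in the source the algorithm was seen
        "evidence": {"occurrences": [{"location": finding["where"]}]},
    }


def build_cbom(findings):
    """Assemble a minimal 1.6 BOM containing only cryptographic-asset components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "components": [crypto_component(f) for f in findings],
    }


def weak_assets(bom):
    """Separate analysis step: names of algorithm assets matching the weak-algorithm policy."""
    return sorted(
        c["name"] for c in bom["components"]
        if c["type"] == "cryptographic-asset"
        and c["cryptoProperties"]["assetType"] == "algorithm"
        and c["name"] in WEAK_ALGORITHMS
    )


if __name__ == "__main__":
    bom = build_cbom(FINDINGS)
    print(json.dumps(bom, indent=2))
    print("flagged by policy:", weak_assets(bom))
```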