Skip to content

feat(sbom): Handle self-contained dotnet projects #9627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat(sbom): Handle self-contained dotnet projects #9627

wants to merge 4 commits into from
+125 −5

Conversation

@octocolby
Copy link

@octocolby octocolby commented Oct 8, 2025
edited
Loading

Description

This PR introduces the functionality to parse self-contained dotnet projects. When dotnet projects are published as self-contained there are libraries added to the output folder that the dotnet runtime would normally supply. These local libraries are used instead of the hosts runtime libraries when run so they should be included in the SBOM.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@CLAassistant
Copy link

CLAassistant commented Oct 8, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 8, 2025
@github-actions
Copy link

github-actions bot commented Oct 8, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/rpc/common
  Incompatible changes:
  - BuildInfo: removed

github.com/aquasecurity/trivy/rpc/cache
  Incompatible changes:
  - (*BlobInfo).GetBuildInfo: removed
  - BlobInfo.BuildInfo: removed

github.com/aquasecurity/trivy/pkg/rpc
  Incompatible changes:
  - ConvertFromRPCBuildInfo: removed
  - ConvertToRPCBuildInfo: removed

github.com/aquasecurity/trivy/pkg/sbom/io
  Incompatible changes:
  - EncoderOption: removed
  - ForceRegenerate: removed
  - NewEncoder: changed from func(...EncoderOption) *Encoder to func(github.com/aquasecurity/trivy/pkg/sbom/core.Options) *Encoder
  - WithBOMRef: removed
  - WithParents: removed

github.com/aquasecurity/trivy/pkg/dependency/parser/dotnet/core_deps
  Incompatible changes:
  - TargetLib.Runtime: changed from any to map[string]Runtime
  - TargetLib: old is comparable, new is not
  Compatible changes:
  - Runtime: added

@aqua-bot aqua-bot requested a review from a team October 8, 2025 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

@DmitriyLewen DmitriyLewen Awaiting requested review from DmitriyLewen DmitriyLewen is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@octocolby @CLAassistant