Description
Hello,
I have some projects which use conditional compilation in their csprojs, like:
```xml
<ItemGroup>
  <PackageReference Include="Avalonia"/>
  <PackageReference Include="Avalonia.Diagnostics" Condition="'$(Configuration)' == 'Debug'"/>
</ItemGroup>
```

The second package is only used in the Debug configuration, not when publishing or in the Release configuration.
When running the tool, those dependencies that are not part of the final program are listed in the SBOM.
From what I checked in the source code, the CycloneDX tool reads the obj\project.assets.json file to identify the dependencies.
A way to identify the app's final dependencies is by reading the bin\Debug\net10.0\MyProject.deps.json, which correctly lists them. This file is also generated when publishing the program.
The caveat is that the MyProject.deps.json file is generated only after building or publishing the project, whereas the project.assets.json is available after just restoring it.
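The comparison described in the issue, as an added example that is not part of the original post and is not the CycloneDX tool's code: it diffs the `libraries` maps of the two files to list packages that were resolved at restore time but are absent from the built application. The embedded JSON is a constructed, trimmed stand-in (made-up versions), and the deps.json stand-in assumes a build in which the `Condition` evaluated to false.

```python
import json

# Constructed stand-in for obj/project.assets.json (versions are made up).
ASSETS_JSON = """{
  "version": 3,
  "libraries": {
    "Avalonia/11.0.0": {"type": "package"},
    "Avalonia.Diagnostics/11.0.0": {"type": "package"}
  }
}"""

# Constructed stand-in for MyProject.deps.json from a build where the
# Debug-only condition was false (assumption for this example).
DEPS_JSON = """{
  "libraries": {
    "MyProject/1.0.0": {"type": "project"},
    "Avalonia/11.0.0": {"type": "package"}
  }
}"""


def package_ids(doc):
    """Map lower-cased 'name/version' -> original key for NuGet packages.

    Both files key their 'libraries' map by 'Name/Version' and mark NuGet
    packages with type 'package'; project entries are skipped. Keys are
    compared case-insensitively because NuGet package ids are.
    """
    libs = doc.get("libraries", {})
    return {k.lower(): k for k, v in libs.items() if v.get("type") == "package"}


def restore_only_packages(assets_text, deps_text):
    """Packages present after restore but not shipped with the built app."""
    if deps_text is None:
        # deps.json exists only after build/publish, as the issue points out.
        raise FileNotFoundError("deps.json not found: build or publish first")
    restored = package_ids(json.loads(assets_text))
    shipped = package_ids(json.loads(deps_text))
    return sorted(restored[k] for k in restored.keys() - shipped.keys())


if __name__ == "__main__":
    for name in restore_only_packages(ASSETS_JSON, DEPS_JSON):
        print("in project.assets.json but not in deps.json:", name)
```

Any package this reports would appear in an SBOM built from project.assets.json without being part of that build's output.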