-
|
Hello, I would like to know if there are specific difference with cyclonedx-dotnet? As I understood, cyclonedx-dotnet:
After testing, the output are quite different (json vs json). |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
@Herve-M, the last time we checked cyclonedx-dotnet did a better job with retaining the license string and dependency tree. We subsequently improved license fetching for dotnet via #352. We will add dependency tree via #501 in a future release. Are there differences with list of purls in the components section? Could you attach any sbom for comparison so that we can advise? Where cdxgen shines is mixed projects and monorepos where there are javascript and other apps along with .net projects in the same repo. |
Beta Was this translation helpful? Give feedback.
-
|
Can't share directly the output of, but what I can see:
Other biggest diff. is around metadata, cdxgen include itself inside Output size differ too: ~680kb (-net) vs ~185kb (cdxgen) |
Beta Was this translation helpful? Give feedback.
-
|
cdxgen can also populate license and description when you set the environment variable FETCH_LICENSE=true. The difference in metadata is due to the spec version with cdxgen being newer. You can pass the argument --spec-version 1.4 for the previous version. Yes, metadata.tools must not be changed since it starts the chain of trust |
Beta Was this translation helpful? Give feedback.
@Herve-M, the last time we checked cyclonedx-dotnet did a better job with retaining the license string and dependency tree. We subsequently improved license fetching for dotnet via #352. We will add dependency tree via #501 in a future release. Are there differences with list of purls in the components section? Could you attach any sbom for comparison so that we can advise?
Where cdxgen shines is mixed projects and monorepos where there are javascript and other apps along with .net projects in the same repo.