Incorrect nuget dependencies are identified

[iamrahul127]

Analysis of project referring NServiceBus.Newtonsoft.Json v 2.3.0 results in to identifying incorrect dependency. We expect DT to identify Newtonsoft.Json v 13.0.1 but it's identifying 11.0.2 version of instead as given in below screenshot. This results in finding incorrect vulnerability.

.NETFramework 4.5.2
  [Newtonsoft.Json](>= 13.0.1 && < 14.0.0)
  [NServiceBus] (>= 7.0.0 && < 8.0.0)

.NETStandard 2.0
  [Newtonsoft.Json] (>= 13.0.1 && < 14.0.0)
  [NServiceBus] (>= 7.0.0 && < 8.0.0) 

Current Behavior:

Expected Behavior:

Should identify following as dependencies instead

Environment:

• Dependency-Track Version: v4.4.1
• Distribution: Docker
• BOM Format & Version: CycloneDX 1.3
• Database Server: PostgreSQL
• Browser: Chrome

[nscuro]

Hi @iamrahul127 👋

Dependency-Track works with data it's being fed with the BOM you upload. This looks like the tool you used to generate the BOM with produced a BOM with different contents than you expected.

What generator were you using to produce the BOM? Is it cyclonedx-dotnet per chance? If so, you may want to file a defect over there.

[iamrahul127]

Hi @nscuro,
Yes, we are using cyclonedx-dotnet. I have investigated further and look like it's a bug in cyclonedx-dotnet.
Sample solution with two projects look like below and attached to the thread.

Observations:

1. When I generate BOM for entire solution using dotnet CycloneDX -o . -j BOMIssue.sln following dependency is added to BOM.
   { "ref": "pkg:nuget/[email protected]", "dependsOn": [ "pkg:nuget/[email protected]", "pkg:nuget/[email protected]" ] },

2. When I generate BOM only for using dotnet CycloneDX -o . -j BOMIssue/BOMIssue.csproj following dependency is added to BOM.

{ "ref": "pkg:nuget/**[email protected]**", "dependsOn": [ "pkg:nuget/[email protected]", "pkg:nuget/**[email protected]**" ] },

I think tool is reporting incorrect dependency of [email protected] on [email protected]. In fact [email protected] is depending on [email protected].

Could you please investigate further?
BOMIssue.zip

[nscuro]

Please raise this issue in the cyclonedx-dotnet repository (https://github.com/CycloneDX/cyclonedx-dotnet), so its maintainers can investigate.