dotnet-CycloneDX is a .NET global CLI tool that generates CycloneDX SBOMs for .NET projects. It reads NuGet project.assets.json files (and optionally queries the NuGet API) to resolve dependencies, then uses the CycloneDX.Core library to produce the BOM in XML or JSON. See docs/architecture.md for a full behavioral reference.
- CycloneDX/ — CLI tool, net8.0;net9.0;net10.0
- CycloneDX.Tests/ — xunit 2.x, net8.0;net9.0;net10.0
- CycloneDX.E2ETests/ — xunit v3, net10.0 only, requires Docker
dotnet clean && dotnet restore --locked-mode && dotnet build /WarnAsError
dotnet clean is required first — stale artifacts cause spurious warnings. CI fails on any warning.
dotnet test CycloneDX.Tests --framework net10.0
dotnet test CycloneDX.Tests --filter "FullyQualifiedName~ClassName.MethodName"
dotnet test CycloneDX.E2ETests --framework net10.0 # requires Docker
Update E2E snapshots (CycloneDX.E2ETests/Snapshots/):
VERIFY_AUTO_APPROVE=true dotnet test CycloneDX.E2ETests --framework net10.0
Versions go in Directory.Packages.props only (Central Package Version Management). After any package change, regenerate and commit lock files:
dotnet restore # no --locked-mode

- Directory.Build.props defines Windows/OSX/Linux as compile-time constants.
- CycloneDX.E2ETests.csproj explicitly sets <PackAsTool>false</PackAsTool> to override the inherited default.
- Release version: edit semver.txt, then trigger release.yml (workflow_dispatch).
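The rule that versions go in Directory.Packages.props only can be checked mechanically before review. The following is an added example, not part of this repository: it flags PackageReference items that set Version or VersionOverride locally, or that have no central PackageVersion entry. The function names, the sample XML, the package Example.Pkg and all version strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace so old-style MSBuild files parse the same way."""
    return tag.rsplit("}", 1)[-1]

def central_versions(props_xml):
    """Return {lowercased package id: version} from Directory.Packages.props text."""
    versions = {}
    for el in ET.fromstring(props_xml).iter():
        if _local(el.tag) == "PackageVersion" and el.get("Include"):
            versions[el.get("Include").lower()] = el.get("Version")
    return versions

def check_project(name, csproj_xml, central):
    """List the ways one project file bypasses central version management."""
    problems = []
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update") or "?"
        child_tags = {_local(c.tag) for c in el}  # <Version> may be a child element
        for attr in ("Version", "VersionOverride"):
            if el.get(attr) is not None or attr in child_tags:
                problems.append(f"{name}: {pkg} sets {attr} locally")
        if pkg.lower() not in central:  # NuGet package ids are case-insensitive
            problems.append(f"{name}: {pkg} has no PackageVersion entry")
    return problems

# Constructed sample inputs (placeholder versions, hypothetical Example.Pkg).
SAMPLE_PROPS = """<Project>
  <ItemGroup>
    <PackageVersion Include="CycloneDX.Core" Version="0.0.0-sample" />
    <PackageVersion Include="xunit" Version="0.0.0-sample" />
  </ItemGroup>
</Project>"""
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CycloneDX.Core" />
    <PackageReference Include="xunit" VersionOverride="0.0.1-sample" />
    <PackageReference Include="Example.Pkg" Version="0.0.2-sample" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for line in check_project("Sample.csproj", SAMPLE_CSPROJ, central_versions(SAMPLE_PROPS)):
        print(line)
```

A VersionOverride is the case worth reviewing by hand, since it lets one project resolve a different version than the one pinned centrally.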
Commits follow Conventional Commits. CHANGELOG.md is maintained manually — update it with user-facing changes.
You MUST NOT create a commit unless the user explicitly asks you to commit. Never commit as a side effect of completing a task.
You MUST NOT fabricate the Signed-off-by identity. If the user wants to sign off the commit, ask them to confirm and then use git commit -s to let git append the trailer automatically from git config user.name and git config user.email. Never construct the trailer manually in the commit message.