fix: resolve version-range bom-ref crash when scanning multi-project solutions

When a package's nuspec declares an exact-range dependency (e.g. [1.0.0])
and the project that consumes it has resolved a higher version of the same
package directly, NuGet stores the range string verbatim in project.assets.json.
ResolveDependencyVersionRanges cannot resolve it within that project's assets
(2.0.0 does not satisfy [1.0.0]), leaving the range unresolved.

In a multi-project solution where another project resolves 1.0.0, the merged
BOM contains both versions. The name-only fallback in Runner.cs then finds two
candidates and crashes with 'Unable to locate valid bom ref for X [1.0.0, 1.0.0]'.

Fix: when the name-only fallback finds multiple candidates and dep.Value is a
parseable VersionRange, use the range to select the single satisfying candidate
before falling back to the error path.

Adds a two-project E2E regression test that reproduces the exact topology from
the issue report and asserts both the tool succeeds and the dependency edge
points to the correct version.

Author: mtsfoni

CycloneDX.E2ETests/Tests/Issue903Tests.cs

@@ -15,6 +15,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright (c) OWASP Foundation. All Rights Reserved.
 
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using CycloneDX.E2ETests.Builders;
 using CycloneDX.E2ETests.Infrastructure;
@@ -54,21 +55,33 @@ public async Task VersionRangeDependency_MultipleVersionsInSolution_ShouldSuccee
         {
             // Reproduces the exact topology reported in PR #903 / issue comment by @ilehtoranta:
             //
-            //   ProjectA  — directly references TestPkg.Shared 2.0.0
+            //   ProjectB  — directly references TestPkg.Shared 1.0.0
+            //   ProjectA  — ProjectReference to ProjectB
+            //             — directly references TestPkg.Shared 2.0.0
             //             — directly references TestPkg.Consumer 1.0.0
             //   TestPkg.Consumer — depends on TestPkg.Shared [1.0.0, 1.0.0]  (exact-range notation)
             //
-            // After restore, ProjectA's project.assets.json contains two targets entries for
-            // TestPkg.Shared (1.0.0 and 2.0.0) and one dep entry under TestPkg.Consumer that
-            // reads "[1.0.0, 1.0.0]" instead of "1.0.0".
+            // After restore:
+            //   ProjectA's assets: NuGet resolves TestPkg.Shared to 2.0.0 (direct ref wins).
+            //     TestPkg.Consumer's dep is stored as "[1.0.0]" in project.assets.json.
+            //     ResolveDependencyVersionRanges cannot resolve it because 2.0.0 does not
+            //     satisfy the exact range [1.0.0]. Range string is left unresolved.
+            //   ProjectB's assets: resolves TestPkg.Shared/1.0.0.
+            //
+            // The tool merges both projects' packages into one BOM → both Shared 1.0.0 and 2.0.0
+            // are present. The name-only fallback in Runner.cs finds two candidates → crash.
             //
             // Before the fix: "Unable to locate valid bom ref for TestPkg.Shared [1.0.0, 1.0.0]"
             // After the fix:  tool succeeds and both versions appear in the BOM.
             using var solution = await new SolutionBuilder("Issue903Sln")
+                .AddProject("ProjectB", p => p
+                    .WithTargetFramework("net8.0")
+                    .AddPackage("TestPkg.Shared", "1.0.0"))
                 .AddProject("ProjectA", p => p
                     .WithTargetFramework("net8.0")
                     .AddPackage("TestPkg.Shared", "2.0.0")
-                    .AddPackage("TestPkg.Consumer", "1.0.0"))
+                    .AddPackage("TestPkg.Consumer", "1.0.0")
+                    .AddProjectReference("../ProjectB/ProjectB.csproj"))
                 .BuildAsync(_fixture.NuGetFeedUrl);
 
             using var outputDir = solution.CreateOutputDir();
@@ -86,13 +99,28 @@ public async Task VersionRangeDependency_MultipleVersionsInSolution_ShouldSuccee
             Assert.True(result.Success,
                 $"Tool failed with exit code {result.ExitCode}.\nstderr:\n{result.StdErr}\nstdout:\n{result.StdOut}");
 
-            // Both versions of the shared package must be present in the BOM
-            Assert.Contains("TestPkg.Shared", result.BomContent);
-            Assert.Contains("1.0.0", result.BomContent);
-            Assert.Contains("2.0.0", result.BomContent);
+            // Both versions of the shared package must appear as distinct components in the BOM.
+            // Scanning a solution is an explicit union of all projects — duplicate versions of the
+            // same package across projects are expected and correct.
+            Assert.Contains("pkg:nuget/TestPkg.Shared@1.0.0", result.BomContent);
+            Assert.Contains("pkg:nuget/TestPkg.Shared@2.0.0", result.BomContent);
+            Assert.Contains("pkg:nuget/TestPkg.Consumer@1.0.0", result.BomContent);
+
+            // The critical correctness check: TestPkg.Consumer's dependency edge must point to
+            // TestPkg.Shared 1.0.0 (what its nuspec declares), not 2.0.0.
+            // In the XML the dependencies section looks like:
+            //   <dependency ref="pkg:nuget/TestPkg.Consumer@1.0.0">
+            //     <dependency ref="pkg:nuget/TestPkg.Shared@1.0.0"/>
+            //   </dependency>
+            var consumerDepBlock = Regex.Match(
+                result.BomContent,
+                @"<dependency ref=""pkg:nuget/TestPkg\.Consumer@1\.0\.0"">(.*?)</dependency>",
+                RegexOptions.Singleline).Value;
 
-            // The consumer package must be present
-            Assert.Contains("TestPkg.Consumer", result.BomContent);
+            Assert.False(string.IsNullOrEmpty(consumerDepBlock),
+                "No dependency block found for TestPkg.Consumer@1.0.0");
+            Assert.Contains("pkg:nuget/TestPkg.Shared@1.0.0", consumerDepBlock);
+            Assert.DoesNotContain("pkg:nuget/TestPkg.Shared@2.0.0", consumerDepBlock);
         }
     }
 }

CycloneDX/Runner.cs

@@ -28,6 +28,7 @@
 using CycloneDX.Services;
 using static CycloneDX.Models.Component;
 using Json.Schema;
+using NuGet.Versioning;
 
 namespace CycloneDX
 {
@@ -363,8 +364,28 @@ public async Task<int> HandleCommandAsync(RunOptions options)
                             }
                             else
                             {
+                                // dep.Value may be a version range (e.g. "[1.0.0]") when NuGet
+                                // stored the nuspec constraint verbatim and ResolveDependencyVersionRanges
+                                // could not resolve it within this project's assets (because the
+                                // satisfying version only exists in another project's assets).
+                                // Try to pick the right candidate using the range itself.
+                                if (packageNameMatch.Count > 1
+                                    && VersionRange.TryParse(dep.Value, out var versionRange))
+                                {
+                                    var rangeMatch = packageNameMatch
+                                        .Where(x => NuGetVersion.TryParse(x.Key.Item2, out var v)
+                                                    && versionRange.Satisfies(v))
+                                        .ToList();
+                                    if (rangeMatch.Count == 1)
+                                    {
+                                        lookupKey = rangeMatch[0].Key;
+                                        goto found;
+                                    }
+                                }
+
                                 Console.Error.WriteLine($"Unable to locate valid bom ref for {dep.Key} {dep.Value}");
                                 return (int)ExitCode.UnableToLocateDependencyBomRef;
+                                found:;
                             }
                         }