Include other dependencies than package references

[Whathecode]

When generating an SBOM from a .csproj file, only <PackageReference ...> dependencies are included in the SBOM. We are also interested in adding dependencies which are output manually, e.g.:

    <None Include="non-nuget.dll">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>

A quick glance at the source code shows that GetProjectDotnetDependencyAsync() operates on dotnet restore's output in obj/project.assets.json, which indeed only includes nuget references.

Is there a plan to also represent such files in generated SBOMs?

[mtsfoni]

Obviously we won't have a lot of data for such files, but I understand the need to add them.
I could imagine having a new option, that when activated, causes all *.dll that are copied to the output directory to be added to the SBOM. This would require to go through all referenced projects, I assume the functionality of -ipr can be reused for that.

[hmi95]

When I look in my .csproj (in Format <Project Sdk="Microsoft.NET.Sdk">) I see:

<PackageReference Include="..." ... /> which is included in SBOM
<ProjectReference Include="..." /> which I can include in SBOM by -ipr
and

<Reference Include="SomeLib, Version=1.2.3.4, Culture=neutral, processorArchitecture=MSIL">
  <SpecificVersion>False</SpecificVersion>
  <HintPath>..\SomePath\SomeLib.dll</HintPath>
</Reference>

For that I have not found out how to get the reference into the SBOM.
Would that be included in the above question or is that another request/task?