dotnet-deps cataloger should skip project references with type "project" when building the sbom #4423

@rezmoss

Description

What happened:

Syft treats project refs from deps.json as if they're NuGet packages in the SBOM, even though they're first-party code, which leads to weird purls like pkg:nuget/myapp@1.0.0.

What you expected to happen:

By default the SBOM shouldn't include project references (type: "project") because they're part of the first-party code.

From the .NET SDK runtime config spec:

  • "package" is for NuGet deps
  • "project" is for internal refs

I think by default, entries with type "project" must be filtered out unless it's the root package, or even add a --include-project-references flag to include them.

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

  • Output of syft version: latest main
  • OS (e.g: cat /etc/os-release or similar): all
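The filtering proposed in this issue, as an added example that is not syft's own dotnet-deps cataloger code: a minimal Go cataloger that parses a constructed deps.json, treats the target entry nothing else depends on as the root project, and drops every other entry whose library type is "project" unless an assumed includeProjectRefs option (standing in for the suggested --include-project-references flag) is set. The sample deps.json, the helper names and the option name are all assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample deps.json (not taken from a real build): root project
// "myapp" referencing first-party project "MyLib" and one NuGet package.
var sampleDepsJSON = []byte(`{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v8.0", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "myapp/1.0.0": {
        "dependencies": { "MyLib": "1.0.0", "Newtonsoft.Json": "13.0.3" },
        "runtime": { "myapp.dll": {} }
      },
      "MyLib/1.0.0": { "runtime": { "MyLib.dll": {} } },
      "Newtonsoft.Json/13.0.3": { "runtime": { "lib/net6.0/Newtonsoft.Json.dll": {} } }
    }
  },
  "libraries": {
    "myapp/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "MyLib/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true,
      "sha512": "sha512-AAAA", "path": "newtonsoft.json/13.0.3" }
  }
}`)

// depsJSON is the subset of the deps.json schema this example needs.
type depsJSON struct {
	Targets   map[string]map[string]targetEntry `json:"targets"`
	Libraries map[string]libraryEntry            `json:"libraries"`
}

type targetEntry struct {
	Dependencies map[string]string `json:"dependencies"` // name -> resolved version
}

type libraryEntry struct {
	Type string `json:"type"` // "package" (NuGet) or "project" (first-party)
}

// Package is one SBOM entry derived from deps.json.
type Package struct {
	Name, Version, Type, PURL string
}

// rootLibrary returns the "name/version" key that no other entry in the target
// depends on, i.e. the application's own project. Returns "" if none is found.
func rootLibrary(target map[string]targetEntry) string {
	depended := map[string]bool{}
	for _, e := range target {
		for name, ver := range e.Dependencies {
			depended[name+"/"+ver] = true
		}
	}
	var roots []string
	for key := range target {
		if !depended[key] {
			roots = append(roots, key)
		}
	}
	sort.Strings(roots) // deterministic choice if the graph has several roots
	if len(roots) == 0 {
		return ""
	}
	return roots[0]
}

// catalog returns SBOM entries for a deps.json document. Libraries of type
// "project" are skipped unless they are the root project or includeProjectRefs
// (the hypothetical --include-project-references behaviour) is true.
func catalog(data []byte, includeProjectRefs bool) ([]Package, error) {
	var d depsJSON
	if err := json.Unmarshal(data, &d); err != nil {
		return nil, fmt.Errorf("parse deps.json: %w", err)
	}
	seen := map[string]bool{}
	var pkgs []Package
	for _, target := range d.Targets {
		root := rootLibrary(target)
		for key := range target {
			lib, ok := d.Libraries[key]
			if seen[key] || !ok {
				continue // duplicate across targets, or no library record
			}
			seen[key] = true
			if lib.Type == "project" && key != root && !includeProjectRefs {
				continue // first-party reference: not a NuGet dependency
			}
			name, version, ok := strings.Cut(key, "/")
			if !ok {
				return nil, fmt.Errorf("malformed library key %q", key)
			}
			pkgs = append(pkgs, Package{Name: name, Version: version, Type: lib.Type,
				PURL: "pkg:nuget/" + name + "@" + version})
		}
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Name < pkgs[j].Name })
	return pkgs, nil
}

func main() {
	for _, include := range []bool{false, true} {
		pkgs, err := catalog(sampleDepsJSON, include)
		if err != nil {
			panic(err)
		}
		fmt.Printf("includeProjectRefs=%v:\n", include)
		for _, p := range pkgs {
			fmt.Printf("  %-8s %s\n", p.Type, p.PURL)
		}
	}
}
```

With the default (false) only Newtonsoft.Json and the root myapp entry survive; MyLib is dropped because its library record is type "project" and it is a dependency of another entry. The root keeps its entry, as the issue proposes, so the application itself is still described in the SBOM.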

Metadata

Labels: bug (Something isn't working)
Status: Done