I have observed the following two issues for .NET projects. They are both related to the version declaration of PackageReference items in csproj files.
- cdxgen does not handle a version defined in a child node.
E.g. I have defined
<PackageReference Include="System.Buffers">
  <Version>4.5.1</Version>
</PackageReference>
However, cdxgen generated an SBOM with System.Buffers version 4.6.1 (the latest version) instead.
- cdxgen does not handle dynamic version labels.
E.g.
<PackageReference Include="System.Buffers" Version="$(SystemBuffers_PackageVersion)" />
Instead of trying to resolve the version from Directory.Build.props, cdxgen will output something like
{
"name": "System.Buffers",
"version": "$(SystemBuffers_PackageVersion)",
...
}
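Both reports come down to the same thing: an SBOM generator has to read a PackageReference's version the way MSBuild evaluates it, or the SBOM names the wrong version and every downstream vulnerability match against it is wrong. The following is an added example written for this page, not cdxgen's own code, showing the two lookups the report asks for: a version given as a child `<Version>` element, and a `$(Property)` reference expanded from Directory.Build.props (including chained properties), with anything that still cannot be resolved flagged rather than emitted as-is. The csproj and Directory.Build.props strings are constructed samples that mirror the report; the function names are this example's own. It deliberately does not consult Directory.Packages.props (Central Package Management) or evaluate MSBuild conditions.

```javascript
// Added example (not cdxgen's code): resolve PackageReference versions from a
// csproj as an SBOM generator must, covering the child <Version> element and
// $(Property) references defined in Directory.Build.props. No dependencies.

// One $(PropertyName) reference.
const PROP_REF = /\$\(([A-Za-z_]\w*)\)/g;

// Collect <Name>value</Name> pairs from every <PropertyGroup> in an MSBuild
// file. Conditions on groups and properties are ignored (simplification).
function parseProperties(xml) {
  const props = {};
  const groupRe = /<PropertyGroup\b[^>]*>([\s\S]*?)<\/PropertyGroup>/g;
  let g;
  while ((g = groupRe.exec(xml)) !== null) {
    const elRe = /<([A-Za-z_][\w.-]*)\b[^>]*>([^<]*)<\/\1>/g;
    let e;
    while ((e = elRe.exec(g[1])) !== null) props[e[1]] = e[2].trim();
  }
  return props;
}

// Expand $(Name) references, following chains such as A -> $(B) -> 1.2.3.
// Unknown names are left verbatim so the caller can flag them instead of
// writing a guessed or literal "$(...)" version into the SBOM.
function expandProperties(value, props, depth = 0) {
  if (depth > 16) return value; // stop runaway self-referencing chains
  const out = value.replace(PROP_REF, (ref, name) =>
    Object.prototype.hasOwnProperty.call(props, name) ? props[name] : ref);
  return out === value ? out : expandProperties(out, props, depth + 1);
}

// Parse XML attributes (double- or single-quoted) from an element's tag text.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) attrs[m[1]] = m[2] !== undefined ? m[2] : m[3];
  return attrs;
}

// Extract every PackageReference with its raw (unexpanded) version, taken from
// the Version attribute or, failing that, from a child <Version> element.
function parsePackageReferences(xml) {
  const refs = [];
  const re = /<PackageReference\b([^>]*?)(?:\/>|>([\s\S]*?)<\/PackageReference>)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = parseAttributes(m[1]);
    const inner = m[2] || '';
    const child = /<Version\b[^>]*>([^<]*)<\/Version>/.exec(inner);
    let rawVersion = null;
    let source = 'missing'; // usually means Central Package Management, not handled here
    if (attrs.Version !== undefined) { rawVersion = attrs.Version.trim(); source = 'attribute'; }
    else if (child) { rawVersion = child[1].trim(); source = 'child-element'; }
    if (attrs.Include) refs.push({ name: attrs.Include, rawVersion, source });
  }
  return refs;
}

// Resolve versions. Properties set in the project file override those from
// Directory.Build.props: MSBuild imports the latter first and later wins.
function resolvePackageReferences(csprojXml, directoryBuildPropsXml = '') {
  const props = { ...parseProperties(directoryBuildPropsXml), ...parseProperties(csprojXml) };
  return parsePackageReferences(csprojXml).map((r) => {
    const version = r.rawVersion === null ? null : expandProperties(r.rawVersion, props);
    const unresolved = version === null || /\$\([A-Za-z_]\w*\)/.test(version);
    return { ...r, version, unresolved };
  });
}

// Constructed sample inputs mirroring the report (not real project files).
const SAMPLE_CSPROJ = `<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Buffers">
      <Version>4.5.1</Version>
    </PackageReference>
    <PackageReference Include="System.Memory" Version="$(SystemMemory_PackageVersion)" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
    <PackageReference Include="Some.Package" Version="$(UndefinedVersion)" />
  </ItemGroup>
</Project>`;

const SAMPLE_DIRECTORY_BUILD_PROPS = `<Project>
  <PropertyGroup>
    <SystemMemory_PackageVersion>$(SystemRuntimePackagesVersion)</SystemMemory_PackageVersion>
    <SystemRuntimePackagesVersion>4.5.4</SystemRuntimePackagesVersion>
  </PropertyGroup>
</Project>`;

for (const r of resolvePackageReferences(SAMPLE_CSPROJ, SAMPLE_DIRECTORY_BUILD_PROPS)) {
  console.log(`${r.name} ${r.version ?? '(none)'} [${r.source}${r.unresolved ? ', UNRESOLVED' : ''}]`);
}
```

Run with `node` and it prints one line per package. System.Buffers resolves to 4.5.1 from the child element (no registry lookup, so no "latest version" substitution), System.Memory resolves through two property hops to 4.5.4, and Some.Package is reported as unresolved because its property is defined nowhere; a generator should surface that case as an error or a missing-version component rather than emit the literal `$(...)` string as the version.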