BOM should include Framework Components

[thompson-tomo]

The BOM generated by the tool should also include:

• Framework Component for each TargetFramework and the version is based upon what is installed
• Library Component for both implicit and explicit FrameworkReferences and the version is based upon what is installed.

[mtsfoni]

Basically waiting for the outcome of this:
Feature: documenting external/extraneous dependencies

[lhotamir]

This would be really useful, because now it is kinda difficult to monitor vulnerabilities in the framework itself.

[thompson-tomo]

@mtsfoni As nuspec provides the framework dependence needed by the package & I wouldn't want to lose that association information. Could we as a first step add those dependencies as an optional component.

Reason I am wanting to go down this path as when an application is published as trimmed + self contained those dependencies become required. We could Potentially have an argument able to be passed to the tool to signify compilation mode ie dependent, self contained or trimmed which alters the scope of the dependencies.

[github-actions]

This issue is stale because it has been open for 3 months with no activity.

[berezovskyi]

Basically waiting for the outcome of this:
CycloneDX/specification#321

This is not the case when producing self-contained dotnet builds. In that case, the dotnet runtime is delivered as part of the application and is not an extraneous component. Any (security) upgrades to the OS-installed frameworks are ignored by a self-contained application. Thus, the SBOM should reflect this so that SBOM consumers do not mistakenly believe that they can install the new version of the dotnet framework OS-wide and that self-contained dotnet applications would have all framework security issues addressed by the update.

[github-actions]

This issue is stale because it has been open for 3 months with no activity.

[thompson-tomo]

Still waiting