Unable to locate valid bom ref for NETStandard.Library [2.0.1, ) please help :)

[Kubana]

Hi I am trying to generate BOM file for my .sln using CycloneDX 3.0.5.0 and I keep getting an error:
"Unable to locate valid bom ref for NETStandard.Library [2.0.1, )"
And couple of these: "Dependency (NETStandard.Library) with version range ([2.0.1, )) referenced by (Name:Microsoft.Azure.Storage.Queue Version:11.1.7) did not resolve to a specific version."

The thing is when I go .csproj after .csproj everything goes smooth I mean the latter error keeps popping up but the BOM gets generated regardless. And another thing is when I am looking for something that references NETStandard.Library with version 2.0.1 - there is nothing ... I don't know maybe I'm just blind or looking somewhere else

[mtsfoni]

Solution bom is basically aggregating all projects but currently expects to not find dependencies is different versions. I consider this a bug and it's probably the case here.
Regarding what refers net standard I would assume it's Microsoft.Azure.Storage.Queue as said in the error.

If you can generate the sbom from a csproj you should prefer that, it's generally more reliable (if you use packagesReference and not packages.config)

[Kubana]

I am running the same command:
dotnet-CycloneDX.exe $solutionPath -o $outputFolder -fn $outputFileName -dpr

1. on my local machine from powershell on a .sln file - getting the "Unable to locate valid bom ref for NETStandard.Library [2.0.1, )" exception
2. on a remote build server from powershell on the same .sln as above, everything works fine, SBOM gets generated
3. on a remote build server through azure devops powershell script agent step on the same .sln as the two points above - getting the "Unable to locate valid bom ref for NETStandard.Library [2.0.1, )"

Something here smells fishy and horribly bugged

[mtsfoni]

Ad hoc I have no clue why it should work on one way and not the other.

Do your projects use the Package References inside the .csproj-files?

If so it would be interesting if there is a difference between the project.assets.json files in your obj-folders. Those files are the main source of information for the cyclonedx tool. My assumption is that those files are environment independent.

Besides that you can wait until I fix this:

Solution bom is basically aggregating all projects but currently expects to not find dependencies is different versions. I consider this a bug and it's probably the case here.

And then recheck. But as said, for the part, that it works on the remote server but not locally, I have no idea right now.