Merge pull request #2 from dborgards/claude/cyclonedx-nuget-package-01EkX7VTfBKakXEbsnQoSXCb

feat: Implement CycloneDX.MSBuild NuGet package with corrected parameters

Author: dborgards

CONTRIBUTING.md

@@ -122,4 +122,4 @@ Documentation locations:
 
 ## License
 
-By contributing, you agree that your contributions will be licensed under the Apache License 2.0.
+By contributing, you agree that your contributions will be licensed under the MIT License.

README.md

@@ -1,6 +1,6 @@
 # CycloneDX.MSBuild
 
-[![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](LICENSE)
+[![License](https://img.shields.io/badge/license-MIT-brightgreen.svg)](LICENSE)
 [![NuGet](https://img.shields.io/nuget/v/CycloneDX.MSBuild.svg)](https://www.nuget.org/packages/CycloneDX.MSBuild/)
 
 MSBuild targets for automatic **CycloneDX SBOM** (Software Bill of Materials) generation during build and pack operations. Seamlessly integrates the [CycloneDX .NET tool](https://github.com/CycloneDX/cyclonedx-dotnet) into your build pipeline.
@@ -42,7 +42,7 @@ Or add it manually to your `.csproj`:
 dotnet build
 ```
 
-That's it! Your SBOM will be generated at `bin/Debug/net8.0/bom.json` (or your output directory).
+That's it! Your SBOM will be generated at `bin/Debug/net8.0/sbom.json` (or your output directory).
 
 ## 📋 Features
 
@@ -60,7 +60,7 @@ SBOMs are generated automatically:
 
 ### CycloneDX Specification Versions
 
-Supports CycloneDX spec versions: `1.2`, `1.3`, `1.4`, `1.5`, `1.6` (default)
+The tool automatically uses the latest CycloneDX specification version supported by the installed tool version (typically 1.6).
 
 ## ⚙️ Configuration
 
@@ -109,15 +109,6 @@ All configuration is done via MSBuild properties. Set them in your `.csproj`, `D
 </PropertyGroup>
 ```
 
-#### Specification Version
-
-```xml
-<PropertyGroup>
-  <!-- CycloneDX spec version: 1.2, 1.3, 1.4, 1.5, or 1.6 (default) -->
-  <CycloneDxSpecVersion>1.5</CycloneDxSpecVersion>
-</PropertyGroup>
-```
-
 ### Advanced Options
 
 #### Exclude Dependencies
@@ -132,21 +123,25 @@ All configuration is done via MSBuild properties. Set them in your `.csproj`, `D
 </PropertyGroup>
 ```
 
-#### License Information
+#### Serial Number Control
 
 ```xml
 <PropertyGroup>
-  <!-- Include full license text (default: false, only IDs) -->
-  <CycloneDxIncludeLicenseText>true</CycloneDxIncludeLicenseText>
+  <!-- Disable auto-generated SBOM serial number -->
+  <CycloneDxDisableSerialNumber>true</CycloneDxDisableSerialNumber>
 </PropertyGroup>
 ```
 
-#### Serial Number
+#### GitHub License Resolution
 
 ```xml
 <PropertyGroup>
-  <!-- Set custom SBOM serial number (UUID) -->
-  <CycloneDxSerialNumber>urn:uuid:12345678-1234-1234-1234-123456789abc</CycloneDxSerialNumber>
+  <!-- Enable GitHub license resolution -->
+  <CycloneDxEnableGitHubLicenses>true</CycloneDxEnableGitHubLicenses>
+
+  <!-- GitHub credentials (optional, for higher rate limits) -->
+  <CycloneDxGitHubUsername>your-username</CycloneDxGitHubUsername>
+  <CycloneDxGitHubToken>ghp_yourtoken</CycloneDxGitHubToken>
 </PropertyGroup>
 ```
 
@@ -172,7 +167,7 @@ Consumers of your NuGet package can inspect the SBOM:
 ```bash
 # Extract and view
 unzip -q MyPackage.1.0.0.nupkg -d extracted
-cat extracted/sbom/bom.json
+cat extracted/sbom/sbom.json
 ```
 
 ## 🏗️ Architecture
@@ -274,7 +269,7 @@ Contributions are welcome! Please feel free to submit issues, feature requests,
 
 ## 📄 License
 
-This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
 
 ## 🔗 Related Projects
 

src/CycloneDX.MSBuild/CycloneDX.MSBuild.csproj

@@ -14,7 +14,7 @@
     <PackageProjectUrl>https://github.com/CycloneDX/cyclonedx-msbuild</PackageProjectUrl>
     <RepositoryUrl>https://github.com/CycloneDX/cyclonedx-msbuild</RepositoryUrl>
     <RepositoryType>git</RepositoryType>
-    <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
+    <PackageLicenseExpression>MIT</PackageLicenseExpression>
     <PackageReadmeFile>README.md</PackageReadmeFile>
 
     <!-- Build Configuration -->

src/CycloneDX.MSBuild/build/CycloneDX.MSBuild.props

@@ -27,22 +27,23 @@
   <PropertyGroup Label="CycloneDX Output Configuration">
 
     <!--
-      Output format: json, xml, or spdx-json
+      Output format: json, xml
       Default: json
     -->
     <CycloneDxOutputFormat Condition="'$(CycloneDxOutputFormat)' == ''">json</CycloneDxOutputFormat>
 
     <!--
       Output directory for generated SBOM
-      Default: $(OutputPath) (e.g., bin/Debug/net8.0/)
+      Default: $(OutputPath) - set at build time in .targets file
+      Users can override this in their project file
     -->
-    <CycloneDxOutputDirectory Condition="'$(CycloneDxOutputDirectory)' == ''">$(OutputPath)</CycloneDxOutputDirectory>
+    <!-- CycloneDxOutputDirectory default is set in .targets, not here -->
 
     <!--
       Output filename (without extension)
-      Default: bom (results in bom.json or bom.xml)
+      Default: sbom (results in sbom.json or sbom.xml)
     -->
-    <CycloneDxOutputFilename Condition="'$(CycloneDxOutputFilename)' == ''">bom</CycloneDxOutputFilename>
+    <CycloneDxOutputFilename Condition="'$(CycloneDxOutputFilename)' == ''">sbom</CycloneDxOutputFilename>
 
   </PropertyGroup>
 
@@ -54,12 +55,6 @@
     -->
     <CycloneDxToolVersion Condition="'$(CycloneDxToolVersion)' == ''">5.5.0</CycloneDxToolVersion>
 
-    <!--
-      CycloneDX specification version
-      Supported: 1.2, 1.3, 1.4, 1.5, 1.6
-    -->
-    <CycloneDxSpecVersion Condition="'$(CycloneDxSpecVersion)' == ''">1.6</CycloneDxSpecVersion>
-
   </PropertyGroup>
 
   <PropertyGroup Label="CycloneDX Advanced Options">
@@ -77,16 +72,32 @@
     <CycloneDxExcludeTestProjects Condition="'$(CycloneDxExcludeTestProjects)' == ''">false</CycloneDxExcludeTestProjects>
 
     <!--
-      Include license text in SBOM
-      Default: false (only license IDs)
+      Disable SBOM serial number generation
+      Default: false (serial number is auto-generated)
+    -->
+    <CycloneDxDisableSerialNumber Condition="'$(CycloneDxDisableSerialNumber)' == ''">false</CycloneDxDisableSerialNumber>
+
+  </PropertyGroup>
+
+  <PropertyGroup Label="CycloneDX License Resolution">
+
+    <!--
+      Enable GitHub license resolution
+      Default: false
+    -->
+    <CycloneDxEnableGitHubLicenses Condition="'$(CycloneDxEnableGitHubLicenses)' == ''">false</CycloneDxEnableGitHubLicenses>
+
+    <!--
+      GitHub username for license resolution
+      Leave empty to disable GitHub license lookups
     -->
-    <CycloneDxIncludeLicenseText Condition="'$(CycloneDxIncludeLicenseText)' == ''">false</CycloneDxIncludeLicenseText>
+    <CycloneDxGitHubUsername Condition="'$(CycloneDxGitHubUsername)' == ''"></CycloneDxGitHubUsername>
 
     <!--
-      Set SBOM serial number (UUID)
-      Leave empty for auto-generation
+      GitHub personal access token for license resolution
+      Leave empty to use unauthenticated requests (rate limited)
     -->
-    <CycloneDxSerialNumber Condition="'$(CycloneDxSerialNumber)' == ''"></CycloneDxSerialNumber>
+    <CycloneDxGitHubToken Condition="'$(CycloneDxGitHubToken)' == ''"></CycloneDxGitHubToken>
 
   </PropertyGroup>
 

src/CycloneDX.MSBuild/build/CycloneDX.MSBuild.targets

@@ -33,35 +33,15 @@
       <_CycloneDxValidationFailed>false</_CycloneDxValidationFailed>
     </PropertyGroup>
 
-    <!-- Define valid output formats and spec versions -->
-    <ItemGroup>
-      <_ValidCycloneDxOutputFormat Include="json" />
-      <_ValidCycloneDxOutputFormat Include="xml" />
-      <_ValidCycloneDxSpecVersion Include="1.2" />
-      <_ValidCycloneDxSpecVersion Include="1.3" />
-      <_ValidCycloneDxSpecVersion Include="1.4" />
-      <_ValidCycloneDxSpecVersion Include="1.5" />
-      <_ValidCycloneDxSpecVersion Include="1.6" />
-    </ItemGroup>
-
     <!-- Validate output format -->
     <Warning
-      Condition="! $([MSBuild]::Contains('@(_ValidCycloneDxOutputFormat)', '$(CycloneDxOutputFormat)'))"
-      Text="[CycloneDX] Invalid output format '$(CycloneDxOutputFormat)'. Supported formats: @( _ValidCycloneDxOutputFormat->', ' ). Defaulting to json." />
+      Condition="'$(CycloneDxOutputFormat)' != 'json' AND '$(CycloneDxOutputFormat)' != 'xml'"
+      Text="[CycloneDX] Invalid output format '$(CycloneDxOutputFormat)'. Supported formats: json, xml. Defaulting to json." />
 
-    <PropertyGroup Condition="! $([MSBuild]::Contains('@(_ValidCycloneDxOutputFormat)', '$(CycloneDxOutputFormat)'))">
+    <PropertyGroup Condition="'$(CycloneDxOutputFormat)' != 'json' AND '$(CycloneDxOutputFormat)' != 'xml'">
       <CycloneDxOutputFormat>json</CycloneDxOutputFormat>
     </PropertyGroup>
 
-    <!-- Validate spec version -->
-    <Warning
-      Condition="! $([MSBuild]::Contains('@(_ValidCycloneDxSpecVersion)', '$(CycloneDxSpecVersion)'))"
-      Text="[CycloneDX] Invalid spec version '$(CycloneDxSpecVersion)'. Supported: @( _ValidCycloneDxSpecVersion->', ' ). Defaulting to 1.6." />
-
-    <PropertyGroup Condition="! $([MSBuild]::Contains('@(_ValidCycloneDxSpecVersion)', '$(CycloneDxSpecVersion)'))">
-      <CycloneDxSpecVersion>1.6</CycloneDxSpecVersion>
-    </PropertyGroup>
-
     <!-- Ensure output directory exists -->
     <MakeDir Directories="$(CycloneDxOutputDirectory)" Condition="!Exists('$(CycloneDxOutputDirectory)')" />
 
@@ -125,20 +105,40 @@
 
     <Message Importance="high" Text="[CycloneDX] Generating SBOM for $(MSBuildProjectName)..." />
 
+    <!-- Set output directory default now, when $(OutputPath) is available -->
+    <PropertyGroup>
+      <CycloneDxOutputDirectory Condition="'$(CycloneDxOutputDirectory)' == ''">$(OutputPath)</CycloneDxOutputDirectory>
+      <!-- Remove trailing backslash/slash to avoid escaping the closing quote in command-line arguments -->
+      <CycloneDxOutputDirectory>$(CycloneDxOutputDirectory.TrimEnd('\\').TrimEnd('/'))</CycloneDxOutputDirectory>
+    </PropertyGroup>
+
     <PropertyGroup>
       <!-- Build command line arguments -->
       <_CycloneDxArgs></_CycloneDxArgs>
       <_CycloneDxArgs>$(_CycloneDxArgs) "$(MSBuildProjectFullPath)"</_CycloneDxArgs>
-      <_CycloneDxArgs>$(_CycloneDxArgs) --output-directory "$(CycloneDxOutputDirectory)"</_CycloneDxArgs>
-      <_CycloneDxArgs>$(_CycloneDxArgs) --output-filename "$(CycloneDxOutputFilename)"</_CycloneDxArgs>
-      <_CycloneDxArgs>$(_CycloneDxArgs) --output-format $(CycloneDxOutputFormat)</_CycloneDxArgs>
-      <_CycloneDxArgs>$(_CycloneDxArgs) --spec-version $(CycloneDxSpecVersion)</_CycloneDxArgs>
+      <_CycloneDxArgs>$(_CycloneDxArgs) -o "$(CycloneDxOutputDirectory)"</_CycloneDxArgs>
+
+      <!-- Build full filename with extension based on format -->
+      <_CycloneDxFullFilename Condition="'$(CycloneDxOutputFormat)' == 'json'">$(CycloneDxOutputFilename).json</_CycloneDxFullFilename>
+      <_CycloneDxFullFilename Condition="'$(CycloneDxOutputFormat)' == 'xml'">$(CycloneDxOutputFilename).xml</_CycloneDxFullFilename>
+      <!-- Fallback to json if format is invalid -->
+      <_CycloneDxFullFilename Condition="'$(_CycloneDxFullFilename)' == ''">$(CycloneDxOutputFilename).json</_CycloneDxFullFilename>
+      <_CycloneDxArgs>$(_CycloneDxArgs) -fn "$(_CycloneDxFullFilename)"</_CycloneDxArgs>
+
+      <!-- Output format: json or xml (capitalize first letter for tool) -->
+      <_CycloneDxOutputFormat Condition="'$(CycloneDxOutputFormat)' == 'json'">Json</_CycloneDxOutputFormat>
+      <_CycloneDxOutputFormat Condition="'$(CycloneDxOutputFormat)' == 'xml'">Xml</_CycloneDxOutputFormat>
+      <!-- Fallback to Json if format is invalid -->
+      <_CycloneDxOutputFormat Condition="'$(_CycloneDxOutputFormat)' == ''">Json</_CycloneDxOutputFormat>
+      <_CycloneDxArgs>$(_CycloneDxArgs) -F $(_CycloneDxOutputFormat)</_CycloneDxArgs>
 
       <!-- Optional arguments -->
-      <_CycloneDxArgs Condition="'$(CycloneDxExcludeDev)' == 'true'">$(_CycloneDxArgs) --exclude-dev</_CycloneDxArgs>
-      <_CycloneDxArgs Condition="'$(CycloneDxExcludeTestProjects)' == 'true'">$(_CycloneDxArgs) --exclude-test-projects</_CycloneDxArgs>
-      <_CycloneDxArgs Condition="'$(CycloneDxIncludeLicenseText)' == 'true'">$(_CycloneDxArgs) --include-license-text</_CycloneDxArgs>
-      <_CycloneDxArgs Condition="'$(CycloneDxSerialNumber)' != ''">$(_CycloneDxArgs) --serial-number $(CycloneDxSerialNumber)</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxExcludeDev)' == 'true'">$(_CycloneDxArgs) -ed</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxExcludeTestProjects)' == 'true'">$(_CycloneDxArgs) -t</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxDisableSerialNumber)' == 'true'">$(_CycloneDxArgs) -ns</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxEnableGitHubLicenses)' == 'true'">$(_CycloneDxArgs) -egl</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxGitHubUsername)' != ''">$(_CycloneDxArgs) -gu "$(CycloneDxGitHubUsername)"</_CycloneDxArgs>
+      <_CycloneDxArgs Condition="'$(CycloneDxGitHubToken)' != ''">$(_CycloneDxArgs) -gt "$(CycloneDxGitHubToken)"</_CycloneDxArgs>
     </PropertyGroup>
 
     <!-- Execute CycloneDX tool -->

tests/Integration.Tests/DisabledProject/DisabledProject.csproj

@@ -5,6 +5,10 @@
     <OutputType>Library</OutputType>
   </PropertyGroup>
 
+  <!-- Import CycloneDX.MSBuild targets manually for local testing -->
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\build\CycloneDX.MSBuild.props" />
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\build\CycloneDX.MSBuild.targets" />
+
   <!-- Explicitly disable SBOM generation for this project -->
   <PropertyGroup>
     <GenerateCycloneDxSbom>false</GenerateCycloneDxSbom>

tests/Integration.Tests/MultiTargetProject/MultiTargetProject.csproj

@@ -3,11 +3,20 @@
   <PropertyGroup>
     <!-- Multi-targeting: .NET 6, .NET 8, and .NET Standard 2.0 -->
     <TargetFrameworks>net6.0;net8.0;netstandard2.0</TargetFrameworks>
+    <LangVersion>10.0</LangVersion>
+    <OutputType>Library</OutputType>
+  </PropertyGroup>
+
+  <!-- Enable ImplicitUsings and Nullable only for .NET 6+ (not for netstandard2.0) -->
+  <PropertyGroup Condition="'$(TargetFramework)' == 'net6.0' OR '$(TargetFramework)' == 'net8.0'">
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
-    <OutputType>Library</OutputType>
   </PropertyGroup>
 
+  <!-- Import CycloneDX.MSBuild targets manually for local testing -->
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\buildMultiTargeting\CycloneDX.MSBuild.props" />
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\buildMultiTargeting\CycloneDX.MSBuild.targets" />
+
   <ItemGroup>
     <!-- Reference the local CycloneDX.MSBuild package -->
     <ProjectReference Include="..\..\..\src\CycloneDX.MSBuild\CycloneDX.MSBuild.csproj">

tests/Integration.Tests/SimpleProject/SimpleProject.csproj

@@ -7,6 +7,10 @@
     <OutputType>Library</OutputType>
   </PropertyGroup>
 
+  <!-- Import CycloneDX.MSBuild targets manually for local testing -->
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\build\CycloneDX.MSBuild.props" />
+  <Import Project="..\..\..\src\CycloneDX.MSBuild\build\CycloneDX.MSBuild.targets" />
+
   <ItemGroup>
     <!-- Reference the local CycloneDX.MSBuild package -->
     <ProjectReference Include="..\..\..\src\CycloneDX.MSBuild\CycloneDX.MSBuild.csproj">