From 5d4ade05ea707816552825d9c5c8e0f6d965a154 Mon Sep 17 00:00:00 2001
From: Patrick Dwyer
Date: Wed, 23 Jul 2025 17:11:59 +1000
Subject: [PATCH 1/5] Bump dependency minor versions
Signed-off-by: Patrick Dwyer
---
 src/cyclonedx/cyclonedx.csproj | 2 +-
 tests/cyclonedx.tests/cyclonedx.tests.csproj | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/cyclonedx/cyclonedx.csproj b/src/cyclonedx/cyclonedx.csproj
index 7c6e799..6425913 100644
--- a/src/cyclonedx/cyclonedx.csproj
+++ b/src/cyclonedx/cyclonedx.csproj
@@ -19,7 +19,7 @@ - +
diff --git a/tests/cyclonedx.tests/cyclonedx.tests.csproj b/tests/cyclonedx.tests/cyclonedx.tests.csproj
index 92411d6..9bb4e73 100644
--- a/tests/cyclonedx.tests/cyclonedx.tests.csproj
+++ b/tests/cyclonedx.tests/cyclonedx.tests.csproj
@@ -7,14 +7,14 @@ - - - - + + + + runtime; build; native; contentfiles; analyzers; buildtransitive all - + runtime; build; native; contentfiles; analyzers; buildtransitive all
From a695e275437d04d6a22a0c21691d5a2d23e59895 Mon Sep 17 00:00:00 2001
From: Patrick Dwyer
Date: Wed, 23 Jul 2025 17:19:50 +1000
Subject: [PATCH 2/5] Address build warning xUnit1030 warning xUnit1030: Test methods should not call ConfigureAwait(false), as it may bypass parallelization limits. Omit ConfigureAwait, or use ConfigureAwait(true) to avoid CA2007. (https://xunit.net/xunit.analyzers/rules/xUnit1030)
Signed-off-by: Patrick Dwyer
---
 tests/cyclonedx.tests/ConvertTests.cs | 6 +++---
 tests/cyclonedx.tests/MergeTests.cs | 2 +-
 tests/cyclonedx.tests/SignBomTests.cs | 2 +-
 tests/cyclonedx.tests/SignFileTests.cs | 6 +++---
 tests/cyclonedx.tests/ValidateTests.cs | 2 +-
 tests/cyclonedx.tests/VerifyAllTests.cs | 4 ++--
 tests/cyclonedx.tests/VerifyFileTests.cs | 12 ++++++------
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/tests/cyclonedx.tests/ConvertTests.cs b/tests/cyclonedx.tests/ConvertTests.cs
index 6a75c02..a62fc24 100644
--- a/tests/cyclonedx.tests/ConvertTests.cs
+++ b/tests/cyclonedx.tests/ConvertTests.cs
@@ -99,7 +99,7 @@ public async Task Convert(string inputFilename, ConvertFormat inputFormat, strin
 InputFormat = inputFormat,
 OutputFormat = outputFormat,
 OutputVersion = outputVersion,
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(0, exitCode);
 var bom = File.ReadAllText(fullOutputPath);
@@ -122,7 +122,7 @@ public async Task ConvertToSpdxJson(ConvertFormat outputFormat)
 InputFormat = ConvertFormat.autodetect,
 OutputFormat = outputFormat
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(0, exitCode);
 var bom = File.ReadAllText(outputFilename);
@@ -146,7 +146,7 @@ public async Task ConvertFromSpdxJson(ConvertFormat inputFormat)
 InputFormat = inputFormat,
 OutputFormat = ConvertFormat.xml,
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(0, exitCode);
 var bom = File.ReadAllText(outputFilename);
diff --git a/tests/cyclonedx.tests/MergeTests.cs b/tests/cyclonedx.tests/MergeTests.cs
index e9b60dc..8a6bfb0 100644
--- a/tests/cyclonedx.tests/MergeTests.cs
+++ b/tests/cyclonedx.tests/MergeTests.cs
@@ -71,7 +71,7 @@ public async Task Merge(
 options.InputFiles.Add(Path.Combine("Resources", "Merge", inputFilename));
 }
- var exitCode = await MergeCommand.Merge(options).ConfigureAwait(false);
+ var exitCode = await MergeCommand.Merge(options).ConfigureAwait(true);
 Assert.Equal(0, exitCode);
 var bom = File.ReadAllText(fullOutputPath);
diff --git a/tests/cyclonedx.tests/SignBomTests.cs b/tests/cyclonedx.tests/SignBomTests.cs
index e82c9ab..518f705 100644
--- a/tests/cyclonedx.tests/SignBomTests.cs
+++ b/tests/cyclonedx.tests/SignBomTests.cs
@@ -39,7 +39,7 @@ public async Task SignXmlBom()
 {
 BomFile = testFilename,
 KeyFile = Path.Combine("Resources", "private.key"),
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
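Review bot: `.ConfigureAwait(true)` only restates the default await behaviour, so at `}).ConfigureAwait(true);` in Convert, and at every other replaced call in this patch (MergeTests, SignBomTests, SignFileTests, ValidateTests, VerifyAllTests, VerifyFileTests), the call is kept purely to silence CA2007. The xUnit1030 guidance quoted in the commit message also permits omitting it, e.g. `var exitCode = await MergeCommand.Merge(options);`. If CA2007 is enforced on the test project (not visible in this patch), a scoped `dotnet_diagnostic.CA2007.severity = none` for the tests directory in .editorconfig would let the tests drop the call entirely. The test method bodies start and end outside these hunks.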
diff --git a/tests/cyclonedx.tests/SignFileTests.cs b/tests/cyclonedx.tests/SignFileTests.cs
index af7ea3a..c986eb9 100644
--- a/tests/cyclonedx.tests/SignFileTests.cs
+++ b/tests/cyclonedx.tests/SignFileTests.cs
@@ -33,18 +33,18 @@ public async Task SignFile()
 using (var tempDirectory = new TempDirectory())
 {
 var testFilename = Path.Combine(tempDirectory.DirectoryPath, "bom.xml");
- var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(false);
+ var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(true);
 if (Environment.OSVersion.Platform == PlatformID.Win32NT)
 {
 fileContents = fileContents.Replace("\r\n", "\n");
 }
- await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(false);
+ await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(true);
 var exitCode = await SignFileCommand.SignFile(new SignFileCommandOptions
 {
 File = testFilename,
 KeyFile = Path.Combine("Resources", "private.key"),
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
diff --git a/tests/cyclonedx.tests/ValidateTests.cs b/tests/cyclonedx.tests/ValidateTests.cs
index 651ab7a..23b0464 100644
--- a/tests/cyclonedx.tests/ValidateTests.cs
+++ b/tests/cyclonedx.tests/ValidateTests.cs
@@ -78,7 +78,7 @@ public async Task Validate(string inputFilename, ValidationBomFormat inputFormat
 InputFormat = inputFormat,
 InputVersion = inputVersion,
 FailOnErrors = true,
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 if (valid)
 {
diff --git a/tests/cyclonedx.tests/VerifyAllTests.cs b/tests/cyclonedx.tests/VerifyAllTests.cs
index 9be310e..06a4226 100644
--- a/tests/cyclonedx.tests/VerifyAllTests.cs
+++ b/tests/cyclonedx.tests/VerifyAllTests.cs
@@ -32,7 +32,7 @@ public async Task OriginalBomSignatureVerifies()
 {
 BomFile = Path.Combine("Resources", "signed-bom.xml"),
 KeyFile = Path.Combine("Resources", "public.key")
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
 }
@@ -44,7 +44,7 @@ public async Task ModifiedBomFailsSignatureVerification()
 {
 BomFile = Path.Combine("Resources", "signed-bom-modified.xml"),
 KeyFile = Path.Combine("Resources", "public.key")
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.SignatureFailedVerification, (ExitCode)exitCode);
 }
diff --git a/tests/cyclonedx.tests/VerifyFileTests.cs b/tests/cyclonedx.tests/VerifyFileTests.cs
index 8c81375..1324849 100644
--- a/tests/cyclonedx.tests/VerifyFileTests.cs
+++ b/tests/cyclonedx.tests/VerifyFileTests.cs
@@ -32,19 +32,19 @@ public async Task ValidSignatureVerifies()
 {
 var testFilename = Path.Combine(tempDirectory.DirectoryPath, "bom.xml");
- var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(false);
+ var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(true);
 if (Environment.OSVersion.Platform == PlatformID.Win32NT)
 {
 fileContents = fileContents.Replace("\r\n", "\n");
 }
- await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(false);
+ await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(true);
 var exitCode = await VerifyFileCommand.VerifyFile(new VerifyFileCommandOptions
 {
 File = testFilename,
 KeyFile = Path.Combine("Resources", "public.key"),
 SignatureFile = Path.Combine("Resources", "bom-1.3.xml.valid.sig"),
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
 }
@@ -57,19 +57,19 @@ public async Task InvalidSignatureFailsVerification()
 {
 var testFilename = Path.Combine(tempDirectory.DirectoryPath, "bom.xml");
- var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(false);
+ var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(true);
 if (Environment.OSVersion.Platform == PlatformID.Win32NT)
 {
 fileContents = fileContents.Replace("\r\n", "\n");
 }
- await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(false);
+ await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(true);
 var exitCode = await VerifyFileCommand.VerifyFile(new VerifyFileCommandOptions
 {
 File = testFilename,
 KeyFile = Path.Combine("Resources", "public.key"),
 SignatureFile = Path.Combine("Resources", "bom-1.3.xml.invalid.sig"),
- }).ConfigureAwait(false);
+ }).ConfigureAwait(true);
 Assert.Equal(ExitCode.SignatureFailedVerification, (ExitCode)exitCode);
 }
From bf9ea642501f67e96eccefd158a12302d0a663f2 Mon Sep 17 00:00:00 2001
From: Patrick Dwyer
Date: Wed, 23 Jul 2025 17:35:23 +1000
Subject: [PATCH 3/5] Upgrade most of the remaining dependencies
Signed-off-by: Patrick Dwyer
---
 src/cyclonedx/cyclonedx.csproj | 4 ++--
 tests/cyclonedx.tests/cyclonedx.tests.csproj | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/cyclonedx/cyclonedx.csproj b/src/cyclonedx/cyclonedx.csproj
index 6425913..3078eba 100644
--- a/src/cyclonedx/cyclonedx.csproj
+++ b/src/cyclonedx/cyclonedx.csproj
@@ -13,8 +13,8 @@ - - + +
diff --git a/tests/cyclonedx.tests/cyclonedx.tests.csproj b/tests/cyclonedx.tests/cyclonedx.tests.csproj
index 9bb4e73..95b74e9 100644
--- a/tests/cyclonedx.tests/cyclonedx.tests.csproj
+++ b/tests/cyclonedx.tests/cyclonedx.tests.csproj
@@ -8,13 +8,13 @@ - + - + runtime; build; native; contentfiles; analyzers; buildtransitive all - + runtime; build; native; contentfiles; analyzers; buildtransitive all
From 34c371eeec5b54fb677d9fc0b9de2f752d9f5ad5 Mon Sep 17 00:00:00 2001
From: Patrick Dwyer
Date: Wed, 23 Jul 2025 17:42:35 +1000
Subject: [PATCH 4/5] Bump system cryptography xml dependency
Signed-off-by: Patrick Dwyer
---
 src/cyclonedx/cyclonedx.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cyclonedx/cyclonedx.csproj b/src/cyclonedx/cyclonedx.csproj
index 3078eba..7180056 100644
--- a/src/cyclonedx/cyclonedx.csproj
+++ b/src/cyclonedx/cyclonedx.csproj
@@ -19,7 +19,7 @@ - +
From 676bc0862ef03263a7621cb2c790f3cfe42f6c84 Mon Sep 17 00:00:00 2001
From: Patrick Dwyer
Date: Wed, 23 Jul 2025 17:56:00 +1000
Subject: [PATCH 5/5] Tidy up some using statements
Signed-off-by: Patrick Dwyer
---
 src/cyclonedx/Commands/Add/AddFilesCommand.cs | 5 +----
 src/cyclonedx/Commands/Sign/SignBomCommand.cs | 3 +--
 src/cyclonedx/Commands/Sign/SignFileCommand.cs | 5 +----
 src/cyclonedx/Commands/ValidateCommandOptions.cs | 6 ------
 src/cyclonedx/Commands/Verify/VerifyAllCommand.cs | 3 +--
 src/cyclonedx/Commands/Verify/VerifyFileCommand.cs | 3 +--
 6 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/src/cyclonedx/Commands/Add/AddFilesCommand.cs b/src/cyclonedx/Commands/Add/AddFilesCommand.cs
index 77f095f..539a681 100644
--- a/src/cyclonedx/Commands/Add/AddFilesCommand.cs
+++ b/src/cyclonedx/Commands/Add/AddFilesCommand.cs
@@ -18,8 +18,7 @@
 using System.Collections.Generic;
 using System.Diagnostics.Contracts;
 using System.CommandLine;
-using System.CommandLine.Invocation;
-using System.Globalization;
+using System.CommandLine.NamingConventionBinder;
 using System.IO;
 using System.Linq;
 using System.Reflection;
@@ -28,8 +27,6 @@
 using System.Threading.Tasks;
 using AntPathMatching;
 using CycloneDX.Models;
-using CycloneDX.Cli.Commands;
-using System.CommandLine.NamingConventionBinder;
 namespace CycloneDX.Cli.Commands.Add
 {
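Review bot: The using block is still out of sorted order after this tidy-up: in the first AddFilesCommand.cs hunk `using System.Diagnostics.Contracts;` sits above `using System.CommandLine;`, and the same order shows in the SignBomCommand, SignFileCommand, VerifyAllCommand and VerifyFileCommand hunks. Moving that line below `using System.CommandLine.NamingConventionBinder;` would finish the cleanup and keep later diffs to these blocks small. The using block in AddFilesCommand.cs begins above the hunk, so the order of its first lines is not visible here.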
diff --git a/src/cyclonedx/Commands/Sign/SignBomCommand.cs b/src/cyclonedx/Commands/Sign/SignBomCommand.cs
index 4cfc34f..b56deb7 100644
--- a/src/cyclonedx/Commands/Sign/SignBomCommand.cs
+++ b/src/cyclonedx/Commands/Sign/SignBomCommand.cs
@@ -17,14 +17,13 @@
 using System;
 using System.Diagnostics.Contracts;
 using System.CommandLine;
-using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.Globalization;
 using System.IO;
 using System.Security.Cryptography;
 using System.Security.Cryptography.Xml;
 using System.Threading.Tasks;
 using System.Xml;
-using System.CommandLine.NamingConventionBinder;
 namespace CycloneDX.Cli.Commands.Sign
 {
diff --git a/src/cyclonedx/Commands/Sign/SignFileCommand.cs b/src/cyclonedx/Commands/Sign/SignFileCommand.cs
index 11d06db..edd70e4 100644
--- a/src/cyclonedx/Commands/Sign/SignFileCommand.cs
+++ b/src/cyclonedx/Commands/Sign/SignFileCommand.cs
@@ -18,13 +18,10 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Diagnostics.Contracts;
 using System.CommandLine;
-using System.CommandLine.Invocation;
-using System.Globalization;
+using System.CommandLine.NamingConventionBinder;
 using System.IO;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
-using System.Xml;
-using System.CommandLine.NamingConventionBinder;
 namespace CycloneDX.Cli.Commands.Sign
 {
diff --git a/src/cyclonedx/Commands/ValidateCommandOptions.cs b/src/cyclonedx/Commands/ValidateCommandOptions.cs
index 3d097ed..d95cfc3 100644
--- a/src/cyclonedx/Commands/ValidateCommandOptions.cs
+++ b/src/cyclonedx/Commands/ValidateCommandOptions.cs
@@ -15,12 +15,6 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright (c) OWASP Foundation. All Rights Reserved.
 using System;
-using System.CommandLine;
-using System.CommandLine.Invocation;
-using System.IO;
-using System.Text;
-using System.Threading.Tasks;
-using CycloneDX.Models;
 namespace CycloneDX.Cli.Commands
 {
diff --git a/src/cyclonedx/Commands/Verify/VerifyAllCommand.cs b/src/cyclonedx/Commands/Verify/VerifyAllCommand.cs
index 5ae2608..33a4e17 100644
--- a/src/cyclonedx/Commands/Verify/VerifyAllCommand.cs
+++ b/src/cyclonedx/Commands/Verify/VerifyAllCommand.cs
@@ -17,14 +17,13 @@
 using System;
 using System.Diagnostics.Contracts;
 using System.CommandLine;
-using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.Globalization;
 using System.IO;
 using System.Security.Cryptography;
 using System.Security.Cryptography.Xml;
 using System.Threading.Tasks;
 using System.Xml;
-using System.CommandLine.NamingConventionBinder;
 namespace CycloneDX.Cli.Commands.Verify
 {
diff --git a/src/cyclonedx/Commands/Verify/VerifyFileCommand.cs b/src/cyclonedx/Commands/Verify/VerifyFileCommand.cs
index 82e7299..02fdc49 100644
--- a/src/cyclonedx/Commands/Verify/VerifyFileCommand.cs
+++ b/src/cyclonedx/Commands/Verify/VerifyFileCommand.cs
@@ -17,11 +17,10 @@
 using System;
 using System.Diagnostics.Contracts;
 using System.CommandLine;
-using System.CommandLine.Invocation;
+using System.CommandLine.NamingConventionBinder;
 using System.IO;
 using System.Security.Cryptography;
 using System.Threading.Tasks;
-using System.CommandLine.NamingConventionBinder;
 namespace CycloneDX.Cli.Commands.Verify
 {