
Crash when using -rs with referenced project that has multiple target frameworks #830

Closed
ag-lls opened this issue Jan 10, 2024 · 4 comments
Labels
triage Don't know what to do with this yet

Comments

@ag-lls

ag-lls commented Jan 10, 2024

We encountered an issue where the software crashes when building the SBOM in version 3.0.4 when using the -rs parameter.

Our project setup is as follows:
ProjectA references ProjectB, which has two target frameworks (dotnet 8 and net472).
We think the issue has to do with the fact that ProjectB uses a NuGet Package, which probably gets added two times (because of the two target frameworks).

@mtsfoni This is what we mentioned in the wrongly opened pull request.

We have created an example project that triggers the crash.
https://github.com/ag-lls/CrashReproduction

When running the tool like this:
dotnet CycloneDX "ConsoleApp1.csproj" -j -f sbom.json -rs -ipr -ed -t -sv 24.1 -egl
We get the crash:

Unhandled exception: System.ArgumentException: An item with the same key has already been added. Key: Microsoft.IO.RecyclableMemoryStream
   at System.Collections.Generic.Dictionary`2.TryInsert(TKey key, TValue value, InsertionBehavior behavior)
   at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
   at CycloneDX.Services.ProjectFileService.RecursivelyGetProjectDotnetDependencysAsync(String projectFilePath, String baseIntermediateOutputPath, Boolean excludeTestProjects, String framework, String runtime) in /home/runner/work/cyclonedx-dotnet/cyclonedx-dotnet/CycloneDX/Services/ProjectFileService.cs:line 226

Without the -rs parameter the generation doesn't crash.

@github-actions github-actions bot added the triage Don't know what to do with this yet label Jan 10, 2024
@mtsfoni
Contributor

mtsfoni commented Jan 10, 2024

Thanks for the extensive groundwork, I expect that I will be able to provide a fix for this quickly.

> Without the -rs parameter the generation doesn't crash.

The -rs parameter is basically legacy for projects that use the old packages.config. If you use ProjectReferences as in the provided example, dotnet creates obj/project.assets.json which contains basically all information that we need to build the SBOM. -rs shouldn't be necessary in that case.

@ag-lls
Author

ag-lls commented Jan 10, 2024

Thanks for the quick response and for helping out!
In our real solution, we do have a vast amount of projects and project types, which also include old legacy projects. That's why the -rs parameter works well for us.

> I expect that I will be able to provide a fix for this quickly.

That would be awesome and extremely helpful! Thanks again 👍

mtsfoni added a commit to mtsfoni/cyclonedx-dotnet that referenced this issue Jan 10, 2024
…ultiple targets with different dependencies.

Signed-off-by: MTsfoni <mibau89@gmail.com>
@mtsfoni
Contributor

mtsfoni commented Jan 10, 2024

Please try with: 3.0.5

As a side note, I ran the example with 2.10.0 and while it doesn't crash, the result is not entirely correct. It included both versions of the double dependency in the SBOM and the dependency graph, while de facto only one of them gets delivered with the software.

The -tfm argument might help you make SBOMs that are more correct in cases like the test case.

The only good solution I could come up with now is to just ignore the second package in the dependency graph - that's everything but perfect. It shouldn't crash, however.

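The two points made in this thread, that obj/project.assets.json already carries one dependency list per target framework, and that flattening those lists into a single dictionary keyed by package name is what raised the "same key has already been added" exception, can be shown on a small model of the file. The following is an added illustration written for this page in Python (not the project's C# code, and not the actual fix committed for 3.0.5). The assets-file fragment, the package names other than Microsoft.IO.RecyclableMemoryStream, and all version numbers are constructed for the example; the shape of the "targets" object (one entry per framework, keys of the form "Package/Version") follows the real file format.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for the relevant part of obj/project.assets.json for a
# project that targets net8.0 and net472. The same package name appears under
# both frameworks, once with a different version (versions are made up here).
SAMPLE_ASSETS_JSON = json.dumps({
    "version": 3,
    "targets": {
        "net8.0": {
            "Microsoft.IO.RecyclableMemoryStream/2.3.2": {"type": "package"},
            "Newtonsoft.Json/13.0.3": {"type": "package"},
        },
        ".NETFramework,Version=v4.7.2": {
            "Microsoft.IO.RecyclableMemoryStream/1.4.1": {"type": "package"},
            "Newtonsoft.Json/13.0.3": {"type": "package"},
        },
    },
})


def packages_per_target(assets_json: str) -> Dict[str, Dict[str, str]]:
    """Return {target_framework: {package_name: version}} from an assets file."""
    data = json.loads(assets_json)
    result: Dict[str, Dict[str, str]] = {}
    for tfm, entries in data.get("targets", {}).items():
        packages: Dict[str, str] = {}
        for key, info in entries.items():
            if info.get("type") != "package":
                continue  # "project" entries are project references, not NuGet packages
            name, _, version = key.partition("/")
            packages[name] = version
        result[tfm] = packages
    return result


def merge_naive(per_target: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flatten all frameworks into one map, failing on a repeated key.

    This mirrors the Dictionary.Add behaviour behind the reported crash:
    the second framework re-adds a package name that is already present.
    """
    merged: Dict[str, str] = {}
    for packages in per_target.values():
        for name, version in packages.items():
            if name in merged:
                raise KeyError(
                    f"An item with the same key has already been added. Key: {name}")
            merged[name] = version
    return merged


def merge_first_wins(
    per_target: Dict[str, Dict[str, str]],
) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Keep the first occurrence of each package, as the thread describes
    ("ignore the second package"), and report which differing versions were
    dropped so the SBOM author can see what the flattened graph hides."""
    merged: Dict[str, str] = {}
    dropped: List[Tuple[str, str, str]] = []
    for tfm, packages in per_target.items():
        for name, version in packages.items():
            if name in merged:
                if merged[name] != version:
                    dropped.append((name, version, tfm))
                continue
            merged[name] = version
    return merged, dropped


def packages_for_target(per_target: Dict[str, Dict[str, str]], tfm: str) -> Dict[str, str]:
    """Restrict the graph to one framework: the shape of result the thread
    suggests -tfm is for, where only one framework's output actually ships."""
    if tfm not in per_target:
        raise KeyError(f"target {tfm!r} not in assets file; available: {sorted(per_target)}")
    return dict(per_target[tfm])


if __name__ == "__main__":
    per = packages_per_target(SAMPLE_ASSETS_JSON)
    try:
        merge_naive(per)
    except KeyError as exc:
        print("naive merge failed:", exc)
    merged, dropped = merge_first_wins(per)
    print("first-wins merge:", merged)
    print("dropped versions:", dropped)
    print("net8.0 only:", packages_for_target(per, "net8.0"))
```

Running the script shows the naive merge failing on Microsoft.IO.RecyclableMemoryStream exactly as the stack trace in the report does, the first-wins merge silently keeping version 2.3.2 and dropping 1.4.1 from the net472 target, and the per-target view producing a list that corresponds to what one build actually ships. The `dropped` list is the part worth keeping an eye on: it is the information a flattened, first-wins SBOM loses, which is why restricting to a single target framework gives the more accurate result.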
@ag-lls
Author

ag-lls commented Jan 11, 2024

Works good, thank you for your quick help! I will play around with the -tfm. But I will have to take time for that, our pipelines are many and they are quite big 😄
