Bump the nuget-dependencies group with 4 updates

[dependabot]

Updated Microsoft.CodeAnalysis.NetAnalyzers from 9.0.0 to 10.0.101.

Release notes

Sourced from Microsoft.CodeAnalysis.NetAnalyzers's releases.

10.0.101

You can build .NET 10.0 from the repository by cloning the release tag v10.0.101 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.100

You can build .NET 10.0 from the repository by cloning the release tag v10.0.100 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

To produce artifacts with the .NET 10 GA version strings, users must pass the branding argument to the build: --branding rtm.

10.0.100-rc.2.25502.107

You can build .NET 10.0 RC 2 from the repository by cloning the release tag v10.0.100-rc.2.25502.107 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

Note: GitHub automatically generates the "Source code (tar.gz/zip)" archives included in this release. Please download the official source code from:

• dotnet-source-10.0.100-rc.2.25502.107.tar.gz
• dotnet-source-10.0.100-rc.2.25502.107.zip

10.0.100-rc.1.25451.107

You can build .NET 10.0 RC 1 from the repository by cloning the release tag v10.0.100-rc.1.25451.107 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.100-preview.7.25380.108

You can build .NET 10.0 Preview 7 from the repository by cloning the release tag v10.0.100-preview.7.25380.108 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.6.25358.103

You can build .NET 10.0 Preview 6 from the repository by cloning the release tag v10.0.0-preview.6.25358.103 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.5.25277.114

You can build .NET 10.0 Preview 5 from the repository by cloning the release tag v10.0.0-preview.5.25277.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.4.25258.110

You can build .NET 10.0 Preview 4 from the repository by cloning the release tag v10.0.0-preview.4.25258.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.3.25171.5

You can build .NET 10.0 Preview 3 from the repository by cloning the release tag v10.0.0-preview.3.25171.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.2.25163.2

You can build .NET 10.0 Preview 2 from the repository by cloning the release tag v10.0.0-preview.2.25163.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.1.25080.5

You can build .NET 10.0 Preview 1 from the repository by cloning the release tag v10.0.0-preview.1.25080.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.112

You can build .NET 9.0 from the repository by cloning the release tag v9.0.112 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.111

You can build .NET 9.0 from the repository by cloning the release tag v9.0.111 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.110

You can build .NET 9.0 from the repository by cloning the release tag v9.0.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.109

You can build .NET 9.0 from the repository by cloning the release tag v9.0.109 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.101

You can build .NET 9.0 from the repository by cloning the release tag v9.0.101 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.7

You can build .NET 9.0 from the repository by cloning the release tag v9.0.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.6

You can build .NET 9.0 from the repository by cloning the release tag v9.0.6 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.5

You can build .NET 9.0 from the repository by cloning the release tag v9.0.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.4

You can build .NET 9.0 from the repository by cloning the release tag v9.0.4 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.3

You can build .NET 9.0 from the repository by cloning the release tag v9.0.3 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.2

You can build .NET 9.0 from the repository by cloning the release tag v9.0.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.1

You can build .NET 9.0 from the repository by cloning the release tag v9.0.1 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

Commits viewable in compare view.

Updated Microsoft.Extensions.FileSystemGlobbing from 9.0.0 to 10.0.1.

Release notes

Sourced from Microsoft.Extensions.FileSystemGlobbing's releases.

10.0.0-preview.6.25358.103

You can build .NET 10.0 Preview 6 from the repository by cloning the release tag v10.0.0-preview.6.25358.103 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.5.25277.114

You can build .NET 10.0 Preview 5 from the repository by cloning the release tag v10.0.0-preview.5.25277.114 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.4.25258.110

You can build .NET 10.0 Preview 4 from the repository by cloning the release tag v10.0.0-preview.4.25258.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.3.25171.5

You can build .NET 10.0 Preview 3 from the repository by cloning the release tag v10.0.0-preview.3.25171.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.2.25163.2

You can build .NET 10.0 Preview 2 from the repository by cloning the release tag v10.0.0-preview.2.25163.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

10.0.0-preview.1.25080.5

You can build .NET 10.0 Preview 1 from the repository by cloning the release tag v10.0.0-preview.1.25080.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.112

You can build .NET 9.0 from the repository by cloning the release tag v9.0.112 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.111

You can build .NET 9.0 from the repository by cloning the release tag v9.0.111 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.110

You can build .NET 9.0 from the repository by cloning the release tag v9.0.110 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.109

You can build .NET 9.0 from the repository by cloning the release tag v9.0.109 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.101

You can build .NET 9.0 from the repository by cloning the release tag v9.0.101 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.7

You can build .NET 9.0 from the repository by cloning the release tag v9.0.7 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.6

You can build .NET 9.0 from the repository by cloning the release tag v9.0.6 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.5

You can build .NET 9.0 from the repository by cloning the release tag v9.0.5 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.4

You can build .NET 9.0 from the repository by cloning the release tag v9.0.4 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.3

You can build .NET 9.0 from the repository by cloning the release tag v9.0.3 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.2

You can build .NET 9.0 from the repository by cloning the release tag v9.0.2 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

9.0.1

You can build .NET 9.0 from the repository by cloning the release tag v9.0.1 and following the build instructions in the main README.md.

Alternatively, you can build from the sources attached to this release directly.
More information on this process can be found in the dotnet/dotnet repository.

Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023

Commits viewable in compare view.

Updated Microsoft.Sbom.Targets from 2.2.8 to 4.1.5.

Release notes

Sourced from Microsoft.Sbom.Targets's releases.

4.1.5

⚙️ Changes

• Bump component detection to 6.2.1 by @​sebasgomez238 (#​1359)
• Fix CG alert - .NET SDK by @​ZhengHong-Tan (#​1334)
• Remove GH packages release step from pipeline by @​sfoslund (#​1333)
• Fix release pipeline internal feed release by @​sfoslund (#​1325)

4.1.4

⚙️ Changes

• Fix release pipeline internal feed release by @​sfoslund (#​1325)
• Fix release pipeline internal feed logic by @​sfoslund (#​1324)
• Major version bump for Component Detection by @​jlperkins (#​1323)
• Fix validation errors for SBOM tool release by @​pragnya17 (#​1282)
• Bump Microsoft.Build, Microsoft.Build.Framework, and Microsoft.Build.Utilities.Core by @dependabot[bot] (#​1276)
• Revert "Update pipeline to use shared service connection" by @​pragnya17 (#​1275)
• Bump System.Threading.Channels from 9.0.8 to 9.0.10 by @dependabot[bot] (#​1273)
• Update pipeline to use shared service connection by @​pragnya17 (#​1262)

4.1.3

⚙️ Changes

• Fix validation errors for SBOM tool release by @​pragnya17 (#​1282)
• Bump Microsoft.Build, Microsoft.Build.Framework, and Microsoft.Build.Utilities.Core by @dependabot[bot] (#​1276)
• Revert "Update pipeline to use shared service connection" by @​pragnya17 (#​1275)
• Bump System.Threading.Channels from 9.0.8 to 9.0.10 by @dependabot[bot] (#​1273)
• Update pipeline to use shared service connection by @​pragnya17 (#​1262)
• Bump Microsoft.ComponentDetection.Contracts from 5.2.19 to 5.2.27 by @dependabot[bot] (#​1204)
• Update readme to reflect new contribution policy by @​alisonlomaka (#​1235)
• Bump NuGet.Configuration from 6.13.2 to 6.14.0 by @dependabot[bot] (#​1178)
• Bump NuGet.Frameworks from 6.13.2 to 6.14.0 by @dependabot[bot] (#​1179)
• Bump System.Linq.Async from 6.0.1 to 6.0.3 by @dependabot[bot] (#​1184)
• Bump Scrutor from 6.0.1 to 6.1.0 by @dependabot[bot] (#​1181)
• Bump Newtonsoft.Json from 13.0.3 to 13.0.4 by @dependabot[bot] (#​1226)
• Bump actions/setup-dotnet from 4.3.1 to 5.0.0 by @dependabot[bot] (#​1202)
• Bump System.Text.Json from 9.0.2 to 9.0.9 by @dependabot[bot] (#​1218)
• Bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] (#​1207)
• Bump github/codeql-action from 3.29.11 to 3.30.3 by @dependabot[bot] (#​1219)
• Convert SBOM tool release pipeline from classic to governed by @​pragnya17 (#​1212)
• Bump Microsoft.VisualStudio.Threading.Analyzers from 17.12.19 to 17.14.15 by @dependabot[bot] (#​1176)
• Bump System.Threading.Channels from 9.0.2 to 9.0.8 by @dependabot[bot] (#​1186)
• Bump System.Threading.Tasks.Extensions from 4.6.1 to 4.6.3 by @dependabot[bot] (#​1187)
• Bump github/codeql-action from 3.29.3 to 3.29.11 by @dependabot[bot] (#​1164)
• Bump actions/checkout from 4 to 5 by @dependabot[bot] (#​1156)

4.1.2

• Add COSE paths to SbomConfig by @​JoseRenan (#​1152)
• Exit with appropriate exit code when providing version by @​GDWR (#​1161)

4.1.1

⚙️ Changes

• Temporarily make NI policy permissive by @​pragnya17 (#​1157)
• Scope FileHasher awaiting to just aggregation by @​DaveTryon (#​1160)
• Add telemetry to record depends on relationships by @​pragnya17 (#​1153)
• Exclude samples folder from externaldocreferences by @​DaveTryon (#​1146)

4.1.0

⚙️ Changes

• Fix externalRefs parser bug by @​jlperkins (#​1147)
• Add aggregation docs by @​DaveTryon (#​1145)
• Bump github/codeql-action from 3.29.0 to 3.29.3 by @dependabot[bot] (#​1144)
• Ignore SHA1 codeQL warnings by @​sfoslund (#​1143)
• Refactor constructor for Generator class by @​DaveTryon (#​1142)
• Add E2E tests for aggregation, fix race condition by @​DaveTryon (#​1141)
• Include package relationships when aggregating by @​DaveTryon (#​1139)
• Ignore SHA1 codeQL warnings by @​sfoslund (#​1138)
• Restore writing of root dependencies by @​DaveTryon (#​1137)
• Include empty files and relationships arrays in aggregated SBOMs by @​sfoslund (#​1136)
• Convert info message about invalid aggregation input to warn by @​sfoslund (#​1135)
• Capture more package fields in MergeableContent by @​DaveTryon (#​1134)
• Add correct relationships to MergeableContent by @​DaveTryon (#​1133)
• Fix SBOM aggregation signing bug by @​sfoslund (#​1132)
• Add a simple class to wrap the SbomConsolidationWorkflow by @​DaveTryon (#​1130)
• Add aggregation telemetry by @​DaveTryon (#​1128)
• Add telemetry file path option to aggregate verb by @​sfoslund (#​1129)
• Rename Consolidation to Aggregation by @​DaveTryon (#​1127)
• Generated a consolidated SBOM by @​DaveTryon (#​1126)
• Do not require outputPath in consolidate config file by @​sfoslund (#​1124)
• Ignore SPDX 3.0 SBOMs in consolidation by @​sfoslund (#​1123)
• Running validation workflow in consolidate by @​sfoslund (#​1118)
• Follow try standard by @​DaveTryon (#​1121)
• remove pointless returns xml docs by @​SimonCropp (#​1112)
• Pass set of validated SBOMs to consolidation by @​DaveTryon (#​1119)
• Add plumbing to collect packages from SPDX 2.2 files by @​DaveTryon (#​1117)
• Adding validate plumbing to consolidate verb by @​sfoslund (#​1115)
• remove broken param docs by @​SimonCropp (#​1111)
• remove redundant interpolation by @​SimonCropp (#​1113)
• Add simple unit tests for SbomConsolidationWorkflow by @​DaveTryon (#​1114)
• Add SPDXFormatDetector for SPDX version detection by @​sfoslund (#​1108)
• JSON encode env var values before config file insertion by @​sfoslund (#​1109)
• Add config file for Consolidate action by @​DaveTryon (#​1110)
• SBOM content diff checker between SPDX 2.2 and SPDX 3.0 by @​pragnya17 (#​1011)
• Bump Microsoft.Build.Locator to 1.7.8, 1.9.1 by @dependabot[bot] (#​1102)
• Expand env vars included in input config files by @​sfoslund (#​1105)
• Complete the stubbed plumbing for Consolidate action by @​DaveTryon (#​1106)
• Add skeleton for consolidation action by @​DaveTryon (#​1104)
• Fix for package dependency bug by @​pragnya17 (#​1101)
• build(deps): bump stefanzweifel/git-auto-commit-action from 5.2.0 to 6.0.1 by @dependabot[bot] (#​1099)
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.0 by @dependabot[bot] (#​1100)
• Create GitHub-targeted artifacts by @​DaveTryon (#​1091)
• Add IsPackable to target condition by @​bording (#​1075)
• Properly account for the number of files validated in ValidationResult by @​joshuamay-ms (#​1095)
• remove build badge by @​SimonCropp (#​1085)
• remove redundant FileHashesDictionarySingleton by @​SimonCropp (#​1084)
• remove unused Program fields by @​SimonCropp (#​1086)
• remove some dead variables by @​SimonCropp (#​1087)
• disable this prefix convention by @​SimonCropp (#​1088)
  ... (truncated)

4.0.3

⚙️ Changes

• Bump component-detection from 5.2.13 to 5.2.19 by @​DaveTryon (#​1051)
• Add migration guide to V4 API by @​DaveTryon (#​1028)
• Add documentation for SPDX 3.0 by @​pragnya17 (#​1027)

4.0.2

API BREAKING CHANGES

• Please see #​1028 for details

New features

• This release enables SPDX 3.0 support in generation and validation (not yet in redaction). Specify the -mi:SPDX3.0 parameter on the command line to enable the new functionality. Please see #​1027 for more details.

⚙️ Changes

• Tidy interfaces just a bit by @​DaveTryon (#​1044)
• Generate only supported manifests, get target configs, and use SourcesProviders as the source of truth by @​pragnya17 (#​1043)
• Avoid Exception if an unsupported format is requested by @​DaveTryon (#​1034)
• Teach ManifestValidator about extensions by @​DaveTryon (#​1033)
• Rename NTIA to NTIAMin - no functional changes by @​DaveTryon (#​1031)
• Rename "Compliance" to "Conformance" by @​DaveTryon (#​1030)
• Add ability to pass additional telemetry data back from ISignValidator.Validate by @​DaveTryon (#​1026)
• Fix SPDX 3.0 relationship generation by @​pragnya17 (#​1015)
• Fix casing of ValidatedSbomFactory.CreateValidatedSBOM by @​DaveTryon (#​1023)
• Bug fix for supplier and suppliedBy for root package in SPDX 3.0 by @​pragnya17 (#​1019)
• NoAssertion bug for SBOM file and package generation by @​pragnya17 (#​1016)
• Package DependOnId bug fix by @​pragnya17 (#​1017)
• Add null check for SPDX 3.0 external identifiers by @​pragnya17 (#​1020)
• Update spdx22 external doc ref extension by @​pragnya17 (#​1018)
• Add AdditionalComponentDetectorArgs to RuntimeConfiguration by @​MichielOda (#​996)
• Add SPDX 3.0 extensions to convert to internal SBOM components by @​pragnya17 (#​1012)
• External Map generation bug by @​pragnya17 (#​1014)
• Introduce new telemetry method to record signature validation results by @​ZhengHong-Tan (#​1002)
• Write E2E tests for validation success and failure (SPDX 2.2 and 3.0) by @​pragnya17 (#​1005)
• Refactor SPDX 3.0 extension methods by @​pragnya17 (#​1001)
• Move spdx extensions to common utils and refactor SPDX 2.2 by @​pragnya17 (#​998)
• Validate compliance standard for SPDX 3.0 by @​pragnya17 (#​992)
• Fix SPDX 3.0 manifest missing files bug by @​pragnya17 (#​997)
• Add DotNet Component Adapter by @​grvillic (#​994)
• Don't run auto-comment workflow on PR's from forks by @​DaveTryon (#​1000)
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] (#​990)
• Delay E2E tests until other test projects have built by @​DaveTryon (#​985)
• Remove suppression of IDE0040 by @​DaveTryon (#​984)
• Address new warnings from .NET 9 by @​DaveTryon (#​982)
• Fix problems running E2E tests locally by @​DaveTryon (#​957)
• Refactor GenerationResult to restore the original behavior of writing JSON arrays for SPDX 2.2 by @​pragnya17 (#​975)
• Throw validation error if customer attempts to redact SPDX 3.0 SBOM by @​pragnya17 (#​977)
• build(deps): bump System.Threading.Tasks.Extensions from 4.6.0 to 4.6.1 by @dependabot[bot] (#​978)
• build(deps): bump Microsoft.Testing.Extensions.TrxReport from 1.6.2 to 1.6.3 by @dependabot[bot] (#​980)
• build(deps): bump actions/setup-dotnet from 4.3.0 to 4.3.1 by @dependabot[bot] (#​976)
• Manifest info name should be case insensitive by @​pragnya17 (#​973)
• Validate manifest info with attributes by @​pragnya17 (#​961)
• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @dependabot[bot] (#​966)
• Parsing SPDX 3.0 packages and validating with NTIA by @​pragnya17 (#​963)
• Generate singular SBOM based on manifestInfo parameter by @​pragnya17 (#​959)
• build(deps): bump Microsoft.Testing.Extensions.TrxReport from 1.5.3 to 1.6.2 by @dependabot[bot] (#​937)
• build(deps): bump Microsoft.NETFramework.ReferenceAssemblies, NuGet.Configuration and NuGet.Frameworks by @dependabot[bot] (#​960)
• API BREAKING CHANGE: Remove back-compat interface shims by @​DaveTryon (#​952)
  ... (truncated)

3.1.0

⚙️ Changes

• Add interface pin, split IConfiguration to be non-breaking by @​DaveTryon (#​919)
• Update metadata contract to be backcompatible with SPDX 2.2 parser by @​pragnya17 (#​918)
• Remove unnecessary parser errors which disallow syft SBOMs by @​sfoslund (#​917)
• Disable CodeQL until they fix the osx-arm64 problem by @​DaveTryon (#​916)
• build(deps): bump github/codeql-action from 3.28.3 to 3.28.8 by @dependabot[bot] (#​914)
• Specify correct image for running on osx-arm64 by @​DaveTryon (#​913)
• Update MSTest to metapackage and MTP by @​Youssef1313 (#​881)
• build(deps): bump actions/setup-dotnet from 4.2.0 to 4.3.0 by @dependabot[bot] (#​911)
• Target E2E tests with net472 only on Windows by @​DaveTryon (#​910)
• Bump GitHub Actions versions in sample code by @​rufer7 (#​908)
• build(deps): bump MSTest.TestAdapter from 3.7.2 to 3.7.3 by @dependabot[bot] (#​905)
• build(deps): bump MSTest.TestFramework from 3.7.2 to 3.7.3 by @dependabot[bot] (#​906)
• Enable MSTest analyzers by @​Youssef1313 (#​898)
• Address a targeted set of analyzer warnings by @​DaveTryon (#​901)
• Revert extra dependency that we added in #​758 by @​DaveTryon (#​902)
• Update CLI arg help text by @​sfoslund (#​899)
• Bump component-detection from 5.1.6 to 5.2.1 by @​DaveTryon (#​894)
• Remove FluentAssertions from tests by @​DaveTryon (#​896)
• build(deps): bump release-drafter/release-drafter from 6.0.0 to 6.1.0 by @dependabot[bot] (#​883)
• build(deps): bump Scrutor from 5.1.0 to 6.0.1 by @dependabot[bot] (#​872)
• build(deps): bump github/codeql-action from 3.28.0 to 3.28.3 by @dependabot[bot] (#​892)
• build(deps): bump coverlet.collector from 6.0.3 to 6.0.4 by @dependabot[bot] (#​882)
• build(deps): bump stefanzweifel/git-auto-commit-action from 5.0.1 to 5.1.0 by @dependabot[bot] (#​861)
• build(deps): bump System.Threading.Channels from 9.0.0 to 9.0.1 by @dependabot[bot] (#​871)
• Bump MSTest.Test* from 3.7.0 to 3.7.2 by @​DaveTryon (#​891)
• Add a workflow to comment on API changes by @​DaveTryon (#​885)
• Switch DataTestMethod to DataTestMethod (part 2) by @​DaveTryon (#​880)
• Switch DataTestMethod to TestMethod by @​Youssef1313 (#​849)
• Add skipBuildTagsForGitHubPullRequests setting to PR pipeline by @​sfoslund (#​879)
• Reenable SBOM targets e2e test by @​sfoslund (#​876)
• Remove GH action PR build by @​sfoslund (#​875)
• Add ADO PR build by @​sfoslund (#​874)
• Spdx 3.0 Parser for SBOM files by @​pragnya17 (#​860)
• Revert bump to Microsoft.Extensions.DependencyModel (Revert part of #​847) by @​DaveTryon (#​851)
• Pin ubuntu runner to 22.04 by @​DaveTryon (#​856)
• build(deps): bump Microsoft.Extensions.DependencyModel from 8.0.2 to 9.0.0 by @dependabot[bot] (#​847)
• Decouple test packages from release bits by @​DaveTryon (#​850)
• build(deps): bump coverlet.collector from 6.0.2 to 6.0.3 by @dependabot[bot] (#​846)
• Revert "build(deps): bump Microsoft.Extensions.DependencyModel" by @​DaveTryon (#​845)
• build(deps): bump FluentAssertions from 6.12.2 to 7.0.0 by @dependabot[bot] (#​818)
• build(deps): bump Microsoft.Extensions.DependencyModel from 8.0.2 to 9.0.0 by @dependabot[bot] (#​784)
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot[bot] (#​840)
• build(deps): bump Scrutor from 5.0.2 to 5.1.0 by @dependabot[bot] (#​842)
• build(deps): bump actions/setup-dotnet from 4.1.0 to 4.2.0 by @dependabot[bot] (#​843)
• build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot[bot] (#​832)
• build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.2 by @dependabot[bot] (#​838)
• Defining and generating spdx 3.0 json elements by @​pragnya17 (#​830)
• Add running unit tests to CI pipeline by @​sfoslund (#​835)
• Made the Timeout in LicenseInformationService configurable via CLI argument (#​584) by @​kidcline1 (#​773)
  ... (truncated)

3.0.1

⚙️ Changes

• Add support for osx-arm64 by @​DaveTryon (#​756)

3.0.0

⚙️ Changes

• BREAKING CHANGE : Update to .NET 8 versions of Component Detection by @​DaveTryon (#​755)
• BREAKING CHANGE : Include dependency tree data about nuget and maven packages by @​jalkire (#​746)
• Add dependency graph support to remaining ecosystems by @​jalkire (#​754)
• Fix typos and Markdown lint warnings by @​bact (#​740)
• build(deps): bump github/codeql-action from 3.26.8 to 3.26.13 by @​dependabot (#​753)
• build(deps): bump MSTest.TestFramework from 3.6.0 to 3.6.1 by @​dependabot (#​735)
• build(deps): bump MSTest.TestAdapter from 3.6.0 to 3.6.1 by @​dependabot (#​736)
• build(deps): bump Microsoft.Extensions.Http from 8.0.0 to 8.0.1 by @​dependabot (#​752)
• build(deps): bump Microsoft.Extensions.Hosting, Microsoft.Extensions.DependencyInjection.Abstractions, Microsoft.Extensions.DependencyInjection and Microsoft.Extensions.Logging.Abstractions by @​dependabot (#​749)
• Bump Microsoft.IO.Redist version by @​sfoslund (#​751)
• build(deps): bump NuGet.Configuration from 6.11.0 to 6.11.1 by @​dependabot (#​742)
• build(deps): bump actions/checkout from 4.2.0 to 4.2.1 by @​dependabot (#​741)
• Use tool-driven indents for *.props by @​DaveTryon (#​750)
• Address CVE-2024-43485 by updating System.Text.Json by @​DaveTryon (#​748)
• build(deps): bump Microsoft.Extensions.DependencyModel and System.Text.Json by @​dependabot (#​744)
• Deprecate .NET 6 support by @​DaveTryon (#​739)
• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @​dependabot (#​724)
• build(deps): bump MinVer from 5.0.0 to 6.0.0 by @​dependabot (#​695)
• build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 by @​dependabot (#​732)
• Make targets package a dev dependency and fix package supplier trimming by @​sfoslund (#​726)
• Include SBOM tool in targets nuget package by @​sfoslund (#​722)
• build(deps): bump Serilog.Sinks.Console and System.Threading.Channels by @​dependabot (#​648)
• build(deps): bump Serilog.Sinks.File and System.Threading.Channels by @​dependabot (#​632)
• build(deps): bump Serilog.Sinks.Async and System.Threading.Channels by @​dependabot (#​647)
• build(deps): bump Serilog.Sinks.Map and System.Threading.Channels by @​dependabot (#​631)
• build(deps): bump github/codeql-action from 3.26.7 to 3.26.8 by @​dependabot (#​720)

2.2.9

⚙️ Changes

• Add support for Conan package to spdx file again by @​tarun06 (#​549)
• build(deps): bump MSTest.TestAdapter from 3.5.2 to 3.6.0 by @​dependabot (#​701)
• build(deps): bump Microsoft.Build.Utilities.Core and Microsoft.Build.Framework by @​dependabot (#​699)
• build(deps): bump FluentAssertions from 6.12.0 to 6.12.1 by @​dependabot (#​698)
• build(deps): bump Moq from 4.20.70 to 4.20.72 by @​dependabot (#​697)
• build(deps): bump Microsoft.NET.Test.Sdk from 17.11.0 to 17.11.1 by @​dependabot (#​696)
• build(deps): bump MSTest.TestFramework from 3.5.2 to 3.6.0 by @​dependabot (#​702)
• Include multiple DirectoryExclusionList example in sbom-tool-cli-reference.md documentation by @​ChristophHornung (#​705)
• build(deps): bump github/codeql-action from 3.26.5 to 3.26.7 by @​dependabot (#​706)
• Use ComponentDetection 4.9.6 by @​DaveTryon (#​700)

Commits viewable in compare view.

Updated SonarAnalyzer.CSharp from 10.4.0.108396 to 10.18.0.131500.

Release notes

Sourced from SonarAnalyzer.CSharp's releases.

10.18

This releases focuses on fixing the false-positives that are raised on code making use of the new features in C# 14.

Improvement

• NET-2921 - Fix passthrough calculation in ModelBuilder
• NET-2903 - Remove manual extension methods
• NET-2895 - Cleanup handling of ParameterList of primary constructors

Task

• NET-2917 - Update RSPEC before 10.18 release

False Positive

• NET-2898 - Fix S2583/S2589 FP: Extension Members
• NET-2877 - Fix S2225 FP: Extension member
• NET-2832 - Fix S3063 FP: NullConditionalOperator
• NET-2825 - Fix S1144 FP: Partial events
• NET-2821 - Fix S3264 FP: Partial events
• NET-2805 - Fix S1144 FP: S1144 Is confused by Debugger Display attribute
• NET-2748 - Fix S3459 FP: NullConditional Assignment
• NET-2716 - Fix S2325 FP: Field Keyword
• NET-2712 - Fix S2953 FP: Extension block member
• NET-2707 - Fix S3877 FP: Equals method without IEquatable
• NET-2684 - Fix S7039 FP/FN: Null-conditional assignment
• NET-2672 - Fix S3928 FP: Extension block
• NET-2671 - Fix S2970 FP: Null Conditional Assignment
• NET-2668 - Fix S3398 FP: On private methods in C#​14 extensions classes
• NET-2644 - Fix S1144 FP: Always raises on private methods in extension block
• NET-2621 - Fix S2325 FP: Incorrectly reports on C# 14 extensions
• NET-2620 - Fix S4545 FP: Extension Methods
• NET-2391 - Fix S1121 FP: Extract (null-forgiving) assignment from expression
• NET-1914 - Fix S3264 FP: when using +=

False Negative

• NET-2813 - Fix S2292 FN: FieldKeyword
• NET-2681 - Fix S2692 FN: Support Spans

10.17



False Negative

• NET-2840 - Improve S2077: Support more methods

Task

• NET-2839 - Update RSPEC before 10.17 release

New Feature

• NET-2820 - ShimLayer: Implement Factory
• NET-2789 - ShimLayer Generator: Enums
• NET-2728 - ShimLayer Generator: SyntaxNodes

Bug

• NET-2816 - Fix S3603 AD0001: NRE when LocalFunction inside Record constructor in C#​7

Improvement

• NET-2722 - Activate new ShimLayer
• NET-2721 - Create diff for ShimLayer
• NET-2720 - Create ShimLayer projects

10.16.2

Rotations of binary signing keys

10.16.1

Rotations of binary signing keys

10.16

False Positive

• NET-1729 - Fix S2114 FP: list.AddRange(list) and list.Concat(list) are sensible

False Negative

• NET-399 - Fix S4790 FN: Support CryptographicOperations data methods

Bug

• NET-2686 - Fix S3604 AD0001: NRE with partial constructor

10.15

False Positive

• NET-2198 - Fix S1905 FP: Cast of default! expression is required
• NET-2197 - Fix S1905 FP: stackalloc and Span conversions
• NET-1641 - Fix S1905 FP: casting IEnumerable<string?> to IEnumerable<string>
• NET-2157 - Fix S2589 FP: Don't raise an issue after a delegate is invoked
• NET-2073 - Fix S2699 FP: Add support for FsCheck property tests
• NET-1537 - Fix S6964 FP: Don't raise on properties annotated with the BindRequiredAttribute

Improvement

• NET-2112 - Consider ExplodedNodes relevant if a successor would be relevant
• NET-2183 - SE: Set constraint on operation when learning from IsPattern

False Negative

• NET-429 - Fix S4275 FN: Support partial properties

Task

• NET-2208 - Update RSpec before release

10.14

Hey everyone,

This release mostly focuses on mitigating (NET-2196) a performance regression that was introduced in 10.13.

Improvement

• NET-2196 - Fix path algorithm for execution flows to mitigate performance regression
• NET-2177 - Improve how the Symbolic Execution engine handles exception paths
• NET-2135 - Support xUnit V3
• NET-2163 - Provide Interface for other plugins to add rules to VB.NET SonarWay profile

False Negative

• NET-235 - Fix S2053: Adjust required salt length to be 32 bytes

Task

• NET-2170 - Update RSPEC before 10.14 release

10.13

Hello everyone,

In this release, we've focused on:

• False positive fixes
• Enhancing S2259's secondary locations to provide clearer, step-by-step explanations of null pointer dereferences issues.

False Positives

• NET-2099 - Fix S3885 FP: Do not raise in ResolutionEventHandler
• NET-2023 - Fix S3257 FP: Array with target-typed new
• NET-1646 - Fix S3267 FP: Loops should be simplified with LINQ expressions
• NET-1588 - Fix S1066 FP: Combination of dynamic and out should not raise
• NET-882 - Fix S3257 FP: Don't raise for C# 10 and later when there's explicit delegate creation

Improvements

• NET-2095 - Improve incremental PR analysis path detection
• SE: S2259 - Improve secondary locations

10.12

This release brings the VB version of S6418 and a few FP and FN fixes.

New Rule

• NET-1379 - New Rule: Implement S6418 Hard-coded secrets are security-sensitive for VB.NET

False Positive

• NET-1526 - Fix S3267 FP: Only raise on IEnumerable

False Negative

• NET-1260 - Fix S1215 FN: GC.GetTotalMemory(forceFullCollection: true) should not be called
• NET-1258 - Fix S6678 FN: Lowercase placeholders in interpolated string
• NET-1255 - Fix S3267 FN: Logical operators are not supported

Task

• NET-2060 - Update RSPEC before 11.12 release

10.11

Hello everyone!
In this release we fixed a bunch of false positives and false negatives.
Additionally this version adds support for telemetry in order to gather information on feature usage. Telemetry, requires scanner 10.2.0 or greater.

False Positive

• NET-1522 - Fix S2068 FP: Do not raise on password:secret
• NET-1149 - Fix S3626 FP: Add exception when return statement is preceding local functions

False Negative

• NET-1263 - Fix S1871 FN: Nested if .. else if chain
• NET-1256 - S2068: Remove word boundary(\b) from regex
• NET-1254 - Fix S3878 FN: When params are passed as array through an attribute
• NET-1252 - FN S1168: Support IndexerDeclaration and ConversionOperatorDeclaration
• NET-459 - Fix S1168 FN: Add support for partial indexers

10.10.1

Bugfix release to fix combability with SonarQube Cloud + a simplification to the ProfileRegistrar

Task

• NET-1463 - Update RSPEC before 10.10.1 release
• NET-1461 - Make CSharpSonarWayProfile be compatible and simplify ProfileRegistrar

10.10

Hey everyone, this release mostly focuses on internal and technical things.

General

• NET-1444 - Move ProfileRegistrar to org.sonar.plugins.csharpenterprise.api
• NET-1326 - Update RSPEC before 10.10 release

Internal Styling Rules

• NET-1378 - New Rule T0045: Use var
• NET-1359 - New Rule T0043: Avoid primary constructors on normal classes and structs
• NET-1358 - New Rule T0042: Indent raw string literal +4
• NET-1357 - New Rule T0041: Use raw string literals for multiline strings
• NET-1356 - New Rule T0040: Use minimum necessary interpolation characters
• NET-1355 - New Rule T0039: Protected field should start with lower case letter
• NET-1354 - New Rule T0038: Use fields instead of auto-implemented private or protected properties
• NET-1347 - New Rule T0000: Don't use Get prefixes
• NET-1346 - New Rule T0037: Use .Test suffix namespace
• NET-1345 - New rule T0046: Move extension method to dedicated class
• NET-1344 - New Rule T0035: Do not use var for this deconstruction
• NET-1343 - New Rule T0034: Do not embed var into this condition
• NET-1342 - New Rule T0033: Swap the logic to use positive conditions instead
• NET-1341 - New Rule T0032: Move the method body to the next line
• NET-1339 - New Rule T0030: Move the field initializer on the same line
• NET-1338 - New Rule T0029: Indent all arguments +4 further than the invocation line
• NET-1337 - New Rule T0028: Move all arguments on the same line, or wrap all of them
• NET-1336 - New Rule T0027: Move subsequent expressions on separate lines
• NET-1335 - New Rule T0026: Indent member access +4 further than the initial line
• NET-1334 - New Rule T0025: Indent ‘?’ and ‘:’ +4 further than the condition line
• NET-1333 - New Rule T0024: Place multiline ‘?’ and ‘:’ on separate lines
• NET-1332 - New Rule T0022: Indent all parameters with the first one
• NET-1331 - New Rule T0021: Use extension methods for Linq
• NET-1329 - New Rule T0019: Indent operator correctly
• NET-1328 - New Rule T0018: Move the operator to the beginning of the next line
• NET-1327 - New Rule T0015: Move local function at the end of the method
• NET-1237 - New Rule T0044: Don't add Arrange, Act, and Assert(s) comments
• NET-1325 - Improve T0007: Raise on nondeclaring is { } check

10.9

Hello everyone!

This is a mega-hardening release! Enjoy 😄

False Positive

• NET-1309 - Fix S2583 FP: Support overrides in IsImplementingInterfaceMember
• NET-1308 - Fix S2583 FP: Add support for AdressOf operator
• NET-1302 - Fix S4158 FP: Don't raise on GetEnumerator() calls
• NET-1295 - Fix S3236 FP: Exclude Debug.Assert
• NET-1290 - Fix S4158 FP: Support RouteValueDictionary in AspNetCore
• NET-1289 - Fix S4158 FP: Adding methods with well defined sematics
• NET-1288 - Fix S4158 FP: Recognize Add methods with bool return type
• NET-1287 - Fix S4158 FP: Don't raise on SetValue
• NET-1280 - Fix S2342 FP: Flaky reports
• NET-1278 - Fix S3440 FP: Variable assignment and switch expression
• NET-1246 - Fix S1481 FP: Don't report on discard like looking variables
• NET-1242 - Fix S2583/S4158 FP: Support for collections that are initialized with object
• NET-1241 - Fix S2589 FP: Don't tr....

Description has been truncated