6.0.0

[6.0.0] - 2026-02-08

⚠️ WARNING: This is a MAJOR release with breaking changes.

This release includes multiple significant changes that may affect compatibility:

1. Removed deprecated CLI arguments - Several CLI flags have been removed. Scripts, CI/CD pipelines, and automation using these flags will break.
2. Upgraded to .NET 10 - Runtime requirements have changed.
3. Updated System.CommandLine - Upgraded from beta4 to v2.0.0 final, which includes breaking API changes that may affect command-line behavior.
4. Updated dependency versions - NuGet packages, System.IO.Abstractions, and other dependencies have been upgraded.

Action required: Test thoroughly in a non-production environment before upgrading. Review all sections below for changes that may affect your use case.

Breaking Changes

• Remove deprecated CLI arguments (#996, 0ae5d6a)

  • Removed -f flag (replaced by -fn/--filename)
  • Removed -d flag (replaced by -ed/--exclude-dev)
  • Removed -r flag (replaced by -rs/--scan-project-references)
  • Removed --disable-github-licenses/-dgl flag (already default behavior)
  • Note: --out and --json flag were not removed in this release for backward compatibility but are still deprecated and will be removed in a future release.

• Upgraded System.CommandLine to v2.0.0 (#989, e11f8e7)

  • Upgraded from 2.0.0-beta4.22272.1 to 2.0.0 (stable release)
  • This version includes breaking API changes from the beta
  • Command-line parsing behavior may differ in edge cases

• Minimum .NET runtime requirement (#989, e11f8e7)

  • Now requires .NET 10 runtime (upgraded from .NET 9)
  • Docker images now use mcr.microsoft.com/dotnet/sdk:10.0

Added

• Documentation update (#987, f041ac2)
  • Added .slnx format to supported file types in README

Changed

• Dockerfile improvements (#993, edf2bd9)

  • Implemented multi-stage build (build + runtime stages) for smaller images
  • Changed from tool installation to direct publish deployment
  • Added environment variables for non-root execution: DOTNET_CLI_HOME, NUGET_PACKAGES
  • Made /tmp/dotnet-home and /tmp/nuget-packages writable for any user (chmod 0755)
  • Changed entrypoint from CycloneDX to dotnet /app/CycloneDX.dll
  • Fixed handling when no path argument is provided (now shows help instead of error)
  • Made path argument optional with ArgumentArity.ZeroOrOne

• Upgrade to .NET 10 (#989, e11f8e7)

  • Updated target framework to net10.0
  • Updated SDK image to mcr.microsoft.com/dotnet/sdk:10.0
  • Updated System.IO.Abstractions from 21.0.2 to 22.1.0
  • Updated test runner packages (xunit.runner.visualstudio, coverlet.collector)
  • Fixed devcontainer Ubuntu 22.04 Dockerfile

• Dependency updates

  • actions/checkout: 5.0.0 → 6.0.1 (#986, #991)
  • actions/upload-artifact: 4.6.2 → 5.0.0 (#979)
  • actions/setup-dotnet: 5.0.0 → 5.0.1 (#988)
  • danielpalme/ReportGenerator-GitHub-Action (version bump) (#992)

Fixed

• The error message, telling users what file types are valid, now also include the supported .slnx type.

Security

• Workflow security hardening (#975, 39b8986)

  • Changed global permissions: contents: read to permissions: read-all
  • Follows principle of least privilege by limiting default permissions

• Pin GitHub Actions versions (1145c82)

  • Pinned all GitHub Actions to specific commit SHAs for reproducibility

• Enable NuGet package locking (#972, fad44df)

  • Added packages.lock.json files for both main and test projects
  • Enabled RestorePackagesWithLockFile in Directory.Build.props
  • Updated CI/CD workflows to use locked restore

• Update NuGet dependencies (#973, e930da1)

  • Bumped NuGet.ProjectModel from 6.9.1 to 6.14.0
  • Bumped NuGet.Protocol from 6.9.1 to 6.14.0

5.5.0

🚀 CycloneDX .NET v5.5.0 Release Notes

✨ Features

• Added a spec version option to the CLI, allowing users to specify the desired CycloneDX specification version. [#958](#958) (thanks [@ben-hamida](https://github.com/ben-hamida))

🐛 Bug Fixes

• Fixed incorrect resolution of .csproj file locations in .slnf files — paths are now correctly resolved relative to the .sln file. [#967](#967) (thanks [@uo-uhbc](https://github.com/uo-uhbc))
• Updated IsTestProject detection to use the correct XML namespace when parsing project files. [#938](#938) (thanks [@benavidezb](https://github.com/benavidezb))

👥 New Contributors

• [@uo-uhbc](https://github.com/uo-uhbc) made their first contribution in [#967](#967)
• [@benavidezb](https://github.com/benavidezb) made their first contribution in [#938](#938)
• [@ben-hamida](https://github.com/ben-hamida) made their first contribution in [#958](#958)

📜 Full Changelog

[v5.4.0 → v5.5.0](v5.4.0...v5.5.0)

---

5.4.0

What's Changed

• Add support for solution filter file (#853) by @michha in #920

New Contributors

• @michha made their first contribution in #920

Full Changelog: v5.3.2...v5.4.0

5.3.2

🚀 CycloneDX .NET v5.3.2 Release Notes

🛠 Performance Improvement

Addressed the performance regression introduced in v5.3.1 that caused longer execution times. The CLI now attempts to locate the project.assets.json at its default location before falling back to invoking dotnet msbuild, restoring execution speed for projects that use the default /obj directory. #960

📜 Full Changelog

v5.3.1 → v5.3.2

5.3.1

🚀 CycloneDX .NET v5.3.1 Release Notes

Known Issue: Performance Degradation

We’re aware of a performance problems introduced in v5.3.1 that can significantly increase execution time, most likely when scanning large .sln files. SBOM generation may take noticeably longer compared to previous versions. We're investigating the root cause and working on improvements for a future release.

✅ This has been fixed in v5.3.2

✨ Features

• Analyzer Support for MSBuild-based project.assets.json Resolution – The CLI now supports analysis of MSBuild-based projects by resolving project.assets.json using MSBuild context. This improves compatibility with SDK-style projects. #952.

• New --output-format Parameter (Replaces --json) – A new --output-format parameter has been added, allowing explicit selection of output format (json, xml, unsafejson, or auto).
  ⚠️ The previously used --json flag is now deprecated and will be removed in a future release. Use --format json instead for the same behavior—with more flexibility.
  (https://github.com/mtsfoni) in #953.

• CycloneDX Format v1.6.1 – BOMs are now generated using the CycloneDX 1.6.1 specification, ensuring compatibility with the latest schema and supporting new fields/features defined in the spec.

📜 Full Changelog: v5.2.0 → v5.3.1

5.2.0

What's Changed

• Fix Error with Uppercase Characters in Version Strings by @JohnHunhoff in #902
• Add exclude filter option by @t-castelan in #939

New Contributors

• @JohnHunhoff made their first contribution in #902
• @t-castelan made their first contribution in #939

Full Changelog: v5.1.1...v5.2.0

5.1.1

Fixes a null reference exception that can occur in v5.1.0

Full Changelog: v5.1.0...v5.1.1

5.1.0

Caution

This version is defect, use v5.1.1 instead

🚀 CycloneDX .NET v5.1.0 Release Notes

✨ Features

• Trim License URL Whitespace – NuGet allows whitespaces in the license URL, which are now trimmed instead of creating invalid SBOM. Thanks to #935.
• Support for .slnx Solutions – Added support for analyzing .slnx solutions. Thanks to @MMonrad in #933.
• PURL in Metadata Component – Added an option to automatically generate Package URL (PURL) in the metadata component. Thanks to @Falco20019 in #931.

🛠️ Fixes

• Transitive Dev Dependency Handling – Fixed an issue where referenced projects with transitive dependencies that were dev dependencies caused the generation to fail. See [#934.]

🧪 Tests & Maintenance

• Test for Issue #911 – Added a test case to reproduce an issue. Thanks to @jesperolsson-se in #912.

🆕 New Contributors

A warm welcome to our first-time contributors:

• @MMonrad in #933
• @jesperolsson-se in #912

📜 Full Changelog: v5.0.1 → v5.1.0

5.0.1

🚀 CycloneDX .NET v5.0.1 Release Notes

🛠️ Fixes

• VCS URL Normalization – Resolved schema validation errors caused by Git-style URLs (e.g., git@github.com:user/repo.git) by converting them to valid URL formats, enhancing compatibility with tools like Dependency-Track. Thanks to @Alex-Stevens in #910. Issue #890

📦 Dependency Updates

• Upgraded xunit from 2.7.0 to 2.9.3 by @dependabot in #924.
• Upgraded xunit.runner.visualstudio from 2.5.7 to 3.0.1 by @dependabot in #925.

🆕 New Contributors

A big thank you to our first-time contributor:

• @Alex-Stevens in #910

📜 Full Changelog: v5.0.0 → v5.0.1

5.0.0

🚀 CycloneDX .NET v5.0.0 Release Notes

🔥 Breaking Changes

• cyclonedx-dotnet no longer runs on .NET 6 and .NET 7. However, you can still generate SBOMs for applications targeting these versions.

✨ What's New

• Improved Logging – Now logs package and version details when unzipping fails, thanks to @pregress in #922.
• .NET 9 Support – cyclonedx-dotnet now runs on .NET 9 by @nathan-mittelette in #914.

🆕 New Contributors

A big thank you to our first-time contributors:

• @nathan-mittelette in #914
• @pregress in #922

📜 Full Changelog: [v4.2.0 → v5.0.0](v4.2.0...v5.0.0)