
chore: Bump Microsoft.Sbom.Targets from 3.0.1 to 4.1.5 #227

Merged: AbongileBoja merged 1 commit into develop from dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 on Apr 28, 2026


@dependabot dependabot Bot commented on behalf of github Apr 28, 2026

Updated Microsoft.Sbom.Targets from 3.0.1 to 4.1.5.

Release notes

Sourced from Microsoft.Sbom.Targets's releases.

4.1.5

⚙️ Changes

  • Bump component detection to 6.2.1 by @​sebasgomez238 (#​1359)
  • Fix CG alert - .NET SDK by @​ZhengHong-Tan (#​1334)
  • Remove GH packages release step from pipeline by @​sfoslund (#​1333)
  • Fix release pipeline internal feed release by @​sfoslund (#​1325)

4.1.4

⚙️ Changes

  • Fix release pipeline internal feed release by @​sfoslund (#​1325)
  • Fix release pipeline internal feed logic by @​sfoslund (#​1324)
  • Major version bump for Component Detection by @​jlperkins (#​1323)
  • Fix validation errors for SBOM tool release by @​pragnya17 (#​1282)
  • Bump Microsoft.Build, Microsoft.Build.Framework, and Microsoft.Build.Utilities.Core by @dependabot[bot] (#​1276)
  • Revert "Update pipeline to use shared service connection" by @​pragnya17 (#​1275)
  • Bump System.Threading.Channels from 9.0.8 to 9.0.10 by @dependabot[bot] (#​1273)
  • Update pipeline to use shared service connection by @​pragnya17 (#​1262)

4.1.3

⚙️ Changes

  • Fix validation errors for SBOM tool release by @​pragnya17 (#​1282)
  • Bump Microsoft.Build, Microsoft.Build.Framework, and Microsoft.Build.Utilities.Core by @dependabot[bot] (#​1276)
  • Revert "Update pipeline to use shared service connection" by @​pragnya17 (#​1275)
  • Bump System.Threading.Channels from 9.0.8 to 9.0.10 by @dependabot[bot] (#​1273)
  • Update pipeline to use shared service connection by @​pragnya17 (#​1262)
  • Bump Microsoft.ComponentDetection.Contracts from 5.2.19 to 5.2.27 by @dependabot[bot] (#​1204)
  • Update readme to reflect new contribution policy by @​alisonlomaka (#​1235)
  • Bump NuGet.Configuration from 6.13.2 to 6.14.0 by @dependabot[bot] (#​1178)
  • Bump NuGet.Frameworks from 6.13.2 to 6.14.0 by @dependabot[bot] (#​1179)
  • Bump System.Linq.Async from 6.0.1 to 6.0.3 by @dependabot[bot] (#​1184)
  • Bump Scrutor from 6.0.1 to 6.1.0 by @dependabot[bot] (#​1181)
  • Bump Newtonsoft.Json from 13.0.3 to 13.0.4 by @dependabot[bot] (#​1226)
  • Bump actions/setup-dotnet from 4.3.1 to 5.0.0 by @dependabot[bot] (#​1202)
  • Bump System.Text.Json from 9.0.2 to 9.0.9 by @dependabot[bot] (#​1218)
  • Bump actions/github-script from 7.0.1 to 8.0.0 by @dependabot[bot] (#​1207)
  • Bump github/codeql-action from 3.29.11 to 3.30.3 by @dependabot[bot] (#​1219)
  • Convert SBOM tool release pipeline from classic to governed by @​pragnya17 (#​1212)
  • Bump Microsoft.VisualStudio.Threading.Analyzers from 17.12.19 to 17.14.15 by @dependabot[bot] (#​1176)
  • Bump System.Threading.Channels from 9.0.2 to 9.0.8 by @dependabot[bot] (#​1186)
  • Bump System.Threading.Tasks.Extensions from 4.6.1 to 4.6.3 by @dependabot[bot] (#​1187)
  • Bump github/codeql-action from 3.29.3 to 3.29.11 by @dependabot[bot] (#​1164)
  • Bump actions/checkout from 4 to 5 by @dependabot[bot] (#​1156)

4.1.2

  • Add COSE paths to SbomConfig by @​JoseRenan (#​1152)
  • Exit with appropriate exit code when providing version by @​GDWR (#​1161)

4.1.1

⚙️ Changes

  • Temporarily make NI policy permissive by @​pragnya17 (#​1157)
  • Scope FileHasher awaiting to just aggregation by @​DaveTryon (#​1160)
  • Add telemetry to record depends on relationships by @​pragnya17 (#​1153)
  • Exclude samples folder from externaldocreferences by @​DaveTryon (#​1146)

4.1.0

⚙️ Changes

  • Fix externalRefs parser bug by @​jlperkins (#​1147)
  • Add aggregation docs by @​DaveTryon (#​1145)
  • Bump github/codeql-action from 3.29.0 to 3.29.3 by @dependabot[bot] (#​1144)
  • Ignore SHA1 codeQL warnings by @​sfoslund (#​1143)
  • Refactor constructor for Generator class by @​DaveTryon (#​1142)
  • Add E2E tests for aggregation, fix race condition by @​DaveTryon (#​1141)
  • Include package relationships when aggregating by @​DaveTryon (#​1139)
  • Ignore SHA1 codeQL warnings by @​sfoslund (#​1138)
  • Restore writing of root dependencies by @​DaveTryon (#​1137)
  • Include empty files and relationships arrays in aggregated SBOMs by @​sfoslund (#​1136)
  • Convert info message about invalid aggregation input to warn by @​sfoslund (#​1135)
  • Capture more package fields in MergeableContent by @​DaveTryon (#​1134)
  • Add correct relationships to MergeableContent by @​DaveTryon (#​1133)
  • Fix SBOM aggregation signing bug by @​sfoslund (#​1132)
  • Add a simple class to wrap the SbomConsolidationWorkflow by @​DaveTryon (#​1130)
  • Add aggregation telemetry by @​DaveTryon (#​1128)
  • Add telemetry file path option to aggregate verb by @​sfoslund (#​1129)
  • Rename Consolidation to Aggregation by @​DaveTryon (#​1127)
  • Generated a consolidated SBOM by @​DaveTryon (#​1126)
  • Do not require outputPath in consolidate config file by @​sfoslund (#​1124)
  • Ignore SPDX 3.0 SBOMs in consolidation by @​sfoslund (#​1123)
  • Running validation workflow in consolidate by @​sfoslund (#​1118)
  • Follow try standard by @​DaveTryon (#​1121)
  • remove pointless returns xml docs by @​SimonCropp (#​1112)
  • Pass set of validated SBOMs to consolidation by @​DaveTryon (#​1119)
  • Add plumbing to collect packages from SPDX 2.2 files by @​DaveTryon (#​1117)
  • Adding validate plumbing to consolidate verb by @​sfoslund (#​1115)
  • remove broken param docs by @​SimonCropp (#​1111)
  • remove redundant interpolation by @​SimonCropp (#​1113)
  • Add simple unit tests for SbomConsolidationWorkflow by @​DaveTryon (#​1114)
  • Add SPDXFormatDetector for SPDX version detection by @​sfoslund (#​1108)
  • JSON encode env var values before config file insertion by @​sfoslund (#​1109)
  • Add config file for Consolidate action by @​DaveTryon (#​1110)
  • SBOM content diff checker between SPDX 2.2 and SPDX 3.0 by @​pragnya17 (#​1011)
  • Bump Microsoft.Build.Locator to 1.7.8, 1.9.1 by @dependabot[bot] (#​1102)
  • Expand env vars included in input config files by @​sfoslund (#​1105)
  • Complete the stubbed plumbing for Consolidate action by @​DaveTryon (#​1106)
  • Add skeleton for consolidation action by @​DaveTryon (#​1104)
  • Fix for package dependency bug by @​pragnya17 (#​1101)
  • build(deps): bump stefanzweifel/git-auto-commit-action from 5.2.0 to 6.0.1 by @dependabot[bot] (#​1099)
  • build(deps): bump github/codeql-action from 3.28.18 to 3.29.0 by @dependabot[bot] (#​1100)
  • Create GitHub-targeted artifacts by @​DaveTryon (#​1091)
  • Add IsPackable to target condition by @​bording (#​1075)
  • Properly account for the number of files validated in ValidationResult by @​joshuamay-ms (#​1095)
  • remove build badge by @​SimonCropp (#​1085)
  • remove redundant FileHashesDictionarySingleton by @​SimonCropp (#​1084)
  • remove unused Program fields by @​SimonCropp (#​1086)
  • remove some dead variables by @​SimonCropp (#​1087)
  • disable this prefix convention by @​SimonCropp (#​1088)
    ... (truncated)

4.0.3

⚙️ Changes

  • Bump component-detection from 5.2.13 to 5.2.19 by @​DaveTryon (#​1051)
  • Add migration guide to V4 API by @​DaveTryon (#​1028)
  • Add documentation for SPDX 3.0 by @​pragnya17 (#​1027)

4.0.2

API BREAKING CHANGES

  • Please see #​1028 for details

New features

  • This release enables SPDX 3.0 support in generation and validation (not yet in redaction). Specify the -mi:SPDX3.0 parameter on the command line to enable the new functionality. Please see #​1027 for more details.

⚙️ Changes

  • Tidy interfaces just a bit by @​DaveTryon (#​1044)
  • Generate only supported manifests, get target configs, and use SourcesProviders as the source of truth by @​pragnya17 (#​1043)
  • Avoid Exception if an unsupported format is requested by @​DaveTryon (#​1034)
  • Teach ManifestValidator about extensions by @​DaveTryon (#​1033)
  • Rename NTIA to NTIAMin - no functional changes by @​DaveTryon (#​1031)
  • Rename "Compliance" to "Conformance" by @​DaveTryon (#​1030)
  • Add ability to pass additional telemetry data back from ISignValidator.Validate by @​DaveTryon (#​1026)
  • Fix SPDX 3.0 relationship generation by @​pragnya17 (#​1015)
  • Fix casing of ValidatedSbomFactory.CreateValidatedSBOM by @​DaveTryon (#​1023)
  • Bug fix for supplier and suppliedBy for root package in SPDX 3.0 by @​pragnya17 (#​1019)
  • NoAssertion bug for SBOM file and package generation by @​pragnya17 (#​1016)
  • Package DependOnId bug fix by @​pragnya17 (#​1017)
  • Add null check for SPDX 3.0 external identifiers by @​pragnya17 (#​1020)
  • Update spdx22 external doc ref extension by @​pragnya17 (#​1018)
  • Add AdditionalComponentDetectorArgs to RuntimeConfiguration by @​MichielOda (#​996)
  • Add SPDX 3.0 extensions to convert to internal SBOM components by @​pragnya17 (#​1012)
  • External Map generation bug by @​pragnya17 (#​1014)
  • Introduce new telemetry method to record signature validation results by @​ZhengHong-Tan (#​1002)
  • Write E2E tests for validation success and failure (SPDX 2.2 and 3.0) by @​pragnya17 (#​1005)
  • Refactor SPDX 3.0 extension methods by @​pragnya17 (#​1001)
  • Move spdx extensions to common utils and refactor SPDX 2.2 by @​pragnya17 (#​998)
  • Validate compliance standard for SPDX 3.0 by @​pragnya17 (#​992)
  • Fix SPDX 3.0 manifest missing files bug by @​pragnya17 (#​997)
  • Add DotNet Component Adapter by @​grvillic (#​994)
  • Don't run auto-comment workflow on PR's from forks by @​DaveTryon (#​1000)
  • build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] (#​990)
  • Delay E2E tests until other test projects have built by @​DaveTryon (#​985)
  • Remove suppression of IDE0040 by @​DaveTryon (#​984)
  • Address new warnings from .NET 9 by @​DaveTryon (#​982)
  • Fix problems running E2E tests locally by @​DaveTryon (#​957)
  • Refactor GenerationResult to restore the original behavior of writing JSON arrays for SPDX 2.2 by @​pragnya17 (#​975)
  • Throw validation error if customer attempts to redact SPDX 3.0 SBOM by @​pragnya17 (#​977)
  • build(deps): bump System.Threading.Tasks.Extensions from 4.6.0 to 4.6.1 by @dependabot[bot] (#​978)
  • build(deps): bump Microsoft.Testing.Extensions.TrxReport from 1.6.2 to 1.6.3 by @dependabot[bot] (#​980)
  • build(deps): bump actions/setup-dotnet from 4.3.0 to 4.3.1 by @dependabot[bot] (#​976)
  • Manifest info name should be case insensitive by @​pragnya17 (#​973)
  • Validate manifest info with attributes by @​pragnya17 (#​961)
  • build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @dependabot[bot] (#​966)
  • Parsing SPDX 3.0 packages and validating with NTIA by @​pragnya17 (#​963)
  • Generate singular SBOM based on manifestInfo parameter by @​pragnya17 (#​959)
  • build(deps): bump Microsoft.Testing.Extensions.TrxReport from 1.5.3 to 1.6.2 by @dependabot[bot] (#​937)
  • build(deps): bump Microsoft.NETFramework.ReferenceAssemblies, NuGet.Configuration and NuGet.Frameworks by @dependabot[bot] (#​960)
  • API BREAKING CHANGE: Remove back-compat interface shims by @​DaveTryon (#​952)
    ... (truncated)

3.1.0

⚙️ Changes

  • Add interface pin, split IConfiguration to be non-breaking by @​DaveTryon (#​919)
  • Update metadata contract to be backcompatible with SPDX 2.2 parser by @​pragnya17 (#​918)
  • Remove unnecessary parser errors which disallow syft SBOMs by @​sfoslund (#​917)
  • Disable CodeQL until they fix the osx-arm64 problem by @​DaveTryon (#​916)
  • build(deps): bump github/codeql-action from 3.28.3 to 3.28.8 by @dependabot[bot] (#​914)
  • Specify correct image for running on osx-arm64 by @​DaveTryon (#​913)
  • Update MSTest to metapackage and MTP by @​Youssef1313 (#​881)
  • build(deps): bump actions/setup-dotnet from 4.2.0 to 4.3.0 by @dependabot[bot] (#​911)
  • Target E2E tests with net472 only on Windows by @​DaveTryon (#​910)
  • Bump GitHub Actions versions in sample code by @​rufer7 (#​908)
  • build(deps): bump MSTest.TestAdapter from 3.7.2 to 3.7.3 by @dependabot[bot] (#​905)
  • build(deps): bump MSTest.TestFramework from 3.7.2 to 3.7.3 by @dependabot[bot] (#​906)
  • Enable MSTest analyzers by @​Youssef1313 (#​898)
  • Address a targeted set of analyzer warnings by @​DaveTryon (#​901)
  • Revert extra dependency that we added in #​758 by @​DaveTryon (#​902)
  • Update CLI arg help text by @​sfoslund (#​899)
  • Bump component-detection from 5.1.6 to 5.2.1 by @​DaveTryon (#​894)
  • Remove FluentAssertions from tests by @​DaveTryon (#​896)
  • build(deps): bump release-drafter/release-drafter from 6.0.0 to 6.1.0 by @dependabot[bot] (#​883)
  • build(deps): bump Scrutor from 5.1.0 to 6.0.1 by @dependabot[bot] (#​872)
  • build(deps): bump github/codeql-action from 3.28.0 to 3.28.3 by @dependabot[bot] (#​892)
  • build(deps): bump coverlet.collector from 6.0.3 to 6.0.4 by @dependabot[bot] (#​882)
  • build(deps): bump stefanzweifel/git-auto-commit-action from 5.0.1 to 5.1.0 by @dependabot[bot] (#​861)
  • build(deps): bump System.Threading.Channels from 9.0.0 to 9.0.1 by @dependabot[bot] (#​871)
  • Bump MSTest.Test* from 3.7.0 to 3.7.2 by @​DaveTryon (#​891)
  • Add a workflow to comment on API changes by @​DaveTryon (#​885)
  • Switch DataTestMethod to DataTestMethod (part 2) by @​DaveTryon (#​880)
  • Switch DataTestMethod to TestMethod by @​Youssef1313 (#​849)
  • Add skipBuildTagsForGitHubPullRequests setting to PR pipeline by @​sfoslund (#​879)
  • Reenable SBOM targets e2e test by @​sfoslund (#​876)
  • Remove GH action PR build by @​sfoslund (#​875)
  • Add ADO PR build by @​sfoslund (#​874)
  • Spdx 3.0 Parser for SBOM files by @​pragnya17 (#​860)
  • Revert bump to Microsoft.Extensions.DependencyModel (Revert part of #​847) by @​DaveTryon (#​851)
  • Pin ubuntu runner to 22.04 by @​DaveTryon (#​856)
  • build(deps): bump Microsoft.Extensions.DependencyModel from 8.0.2 to 9.0.0 by @dependabot[bot] (#​847)
  • Decouple test packages from release bits by @​DaveTryon (#​850)
  • build(deps): bump coverlet.collector from 6.0.2 to 6.0.3 by @dependabot[bot] (#​846)
  • Revert "build(deps): bump Microsoft.Extensions.DependencyModel" by @​DaveTryon (#​845)
  • build(deps): bump FluentAssertions from 6.12.2 to 7.0.0 by @dependabot[bot] (#​818)
  • build(deps): bump Microsoft.Extensions.DependencyModel from 8.0.2 to 9.0.0 by @dependabot[bot] (#​784)
  • build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot[bot] (#​840)
  • build(deps): bump Scrutor from 5.0.2 to 5.1.0 by @dependabot[bot] (#​842)
  • build(deps): bump actions/setup-dotnet from 4.1.0 to 4.2.0 by @dependabot[bot] (#​843)
  • build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot[bot] (#​832)
  • build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.2 by @dependabot[bot] (#​838)
  • Defining and generating spdx 3.0 json elements by @​pragnya17 (#​830)
  • Add running unit tests to CI pipeline by @​sfoslund (#​835)
  • Made the Timeout in LicenseInformationService configurable via CLI argument (#​584) by @​kidcline1 (#​773)
    ... (truncated)

Commits viewable in compare view.


dependabot Bot commented on behalf of github Apr 28, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 branch 2 times, most recently from a134705 to 022e07b, April 28, 2026 14:46
@AbongileBoja (Owner):

@dependabot recreate

@dependabot dependabot Bot changed the title from "deps: Bump Microsoft.Sbom.Targets from 3.0.1 to 4.1.5" to "chore: Bump Microsoft.Sbom.Targets from 3.0.1 to 4.1.5", Apr 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 branch 2 times, most recently from 2eb227e to 8f67af9, April 28, 2026 16:00
@AbongileBoja AbongileBoja enabled auto-merge (squash) April 28, 2026 16:03
@AbongileBoja (Owner):

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 branch from 8f67af9 to d03c49c, April 28, 2026 16:11
---
updated-dependencies:
- dependency-name: Microsoft.Sbom.Targets
  dependency-version: 4.1.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 branch from d03c49c to 39870e5, April 28, 2026 17:02
@github-actions:

Code Coverage

| Package | Line Rate | Branch Rate | Complexity | Health |
|---|---|---|---|---|
| QuerySpec.Analyzers | 93% | 84% | 133 | |
| QuerySpec.Analyzers.CodeFixes | 90% | 70% | 50 | |
| QuerySpec.Core | 93% | 84% | 959 | |
| QuerySpec.DependencyInjection | 92% | 75% | 43 | |
| QuerySpec.EFCore | 86% | 77% | 303 | |
| Summary | 91% (2118 / 2316) | 81% (930 / 1143) | 1488 | |

@AbongileBoja AbongileBoja merged commit 6915779 into develop Apr 28, 2026
12 checks passed
@dependabot dependabot Bot deleted the dependabot/nuget/develop/Microsoft.Sbom.Targets-4.1.5 branch April 28, 2026 17:08