Bump cyclonedx from 6.1.0 to 6.2.0

[dependabot]

Updated cyclonedx from 6.1.0 to 6.2.0.

Release notes

Sourced from cyclonedx's releases.

6.2.0

Added

• `--configuration` / `-c` CLI option (#​1056, fixes #​1028) — passes `-p:Configuration=` to `dotnet restore` so MSBuild evaluates conditional `PackageReference` items during restore. Configuration-specific packages (e.g. debug-only `Avalonia.Diagnostics`) are no longer included in the SBOM when a Release configuration is requested.
• NuGet license file support (#​1011, #​1002) — packages declaring `` now have their license file embedded as base64-encoded text in the BOM when `--include-license-text` is specified; without the flag the license is still detected but not embedded

Fixed

• Suppress `aka.ms/deprecateLicenseUrl` stub URL (#​1011) — NuGet auto-injects `https://aka.ms/deprecateLicenseUrl\` into `` for packages packed with ``; this URL is now correctly ignored rather than being emitted as a license entry in the BOM
• Fix null-URL license stub (#​1011) — packages with no `` no longer produce a spurious `License { Name="Unknown - See URL", Url=null }` node in the BOM
• Fix `UNLICENSED` emitted as SPDX id (#​1004, fixes #​915) — `UNLICENSED` is a NuGet-specific token that is not a valid SPDX identifier; it is now emitted as `license.name` instead of `license.id` to keep BOM output valid

Changed

• Upgrade CycloneDX.Core from 12.0.1 to 12.1.1 (#​1084)
• Bump System.CommandLine from 2.0.0 to 2.0.5 (#​1083)

Contributors

Thanks to everyone who contributed to this release:

• @​mus65 — NuGet license file support (#​1011)
• @​jainlakshya — UNLICENSED license expression handling (#​1004, fixes #​915)
• @​trivalik — requested NuGet license file support (#​1002)
• @​alexandrehtrb — reported the conditional compilation issue that led to the `--configuration` flag (#​1028)
• @​south11235 — reported the UNLICENSED invalid BOM issue (#​915)

6.1.1

Fixed

• Fix crash when a nuspec declares an exact-range version constraint across multiple projects (#​1071) — when a package's nuspec dependency uses an exact version range (e.g. [1.0.0]) and multiple versions of that package are present in a multi-project solution, the tool no longer crashes with "Unable to locate valid bom ref"; the dependency edge is resolved to the version that satisfies the range

Commits viewable in compare view.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #184.