[Epic] Support SBOMs for NuGet packages #12497

Open
5 tasks
JonDouglas opened this issue Mar 20, 2023 · 6 comments

Comments

@JonDouglas
Contributor

JonDouglas commented Mar 20, 2023

An SBOM is a nested inventory: a list of ingredients that make up software components.

This epic tracks the work to support providing an SPDX-formatted and NTIA-compliant SBOM inside of a NuGet package, based on the SBOM Everywhere initiative, to bring seamless end-to-end interoperability for security use cases at five major levels of software development:

  1. Clients and SDKs
  2. Package management plugins
  3. Native package manager integration
  4. Containerization integration
  5. Application/solution integration/deployment

We will most likely utilize sbom-tool to accomplish this task.

Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.

Further tracking issues will be created shortly as requirements are gathered and planned.
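The plan above (an SPDX-formatted, NTIA-compliant SBOM carried inside the .nupkg, produced with sbom-tool), as an added example that is not part of this issue and not code from the NuGet or sbom-tool projects: a Python inspector that opens a .nupkg as the zip archive it is, finds an embedded SPDX 2.2 JSON document, verifies its .sha256 sidecar, and checks the NTIA minimum elements. The in-package path `_manifest/spdx_2.2/manifest.spdx.json` is sbom-tool's default output layout and is an assumption here, since the thread has not settled where the SBOM will live inside the package; `Contoso.Widgets`, `Contoso.Core` and the fixture SBOM are constructed for the example.

```python
"""Inspect a .nupkg for an embedded SPDX 2.2 SBOM and check NTIA minimum elements.

Added example, not code from NuGet/Home or sbom-tool. ASSUMPTION: the SBOM sits where
sbom-tool writes it by default (_manifest/spdx_2.2/manifest.spdx.json plus a .sha256
sidecar); the thread has not settled on a location inside the package.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime
from typing import Optional

SBOM_PATH = "_manifest/spdx_2.2/manifest.spdx.json"  # assumed location
SBOM_HASH_PATH = SBOM_PATH + ".sha256"                # assumed sidecar name


def find_spdx_documents(nupkg_bytes: bytes) -> dict:
    """Return {path: parsed JSON} for each *.spdx.json in the package (a .nupkg is a zip)."""
    docs = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".spdx.json"):
                docs[name] = json.loads(zf.read(name))
    return docs


def verify_sidecar_hash(nupkg_bytes: bytes, path: str = SBOM_PATH) -> Optional[bool]:
    """True/False if the .sha256 sidecar matches the SBOM bytes, None if there is none.
    Assumes the sidecar's first whitespace-separated token is the hex digest."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        if path + ".sha256" not in zf.namelist():
            return None
        expected = zf.read(path + ".sha256").decode().split()[0].lower()
        actual = hashlib.sha256(zf.read(path)).hexdigest()
    return expected == actual


def check_ntia_minimum(doc: dict) -> list:
    """Return findings; an empty list means every NTIA minimum element is present.
    SPDX 2.2 mapping: author/timestamp -> creationInfo.creators/created; supplier, name,
    version -> packages[]; unique id -> packages[].externalRefs; dependencies -> relationships."""
    findings = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        findings.append("creationInfo.creators missing (author of SBOM data)")
    try:
        datetime.strptime(info.get("created") or "", "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        findings.append("creationInfo.created missing or not ISO-8601 UTC (timestamp)")
    packages = doc.get("packages", [])
    if not packages:
        findings.append("no packages listed")
    for pkg in packages:
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for field in ("name", "versionInfo", "supplier"):
            if not pkg.get(field):
                findings.append(f"{pid}: {field} missing")
        if not pkg.get("externalRefs"):
            findings.append(f"{pid}: no externalRefs (purl or other unique identifier)")
    rel_types = {r.get("relationshipType") for r in doc.get("relationships", [])}
    if not rel_types & {"DEPENDS_ON", "DESCRIBES"}:
        findings.append("no DEPENDS_ON/DESCRIBES relationships (dependency relationship)")
    return findings


def build_sample_nupkg(with_hash=True, tamper_hash=False, drop_supplier=False) -> bytes:
    """Constructed fixture: in-memory .nupkg with a tiny SPDX document (invented names)."""
    def pkg(spdxid, name, version):
        return {"SPDXID": spdxid, "name": name, "versionInfo": version,
                "supplier": "Organization: Contoso", "downloadLocation": "NOASSERTION",
                "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                                  "referenceLocator": f"pkg:nuget/{name}@{version}"}]}
    packages = [pkg("SPDXRef-RootPackage", "Contoso.Widgets", "1.2.3"),
                pkg("SPDXRef-Package-Core", "Contoso.Core", "4.0.1")]
    if drop_supplier:
        del packages[1]["supplier"]
    sbom = {"spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": "Contoso.Widgets 1.2.3",
            "documentNamespace": "https://sbom.example.invalid/Contoso.Widgets/1.2.3",
            "creationInfo": {"created": "2024-03-14T12:00:00Z", "creators": ["Tool: example-generator"]},
            "packages": packages,
            "relationships": [
                {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-RootPackage",
                 "relationshipType": "DESCRIBES"},
                {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-Core",
                 "relationshipType": "DEPENDS_ON"}]}
    body = json.dumps(sbom, indent=2).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Contoso.Widgets.nuspec", "<package><metadata><id>Contoso.Widgets</id>"
                    "<version>1.2.3</version></metadata></package>")
        zf.writestr("lib/net8.0/Contoso.Widgets.dll", b"MZ")  # placeholder bytes, not an assembly
        zf.writestr(SBOM_PATH, body)
        if with_hash:
            digest = "0" * 64 if tamper_hash else hashlib.sha256(body).hexdigest()
            zf.writestr(SBOM_HASH_PATH, digest + "\n")
    return buf.getvalue()
```

Feed the bytes of a real .nupkg to `find_spdx_documents` and run `check_ntia_minimum` on each document it returns; a non-empty list names the missing elements. The sidecar hash only catches accidental corruption: it lives in the same archive as the SBOM, so anyone who can rewrite the SBOM can rewrite the digest, and it is the NuGet package signature that binds both to the publisher.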

@TiberiusDRAIG

Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?

@nkolev92 nkolev92 modified the milestones: .NET 8.0, 6.8 Jun 29, 2023
@JonDouglas
Contributor Author

@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.

@nkolev92 nkolev92 removed this from the 6.8 milestone Oct 31, 2023
@Malcolmnixon

With this being removed from the 6.8 milestone:

  • Is there a new planned delivery for this?
  • Is there any information on where the SBOMs would/should be located in NuGet packages so we can manually construct compliant packages using sbom-tool today?

@JonDouglas
Contributor Author

Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.

toddbaert pushed a commit to open-feature/dotnet-sdk that referenced this issue Mar 14, 2024
## This PR
Generates Software Bill of Materials (SBOM) as described in #159. Once
NuGet/Home#12497 is implemented, the SBOM
file(s) should be embedded in the published nuget packages. Until then,
I've added the SBOM as an asset under the release.

### Known issue
The SBOM file lists the dependencies for all target frameworks combined.
Once the above NuGet/Home#12497
is implemented, it should be changed, so there is one sbom created for
each target framework with only the applicable references included.

### Related Issues
Fixes #159

### How to test
Unfortunately, this is somewhat cumbersome to test, as the logic in
question only kicks in upon a release from the main branch. I've tested
it myself this way:
- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <[email protected]>
Co-authored-by: André Silva <[email protected]>
@JonDouglas
Contributor Author

Just so people know, you can go try out the initial SBOM package by following this issue here:

microsoft/sbom-tool#674

@dotMorten

@JonDouglas This looks cool. I have a native library inside my nuget package, and I do have an sbom for that native library. Is there a way to get that merged in as well?

arttonoyan pushed a commit to arttonoyan/dotnet-sdk that referenced this issue Nov 17, 2024
## This PR
Generates Software Bill of Materials (SBOM) as described in open-feature#159. Once
NuGet/Home#12497 is implemented, the SBOM
file(s) should be embedded in the published nuget packages. Until then,
I've added the SBOM as an asset under the release.

### Known issue
The SBOM file lists the dependencies for all target frameworks combined.
Once the above NuGet/Home#12497
is implemented, it should be changed, so there is one sbom created for
each target framework with only the applicable references included.

### Related Issues
Fixes open-feature#159

### How to test
Unfortunately, this is somewhat cumbersome to test, as the logic in
question only kicks in upon a release from the main branch. I've tested
it myself this way:
- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <[email protected]>
Co-authored-by: André Silva <[email protected]>
Signed-off-by: Artyom Tonoyan <[email protected]>
5 participants