[Epic] Support SBOMs for NuGet packages #12497
Assignees
Labels
Epic
Functionality:Pack
Functionality:Restore
Partner:DotNet
Partner:MSBuild
Partner:1ES
Priority:2
Issues for the current backlog.
Product:dotnet.exe
Product:NuGet.exe
NuGet.exe
Type:Feature
Comments
17 tasks
|
Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX? |
|
@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point. |
|
With this being removed from the 6.8 milestone:
|
|
Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently. |
This was referenced Jan 9, 2024
toddbaert
pushed a commit
to open-feature/dotnet-sdk
that referenced
this issue
Mar 14, 2024
## This PR Generates Software Bill of Materials (SBOM) as described in #159. Once NuGet/Home#12497 is implemented, the SBOM file(s) should be embedded in the published nuget packages. Until then, I've added the SBOM as an asset under the release. ### Known issue The SBOM file lists the dependences for all target frameworks combined. Once the above [NuGet ](NuGet/Home#12497 is implemented, it should be changed, so there is one sbom created for each target framework with only the applicable references included. ### Related Issues Fixes #159 ### How to test Unfortunately, this is somewhat cumbersome to test, as the logic in question only kicks in upon a release from the main branch. I've tested it myself this way: - Create new fork of this repo - Merge this branch to main in the new repo - Create a release in the new repo Signed-off-by: Jens Henneberg <jens.henneberg@phocassoftware.com> Co-authored-by: André Silva <2493377+askpt@users.noreply.github.com>
|
Just so people know, you can go try out the initial SBOM package by following this issue here: |
|
@JonDouglas This looks cool. I have a native library inside my nuget package, and I do have an sbom for that native library. Is there a way to get that merged in as well? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A SBOM is a nested inventory; a list of ingredients that make up software components.
This epic tracks the work to support providing a SPDX formatted and NTIA compliant SBOM inside of a NuGet package based on the SBOM Everywhere initiative to bring a seamless interoperability end-to-end for security use cases at five major levels of software development:
We will most likely utilize sbom-tool to accomplish this task.
Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Further tracking issues will be created shortly as requirements are gathered and planned.
The text was updated successfully, but these errors were encountered: