SDK versioning regarding CPE

[lg2de]

We want to build Software Build of Material (SBOM) for our projects.
I found a Common Platform Enumeration identifier (CPE) for the dotnet sdk as an example here: https://nvd.nist.gov/vuln/detail/CVE-2024-35264 => cpe:2.3:a:microsoft:.net:8.0.1:*:*:*:*:*:*:*.
The CPE for dotnet seams to use versions like "8.0.1".

I want to automate the SBOM generation while analyzing the solution.
Within a solution often we found the file global.json defining the sdk to be used.
Here the sdk version is defined as "8.0.101".

How to map from "8.0.101" to "8.0.1" to add the correct CPE in our SBOM file?
Why there are different version schema used?

[KalleOlaviNiemitalo]

The mapping from .NET SDK version 8.0.101 to .NET Runtime version 8.0.1 could be read from here: https://github.com/dotnet/core/blob/649080cc3a0e927abb88d05591256e23c29e2170/release-notes/8.0/releases.json#L6885-L6888

If you're going to write a tool that downloads those files and looks up the versions, I think you should start from the documentation at https://github.com/dotnet/core/blob/649080cc3a0e927abb88d05591256e23c29e2170/release-notes/schemas/README.md.

However, if you use .NET SDK 9.0.101 to build an application that targets net8.0, then I'm not sure it would be right to put "9.0.0" in the SBOM, even though both .NET SDK 9.0.100 and .NET SDK 9.0.101 correspond to .NET Runtime 9.0.0.

[baronfel]

The core question is what part of the .NET Toolchain is relevant for the SBOM. The SDK contains build logic, but after building/publishing what matters for runtime purposes is the version of the runtimes that your app was built with/run against (Microsoft.NETCore.App, Microsoft.AspNetcore.App, Microsoft.WindowsDesktop.App, etc) - these provide the actual running code that likely has security fixes/implications.

So from the perspective of the 'what are the runtime dependencies of my app, 8.0.1 would be the correct version to use here.

@lg2de what kinds of information are you interested in persisting to your SBOMs? We have a build-time integration with Microsoft's sbom-tool via the Microsoft.Sbom.Targets package that might help get you started, but that integration doesn't currently include information about the .NET SDK used to build the app.

[lg2de]

I think there are some situations which may influence the security of the build packages:

• Source Generators may create vulnerable code.
• The Compiler may create vulnerable IL code.

Interesting, in microsoft/sbom-tool/issues/592 similar discussion states that the building tools should be part of the SBOM.

Any ideas, why there are different versioning schema for sdk and runtime while CPE is only available for one of them?

[KalleOlaviNiemitalo]

I found cpe:2.3:a:microsoft:.net_core_sdk:1.1:*:*:*:*:*:*:* and cpe:2.3:a:microsoft:.net_core_sdk:2.1.500:*:*:*:*:*:*:* and cpe:2.3:a:microsoft:.net_core_sdk:2.2.100:*:*:*:*:*:*:*, but not later SDKs.

[lg2de]

Yes, some kind of inconsistency I already faced with Visual Studio C++ Runtime: https://developercommunity.visualstudio.com/t/CPE-Identifier-for-the-C-runtime/10603549?space=41&sort=newest

I hope that a MS guy takes responsibility on this issue to clarify.
Would it have been better if I had opened an issue instead of a discussion?