Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Epic] Support SBOMs for NuGet packages #12497

Open
5 tasks
JonDouglas opened this issue Mar 20, 2023 · 4 comments
Open
5 tasks

[Epic] Support SBOMs for NuGet packages #12497

JonDouglas opened this issue Mar 20, 2023 · 4 comments
Assignees
@JonDouglas
Labels
Epic Functionality:Pack Functionality:Restore Partner:DotNet Partner:MSBuild Partner:1ES Priority:2 Issues for the current backlog. Product:dotnet.exe Product:NuGet.exe NuGet.exe Type:Feature

Comments

@JonDouglas
Copy link
Contributor

JonDouglas commented Mar 20, 2023
edited
Loading

A SBOM is a nested inventory; a list of ingredients that make up software components.

This epic tracks the work to support providing a SPDX formatted and NTIA compliant SBOM inside of a NuGet package based on the SBOM Everywhere initiative to bring a seamless interoperability end-to-end for security use cases at five major levels of software development:

  1. Clients and SDKs
  2. Package management plugins
  3. Native package manager integration
  4. Containerization integration
  5. Application/solution integration/deployment

We will most likely utilize sbom-tool to accomplish this task.

Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.

Further tracking issues will be created shortly as requirements are gathered and planned.
@JonDouglas JonDouglas self-assigned this Mar 20, 2023
@JonDouglas JonDouglas mentioned this issue Mar 20, 2023
Closed
@nkolev92 nkolev92 added the Priority:2 Issues for the current backlog. label Mar 20, 2023
@JonDouglas JonDouglas mentioned this issue Mar 21, 2023
Open
17 tasks
@JonDouglas JonDouglas added this to the .NET 8.0 milestone Mar 22, 2023
@TiberiusDRAIG
Copy link

Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?

@nkolev92 nkolev92 modified the milestones: .NET 8.0, 6.8 Jun 29, 2023
@JonDouglas
Copy link
Contributor Author

@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.

@nkolev92 nkolev92 removed this from the 6.8 milestone Oct 31, 2023
@Malcolmnixon
Copy link

With this being removed from the 6.8 milestone:

  • Is there a new planned delivery for this?
  • Is there any information on where the SBOMs would/should be located in NuGet packages so we can manually construct compliant packages using sbom-tool today?

@JonDouglas
Copy link
Contributor Author

Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.

This was referenced Jan 9, 2024
Open
Open
@jenshenneberg jenshenneberg mentioned this issue Mar 10, 2024
Merged
toddbaert pushed a commit to open-feature/dotnet-sdk that referenced this issue Mar 14, 2024
@jenshenneberg @askpt
ci: Generate SBOM (#245)
3bdcf77 
## This PR
Generates Software Bill of Materials (SBOM) as described in #159. Once
NuGet/Home#12497 is implemented, the SBOM
file(s) should be embedded in the published nuget packages. Until then,
I've added the SBOM as an asset under the release.

### Known issue
The SBOM file lists the dependences for all target frameworks combined.
Once the above [NuGet ](NuGet/Home#12497
is implemented, it should be changed, so there is one sbom created for
each target framework with only the applicable references included.

### Related Issues
Fixes #159

### How to test
Unfortunately, this is somewhat cumbersome to test, as the logic in
question only kicks in upon a release from the main branch. I've tested
it myself this way:
- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <jens.henneberg@phocassoftware.com>
Co-authored-by: André Silva <2493377+askpt@users.noreply.github.com>
@baronfel baronfel mentioned this issue Mar 20, 2024
Open
@Nigusu-Allehu Nigusu-Allehu mentioned this issue Aug 9, 2024
Open
@JonDouglas JonDouglas mentioned this issue Sep 13, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@JonDouglas JonDouglas

Labels
Epic Functionality:Pack Functionality:Restore Partner:DotNet Partner:MSBuild Partner:1ES Priority:2 Issues for the current backlog. Product:dotnet.exe Product:NuGet.exe NuGet.exe Type:Feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@JonDouglas @Malcolmnixon @nkolev92 @TiberiusDRAIG