[Epic] Support SBOMs for NuGet packages #12497
Comments
Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?
@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.
With this being removed from the 6.8 milestone:
Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.
## This PR

Generates Software Bill of Materials (SBOM) as described in #159. Once NuGet/Home#12497 is implemented, the SBOM file(s) should be embedded in the published NuGet packages. Until then, I've added the SBOM as an asset under the release.

### Known issue

The SBOM file lists the dependencies for all target frameworks combined. Once the above NuGet/Home#12497 is implemented, it should be changed so there is one SBOM created for each target framework with only the applicable references included.

### Related Issues

Fixes #159

### How to test

Unfortunately, this is somewhat cumbersome to test, as the logic in question only kicks in upon a release from the main branch. I've tested it myself this way:

- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <jens.henneberg@phocassoftware.com>
Co-authored-by: André Silva <2493377+askpt@users.noreply.github.com>

Just so people know, you can go try out the initial SBOM package by following this issue here:
@JonDouglas This looks cool. I have a native library inside my NuGet package, and I do have an SBOM for that native library. Is there a way to get that merged in as well?
An SBOM is a nested inventory: a list of the ingredients that make up software components.
This epic tracks the work to support providing an SPDX-formatted, NTIA-compliant SBOM inside a NuGet package, based on the SBOM Everywhere initiative, to bring seamless end-to-end interoperability for security use cases at five major levels of software development:
We will most likely utilize sbom-tool to accomplish this task.
Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Further tracking issues will be created shortly as requirements are gathered and planned.
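As an added example (not code from the NuGet project or from sbom-tool): a small check of the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp) over a constructed SPDX 2.2 JSON document shaped like the manifest that sbom-tool emits. Field names follow the SPDX 2.2 JSON schema; the package names, versions and namespace are hypothetical sample values.

```python
import json
from typing import List

# Constructed sample SPDX 2.2 document; one dependency deliberately lacks a
# supplier and a purl so the check has something to report.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "Example.Package 1.0.0",
    "documentNamespace": "https://sbom.example.test/Example.Package/1.0.0",
    "creationInfo": {"created": "2023-03-01T00:00:00Z",
                     "creators": ["Tool: sbom-tool"]},
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "Example.Package",
         "versionInfo": "1.0.0", "supplier": "Organization: Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Example.Package@1.0.0"}]},
        {"SPDXID": "SPDXRef-Package-1", "name": "Newtonsoft.Json",
         "versionInfo": "13.0.1", "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-1"},
    ],
})


def ntia_findings(spdx_json: str) -> List[str]:
    """Return NTIA minimum-element gaps found in an SPDX 2.2 JSON document.

    An empty list means every required element is present for every package.
    """
    doc = json.loads(spdx_json)
    findings: List[str] = []
    info = doc.get("creationInfo", {})
    if not info.get("created"):
        findings.append("document: missing creationInfo.created (timestamp)")
    if not info.get("creators"):
        findings.append("document: missing creationInfo.creators (SBOM author)")
    packages = doc.get("packages", [])
    for pkg in packages:
        label = pkg.get("name") or pkg.get("SPDXID", "<unnamed>")
        if not pkg.get("name"):
            findings.append(f"{label}: missing component name")
        if not pkg.get("versionInfo"):
            findings.append(f"{label}: missing version")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            findings.append(f"{label}: supplier missing or NOASSERTION")
        if not any(r.get("referenceType") == "purl" for r in pkg.get("externalRefs", [])):
            findings.append(f"{label}: no purl unique identifier")
    # Every package must be reachable through a relationship (DESCRIBES / DEPENDS_ON).
    related = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])}
    for pkg in packages:
        if pkg.get("SPDXID") not in related:
            findings.append(f"{pkg.get('SPDXID')}: not referenced by any relationship")
    return findings
```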