
SBOM? #459

Open
robrich opened this issue Jun 9, 2023 · 2 comments

Comments


robrich commented Jun 9, 2023

How do I get an SBOM for .NET SDK-built OCI image?

baronfel (Member) commented Jun 9, 2023

The images produced by this tooling are normal container images in every sense, so you can use any SBOM generation tooling that could otherwise detect and report on .NET dependencies.

Here's an example using syft on a simple WebAPI container generated from this tooling. Note the dotnet dependencies at the top - these are only mostly correct because Syft doesn't pick the correct data out. We're looking at better SBOM generation across the .NET ecosystem, so this should get better over time.

syft packages sdk-container-demo:1.0.0
NAME                                        VERSION                       TYPE
DotNet.ReproducibleBuilds                   1.1.1                         dotnet
Microsoft.AspNetCore.App.Runtime.linux-x64  7.0.5                         dotnet
Microsoft.Build.Tasks.Git                   1.1.1                         dotnet
Microsoft.NET.Build.Containers              7.0.400-dev                   dotnet
Microsoft.NETCore.App.Runtime.linux-x64     7.0.5                         dotnet
Microsoft.SourceLink.AzureRepos.Git         1.1.1                         dotnet
Microsoft.SourceLink.Bitbucket.Git          1.1.1                         dotnet
Microsoft.SourceLink.Common                 1.1.1                         dotnet
Microsoft.SourceLink.GitHub                 1.1.1                         dotnet
Microsoft.SourceLink.GitLab                 1.1.1                         dotnet
adduser                                     3.118                         deb
apt                                         2.2.4                         deb
base-files                                  11.1+deb11u7                  deb
base-passwd                                 3.5.51                        deb
bash                                        5.1-2+deb11u1                 deb
bsdutils                                    1:2.36.1-8+deb11u1            deb
ca-certificates                             20210119                      deb
coreutils                                   8.32-4+b1                     deb
dash                                        0.5.11+git20200708+dd9ef66-5  deb
debconf                                     1.5.77                        deb
debian-archive-keyring                      2021.1.1+deb11u1              deb
debianutils                                 4.11.2                        deb
diffutils                                   1:3.7-5                       deb
dpkg                                        1.20.12                       deb
e2fsprogs                                   1.46.2-2                      deb
findutils                                   4.8.0-1                       deb
gcc-10-base                                 10.2.1-6                      deb
gcc-9-base                                  9.3.0-22                      deb
gpgv                                        2.2.27-2+deb11u2              deb
grep                                        3.6-1+deb11u1                 deb
gzip                                        1.10-4+deb11u1                deb
hostname                                    3.23                          deb
init-system-helpers                         1.60                          deb
libacl1                                     2.2.53-10                     deb
libapt-pkg6.0                               2.2.4                         deb
libattr1                                    1:2.4.48-6                    deb
libaudit-common                             1:3.0-2                       deb
libaudit1                                   1:3.0-2                       deb
libblkid1                                   2.36.1-8+deb11u1              deb
libbz2-1.0                                  1.0.8-4                       deb
libc-bin                                    2.31-13+deb11u6               deb
libc6                                       2.31-13+deb11u6               deb
libcap-ng0                                  0.7.9-2.2+b1                  deb
libcom-err2                                 1.46.2-2                      deb
libcrypt1                                   1:4.4.18-4                    deb
libdb5.3                                    5.3.28+dfsg1-0.8              deb
libdebconfclient0                           0.260                         deb
libext2fs2                                  1.46.2-2                      deb
libffi7                                     3.3-6                         deb
libgcc-s1                                   10.2.1-6                      deb
libgcrypt20                                 1.8.7-6                       deb
libgmp10                                    2:6.2.1+dfsg-1+deb11u1        deb
libgnutls30                                 3.7.1-5+deb11u3               deb
libgpg-error0                               1.38-2                        deb
libgssapi-krb5-2                            1.18.3-6+deb11u3              deb
libhogweed6                                 3.7.3-1                       deb
libicu67                                    67.1-7                        deb
libidn2-0                                   2.3.0-5                       deb
libk5crypto3                                1.18.3-6+deb11u3              deb
libkeyutils1                                1.6.1-2                       deb
libkrb5-3                                   1.18.3-6+deb11u3              deb
libkrb5support0                             1.18.3-6+deb11u3              deb
liblz4-1                                    1.9.3-2                       deb
liblzma5                                    5.2.5-2.1~deb11u1             deb
libmount1                                   2.36.1-8+deb11u1              deb
libnettle8                                  3.7.3-1                       deb
libnsl2                                     1.3.0-2                       deb
libp11-kit0                                 0.23.22-1                     deb
libpam-modules                              1.4.0-9+deb11u1               deb
libpam-modules-bin                          1.4.0-9+deb11u1               deb
libpam-runtime                              1.4.0-9+deb11u1               deb
libpam0g                                    1.4.0-9+deb11u1               deb
libpcre2-8-0                                10.36-2+deb11u1               deb
libpcre3                                    2:8.39-13                     deb
libseccomp2                                 2.5.1-1+deb11u1               deb
libselinux1                                 3.1-3                         deb
libsemanage-common                          3.1-1                         deb
libsemanage1                                3.1-1+b2                      deb
libsepol1                                   3.1-1                         deb
libsmartcols1                               2.36.1-8+deb11u1              deb
libss2                                      1.46.2-2                      deb
libssl1.1                                   1.1.1n-0+deb11u4              deb
libstdc++6                                  10.2.1-6                      deb
libsystemd0                                 247.3-7+deb11u2               deb
libtasn1-6                                  4.16.0-2+deb11u1              deb
libtinfo6                                   6.2+20201114-2+deb11u1        deb
libtirpc-common                             1.3.1-1+deb11u1               deb
libtirpc3                                   1.3.1-1+deb11u1               deb
libudev1                                    247.3-7+deb11u2               deb
libunistring2                               0.9.10-4                      deb
libuuid1                                    2.36.1-8+deb11u1              deb
libxxhash0                                  0.8.0-2                       deb
libzstd1                                    1.4.8+dfsg-2.1                deb
login                                       1:4.8.1-1                     deb
logsave                                     1.46.2-2                      deb
lsb-base                                    11.1.0                        deb
mawk                                        1.3.4.20200120-2              deb
mount                                       2.36.1-8+deb11u1              deb
ncurses-base                                6.2+20201114-2+deb11u1        deb
ncurses-bin                                 6.2+20201114-2+deb11u1        deb
openssl                                     1.1.1n-0+deb11u4              deb
passwd                                      1:4.8.1-1                     deb
perl-base                                   5.32.1-4+deb11u2              deb
sed                                         4.7-1                         deb
sysvinit-utils                              2.96-7+deb11u1                deb
tar                                         1.34+dfsg-1                   deb
tzdata                                      2021a-1+deb11u10              deb
util-linux                                  2.36.1-8+deb11u1              deb
zlib1g                                      1:1.2.11.dfsg-2+deb11u2       deb
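The listing above shows why the scanner output is "only mostly correct": build-time-only packages such as the SourceLink family appear as image contents, and the scanner reads NuGet metadata rather than what the app actually loads. A practical check is to compare the SBOM against the .deps.json that the .NET SDK publishes next to the app, which records the exact NuGet packages and versions the runtime resolves. The script below is an added example, not code from this thread or from the .NET SDK container tooling; both inputs are constructed excerpts (the syft JSON follows the real top-level "artifacts" layout and the .deps.json the real "libraries" layout, but the package names and hashes are invented). It reports packages the build shipped that the SBOM missed, and packages whose recorded version disagrees.

```python
"""Cross-check a syft SBOM (-o json) against the .deps.json the .NET SDK
publishes with the app. Both inputs here are constructed samples."""
import json

# Constructed excerpt of syft's JSON output. Real syft emits a top-level
# "artifacts" list with name/version/type; the entries are invented, and one
# NuGet package is missing and one carries the wrong version on purpose.
SYFT_JSON = """
{
  "artifacts": [
    {"name": "Microsoft.NETCore.App.Runtime.linux-x64", "version": "7.0.5", "type": "dotnet"},
    {"name": "Newtonsoft.Json", "version": "13.0.1", "type": "dotnet"},
    {"name": "Serilog", "version": "2.12.0", "type": "dotnet"},
    {"name": "libssl1.1", "version": "1.1.1n-0+deb11u4", "type": "deb"}
  ]
}
"""

# Constructed excerpt of a published MyApp.deps.json (real layout, invented
# contents). "libraries" keys are "Name/Version"; the app itself has type "project".
DEPS_JSON = """
{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v7.0"},
  "targets": {
    ".NETCoreApp,Version=v7.0": {
      "MyApp/1.0.0": {"dependencies": {"Newtonsoft.Json": "13.0.3", "Serilog": "2.12.0", "Dapper": "2.0.123"}},
      "Newtonsoft.Json/13.0.3": {"runtime": {"lib/net6.0/Newtonsoft.Json.dll": {}}},
      "Serilog/2.12.0": {"runtime": {"lib/net7.0/Serilog.dll": {}}},
      "Dapper/2.0.123": {"runtime": {"lib/net5.0/Dapper.dll": {}}}
    }
  },
  "libraries": {
    "MyApp/1.0.0": {"type": "project", "serviceable": false},
    "Newtonsoft.Json/13.0.3": {"type": "package", "serviceable": true, "sha512": "sha512-AAAA"},
    "Serilog/2.12.0": {"type": "package", "serviceable": true, "sha512": "sha512-BBBB"},
    "Dapper/2.0.123": {"type": "package", "serviceable": true, "sha512": "sha512-CCCC"}
  }
}
"""


def nuget_packages_from_deps(deps_text):
    """Return {name_lower: version} for every NuGet package in a .deps.json.
    Entries of type "project" are the app's own assemblies and are skipped."""
    deps = json.loads(deps_text)
    result = {}
    for key, lib in deps.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue
        name, _, version = key.partition("/")
        result[name.lower()] = version
    return result


def dotnet_packages_from_syft(sbom_text):
    """Return {name_lower: version} for artifacts syft typed as "dotnet"."""
    sbom = json.loads(sbom_text)
    return {a["name"].lower(): a["version"]
            for a in sbom.get("artifacts", []) if a.get("type") == "dotnet"}


def diff_sbom(deps_text, sbom_text):
    """Compare what the build says it shipped with what the scanner found.
    Returns (missing, mismatched): package names absent from the SBOM, and
    (name, deps_version, sbom_version) tuples where the versions differ.
    Names are compared case-insensitively because NuGet IDs are."""
    expected = nuget_packages_from_deps(deps_text)
    found = dotnet_packages_from_syft(sbom_text)
    missing = sorted(n for n in expected if n not in found)
    mismatched = sorted((n, expected[n], found[n]) for n in expected
                        if n in found and expected[n] != found[n])
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = diff_sbom(DEPS_JSON, SYFT_JSON)
    print("missing from SBOM:", missing)
    print("version mismatches (name, deps.json, sbom):", mismatched)
```

To run this against a real image, generate the SBOM with `syft packages <image> -o json > sbom.json`, copy the app's `.deps.json` out of the image's publish directory, and feed both files to `diff_sbom`. The check is deliberately one-directional: extra "dotnet" entries in the SBOM (runtime packs, or build-time packages like those in the listing above) are not flagged, since some of them legitimately live in the image; what matters for vulnerability matching is that nothing the app actually loads is missing or misversioned.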

baronfel (Member) commented Mar 20, 2024

There's an effort to bake SBOM generation support into the .NET SDK, which is being tracked at NuGet/Home#12497.

As that progresses, we definitely will figure out what needs to happen to produce SBOMs for generated container images as well.

Prior art here: https://docs.docker.com/engine/sbom/ (though this includes OS libraries, etc that we don't have direct knowledge of here).
