Skip to content

Commit

Permalink
Add a SBOM Generation Task (#674)
Browse files Browse the repository at this point in the history
* Experimenting with dotnet

* Add comments

* Make the Sbom.Targets project to build.

* Add all arguments to GenerateSBOMTask (#1)

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Add call to the SBOM API from GenerateSbomTask#Execute (#2)

* Start implementing Execute

* Make SBOM Targets test target .NET 8 only.

* Make the Component Path not required.

* Build the current project in test, and check that the manifest was generated.

* Ad a few comments for TODOs.

* Validate and Sanitize Arguments  (#3)

* Validate arguments

* ignore case for enum conversion

* create method for manifestinfo

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Add tests for Generate SBOM Task (#4)

* Add more tests for GenerateSbomTask.Execute logic

* Add SBOM Validation to the Generate SBOM Task tests.

* Add a utility method that validates the SBOM being generated during tests

* Make more tests use the new utility validator method

* Pass sbom specification during tests

* Refactor GenerateSbomTask tests to be parametrized through the SBOM Specification

* Fix typo

* Add an abstract method for the Sbom Specification of the AbstractGenerateSbomTaskTests

* Address PR suggestions

* Made fields internal instead of private in AbstractGenerateSbomTaskTests

* Add unit tests for GenerateSbomTask inputs (#6)

* add unit tests for GenerateSbomTask inputs

* remove console print

* Addressing feedback

* addressing feedback and adding more tests'

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Add additional unit tests for valid cases (#7)

* add additional unit tests for valid cases

* address feedback and add few more cases

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Merging Varshita's branch into our feature branch (#12)

* setting up imports

* Add reference to local Nuget package, for testing purposes

* rename targets and props, export them to the build folder

* Fix test project

* Fix Targets file to include props

* Manually adding the Sources Providers that support ProviderType.Packages

* Manually add the missing classes for SBOM generation

* Add MSBuild properties to our Props file (#8)

* Use MSBuild/.NET props for default values of the Generate SBOM task.

* Remove hardcoded path from the Targets

* Add default value to props file for SbomGenerationManifestDirPath

* Add final ManifestDirPath to SbomGenerationResult.

* Fix typo

* Change Summary comment for ManifestDirPath

* include sbom files in user's nuget packages (#11)

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Make the task target .net 8 and .net 6 (#13)

* Remove unrooted checks (#14)

* Downgrade Microsoft.Extensions.Hosting back to 7.0.1

* Remove LocalNuget configuration

* Stop tracking nuspec file

* Remove unnecessary comments.

* Remove reference to Microsoft.Sbom.Targets Nuget

* Apply suggestions from the linter and PR comments.

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com>

* Fix ubuntu tests (#16)

* add users/gustavoca/net-sdk-sbom-tool branch to PR pipelines

* Fix Ubuntu tests for Targets project

* Update feature branch (#17)

* build(deps): bump actions/checkout from 4.1.1 to 4.1.6 (#574)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@b4ffde6...a5ac7e5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.24.3 to 3.25.8 (#591)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.25.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3796146...2e230e8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add missing header to AbstractGenerateSbomTaskTests (#598)

* Create template tool task (#600)

* create template tool task

* Make the tests successfully run

* Include the SBOM CLI Tool to the .NET Framework package folder.

* refactor code a little and address feedback

@microsoft-github-policy-service agree company="Microsoft"

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: gustavoaca1997 <gustavoaca1997@gmail.com>

* Run the Github build also for feature branches.

* Implement SBOM CLI ToolTask (#607)

* implement ToolTask

* addressing feedback

* addressing feedback pt. 2

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Update System.Text.Json

* Stop importing the props twice when referencing the Nuget package (#612)

* Add tests for the MSBuild Full version of the Generate SBOM task (#613)

* Bring changes from feautre branch

* Make the Targets.Tests project also target .NET Framework

* Remove props file

* Implement tests for MSBuild Full version of the task

* Simplify how the CLI tool is called from the tests.

* Add test for file being in use.

* Test the output of the ToolTask.

* Change the name of AbstractGenerateSBomTaskInputTests to AbstractGenerateSbomTaskInputTests

* Include .NET Framework output in Sbom_Generation_Succeeds_For_Null_Verbosity

* Update src/Microsoft.Sbom.Targets/SbomCLIToolTask.cs

Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>

* Skip tests that are failing due to known issues

* Add debug messages for the test pipeline

* Fix .net core tests

* Target .NET Framework only on Windows

* Remove unnecessary comment.

* Update default Verbosity.

* Address comments.

* Change name of AbstractGenerateSbomTaskInputTests

* Address PR Comments

---------

Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>

* Update NuGet Package Format and Surface Errors (#619)

* update nuget package format and surface errors

* simplify sbom output

* update targets to use SbomPath output var for ToolTask

* fix bad merge

* append manifest folder name for manifestdirpath

* add path.combine and property checks

* append platform version

* create ManifestDirPath if needed

* temporarily comment out

* remove manifestdirpath logic for now

* use path.combine and full path

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Add README for Microsoft.Sbom.Targets project (#651)

* Adding readme

* add code quotes

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Workaround for generating a SBOM manifest at the root level of the Nuget Package (#656)

* Add buildMultiTargeting folder to the Nuget package

* Unzip and Zip again for including the SBOM into the Nuget package.

* Append GUID to the temporary unzipped folder.

* Use Path.Combine for Unzip and Nupkg paths (#663)

* Add E2E tests for Microsoft.Sbom.Targets project (#658)

* add base setup for tests

* updates to test

* cleanup

* Add more tests

* update package version

* cleanup

* mini fix for copying sample project

* add unloading step

* create separate project for E2E tests

* cleanup

* rearrange method

* cleanup

* check for platform

* try with locator

* disable analyzers for sample project

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Remove GenerateSBOMTest project (#673)

* Remove GenerateSBOMTest project

* Remove N/A comment

* Add ContinueOnError=ErrorAndContinue to the ZipDirectory, GenerateSBOM and Unzip (#672)

* User/gustavoca/update with main (#675)

* Bump Component Detection version (#624)

* Bump Component Detection version

* Bump NuGet Config and Framework versions

* Raise dependabot PR limit (#629)

* build(deps): bump stefanzweifel/git-auto-commit-action (#552)

Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases)
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md)
- [Commits](stefanzweifel/git-auto-commit-action@8756aa0...8621497)

---
updated-dependencies:
- dependency-name: stefanzweifel/git-auto-commit-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>

* build(deps): bump Microsoft.NET.Test.Sdk from 17.7.2 to 17.10.0 (#630)

Bumps [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.7.2 to 17.10.0.
- [Release notes](https://github.com/microsoft/vstest/releases)
- [Changelog](https://github.com/microsoft/vstest/blob/main/docs/releases.md)
- [Commits](microsoft/vstest@v17.7.2...v17.10.0)

---
updated-dependencies:
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestAdapter from 3.1.1 to 3.5.0 (#644)

Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.1.1...v3.5.0)

---
updated-dependencies:
- dependency-name: MSTest.TestAdapter
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Spectre.Console.Cli from 0.48.0 to 0.49.1 (#637)

Bumps [Spectre.Console.Cli](https://github.com/spectreconsole/spectre.console) from 0.48.0 to 0.49.1.
- [Release notes](https://github.com/spectreconsole/spectre.console/releases)
- [Commits](spectreconsole/spectre.console@0.48.0...0.49.1)

---
updated-dependencies:
- dependency-name: Spectre.Console.Cli
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.25.12 to 3.25.15 (#625)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@4fa2a79...afb54ba)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestFramework from 3.1.1 to 3.5.0 (#642)

Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.1.1...v3.5.0)

---
updated-dependencies:
- dependency-name: MSTest.TestFramework
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.VisualStudio.Threading.Analyzers (#638)

Bumps [Microsoft.VisualStudio.Threading.Analyzers](https://github.com/microsoft/vs-threading) from 17.7.30 to 17.10.48.
- [Release notes](https://github.com/microsoft/vs-threading/releases)
- [Commits](microsoft/vs-threading@v17.7.30...v17.10.48)

---
updated-dependencies:
- dependency-name: Microsoft.VisualStudio.Threading.Analyzers
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.25.15 to 3.26.0 (#654)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@afb54ba...eb055d7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestAdapter from 3.5.0 to 3.5.1 (#653)

Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: MSTest.TestAdapter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <sfoslund@microsoft.com>

* build(deps): bump MSTest.TestFramework from 3.5.0 to 3.5.1 (#652)

Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: MSTest.TestFramework
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <sfoslund@microsoft.com>

* build(deps): bump Moq from 4.17.2 to 4.20.70 (#640)

Bumps [Moq](https://github.com/moq/moq) from 4.17.2 to 4.20.70.
- [Release notes](https://github.com/moq/moq/releases)
- [Changelog](https://github.com/devlooped/moq/blob/main/CHANGELOG.md)
- [Commits](moq/moq.spikes@v4.17.2...v4.20.70)

---
updated-dependencies:
- dependency-name: Moq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump coverlet.collector from 6.0.0 to 6.0.2 (#641)

Bumps [coverlet.collector](https://github.com/coverlet-coverage/coverlet) from 6.0.0 to 6.0.2.
- [Release notes](https://github.com/coverlet-coverage/coverlet/releases)
- [Commits](coverlet-coverage/coverlet@v6.0.0...v6.0.2)

---
updated-dependencies:
- dependency-name: coverlet.collector
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump StyleCop.Analyzers (#636)

Bumps [StyleCop.Analyzers](https://github.com/DotNetAnalyzers/StyleCopAnalyzers) from 1.2.0-beta.507 to 1.2.0-beta.556.
- [Release notes](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/releases)
- [Changelog](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/KnownChanges.md)
- [Commits](DotNetAnalyzers/StyleCopAnalyzers@1.2.0-beta.507...1.2.0-beta.556)

---
updated-dependencies:
- dependency-name: StyleCop.Analyzers
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 (#645)

Bumps [Microsoft.SourceLink.GitHub](https://github.com/dotnet/sourcelink) from 1.1.1 to 8.0.0.
- [Release notes](https://github.com/dotnet/sourcelink/releases)
- [Commits](dotnet/sourcelink@1.1.1...8.0.0)

---
updated-dependencies:
- dependency-name: Microsoft.SourceLink.GitHub
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MinVer from 4.3.0 to 5.0.0 (#634)

Bumps [MinVer](https://github.com/adamralph/minver) from 4.3.0 to 5.0.0.
- [Changelog](https://github.com/adamralph/minver/blob/main/CHANGELOG.md)
- [Commits](adamralph/minver@4.3.0...5.0.0)

---
updated-dependencies:
- dependency-name: MinVer
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.Extensions.Http, Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection (#649)

Bumps [Microsoft.Extensions.Http](https://github.com/dotnet/runtime), [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection](https://github.com/dotnet/runtime). These dependencies needed to be updated together.

Updates `Microsoft.Extensions.Http` from 7.0.0 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.0...v8.0.0)

Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.1...v8.0.0)

Updates `Microsoft.Extensions.DependencyInjection` from 7.0.0 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.0...v8.0.0)

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Http
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.DependencyInjection
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection.Abstractions (#650)

Bumps [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection.Abstractions](https://github.com/dotnet/runtime). These dependencies needed to be updated together.

Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.1
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.1...v8.0.1)

Updates `Microsoft.Extensions.DependencyInjection.Abstractions` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v8.0.0...v8.0.1)

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Scrutor from 4.2.0 to 4.2.2 (#646)

Bumps [Scrutor](https://github.com/khellang/Scrutor) from 4.2.0 to 4.2.2.
- [Release notes](https://github.com/khellang/Scrutor/releases)
- [Commits](khellang/Scrutor@v4.2.0...v4.2.2)

---
updated-dependencies:
- dependency-name: Scrutor
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix tests

* Bump Microsoft.Extensions.Hosting

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: José Renan <joserenansl99@gmail.com>
Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <sfoslund@microsoft.com>

* Update README

* Address Feedback (#679)

* Address feedback and remove SbomPath

* remove whitespace

* remove comment

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* address more feedback (#682)

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Pack each project separately (#681)

* Pack each project separately

* Remove extra dotnet apck

* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.

* User/gustavoca/dont extract e2e tests (#684)

* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.

* Remove extra changes in Directory.Packages.Props

* Remove instance of Newtonsoft.Json

* Remove not needed Message

* Revert "Remove instance of Newtonsoft.Json"

This reverts commit 52329d4.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Sarah Oslund <sfoslund@microsoft.com>
Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com>
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>
Co-authored-by: José Renan <joserenansl99@gmail.com>
  • Loading branch information
7 people authored Sep 9, 2024
1 parent a029b40 commit 08ba73d
Show file tree
Hide file tree
Showing 22 changed files with 2,171 additions and 4 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -189,6 +189,7 @@ PublishScripts/

# NuGet Packages
*.nupkg
*.nuspec
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
Expand Down
8 changes: 7 additions & 1 deletion Directory.Packages.props
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@
<PackageVersion Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="8.1.1" />
<PackageVersion Include="coverlet.collector" Version="6.0.2" />
<PackageVersion Include="FluentAssertions" Version="6.12.0" />
<PackageVersion Include="Microsoft.Build" Version="17.3.2" />
<PackageVersion Include="Microsoft.Build.Framework" Version="17.10.4" />
<PackageVersion Include="Microsoft.Build.Locator" Version="1.7.8" />
<PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.10.4" />
<PackageVersion Include="Microsoft.CSharp" Version="4.7.0" />
<PackageVersion Include="MSTest.TestAdapter" Version="3.5.2" />
<PackageVersion Include="MSTest.TestFramework" Version="3.5.2" />
<PackageVersion Include="Microsoft.ComponentDetection.Common" Version="$(ComponentDetectionPackageVersion)" />
Expand All @@ -22,7 +27,7 @@
<PackageVersion Include="Microsoft.ComponentDetection.Orchestrator" Version="$(ComponentDetectionPackageVersion)" />
<PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
<PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
<PackageVersion Include="Microsoft.Extensions.Hosting" Version="7.0.1" />
<PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
<PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
<PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
<PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
Expand All @@ -44,6 +49,7 @@
<PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
<PackageVersion Include="Spectre.Console.Cli" Version="0.49.1" />
<PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
<PackageVersion Include="System.IO.Compression" Version="4.3.0" />
<PackageVersion Include="System.IO.FileSystem.AccessControl" Version="5.0.0" />
<PackageVersion Include="System.Linq.Async" Version="6.0.1" />
<PackageVersion Include="System.Memory" Version="4.5.5" />
Expand Down
18 changes: 18 additions & 0 deletions Microsoft.Sbom.sln
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,14 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.D
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.DependencyInjection.Tests", "test\Microsoft.Sbom.Extensions.DependencyInjection.Tests\Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj", "{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets", "src\Microsoft.Sbom.Targets\Microsoft.Sbom.Targets.csproj", "{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets.Tests", "test\Microsoft.Sbom.Targets.Tests\Microsoft.Sbom.Targets.Tests.csproj", "{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Tool.Tests", "test\Microsoft.Sbom.Tool.Tests\Microsoft.Sbom.Tool.Tests.csproj", "{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Sbom.Targets.E2E.Tests", "test\Microsoft.Sbom.Targets.E2E.Tests\Microsoft.Sbom.Targets.E2E.Tests.csproj", "{3FDE7800-F61F-4C45-93AB-648A4C7979C7}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Expand Down Expand Up @@ -109,10 +115,22 @@ Global
{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Debug|Any CPU.Build.0 = Debug|Any CPU
{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.ActiveCfg = Release|Any CPU
{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.Build.0 = Release|Any CPU
{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.Build.0 = Debug|Any CPU
{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.ActiveCfg = Release|Any CPU
{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.Build.0 = Release|Any CPU
{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.Build.0 = Debug|Any CPU
{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.ActiveCfg = Release|Any CPU
{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.Build.0 = Release|Any CPU
{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.Build.0 = Release|Any CPU
{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.Build.0 = Debug|Any CPU
{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.ActiveCfg = Release|Any CPU
{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
Expand Down
4 changes: 2 additions & 2 deletions nuget.config
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<clear />
<add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
</packageSources>
</configuration>
</configuration>
2 changes: 1 addition & 1 deletion pipelines/sbom-tool-main-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ extends:
]
condition: and(succeeded(), startswith(variables['Build.SourceBranch'], 'refs/tags/'))

- powershell: 'dotnet pack Microsoft.Sbom.sln -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg'
- powershell: 'Get-ChildItem -Recurse -Filter *.csproj -Path src | ForEach-Object { dotnet pack $_.FullName -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg }'
displayName: 'Pack NuGet package'

- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
Expand Down
102 changes: 102 additions & 0 deletions src/Microsoft.Sbom.Targets/GenerateSbom.cs
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Targets;

using System;
using System.Collections.Generic;
using System.Diagnostics.Tracing;
using Microsoft.Build.Framework;

/// <summary>
/// This partial class defines and sanitizes the arguments that will be passed
/// into the SBOM API and CLI tool for generation.
/// </summary>
public partial class GenerateSbom
{
/// <summary>
/// Gets or sets the path to the drop directory for which the SBOM will be generated.
/// </summary>
[Required]
public string BuildDropPath { get; set; }

/// <summary>
/// Gets or sets the supplier of the package the SBOM represents.
/// </summary>
[Required]
public string PackageSupplier { get; set; }

/// <summary>
/// Gets or sets the name of the package the SBOM represents.
/// </summary>
[Required]
public string PackageName { get; set; }

/// <summary>
/// Gets or sets the version of the package the SBOM represents.
/// </summary>
[Required]
public string PackageVersion { get; set; }

/// <summary>
/// Gets or sets the base path of the SBOM namespace uri.
/// </summary>
[Required]
public string NamespaceBaseUri { get; set; }

/// <summary>
/// Gets or sets the path to the directory containing build components and package information.
/// For example, path to a .csproj or packages.config file.
/// </summary>
public string BuildComponentPath { get; set; }

/// <summary>
/// Gets or sets a unique URI part that will be appended to NamespaceBaseUri.
/// </summary>
public string NamespaceUriUniquePart { get; set; }

/// <summary>
/// Gets or sets the path to a file containing a list of external SBOMs that will be appended to the
/// SBOM that is being generated.
/// </summary>
public string ExternalDocumentListFile { get; set; }

/// <summary>
/// Indicates whether licensing information will be fetched for detected packages.
/// </summary>
public bool FetchLicenseInformation { get; set; }

/// <summary>
/// Indicates whether to parse licensing and supplier information from a packages metadata file.
/// </summary>
public bool EnablePackageMetadataParsing { get; set; }

/// <summary>
/// Gets or sets the verbosity level for logging output.
/// </summary>
public string Verbosity { get; set; }

/// <summary>
/// Gets or sets a list of names and versions of the manifest format being used.
/// </summary>
public string ManifestInfo { get; set; }

/// <summary>
/// Indicates whether the previously generated SBOM manifest directory should be deleted
/// before generating a new SBOM in the directory specified by ManifestDirPath.
/// Defaults to true.
/// </summary>
public bool DeleteManifestDirIfPresent { get; set; } = true;

/// <summary>
/// Gets or sets the path where the SBOM will be generated. For now, this property
/// will be unset as the _manifest directory is intended to be at the root of a NuGet package
/// specified by BuildDropPath.
/// </summary>
public string ManifestDirPath { get; set; }

/// <summary>
/// Gets or sets the path to the SBOM CLI tool
/// </summary>
public string SbomToolPath { get; set; }
}
125 changes: 125 additions & 0 deletions src/Microsoft.Sbom.Targets/GenerateSbomTask.cs
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Targets;

using System;
using System.Collections.Generic;
using System.Diagnostics.Tracing;
using System.IO;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Sbom.Api.Manifest.ManifestConfigHandlers;
using Microsoft.Sbom.Api.Metadata;
using Microsoft.Sbom.Api.Providers;
using Microsoft.Sbom.Api.Providers.ExternalDocumentReferenceProviders;
using Microsoft.Sbom.Api.Providers.FilesProviders;
using Microsoft.Sbom.Api.Providers.PackagesProviders;
using Microsoft.Sbom.Contracts;
using Microsoft.Sbom.Contracts.Entities;
using Microsoft.Sbom.Contracts.Interfaces;
using Microsoft.Sbom.Extensions;
using Microsoft.Sbom.Extensions.DependencyInjection;
using Microsoft.Sbom.Parsers.Spdx22SbomParser;

/// <summary>
/// MSBuild task for generating SBOMs from build output.
/// </summary>
public partial class GenerateSbom : Task
{
private ISBOMGenerator Generator { get; set; }

/// <summary>
/// Constructor for the GenerateSbomTask.
/// </summary>
public GenerateSbom()
{
var host = Host.CreateDefaultBuilder()
.ConfigureServices((host, services) =>
services
.AddSbomTool()
/* Manually adding some dependencies since `AddSbomTool()` does not add them when
* running the MSBuild Task from another project.
*/
.AddSingleton<ISourcesProvider, SBOMPackagesProvider>()
.AddSingleton<ISourcesProvider, CGExternalDocumentReferenceProvider>()
.AddSingleton<ISourcesProvider, DirectoryTraversingFileToJsonProvider>()
.AddSingleton<ISourcesProvider, ExternalDocumentReferenceFileProvider>()
.AddSingleton<ISourcesProvider, ExternalDocumentReferenceProvider>()
.AddSingleton<ISourcesProvider, FileListBasedFileToJsonProvider>()
.AddSingleton<ISourcesProvider, SbomFileBasedFileToJsonProvider>()
.AddSingleton<ISourcesProvider, CGScannedExternalDocumentReferenceFileProvider>()
.AddSingleton<ISourcesProvider, CGScannedPackagesProvider>()
.AddSingleton<IAlgorithmNames, AlgorithmNames>()
.AddSingleton<IManifestGenerator, Generator>()
.AddSingleton<IMetadataProvider, LocalMetadataProvider>()
.AddSingleton<IMetadataProvider, SBOMApiMetadataProvider>()
.AddSingleton<IManifestInterface, Validator>()
.AddSingleton<IManifestConfigHandler, SPDX22ManifestConfigHandler>())
.Build();
this.Generator = host.Services.GetRequiredService<ISBOMGenerator>();
}

/// <inheritdoc/>
public override bool Execute()
{
try
{
// Validate required args and args that take paths as input.
if (!ValidateAndSanitizeRequiredParams() || !ValidateAndSanitizeNamespaceUriUniquePart())
{
return false;
}

// Set other configurations. The GenerateSBOMAsync() already sanitizes and checks for
// a valid namespace URI and generates a random guid for NamespaceUriUniquePart if
// one is not provided.
var sbomMetadata = new SBOMMetadata
{
PackageSupplier = this.PackageSupplier,
PackageName = this.PackageName,
PackageVersion = this.PackageVersion,
};
var runtimeConfiguration = new RuntimeConfiguration
{
NamespaceUriBase = this.NamespaceBaseUri,
NamespaceUriUniquePart = this.NamespaceUriUniquePart,
DeleteManifestDirectoryIfPresent = this.DeleteManifestDirIfPresent,
Verbosity = ValidateAndAssignVerbosity(),
};
#pragma warning disable VSTHRD002 // Avoid problematic synchronous waits
var result = System.Threading.Tasks.Task.Run(() => this.Generator.GenerateSbomAsync(
rootPath: this.BuildDropPath,
manifestDirPath: this.ManifestDirPath,
metadata: sbomMetadata,
componentPath: this.BuildComponentPath,
runtimeConfiguration: runtimeConfiguration,
specifications: ValidateAndAssignSpecifications(),
externalDocumentReferenceListFile: this.ExternalDocumentListFile)).GetAwaiter().GetResult();
#pragma warning restore VSTHRD002 // Avoid problematic synchronous waits

return result.IsSuccessful;
}
catch (Exception e)
{
Log.LogError($"SBOM generation failed: {e.Message}");
return false;
}
}

/// <summary>
/// Check for ManifestInfo and create an SbomSpecification accordingly.
/// </summary>
/// <returns>A list of the parsed manifest info. Null if the manifest info is null or empty.</returns>
private IList<SbomSpecification> ValidateAndAssignSpecifications()
{
if (!string.IsNullOrWhiteSpace(this.ManifestInfo))
{
return [SbomSpecification.Parse(this.ManifestInfo)];
}

return null;
}
}
Loading

0 comments on commit 08ba73d

Please sign in to comment.