Add a SBOM Generation Task (#674)

* Experimenting with dotnet * Add comments * Make the Sbom.Targets project to build. * Add all arguments to GenerateSBOMTask (#1) Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Add call to the SBOM API from GenerateSbomTask#Execute (#2) * Start implementing Execute * Make SBOM Targets test target .NET 8 only. * Make the Component Path not required. * Build the current project in test, and check that the manifest was generated. * Ad a few comments for TODOs. * Validate and Sanitize Arguments (#3) * Validate arguments * ignore case for enum conversion * create method for manifestinfo --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Add tests for Generate SBOM Task (#4) * Add more tests for GenerateSbomTask.Execute logic * Add SBOM Validation to the Generate SBOM Task tests. * Add a utility method that validates the SBOM being generated during tests * Make more tests use the new utility validator method * Pass sbom specification during tests * Refactor GenerateSbomTask tests to be parametrized through the SBOM Specification * Fix typo * Add an abstract method for the Sbom Specification of the AbstractGenerateSbomTaskTests * Address PR suggestions * Made fields internal instead of private in AbstractGenerateSbomTaskTests * Add unit tests for GenerateSbomTask inputs (#6) * add unit tests for GenerateSbomTask inputs * remove console print * Addressing feedback * addressing feedback and adding more tests' --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Add additional unit tests for valid cases (#7) * add additional unit tests for valid cases * address feedback and add few more cases --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Merging Varshita's branch into our feature branch (#12) * setting up imports * Add reference to local Nuget package, for testing purposes * rename targets and props, export them to the build folder * Fix test project * Fix Targets file to include props * Manually adding the Sources Providers that support ProviderType.Packages * Manually add the missing classes for SBOM generation * Add MSBuild properties to our Props file (#8) * Use MSBuild/.NET props for default values of the Generate SBOM task. * Remove hardcoded path from the Targets * Add default value to props file for SbomGenerationManifestDirPath * Add final ManifestDirPath to SbomGenerationResult. * Fix typo * Change Summary comment for ManifestDirPath * include sbom files in user's nuget packages (#11) Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Make the task target .net 8 and .net 6 (#13) * Remove unrooted checks (#14) * Downgrade Microsoft.Extensions.Hosting back to 7.0.1 * Remove LocalNuget configuration * Stop tracking nuspec file * Remove unnecessary comments. * Remove reference to Microsoft.Sbom.Targets Nuget * Apply suggestions from the linter and PR comments. --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com> * Fix ubuntu tests (#16) * add users/gustavoca/net-sdk-sbom-tool branch to PR pipelines * Fix Ubuntu tests for Targets project * Update feature branch (#17) * build(deps): bump actions/checkout from 4.1.1 to 4.1.6 (#574) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@b4ffde6...a5ac7e5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github/codeql-action from 3.24.3 to 3.25.8 (#591) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.25.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3796146...2e230e8) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add missing header to AbstractGenerateSbomTaskTests (#598) * Create template tool task (#600) * create template tool task * Make the tests successfully run * Include the SBOM CLI Tool to the .NET Framework package folder. * refactor code a little and address feedback @microsoft-github-policy-service agree company="Microsoft" --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> Co-authored-by: gustavoaca1997 <gustavoaca1997@gmail.com> * Run the Github build also for feature branches. * Implement SBOM CLI ToolTask (#607) * implement ToolTask * addressing feedback * addressing feedback pt. 2 --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Update System.Text.Json * Stop importing the props twice when referencing the Nuget package (#612) * Add tests for the MSBuild Full version of the Generate SBOM task (#613) * Bring changes from feautre branch * Make the Targets.Tests project also target .NET Framework * Remove props file * Implement tests for MSBuild Full version of the task * Simplify how the CLI tool is called from the tests. * Add test for file being in use. * Test the output of the ToolTask. * Change the name of AbstractGenerateSBomTaskInputTests to AbstractGenerateSbomTaskInputTests * Include .NET Framework output in Sbom_Generation_Succeeds_For_Null_Verbosity * Update src/Microsoft.Sbom.Targets/SbomCLIToolTask.cs Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com> * Skip tests that are failing due to known issues * Add debug messages for the test pipeline * Fix .net core tests * Target .NET Framework only on Windows * Remove unnecessary comment. * Update default Verbosity. * Address comments. * Change name of AbstractGenerateSbomTaskInputTests * Address PR Comments --------- Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com> * Update NuGet Package Format and Surface Errors (#619) * update nuget package format and surface errors * simplify sbom output * update targets to use SbomPath output var for ToolTask * fix bad merge * append manifest folder name for manifestdirpath * add path.combine and property checks * append platform version * create ManifestDirPath if needed * temporarily comment out * remove manifestdirpath logic for now * use path.combine and full path --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Add README for Microsoft.Sbom.Targets project (#651) * Adding readme * add code quotes --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Workaround for generating a SBOM manifest at the root level of the Nuget Package (#656) * Add buildMultiTargeting folder to the Nuget package * Unzip and Zip again for including the SBOM into the Nuget package. * Append GUID to the temporary unzipped folder. * Use Path.Combine for Unzip and Nupkg paths (#663) * Add E2E tests for Microsoft.Sbom.Targets project (#658) * add base setup for tests * updates to test * cleanup * Add more tests * update package version * cleanup * mini fix for copying sample project * add unloading step * create separate project for E2E tests * cleanup * rearrange method * cleanup * check for platform * try with locator * disable analyzers for sample project --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Remove GenerateSBOMTest project (#673) * Remove GenerateSBOMTest project * Remove N/A comment * Add ContinueOnError=ErrorAndContinue to the ZipDirectory, GenerateSBOM and Unzip (#672) * User/gustavoca/update with main (#675) * Bump Component Detection version (#624) * Bump Component Detection version * Bump NuGet Config and Framework versions * Raise dependabot PR limit (#629) * build(deps): bump stefanzweifel/git-auto-commit-action (#552) Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](stefanzweifel/git-auto-commit-action@8756aa0...8621497) --- updated-dependencies: - dependency-name: stefanzweifel/git-auto-commit-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com> * build(deps): bump Microsoft.NET.Test.Sdk from 17.7.2 to 17.10.0 (#630) Bumps [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.7.2 to 17.10.0. - [Release notes](https://github.com/microsoft/vstest/releases) - [Changelog](https://github.com/microsoft/vstest/blob/main/docs/releases.md) - [Commits](microsoft/vstest@v17.7.2...v17.10.0) --- updated-dependencies: - dependency-name: Microsoft.NET.Test.Sdk dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump MSTest.TestAdapter from 3.1.1 to 3.5.0 (#644) Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0. - [Release notes](https://github.com/microsoft/testfx/releases) - [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md) - [Commits](microsoft/testfx@v3.1.1...v3.5.0) --- updated-dependencies: - dependency-name: MSTest.TestAdapter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Spectre.Console.Cli from 0.48.0 to 0.49.1 (#637) Bumps [Spectre.Console.Cli](https://github.com/spectreconsole/spectre.console) from 0.48.0 to 0.49.1. - [Release notes](https://github.com/spectreconsole/spectre.console/releases) - [Commits](spectreconsole/spectre.console@0.48.0...0.49.1) --- updated-dependencies: - dependency-name: Spectre.Console.Cli dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github/codeql-action from 3.25.12 to 3.25.15 (#625) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4fa2a79...afb54ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump MSTest.TestFramework from 3.1.1 to 3.5.0 (#642) Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0. - [Release notes](https://github.com/microsoft/testfx/releases) - [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md) - [Commits](microsoft/testfx@v3.1.1...v3.5.0) --- updated-dependencies: - dependency-name: MSTest.TestFramework dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Microsoft.VisualStudio.Threading.Analyzers (#638) Bumps [Microsoft.VisualStudio.Threading.Analyzers](https://github.com/microsoft/vs-threading) from 17.7.30 to 17.10.48. - [Release notes](https://github.com/microsoft/vs-threading/releases) - [Commits](microsoft/vs-threading@v17.7.30...v17.10.48) --- updated-dependencies: - dependency-name: Microsoft.VisualStudio.Threading.Analyzers dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump github/codeql-action from 3.25.15 to 3.26.0 (#654) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@afb54ba...eb055d7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump MSTest.TestAdapter from 3.5.0 to 3.5.1 (#653) Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1. - [Release notes](https://github.com/microsoft/testfx/releases) - [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md) - [Commits](microsoft/testfx@v3.5.0...v3.5.1) --- updated-dependencies: - dependency-name: MSTest.TestAdapter dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sarah Oslund <sfoslund@microsoft.com> * build(deps): bump MSTest.TestFramework from 3.5.0 to 3.5.1 (#652) Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1. - [Release notes](https://github.com/microsoft/testfx/releases) - [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md) - [Commits](microsoft/testfx@v3.5.0...v3.5.1) --- updated-dependencies: - dependency-name: MSTest.TestFramework dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sarah Oslund <sfoslund@microsoft.com> * build(deps): bump Moq from 4.17.2 to 4.20.70 (#640) Bumps [Moq](https://github.com/moq/moq) from 4.17.2 to 4.20.70. - [Release notes](https://github.com/moq/moq/releases) - [Changelog](https://github.com/devlooped/moq/blob/main/CHANGELOG.md) - [Commits](moq/moq.spikes@v4.17.2...v4.20.70) --- updated-dependencies: - dependency-name: Moq dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump coverlet.collector from 6.0.0 to 6.0.2 (#641) Bumps [coverlet.collector](https://github.com/coverlet-coverage/coverlet) from 6.0.0 to 6.0.2. - [Release notes](https://github.com/coverlet-coverage/coverlet/releases) - [Commits](coverlet-coverage/coverlet@v6.0.0...v6.0.2) --- updated-dependencies: - dependency-name: coverlet.collector dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump StyleCop.Analyzers (#636) Bumps [StyleCop.Analyzers](https://github.com/DotNetAnalyzers/StyleCopAnalyzers) from 1.2.0-beta.507 to 1.2.0-beta.556. - [Release notes](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/releases) - [Changelog](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/KnownChanges.md) - [Commits](DotNetAnalyzers/StyleCopAnalyzers@1.2.0-beta.507...1.2.0-beta.556) --- updated-dependencies: - dependency-name: StyleCop.Analyzers dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 (#645) Bumps [Microsoft.SourceLink.GitHub](https://github.com/dotnet/sourcelink) from 1.1.1 to 8.0.0. - [Release notes](https://github.com/dotnet/sourcelink/releases) - [Commits](dotnet/sourcelink@1.1.1...8.0.0) --- updated-dependencies: - dependency-name: Microsoft.SourceLink.GitHub dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump MinVer from 4.3.0 to 5.0.0 (#634) Bumps [MinVer](https://github.com/adamralph/minver) from 4.3.0 to 5.0.0. - [Changelog](https://github.com/adamralph/minver/blob/main/CHANGELOG.md) - [Commits](adamralph/minver@4.3.0...5.0.0) --- updated-dependencies: - dependency-name: MinVer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Microsoft.Extensions.Http, Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection (#649) Bumps [Microsoft.Extensions.Http](https://github.com/dotnet/runtime), [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection](https://github.com/dotnet/runtime). These dependencies needed to be updated together. Updates `Microsoft.Extensions.Http` from 7.0.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v7.0.0...v8.0.0) Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v7.0.1...v8.0.0) Updates `Microsoft.Extensions.DependencyInjection` from 7.0.0 to 8.0.0 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v7.0.0...v8.0.0) --- updated-dependencies: - dependency-name: Microsoft.Extensions.Http dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.Logging.Abstractions dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.DependencyInjection dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection.Abstractions (#650) Bumps [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection.Abstractions](https://github.com/dotnet/runtime). These dependencies needed to be updated together. Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.1 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v7.0.1...v8.0.1) Updates `Microsoft.Extensions.DependencyInjection.Abstractions` from 8.0.0 to 8.0.1 - [Release notes](https://github.com/dotnet/runtime/releases) - [Commits](dotnet/runtime@v8.0.0...v8.0.1) --- updated-dependencies: - dependency-name: Microsoft.Extensions.Logging.Abstractions dependency-type: direct:production update-type: version-update:semver-major - dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump Scrutor from 4.2.0 to 4.2.2 (#646) Bumps [Scrutor](https://github.com/khellang/Scrutor) from 4.2.0 to 4.2.2. - [Release notes](https://github.com/khellang/Scrutor/releases) - [Commits](khellang/Scrutor@v4.2.0...v4.2.2) --- updated-dependencies: - dependency-name: Scrutor dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix tests * Bump Microsoft.Extensions.Hosting --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: José Renan <joserenansl99@gmail.com> Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sarah Oslund <sfoslund@microsoft.com> * Update README * Address Feedback (#679) * Address feedback and remove SbomPath * remove whitespace * remove comment --------- Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * address more feedback (#682) Co-authored-by: vpatakottu <vpatakottu@microsoft.com> * Pack each project separately (#681) * Pack each project separately * Remove extra dotnet apck * Inspect the content of the Nuget package instead of extracting to disk during e2e tests. * User/gustavoca/dont extract e2e tests (#684) * Inspect the content of the Nuget package instead of extracting to disk during e2e tests. * Remove extra changes in Directory.Packages.Props * Remove instance of Newtonsoft.Json * Remove not needed Message * Revert "Remove instance of Newtonsoft.Json" This reverts commit 52329d4. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Sarah Oslund <sfoslund@microsoft.com> Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com> Co-authored-by: vpatakottu <vpatakottu@microsoft.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com> Co-authored-by: José Renan <joserenansl99@gmail.com>
microsoft · Sep 9, 2024 · 08ba73d · 08ba73d
1 parent a029b40
commit 08ba73d
Show file tree

Hide file tree

Showing 22 changed files with 2,171 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -189,6 +189,7 @@ PublishScripts/
 
 # NuGet Packages
 *.nupkg
+*.nuspec
 # NuGet Symbol Packages
 *.snupkg
 # The packages folder can be ignored because of Package Restore

diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -14,6 +14,11 @@
  <PackageVersion Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="8.1.1" />
  <PackageVersion Include="coverlet.collector" Version="6.0.2" />
  <PackageVersion Include="FluentAssertions" Version="6.12.0" />
+ <PackageVersion Include="Microsoft.Build" Version="17.3.2" />
+ <PackageVersion Include="Microsoft.Build.Framework" Version="17.10.4" />
+ <PackageVersion Include="Microsoft.Build.Locator" Version="1.7.8" />
+ <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.10.4" />
+ <PackageVersion Include="Microsoft.CSharp" Version="4.7.0" />
  <PackageVersion Include="MSTest.TestAdapter" Version="3.5.2" />
  <PackageVersion Include="MSTest.TestFramework" Version="3.5.2" />
  <PackageVersion Include="Microsoft.ComponentDetection.Common" Version="$(ComponentDetectionPackageVersion)" />
@@ -22,7 +27,7 @@
  <PackageVersion Include="Microsoft.ComponentDetection.Orchestrator" Version="$(ComponentDetectionPackageVersion)" />
  <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
  <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
- <PackageVersion Include="Microsoft.Extensions.Hosting" Version="7.0.1" />
+ <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
  <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
  <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
  <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
@@ -44,6 +49,7 @@
  <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
  <PackageVersion Include="Spectre.Console.Cli" Version="0.49.1" />
  <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
+ <PackageVersion Include="System.IO.Compression" Version="4.3.0" />
  <PackageVersion Include="System.IO.FileSystem.AccessControl" Version="5.0.0" />
  <PackageVersion Include="System.Linq.Async" Version="6.0.1" />
  <PackageVersion Include="System.Memory" Version="4.5.5" />

diff --git a/Microsoft.Sbom.sln b/Microsoft.Sbom.sln
@@ -49,8 +49,14 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.D
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.DependencyInjection.Tests", "test\Microsoft.Sbom.Extensions.DependencyInjection.Tests\Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj", "{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets", "src\Microsoft.Sbom.Targets\Microsoft.Sbom.Targets.csproj", "{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets.Tests", "test\Microsoft.Sbom.Targets.Tests\Microsoft.Sbom.Targets.Tests.csproj", "{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}"
+EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Tool.Tests", "test\Microsoft.Sbom.Tool.Tests\Microsoft.Sbom.Tool.Tests.csproj", "{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Sbom.Targets.E2E.Tests", "test\Microsoft.Sbom.Targets.E2E.Tests\Microsoft.Sbom.Targets.E2E.Tests.csproj", "{3FDE7800-F61F-4C45-93AB-648A4C7979C7}"
+EndProject
 Global
  GlobalSection(SolutionConfigurationPlatforms) = preSolution
  Debug|Any CPU = Debug|Any CPU
@@ -109,10 +115,22 @@ Global
  {EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Debug|Any CPU.Build.0 = Debug|Any CPU
  {EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.ActiveCfg = Release|Any CPU
  {EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.Build.0 = Release|Any CPU
+ {E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.Build.0 = Release|Any CPU
+ {E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.Build.0 = Release|Any CPU
  {FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
  {FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
  {FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
  {FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.Build.0 = Release|Any CPU
+ {3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.Build.0 = Release|Any CPU
  EndGlobalSection
  GlobalSection(SolutionProperties) = preSolution
  HideSolutionNode = FALSE

diff --git a/nuget.config b/nuget.config
@@ -1,7 +1,7 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
  <packageSources>
  <clear />
  <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
-</configuration>
+</configuration>
diff --git a/pipelines/sbom-tool-main-build.yaml b/pipelines/sbom-tool-main-build.yaml
@@ -105,7 +105,7 @@ extends:
  ]
  condition: and(succeeded(), startswith(variables['Build.SourceBranch'], 'refs/tags/'))
 
- - powershell: 'dotnet pack Microsoft.Sbom.sln -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg'
+ - powershell: 'Get-ChildItem -Recurse -Filter *.csproj -Path src | ForEach-Object { dotnet pack $_.FullName -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg }'
  displayName: 'Pack NuGet package'
 
  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3

diff --git a/src/Microsoft.Sbom.Targets/GenerateSbom.cs b/src/Microsoft.Sbom.Targets/GenerateSbom.cs
@@ -0,0 +1,102 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+namespace Microsoft.Sbom.Targets;
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.Tracing;
+using Microsoft.Build.Framework;
+
+/// <summary>
+/// This partial class defines and sanitizes the arguments that will be passed
+/// into the SBOM API and CLI tool for generation.
+/// </summary>
+public partial class GenerateSbom
+{
+ /// <summary>
+ /// Gets or sets the path to the drop directory for which the SBOM will be generated.
+ /// </summary>
+ [Required]
+ public string BuildDropPath { get; set; }
+
+ /// <summary>
+ /// Gets or sets the supplier of the package the SBOM represents.
+ /// </summary>
+ [Required]
+ public string PackageSupplier { get; set; }
+
+ /// <summary>
+ /// Gets or sets the name of the package the SBOM represents.
+ /// </summary>
+ [Required]
+ public string PackageName { get; set; }
+
+ /// <summary>
+ /// Gets or sets the version of the package the SBOM represents.
+ /// </summary>
+ [Required]
+ public string PackageVersion { get; set; }
+
+ /// <summary>
+ /// Gets or sets the base path of the SBOM namespace uri.
+ /// </summary>
+ [Required]
+ public string NamespaceBaseUri { get; set; }
+
+ /// <summary>
+ /// Gets or sets the path to the directory containing build components and package information.
+ /// For example, path to a .csproj or packages.config file.
+ /// </summary>
+ public string BuildComponentPath { get; set; }
+
+ /// <summary>
+ /// Gets or sets a unique URI part that will be appended to NamespaceBaseUri.
+ /// </summary>
+ public string NamespaceUriUniquePart { get; set; }
+
+ /// <summary>
+ /// Gets or sets the path to a file containing a list of external SBOMs that will be appended to the
+ /// SBOM that is being generated.
+ /// </summary>
+ public string ExternalDocumentListFile { get; set; }
+
+ /// <summary>
+ /// Indicates whether licensing information will be fetched for detected packages.
+ /// </summary>
+ public bool FetchLicenseInformation { get; set; }
+
+ /// <summary>
+ /// Indicates whether to parse licensing and supplier information from a packages metadata file.
+ /// </summary>
+ public bool EnablePackageMetadataParsing { get; set; }
+
+ /// <summary>
+ /// Gets or sets the verbosity level for logging output.
+ /// </summary>
+ public string Verbosity { get; set; }
+
+ /// <summary>
+ /// Gets or sets a list of names and versions of the manifest format being used.
+ /// </summary>
+ public string ManifestInfo { get; set; }
+
+ /// <summary>
+ /// Indicates whether the previously generated SBOM manifest directory should be deleted
+ /// before generating a new SBOM in the directory specified by ManifestDirPath.
+ /// Defaults to true.
+ /// </summary>
+ public bool DeleteManifestDirIfPresent { get; set; } = true;
+
+ /// <summary>
+ /// Gets or sets the path where the SBOM will be generated. For now, this property
+ /// will be unset as the _manifest directory is intended to be at the root of a NuGet package
+ /// specified by BuildDropPath.
+ /// </summary>
+ public string ManifestDirPath { get; set; }
+
+ /// <summary>
+ /// Gets or sets the path to the SBOM CLI tool
+ /// </summary>
+ public string SbomToolPath { get; set; }
+}
diff --git a/src/Microsoft.Sbom.Targets/GenerateSbomTask.cs b/src/Microsoft.Sbom.Targets/GenerateSbomTask.cs
@@ -0,0 +1,125 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+namespace Microsoft.Sbom.Targets;
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.Tracing;
+using System.IO;
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Sbom.Api.Manifest.ManifestConfigHandlers;
+using Microsoft.Sbom.Api.Metadata;
+using Microsoft.Sbom.Api.Providers;
+using Microsoft.Sbom.Api.Providers.ExternalDocumentReferenceProviders;
+using Microsoft.Sbom.Api.Providers.FilesProviders;
+using Microsoft.Sbom.Api.Providers.PackagesProviders;
+using Microsoft.Sbom.Contracts;
+using Microsoft.Sbom.Contracts.Entities;
+using Microsoft.Sbom.Contracts.Interfaces;
+using Microsoft.Sbom.Extensions;
+using Microsoft.Sbom.Extensions.DependencyInjection;
+using Microsoft.Sbom.Parsers.Spdx22SbomParser;
+
+/// <summary>
+/// MSBuild task for generating SBOMs from build output.
+/// </summary>
+public partial class GenerateSbom : Task
+{
+ private ISBOMGenerator Generator { get; set; }
+
+ /// <summary>
+ /// Constructor for the GenerateSbomTask.
+ /// </summary>
+ public GenerateSbom()
+ {
+ var host = Host.CreateDefaultBuilder()
+ .ConfigureServices((host, services) =>
+ services
+ .AddSbomTool()
+ /* Manually adding some dependencies since `AddSbomTool()` does not add them when
+ * running the MSBuild Task from another project.
+ */
+ .AddSingleton<ISourcesProvider, SBOMPackagesProvider>()
+ .AddSingleton<ISourcesProvider, CGExternalDocumentReferenceProvider>()
+ .AddSingleton<ISourcesProvider, DirectoryTraversingFileToJsonProvider>()
+ .AddSingleton<ISourcesProvider, ExternalDocumentReferenceFileProvider>()
+ .AddSingleton<ISourcesProvider, ExternalDocumentReferenceProvider>()
+ .AddSingleton<ISourcesProvider, FileListBasedFileToJsonProvider>()
+ .AddSingleton<ISourcesProvider, SbomFileBasedFileToJsonProvider>()
+ .AddSingleton<ISourcesProvider, CGScannedExternalDocumentReferenceFileProvider>()
+ .AddSingleton<ISourcesProvider, CGScannedPackagesProvider>()
+ .AddSingleton<IAlgorithmNames, AlgorithmNames>()
+ .AddSingleton<IManifestGenerator, Generator>()
+ .AddSingleton<IMetadataProvider, LocalMetadataProvider>()
+ .AddSingleton<IMetadataProvider, SBOMApiMetadataProvider>()
+ .AddSingleton<IManifestInterface, Validator>()
+ .AddSingleton<IManifestConfigHandler, SPDX22ManifestConfigHandler>())
+ .Build();
+ this.Generator = host.Services.GetRequiredService<ISBOMGenerator>();
+ }
+
+ /// <inheritdoc/>
+ public override bool Execute()
+ {
+ try
+ {
+ // Validate required args and args that take paths as input.
+ if (!ValidateAndSanitizeRequiredParams() || !ValidateAndSanitizeNamespaceUriUniquePart())
+ {
+ return false;
+ }
+
+ // Set other configurations. The GenerateSBOMAsync() already sanitizes and checks for
+ // a valid namespace URI and generates a random guid for NamespaceUriUniquePart if
+ // one is not provided.
+ var sbomMetadata = new SBOMMetadata
+ {
+ PackageSupplier = this.PackageSupplier,
+ PackageName = this.PackageName,
+ PackageVersion = this.PackageVersion,
+ };
+ var runtimeConfiguration = new RuntimeConfiguration
+ {
+ NamespaceUriBase = this.NamespaceBaseUri,
+ NamespaceUriUniquePart = this.NamespaceUriUniquePart,
+ DeleteManifestDirectoryIfPresent = this.DeleteManifestDirIfPresent,
+ Verbosity = ValidateAndAssignVerbosity(),
+ };
+#pragma warning disable VSTHRD002 // Avoid problematic synchronous waits
+ var result = System.Threading.Tasks.Task.Run(() => this.Generator.GenerateSbomAsync(
+ rootPath: this.BuildDropPath,
+ manifestDirPath: this.ManifestDirPath,
+ metadata: sbomMetadata,
+ componentPath: this.BuildComponentPath,
+ runtimeConfiguration: runtimeConfiguration,
+ specifications: ValidateAndAssignSpecifications(),
+ externalDocumentReferenceListFile: this.ExternalDocumentListFile)).GetAwaiter().GetResult();
+#pragma warning restore VSTHRD002 // Avoid problematic synchronous waits
+
+ return result.IsSuccessful;
+ }
+ catch (Exception e)
+ {
+ Log.LogError($"SBOM generation failed: {e.Message}");
+ return false;
+ }
+ }
+
+ /// <summary>
+ /// Check for ManifestInfo and create an SbomSpecification accordingly.
+ /// </summary>
+ /// <returns>A list of the parsed manifest info. Null if the manifest info is null or empty.</returns>
+ private IList<SbomSpecification> ValidateAndAssignSpecifications()
+ {
+ if (!string.IsNullOrWhiteSpace(this.ManifestInfo))
+ {
+ return [SbomSpecification.Parse(this.ManifestInfo)];
+ }
+
+ return null;
+ }
+}