Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add README for Microsoft.Sbom.Targets project #651

Merged
merged 2 commits into from
Aug 3, 2024
Merged

Add README for Microsoft.Sbom.Targets project #651

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a0758fc
Adding readme
Aug 2, 2024
bccc6aa
add code quotes
Aug 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions src/Microsoft.Sbom.Targets/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
# SBOM Generation for .NET Projects
## Microsoft.Sbom.Targets
This project implements a custom MSBuild task that generates an SBOM using the SBOM API and CLI tool. The MSBuild task binaries along with the associated targets are packaged as a NuGet package and can be consumed within a .NET project. Once installed, an SBOM will automatically be generated upon building the .NET project.

## MSBuild Task Implementation
The custom MSBuild task is implemented across the following partial classes:
- `GenerateSbom.cs`
- `GenerateSbomTask.cs`
- `SbomCLIToolTask.cs`
- `SbomInputValidator.cs`

Due to differences in [MSBuild versions](https://learn.microsoft.com/en-us/visualstudio/msbuild/tutorial-custom-task-code-generation?view=vs-2022#create-the-appsettingstronglytyped-project) between Visual Studio and the .Net Core CLI tool, the SBOM generation logic needed to be split into two parts:

1) `GenerateSbomTask.cs` is invoked if the MSBuild version targets the "Core" (.NET Core) runtime bundled with the .NET Core CLI tool. This class utilizes the SBOM API to generate an SBOM.

2) `SbomCLIToolTask.cs` is invoked if the MSBuild version targets the "Full" (.NET Framework) runtime bundled with Visual Studio. Because the SBOM API does not support .NET Framework, this class utilizes the SBOM CLI Tool to generate an SBOM.

Finally, the `Microsoft.Sbom.Targets.targets` file creates a target that will execute the custom MSBuild task. This file will be automatically imported when consuming the NuGet package.

## SBOM Generation Properties
The custom MSBuild task accepts most of the arguments available for the [SBOM CLI Tool](../../docs/sbom-tool-arguments.md). After the .targets file is imported into a .NET project, the following properties can be set:

| Property | Default Value | Required |
|-----------------------------------------------------|-------------|---------|
| `<GenerateSBOM>` | `false` | No. To enable SBOM generation, set this to true. |
| `<SbomGenerationBuildDropPath>` | `$(OutDir)` | Yes |
| `<SbomGenerationBuildComponentPath>` | `$(MSBuildProjectDirectory)` | No |
| `<SbomGenerationPackageSupplier>` | `$(Authors)`. If `$(Authors)` is null, it will set `$(AssemblyName)` | Yes |
| `<SbomGenerationPackageName>` | `$(PackageId)`. If `$(PackageId)` is null, it will set `$(AssemblyName)` | Yes |
| `<SbomGenerationPackageVersion>` | `$(Version)`. If `$(Version)` is null, it will set "1.0.0" | Yes |
| `<SbomGenerationNamespaceBaseUri>` | `http://spdx.org/spdxdocs/$(SbomGenerationPackageName)` | Yes |
| `<SbomGenerationNamespaceUriUniquePart>` | N/A | No |
| `<SbomGenerationExternalDocumentReferenceListFile>` | N/A | No |
| `<SbomGenerationFetchLicenseInformation>` | `false` | No |
| `<SbomGenerationEnablePackageMetadataParsing>` | `false` | No |
| `<SbomGenerationVerbosity>` | `Information` | No |
| `<SbomGenerationManifestInfo>` | `SPDX:2.2` | No |
| `<SbomGenerationDeleteManifestDirIfPresent>` | `true` | No |
| `<SbomGenerationManifestDirPath>` | N/A | No |

## Local SBOM Generation Workflow
After building the Microsoft.Sbom.Targets project, it will generate a NuGet package containing the MSBuild task's binaries and associated .targets file in the `bin\$(Configuration)` folder. The following steps describe how to consume this NuGet package and generate an SBOM:

1) Create a sample .NET project.
2) Open the project's NuGet package manager.
3) Add the path to the Microsoft.Sbom.Targets NuGet package as a package source. You can name it "Local".
4) Look for the Microsoft.Sbom.Targets package within the package manager and install it.
5) Add the following to your sample project's .csproj file:
```
<PropertyGroup>
<GenerateSBOM>true</GenerateSBOM>
</PropertyGroup>
```
6) Build the sample project. An SBOM should be generated under the `bin\$(Configuration)\$(TargetFramework)` folder.
7) Pack the sample project. The generated SBOM will be copied into the `$(BuildOutputTargetFolder)\$(TargetFramework)` folder.