Add a SBOM Generation Task #674

Merged
merged 43 commits into from
Sep 9, 2024

Conversation

gustavoaca1997
Contributor

@gustavoaca1997 gustavoaca1997 commented Aug 16, 2024

SBOM Generation for .NET Projects

Microsoft.Sbom.Targets

This project implements a custom MSBuild task that generates an SBOM using the SBOM API and CLI tool. The MSBuild task binaries along with the associated targets are packaged as a NuGet package and can be consumed within a .NET project. Once installed, an SBOM will automatically be generated upon building the .NET project.

MSBuild Task Implementation

The custom MSBuild task is implemented across the following partial classes:

  • GenerateSbom.cs
  • GenerateSbomTask.cs
  • SbomCLIToolTask.cs
  • SbomInputValidator.cs

Due to differences in MSBuild versions between Visual Studio and the .NET Core CLI tool, the SBOM generation logic needed to be split into two parts:

  1. GenerateSbomTask.cs is invoked if the MSBuild version targets the "Core" (.NET Core) runtime bundled with the .NET Core CLI tool. This class utilizes the SBOM API to generate an SBOM.

  2. SbomCLIToolTask.cs is invoked if the MSBuild version targets the "Full" (.NET Framework) runtime bundled with Visual Studio. Because the SBOM API does not support .NET Framework, this class utilizes the SBOM CLI Tool to generate an SBOM.

Finally, the Microsoft.Sbom.Targets.targets file creates a target that will execute the custom MSBuild task. This file will be automatically imported when consuming the NuGet package.

SBOM Generation Properties

The custom MSBuild task accepts most of the arguments available for the SBOM CLI Tool. After the .targets file is imported into a .NET project, the following properties can be set:

| Property | Default Value | Required |
|---|---|---|
| `<GenerateSBOM>` | false | No. To enable SBOM generation, set this to true. |
| `<SbomGenerationBuildComponentPath>` | $(MSBuildProjectDirectory) | No |
| `<SbomGenerationPackageSupplier>` | $(Authors). If $(Authors) is null, it will set $(AssemblyName) | Yes |
| `<SbomGenerationPackageName>` | $(PackageId). If $(PackageId) is null, it will set $(AssemblyName) | Yes |
| `<SbomGenerationPackageVersion>` | $(Version). If $(Version) is null, it will set "1.0.0" | Yes |
| `<SbomGenerationNamespaceBaseUri>` | http://spdx.org/spdxdocs/$(SbomGenerationPackageName) | Yes |
| `<SbomGenerationNamespaceUriUniquePart>` | N/A | No |
| `<SbomGenerationExternalDocumentReferenceListFile>` | N/A | No |
| `<SbomGenerationFetchLicenseInformation>` | false | No |
| `<SbomGenerationEnablePackageMetadataParsing>` | false | No |
| `<SbomGenerationVerbosity>` | Information | No |
| `<SbomGenerationManifestInfo>` | SPDX:2.2 | No |
| `<SbomGenerationDeleteManifestDirIfPresent>` | true | No |

Local SBOM Generation Workflow

After building the Microsoft.Sbom.Targets project, it will generate a NuGet package containing the MSBuild task's binaries and associated .targets file in the bin\$(Configuration) folder. The following steps describe how to consume this NuGet package and generate an SBOM:

  1. Create a sample .NET project.
  2. Open the project's NuGet package manager.
  3. Add the path to the Microsoft.Sbom.Targets NuGet package as a package source. You can name it "Local".
  4. Look for the Microsoft.Sbom.Targets package within the package manager and install it.
  5. Add the following to your sample project's .csproj file:

```xml
<PropertyGroup>
  <GenerateSBOM>true</GenerateSBOM>
</PropertyGroup>
```

  6. Build the sample project.
  7. Pack the sample project. The SBOM will be generated under the _manifest folder at the root of the NuGet package.
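As an added check after step 7 (example code, not part of this PR or of the sbom-tool project): a Python script that opens the packed .nupkg, reads the package id and version from its .nuspec, and confirms that an embedded SPDX 2.2 document is present and describes the same package and default namespace base URI. The manifest path `_manifest/spdx_2.2/manifest.spdx.json`, the `SPDXRef-RootPackage` id and the sample package contents are assumptions; the .nupkg is constructed in memory so the check runs offline.

```python
import io
import json
import xml.etree.ElementTree as ET
import zipfile

MANIFEST_PATH = "_manifest/spdx_2.2/manifest.spdx.json"  # assumed; PR only says "_manifest at the root"
ROOT_ID = "SPDXRef-RootPackage"  # assumed SPDXID of the package the SBOM describes
NUSPEC_NS = "http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd"

def build_sample_nupkg(pkg_id="SampleApp", version="1.2.3", sbom_version=None, with_sbom=True):
    """Constructed stand-in for `dotnet pack` output with GenerateSBOM=true (a .nupkg is a zip)."""
    sbom_version = sbom_version or version
    nuspec = (f'<package xmlns="{NUSPEC_NS}"><metadata><id>{pkg_id}</id>'
              f"<version>{version}</version><authors>Contoso</authors></metadata></package>")
    sbom = {"spdxVersion": "SPDX-2.2", "name": f"{pkg_id} {sbom_version}",
            "documentNamespace": f"http://spdx.org/spdxdocs/{pkg_id}/{sbom_version}/example-guid",
            "packages": [{"SPDXID": ROOT_ID, "name": pkg_id, "versionInfo": sbom_version,
                          "supplier": "Organization: Contoso"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{pkg_id}.nuspec", nuspec)
        if with_sbom:
            zf.writestr(MANIFEST_PATH, json.dumps(sbom))
    return buf.getvalue()

def nuspec_id_version(nuspec_xml: str) -> tuple[str, str]:
    """Read <id> and <version> from a nuspec, ignoring the XML namespace."""
    tags = {el.tag.split("}")[-1]: (el.text or "").strip() for el in ET.fromstring(nuspec_xml).iter()}
    return tags["id"], tags["version"]

def check_embedded_sbom(nupkg_bytes: bytes) -> list[str]:
    """Return the problems found; an empty list means the SBOM is present and agrees with the nuspec."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        names = zf.namelist()
        nuspec_name = next((n for n in names if n.endswith(".nuspec") and "/" not in n), None)
        if nuspec_name is None:
            return ["no .nuspec at the package root"]
        pkg_id, pkg_ver = nuspec_id_version(zf.read(nuspec_name).decode())
        if MANIFEST_PATH not in names:
            return [f"missing {MANIFEST_PATH}: was GenerateSBOM set to true before packing?"]
        sbom = json.loads(zf.read(MANIFEST_PATH))
    problems = []
    if sbom.get("spdxVersion") != "SPDX-2.2":  # SbomGenerationManifestInfo defaults to SPDX:2.2
        problems.append(f"unexpected spdxVersion {sbom.get('spdxVersion')!r}")
    root = next((p for p in sbom.get("packages", []) if p.get("SPDXID") == ROOT_ID), {})
    if (root.get("name"), root.get("versionInfo")) != (pkg_id, pkg_ver):
        problems.append(f"SBOM root package {root.get('name')} {root.get('versionInfo')} does not match nuspec {pkg_id} {pkg_ver}")
    if not sbom.get("documentNamespace", "").startswith(f"http://spdx.org/spdxdocs/{pkg_id}"):
        problems.append("documentNamespace does not use the default SbomGenerationNamespaceBaseUri")
    return problems
```

To run it against a real package, pass the bytes of the .nupkg produced by `dotnet pack` to `check_embedded_sbom` instead of the constructed sample.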

NOTE: Code Coverage is being reported as 0% for SBOMCLIToolTask. This class is being tested by the Windows tests that target .NET Framework, which are indeed running. There could be a bug in the code coverage report that is not reflecting these .NET Framework tests.

sfoslund and others added 27 commits March 22, 2024 10:20
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Start implementing Execute

* Make SBOM Targets test target .NET 8 only.

* Make the Component Path not required.

* Build the current project in test, and check that the manifest was generated.

* Add a few comments for TODOs.
* Validate arguments

* ignore case for enum conversion

* create method for manifestinfo

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Add more tests for GenerateSbomTask.Execute logic

* Add SBOM Validation to the Generate SBOM Task tests.

* Add a utility method that validates the SBOM being generated during tests

* Make more tests use the new utility validator method

* Pass sbom specification during tests

* Refactor GenerateSbomTask tests to be parametrized through the SBOM Specification

* Fix typo

* Add an abstract method for the Sbom Specification of the AbstractGenerateSbomTaskTests

* Address PR suggestions

* Made fields internal instead of private in AbstractGenerateSbomTaskTests
* add unit tests for GenerateSbomTask inputs

* remove console print

* Addressing feedback

* addressing feedback and adding more tests

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* add additional unit tests for valid cases

* address feedback and add few more cases

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* setting up imports

* Add reference to local Nuget package, for testing purposes

* rename targets and props, export them to the build folder

* Fix test project

* Fix Targets file to include props

* Manually adding the Sources Providers that support ProviderType.Packages

* Manually add the missing classes for SBOM generation

* Add MSBuild properties to our Props file (#8)

* Use MSBuild/.NET props for default values of the Generate SBOM task.

* Remove hardcoded path from the Targets

* Add default value to props file for SbomGenerationManifestDirPath

* Add final ManifestDirPath to SbomGenerationResult.

* Fix typo

* Change Summary comment for ManifestDirPath

* include sbom files in user's nuget packages (#11)

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>

* Make the task target .net 8 and .net 6 (#13)

* Remove unrooted checks (#14)

* Downgrade Microsoft.Extensions.Hosting back to 7.0.1

* Remove LocalNuget configuration

* Stop tracking nuspec file

* Remove unnecessary comments.

* Remove reference to Microsoft.Sbom.Targets Nuget

* Apply suggestions from the linter and PR comments.

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com>
* add users/gustavoca/net-sdk-sbom-tool branch to PR pipelines

* Fix Ubuntu tests for Targets project
* build(deps): bump actions/checkout from 4.1.1 to 4.1.6 (#574)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@b4ffde6...a5ac7e5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.24.3 to 3.25.8 (#591)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.25.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3796146...2e230e8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* create template tool task

* Make the tests successfully run

* Include the SBOM CLI Tool to the .NET Framework package folder.

* refactor code a little and address feedback

@microsoft-github-policy-service agree company="Microsoft"

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: gustavoaca1997 <gustavoaca1997@gmail.com>
* implement ToolTask

* addressing feedback

* addressing feedback pt. 2

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Bring changes from feature branch

* Make the Targets.Tests project also target .NET Framework

* Remove props file

* Implement tests for MSBuild Full version of the task

* Simplify how the CLI tool is called from the tests.

* Add test for file being in use.

* Test the output of the ToolTask.

* Change the name of AbstractGenerateSBomTaskInputTests to AbstractGenerateSbomTaskInputTests

* Include .NET Framework output in Sbom_Generation_Succeeds_For_Null_Verbosity

* Update src/Microsoft.Sbom.Targets/SbomCLIToolTask.cs

Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>

* Skip tests that are failing due to known issues

* Add debug messages for the test pipeline

* Fix .net core tests

* Target .NET Framework only on Windows

* Remove unnecessary comment.

* Update default Verbosity.

* Address comments.

* Change name of AbstractGenerateSbomTaskInputTests

* Address PR Comments

---------

Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>
* update nuget package format and surface errors

* simplify sbom output

* update targets to use SbomPath output var for ToolTask

* fix bad merge

* append manifest folder name for manifestdirpath

* add path.combine and property checks

* append platform version

* create ManifestDirPath if needed

* temporarily comment out

* remove manifestdirpath logic for now

* use path.combine and full path

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Adding readme

* add code quotes

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
…get Package (#656)

* Add buildMultiTargeting folder to the Nuget package

* Unzip and Zip again for including the SBOM into the Nuget package.

* Append GUID to the temporary unzipped folder.
* add base setup for tests

* updates to test

* cleanup

* Add more tests

* update package version

* cleanup

* mini fix for copying sample project

* add unloading step

* create separate project for E2E tests

* cleanup

* rearrange method

* cleanup

* check for platform

* try with locator

* disable analyzers for sample project

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
@gustavoaca1997 gustavoaca1997 force-pushed the feature/sbom-targets-task branch from aeed94c to d0929da August 16, 2024 02:41
@codecov-commenter

codecov-commenter commented Aug 16, 2024

Codecov Report

Attention: Patch coverage is 98.93617% with 2 lines in your changes missing coverage. Please review.

Project coverage is 69.66%. Comparing base (a029b40) to head (2faeea6).
Report is 76 commits behind head on main.

Files with missing lines Patch % Lines
src/Microsoft.Sbom.Targets/GenerateSbomTask.cs 96.96% 1 Missing and 1 partial ⚠️
Additional details and impacted files
```text
@@            Coverage Diff             @@
##             main     #674      +/-   ##
==========================================
+ Coverage   68.51%   69.66%   +1.14%     
==========================================
  Files         273      277       +4     
  Lines        8441     8629     +188     
  Branches      990     1004      +14     
==========================================
+ Hits         5783     6011     +228     
+ Misses       2144     2101      -43     
- Partials      514      517       +3     
```


* Remove GenerateSBOMTest project

* Remove N/A comment
@gustavoaca1997 gustavoaca1997 marked this pull request as ready for review August 16, 2024 22:46
@gustavoaca1997 gustavoaca1997 requested a review from a team as a code owner August 16, 2024 22:46
* Address feedback and remove SbomPath

* remove whitespace

* remove comment

---------

Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Pack each project separately

* Remove extra dotnet pack
* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.

* Remove extra changes in Directory.Packages.Props
@gustavoaca1997 gustavoaca1997 merged commit 08ba73d into main Sep 9, 2024
7 checks passed
@gustavoaca1997 gustavoaca1997 deleted the feature/sbom-targets-task branch September 9, 2024 18:13
```xml
<TargetFrameworks>net6.0;net8.0;net472</TargetFrameworks>
<RuntimeIdentifiers>win-x64;osx-x64;linux-x64</RuntimeIdentifiers>
<IsPublishable>true</IsPublishable>
<IsPackable>true</IsPackable>
```
