Add a SBOM Generation Task #674
Merged
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Start implementing Execute
* Make SBOM Targets test target .NET 8 only.
* Make the Component Path not required.
* Build the current project in test, and check that the manifest was generated.
* Add a few comments for TODOs.
* Validate arguments
* ignore case for enum conversion
* create method for manifestinfo
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Add more tests for GenerateSbomTask.Execute logic
* Add SBOM Validation to the Generate SBOM Task tests.
* Add a utility method that validates the SBOM being generated during tests
* Make more tests use the new utility validator method
* Pass sbom specification during tests
* Refactor GenerateSbomTask tests to be parametrized through the SBOM Specification
* Fix typo
* Add an abstract method for the Sbom Specification of the AbstractGenerateSbomTaskTests
* Address PR suggestions
* Made fields internal instead of private in AbstractGenerateSbomTaskTests
* add unit tests for GenerateSbomTask inputs
* remove console print
* Addressing feedback
* addressing feedback and adding more tests
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* add additional unit tests for valid cases
* address feedback and add few more cases
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* setting up imports
* Add reference to local Nuget package, for testing purposes
* rename targets and props, export them to the build folder
* Fix test project
* Fix Targets file to include props
* Manually adding the Sources Providers that support ProviderType.Packages
* Manually add the missing classes for SBOM generation
* Add MSBuild properties to our Props file (#8)
* Use MSBuild/.NET props for default values of the Generate SBOM task.
* Remove hardcoded path from the Targets
* Add default value to props file for SbomGenerationManifestDirPath
* Add final ManifestDirPath to SbomGenerationResult.
* Fix typo
* Change Summary comment for ManifestDirPath
* include sbom files in user's nuget packages (#11)
  Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Make the task target .net 8 and .net 6 (#13)
* Remove unrooted checks (#14)
* Downgrade Microsoft.Extensions.Hosting back to 7.0.1
* Remove LocalNuget configuration
* Stop tracking nuspec file
* Remove unnecessary comments.
* Remove reference to Microsoft.Sbom.Targets Nuget
* Apply suggestions from the linter and PR comments.
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: vpatakottu <47004464+vpatakottu@users.noreply.github.com>
* add users/gustavoca/net-sdk-sbom-tool branch to PR pipelines
* Fix Ubuntu tests for Targets project
* build(deps): bump actions/checkout from 4.1.1 to 4.1.6 (#574)
  Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.6.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](actions/checkout@b4ffde6...a5ac7e5)
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* build(deps): bump github/codeql-action from 3.24.3 to 3.25.8 (#591)
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.25.8.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](github/codeql-action@3796146...2e230e8)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* create template tool task
* Make the tests successfully run
* Include the SBOM CLI Tool to the .NET Framework package folder.
* refactor code a little and address feedback
  @microsoft-github-policy-service agree company="Microsoft"
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: gustavoaca1997 <gustavoaca1997@gmail.com>
* implement ToolTask
* addressing feedback
* addressing feedback pt. 2
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Bring changes from feature branch
* Make the Targets.Tests project also target .NET Framework
* Remove props file
* Implement tests for MSBuild Full version of the task
* Simplify how the CLI tool is called from the tests.
* Add test for file being in use.
* Test the output of the ToolTask.
* Change the name of AbstractGenerateSBomTaskInputTests to AbstractGenerateSbomTaskInputTests
* Include .NET Framework output in Sbom_Generation_Succeeds_For_Null_Verbosity
* Update src/Microsoft.Sbom.Targets/SbomCLIToolTask.cs
  Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>
* Skip tests that are failing due to known issues
* Add debug messages for the test pipeline
* Fix .net core tests
* Target .NET Framework only on Windows
* Remove unnecessary comment.
* Update default Verbosity.
* Address comments.
* Change name of AbstractGenerateSbomTaskInputTests
* Address PR Comments
---------
Co-authored-by: Dave Tryon <45672944+DaveTryon@users.noreply.github.com>
* update nuget package format and surface errors
* simplify sbom output
* update targets to use SbomPath output var for ToolTask
* fix bad merge
* append manifest folder name for manifestdirpath
* add path.combine and property checks
* append platform version
* create ManifestDirPath if needed
* temporarily comment out
* remove manifestdirpath logic for now
* use path.combine and full path
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
* Adding readme
* add code quotes
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
…get Package (#656)
* Add buildMultiTargeting folder to the Nuget package
* Unzip and Zip again for including the SBOM into the Nuget package.
* Append GUID to the temporary unzipped folder.
* add base setup for tests
* updates to test
* cleanup
* Add more tests
* update package version
* cleanup
* mini fix for copying sample project
* add unloading step
* create separate project for E2E tests
* cleanup
* rearrange method
* cleanup
* check for platform
* try with locator
* disable analyzers for sample project
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
gustavoaca1997 force-pushed the feature/sbom-targets-task branch from aeed94c to d0929da on August 16, 2024 02:41
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@            Coverage Diff             @@
##             main     #674      +/-   ##
==========================================
+ Coverage   68.51%   69.66%   +1.14%
==========================================
  Files         273      277       +4
  Lines        8441     8629     +188
  Branches      990     1004      +14
==========================================
+ Hits         5783     6011     +228
+ Misses       2144     2101      -43
- Partials      514      517       +3
* Remove GenerateSBOMTest project
* Remove N/A comment
zivkan reviewed Aug 16, 2024
nschwerzler approved these changes Aug 17, 2024
sfoslund reviewed Aug 19, 2024
test/Microsoft.Sbom.Targets.Tests/AbstractGenerateSbomTaskTests.cs
* Address feedback and remove SbomPath
* remove whitespace
* remove comment
---------
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
Co-authored-by: vpatakottu <vpatakottu@microsoft.com>
zivkan reviewed Aug 23, 2024
zivkan reviewed Aug 23, 2024
* Pack each project separately
* Remove extra dotnet pack
…k during e2e tests.
…oft/sbom-tool into feature/sbom-targets-task
* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.
* Remove extra changes in Directory.Packages.Props
sfoslund approved these changes Sep 6, 2024
<TargetFrameworks>net6.0;net8.0;net472</TargetFrameworks> | ||
<RuntimeIdentifiers>win-x64;osx-x64;linux-x64</RuntimeIdentifiers> | ||
<IsPublishable>true</IsPublishable> | ||
<IsPackable>true</IsPackable> |
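Review bot: net472 is listed unconditionally in `<TargetFrameworks>` next to net6.0 and net8.0, while a commit in this PR says .NET Framework is targeted only on Windows; if that restriction applies to this project as well, the framework list (or the net472 entry) should carry a `Condition="$([MSBuild]::IsOSPlatform('Windows'))"`, and if net472 is meant to build on Linux and macOS too, the README should say so, since consumers building the package on non-Windows agents will otherwise be surprised by the three `<RuntimeIdentifiers>` producing a net472 output they cannot run there.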
This was referenced Sep 19, 2024
SBOM Generation for .NET Projects
Microsoft.Sbom.Targets
This project implements a custom MSBuild task that generates an SBOM using the SBOM API and CLI tool. The MSBuild task binaries along with the associated targets are packaged as a NuGet package and can be consumed within a .NET project. Once installed, an SBOM will automatically be generated upon building the .NET project.
MSBuild Task Implementation
The custom MSBuild task is implemented across the following partial classes:
GenerateSbom.cs
GenerateSbomTask.cs
SbomCLIToolTask.cs
SbomInputValidator.cs
Due to differences in MSBuild versions between Visual Studio and the .NET Core CLI tool, the SBOM generation logic needed to be split into two parts:
GenerateSbomTask.cs is invoked if the MSBuild version targets the "Core" (.NET Core) runtime bundled with the .NET Core CLI tool. This class utilizes the SBOM API to generate an SBOM.
SbomCLIToolTask.cs is invoked if the MSBuild version targets the "Full" (.NET Framework) runtime bundled with Visual Studio. Because the SBOM API does not support .NET Framework, this class utilizes the SBOM CLI Tool to generate an SBOM.
Finally, the Microsoft.Sbom.Targets.targets file creates a target that will execute the custom MSBuild task. This file will be automatically imported when consuming the NuGet package.
SBOM Generation Properties
The custom MSBuild task accepts most of the arguments available for the SBOM CLI Tool. After the .targets file is imported into a .NET project, the following properties can be set:
Property                                           Default value
<GenerateSBOM>                                     false
<SbomGenerationBuildComponentPath>                 $(MSBuildProjectDirectory)
<SbomGenerationPackageSupplier>                    $(Authors). If $(Authors) is null, it will set $(AssemblyName)
<SbomGenerationPackageName>                        $(PackageId). If $(PackageId) is null, it will set $(AssemblyName)
<SbomGenerationPackageVersion>                     $(Version). If $(Version) is null, it will set "1.0.0"
<SbomGenerationNamespaceBaseUri>                   http://spdx.org/spdxdocs/$(SbomGenerationPackageName)
<SbomGenerationNamespaceUriUniquePart>             (none)
<SbomGenerationExternalDocumentReferenceListFile>  (none)
<SbomGenerationFetchLicenseInformation>            false
<SbomGenerationEnablePackageMetadataParsing>       false
<SbomGenerationVerbosity>                          Information
<SbomGenerationManifestInfo>                       SPDX:2.2
<SbomGenerationDeleteManifestDirIfPresent>         true
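One post-build check a consumer of this package can run over the generated SBOM, as an added example that is not part of the sbom-tool project: it assumes the task writes manifest.spdx.json with a .sha256 sidecar holding the hex digest of the file, and that the root package carries the resolved SbomGenerationPackageName, SbomGenerationPackageVersion and SbomGenerationPackageSupplier values. The SPDX field names follow SPDX 2.2 JSON; the sample manifest and its values are constructed for the example.

```python
"""Verify that the SPDX 2.2 manifest emitted by the build matches the MSBuild inputs.

Assumption: the .sha256 sidecar beside manifest.spdx.json contains the hex digest
of the manifest bytes (constructed here, not read from a real build).
"""
import hashlib
import json

# Constructed sample: what a build with PackageId=Contoso.Widgets, Version=2.1.0
# and Authors=Contoso might place in _manifest/spdx_2.2/manifest.spdx.json.
SAMPLE_MANIFEST = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "Contoso.Widgets 2.1.0",
    "documentNamespace": "http://spdx.org/spdxdocs/Contoso.Widgets/2.1.0/0f3a-unique",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [{
        "SPDXID": "SPDXRef-RootPackage",
        "name": "Contoso.Widgets",
        "versionInfo": "2.1.0",
        "supplier": "Organization: Contoso",
    }],
}).encode()
SAMPLE_SIDECAR = hashlib.sha256(SAMPLE_MANIFEST).hexdigest()  # constructed sidecar text


def check_sbom(manifest_bytes, sidecar_text, package_name, package_version, supplier,
               namespace_base="http://spdx.org/spdxdocs/"):
    """Return a list of findings; an empty list means the SBOM matches the build inputs."""
    findings = []
    # Integrity first: only trust manifest content whose hash the sidecar vouches for.
    if hashlib.sha256(manifest_bytes).hexdigest() != sidecar_text.strip().lower():
        findings.append("sha256 sidecar does not match manifest.spdx.json")
    doc = json.loads(manifest_bytes)
    if doc.get("spdxVersion") != "SPDX-2.2":  # default SbomGenerationManifestInfo is SPDX:2.2
        findings.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    # Default SbomGenerationNamespaceBaseUri is the base URI followed by the package name.
    if not doc.get("documentNamespace", "").startswith(namespace_base + package_name):
        findings.append("documentNamespace does not start with base URI + package name")
    described = set(doc.get("documentDescribes", []))
    roots = [p for p in doc.get("packages", []) if p.get("SPDXID") in described]
    if len(roots) != 1:
        findings.append(f"expected exactly one root package, found {len(roots)}")
        return findings
    root = roots[0]
    for field, expected in (("name", package_name), ("versionInfo", package_version),
                            ("supplier", f"Organization: {supplier}")):
        if root.get(field) != expected:
            findings.append(f"root package {field} is {root.get(field)!r}, expected {expected!r}")
    return findings
```

Run it against the real _manifest output by reading the manifest bytes and the sidecar text from disk and passing the same values the project resolved for its package name, version and supplier.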
Local SBOM Generation Workflow
After building the Microsoft.Sbom.Targets project, it will generate a NuGet package containing the MSBuild task's binaries and associated .targets file in the bin\$(Configuration) folder. The following steps describe how to consume this NuGet package and generate an SBOM:
_manifest folder at the root of the NuGet package.

NOTE: Code coverage is being reported as 0% for SBOMCLIToolTask. This class is being tested by the Windows tests that target .NET Framework, which are indeed running. There could be a bug in the code coverage report that is not reflecting these .NET Framework tests.