[Epic] Support SBOMs for NuGet packages #12497
Labels: Epic, Functionality:Pack, Functionality:Restore, Partner:DotNet, Partner:MSBuild, Partner:1ES, Priority:2 (issues for the current backlog), Product:dotnet.exe, Product:NuGet.exe, Type:Feature
Comments
17 tasks
Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?

@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.

With this being removed from the 6.8 milestone:

Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.
This was referenced Jan 9, 2024

toddbaert pushed a commit to open-feature/dotnet-sdk that referenced this issue Mar 14, 2024
## This PR

Generates Software Bill of Materials (SBOM) as described in #159. Once NuGet/Home#12497 is implemented, the SBOM file(s) should be embedded in the published nuget packages. Until then, I've added the SBOM as an asset under the release.

### Known issue

The SBOM file lists the dependencies for all target frameworks combined. Once the above NuGet/Home#12497 is implemented, it should be changed, so there is one sbom created for each target framework with only the applicable references included.

### Related Issues

Fixes #159

### How to test

Unfortunately, this is somewhat cumbersome to test, as the logic in question only kicks in upon a release from the main branch. I've tested it myself this way:

- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <[email protected]>
Co-authored-by: André Silva <[email protected]>
An SBOM is a nested inventory; a list of ingredients that make up software components.
This epic tracks the work to support providing an SPDX-formatted and NTIA-compliant SBOM inside of a NuGet package based on the SBOM Everywhere initiative to bring seamless interoperability end-to-end for security use cases at five major levels of software development:
We will most likely utilize sbom-tool to accomplish this task.
Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Further tracking issues will be created shortly as requirements are gathered and planned.
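The epic asks for an SPDX-formatted, NTIA-compliant SBOM. The following is an added example (not NuGet's or sbom-tool's code) showing what a package consumer could check before trusting such a document: it walks a constructed SPDX 2.2 JSON sample and reports which NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp) are missing. The sample document, its package names and the purl are placeholders.

```python
import json
import re

# Constructed sample shaped like an SPDX 2.2 JSON document; all names are placeholders.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2024-03-14T00:00:00Z",
                     "creators": ["Tool: example-tool"]},
    "packages": [
        {"SPDXID": "SPDXRef-Root", "name": "Example.Package", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Example.Package@1.0.0"}]},
        # Second package deliberately lacks a supplier and a unique identifier.
        {"SPDXID": "SPDXRef-Dep", "name": "Example.Dependency", "versionInfo": "2.1.0",
         "supplier": "NOASSERTION", "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Root"},
        {"spdxElementId": "SPDXRef-Root", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Dep"},
    ],
})


def ntia_gaps(spdx_json: str) -> list:
    """Return the NTIA minimum-element violations found; an empty list means none."""
    doc = json.loads(spdx_json)
    gaps = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):                      # author of SBOM data
        gaps.append("document: no SBOM author")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", info.get("created", "")):
        gaps.append("document: missing or malformed timestamp")
    rels = doc.get("relationships", [])
    linked = {r.get("spdxElementId") for r in rels} | {r.get("relatedSpdxElement") for r in rels}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "?")
        for key, label in (("name", "component name"), ("versionInfo", "version")):
            if not pkg.get(key):
                gaps.append(f"{pid}: no {label}")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):   # supplier name
            gaps.append(f"{pid}: no supplier name")
        if not any(r.get("referenceType") == "purl" for r in pkg.get("externalRefs", [])):
            gaps.append(f"{pid}: no unique identifier (purl)")   # other unique identifiers
        if pid not in linked:                         # dependency relationship
            gaps.append(f"{pid}: not in any dependency relationship")
    return gaps
```

Running `ntia_gaps(SAMPLE_SPDX)` flags only the second package, for its NOASSERTION supplier and missing purl.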