As part of the efforts of including Software Bill of Materials (SBOM) generation into .NET, we need a target or hook that occurs right before the compression of the NuGet package's content, so that we can:
Scan the content of the package.
Generate and include the SBOM manifest.
By integrating SBOM generation into NuGet packages, we can provide developers with a transparent and comprehensive view of the components within their applications. This addition not only enhances security but also streamlines compliance and fosters trust within the developer community.
Additional Context and Details
Right now, the only way we have for adding an SBOM manifest into the NuGet package is by doing the following:
Extract the content of the package.
Scan it and generate the SBOM manifest.
Compress it again.
Ideally we could skip the unzip-zip part, and use a target that will let us scan the whole content of the package right before it's compressed. We would need a property with the path to the content. Something like this:
```xml
<Target Name="GenerateSbomTarget" AfterTargets="PreCompress" Condition=" '$(GenerateSBOM)' == 'true' ">
  <!-- Call the SBOM Task to generate a SBOM. -->
  <GenerateSbom BuildDropPath="$(PackageContentPath)"
                ...>
  </GenerateSbom>
</Target>
```
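The three-step workaround described above (extract, scan, compress again), as an added illustration that is not code from this issue or from NuGet: it performs the round trip in memory on a constructed .nupkg. The manifest path `_manifest/spdx_2.2/manifest.spdx.json` and the minimal SPDX fields are assumptions.

```python
import hashlib
import io
import json
import zipfile

# Manifest path inside the package: assumed here, mirroring sbom-tool's layout.
MANIFEST_PATH = "_manifest/spdx_2.2/manifest.spdx.json"

def inventory(nupkg_bytes):
    # Steps 1-2: walk the zip in memory (no disk extraction), SHA-256 each file.
    files = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                files[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return files

def build_manifest(package_id, version, files):
    # Minimal SPDX-2.2-shaped document: one record with a SHA-256 per file.
    # A previous manifest is left out so the SBOM never describes itself.
    records = [{"fileName": "./" + n, "checksums": [{"algorithm": "SHA256",
                "checksumValue": d}]} for n, d in sorted(files.items())
               if not n.startswith("_manifest/")]
    return {"spdxVersion": "SPDX-2.2", "name": f"{package_id} {version}",
            "files": records}

def embed_manifest(nupkg_bytes, manifest):
    # Step 3: a zip cannot safely be appended to in place, so every entry is
    # copied into a fresh archive (dropping a stale manifest) plus the new one.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != MANIFEST_PATH:
                dst.writestr(info, src.read(info))
        dst.writestr(MANIFEST_PATH, json.dumps(manifest, indent=2))
    return out.getvalue()

def add_sbom(nupkg_bytes, package_id, version):
    # The whole unzip-scan-zip round trip; returns (new package, manifest).
    manifest = build_manifest(package_id, version, inventory(nupkg_bytes))
    return embed_manifest(nupkg_bytes, manifest), manifest

def make_sample_nupkg():
    # Constructed stand-in for a real package: a nuspec plus a fake assembly.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Demo.nuspec", "<package><metadata><id>Demo</id><version>1.0.0</version></metadata></package>")
        zf.writestr("lib/net8.0/Demo.dll", b"MZ constructed placeholder, not a PE")
    return buf.getvalue()
```

Re-running `add_sbom` on an already-stamped package replaces the old manifest rather than listing it as content, which is the edge case a pre-compression hook would avoid entirely.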
jeffkl added the labels Priority:3 (Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog.) and help wanted (Considered good issues for community contributions.) on Sep 9, 2024.
NuGet Product(s) Involved: dotnet.exe