
Workaround for generating a SBOM manifest at the root level of the Nu…
…get Package (#656)

* Add buildMultiTargeting folder to the Nuget package

* Unzip and zip again to include the SBOM in the NuGet package.

* Append GUID to the temporary unzipped folder.
gustavoaca1997 authored Aug 9, 2024
1 parent d2c4dc6 commit 4c9354c
Showing 2 changed files with 21 additions and 24 deletions.
1 change: 1 addition & 0 deletions src/Microsoft.Sbom.Targets/Microsoft.Sbom.Targets.csproj
Expand Up @@ -60,6 +60,7 @@
by convention, the .NET SDK will look for build\<Package Id>.props and build\<Package Id>.targets
for automatic inclusion in the build. -->
<Content Include="Microsoft.Sbom.Targets.targets" PackagePath="\build" />
<Content Include="Microsoft.Sbom.Targets.targets" PackagePath="\buildMultiTargeting" />
</ItemGroup>

<ItemGroup>
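Review bot: The comment above the two Content items explains only the `build\` convention, and nothing says why the same .targets file is now packaged a second time under `buildMultiTargeting`. Presumably it is there because NuGet imports `buildMultiTargeting\` in the outer build of a multi-targeting project, which is where Pack runs and where the rewritten GenerateSbomTarget (hooked to AfterTargets="Pack") has to be present; I would extend the comment with `<!-- buildMultiTargeting\ is imported by the outer build of multi-targeting projects, where Pack runs, so the targets are packaged there as well. -->`. The ItemGroup continues past the end of this section.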
44 changes: 20 additions & 24 deletions src/Microsoft.Sbom.Targets/Microsoft.Sbom.Targets.targets
Expand Up @@ -20,20 +20,12 @@
<ManifestFolderName>_manifest</ManifestFolderName>
<SbomSpecification>spdx_2.2</SbomSpecification>
</PropertyGroup>

<!-- Copy the SBOM files to each respective target framework folder within the .nupkg -->
<PropertyGroup>
<TargetsForTfmSpecificContentInPackage>
$(TargetsForTfmSpecificContentInPackage);CopySbomOutput
</TargetsForTfmSpecificContentInPackage>
</PropertyGroup>

<!--Based on the MSBuild runtime, GenerateSbom will either pull the GenerateSbomTask or SbomCLIToolTask logic-->
<UsingTask TaskName="Microsoft.Sbom.Targets.GenerateSbom" AssemblyFile="$(AssemblyFilePath)" />

<PropertyGroup>
<GenerateSBOM Condition=" '$(GenerateSBOM)' == '' ">false</GenerateSBOM>
<SbomGenerationBuildDropPath Condition=" '$(SbomGenerationBuildDropPath)' == '' ">$(OutDir)</SbomGenerationBuildDropPath>
<SbomGenerationBuildComponentPath Condition=" '$(SbomGenerationBuildComponentPath)' == '' ">$(MSBuildProjectDirectory)</SbomGenerationBuildComponentPath>
<SbomGenerationPackageSupplier Condition=" '$(SbomGenerationPackageSupplier)' == '' And $(Authors) != '' ">$(Authors)</SbomGenerationPackageSupplier>
<SbomGenerationPackageSupplier Condition=" '$(SbomGenerationPackageSupplier)' == '' And $(Authors) == '' ">$(AssemblyName)</SbomGenerationPackageSupplier>
Expand All @@ -47,12 +39,27 @@
<SbomGenerationVerbosity Condition=" '$(SbomGenerationVerbosity)' == '' ">information</SbomGenerationVerbosity>
<SbomGenerationManifestInfo Condition=" '$(SbomGenerationManifestInfo)' == '' ">SPDX:2.2</SbomGenerationManifestInfo>
<SbomGenerationDeleteManifestDirIfPresent Condition=" '$(SbomGenerationDeleteManifestDirIfPresent)' == '' ">true</SbomGenerationDeleteManifestDirIfPresent>
<UnzipGuid>$([System.Guid]::NewGuid())</UnzipGuid>
</PropertyGroup>

<Target Name="GenerateSbomTarget" AfterTargets="Build" Condition=" '$(GenerateSBOM)' == 'true'">
<!-- After the Nuget Package is generated, we will unzip, scan, generate the SBOM and zip again. -->
<Target Name="GenerateSbomTarget" AfterTargets="Pack" Condition=" '$(GenerateSBOM)' == 'true'" >
<Error Condition="'$(BuildOutputTargetFolder)' == ''" Text="The GenerationSbomTarget requires the BuildOutputTargetFolder property to be non-null. Please set a folder name."/>

<!-- Unzip Nuget package, so it can be scanned by the SBOM Task. -->
<PropertyGroup>
<NugetPackage>
$(PackageOutputPath)\$(PackageId).$(PackageVersion).nupkg
</NugetPackage>
<NugetPackageUnzip>
$(PackageOutputPath)\$(PackageId).$(PackageVersion).$(UnzipGuid).temp
</NugetPackageUnzip>
</PropertyGroup>
<Unzip DestinationFolder="$(NugetPackageUnzip)" SourceFiles="$(NugetPackage)" OverwriteReadOnlyFiles="true" />

<!-- Call the SBOM Task to generate a SBOM. -->
<GenerateSbom
BuildDropPath="$(SbomGenerationBuildDropPath)"
BuildDropPath="$(NugetPackageUnzip)"
BuildComponentPath="$(SbomGenerationBuildComponentPath)"
PackageSupplier="$(SbomGenerationPackageSupplier)"
PackageName="$(SbomGenerationPackageName)"
Expand All @@ -70,20 +77,9 @@
<Output TaskParameter="SbomPath" PropertyName="SbomPathResult" />
</GenerateSbom>
<Message Importance="High" Text="Task result: $(SbomPathResult)" />
</Target>

<!-- Specify the SBOM files to copy into the nuget package -->
<Target Name="CopySbomOutput" DependsOnTargets="GenerateSbomTarget">
<PropertyGroup>
<!--When building frameworks such as net8.0-windows, the platform version is appended to the framework in the NuGet package-->
<TargetFrameworkWithPlatformVersion Condition="$(TargetPlatformVersion) != ''">$(TargetFramework)$(TargetPlatformVersion)</TargetFrameworkWithPlatformVersion>
<TargetFrameworkWithPlatformVersion Condition="$(TargetPlatformVersion) == ''">$(TargetFramework)</TargetFrameworkWithPlatformVersion>
</PropertyGroup>
<ItemGroup>
<!--Add manifest and SHA file from the GenerateSbom target execution-->
<TfmSpecificPackageFile Include="$([System.IO.Path]::Combine($(SbomPathResult),$(SbomSpecification)))\**">
<PackagePath>$([System.IO.Path]::Combine($(BuildOutputTargetFolder),$(TargetFrameworkWithPlatformVersion),$(ManifestFolderName),$(SbomSpecification)))</PackagePath>
</TfmSpecificPackageFile>
</ItemGroup>
<!-- Zip the Nuget package back up and delete the temporary unzipped package. -->
<ZipDirectory SourceDirectory="$(NugetPackageUnzip)" DestinationFile="$(NugetPackage)" Overwrite="true" />
<RemoveDir Directories="$(NugetPackageUnzip)" ContinueOnError="true" />
</Target>
</Project>
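Review bot: When Unzip, GenerateSbom or ZipDirectory fails, GenerateSbomTarget stops before the RemoveDir on its last line, so the full extraction of the package is left under `$(PackageOutputPath)` in a `.<guid>.temp` folder, and because `UnzipGuid` is regenerated on every evaluation no later run can clean that name up; an `<OnError ExecuteTargets="…"/>` as the target's last child, pointing at a small cleanup target that runs the same RemoveDir, bounds what a failed build leaves behind in the package output directory. The `Error` on `BuildOutputTargetFolder` at the top of the target appears to guard a property that only the removed CopySbomOutput target consumed — none of the visible lines of the rewritten target use it, although the GenerateSbom parameters in the collapsed region between the two hunks are outside the view. The rebuilt .nupkg comes from ZipDirectory rather than NuGet's packer, so the package metadata parts NuGet wrote are carried over unchanged and are not updated for the SBOM files added under `$(ManifestFolderName)`; worth confirming that NuGet clients and any later package signing step tolerate the re-zipped archive. A point of style: the `NugetPackage` and `NugetPackageUnzip` values are each split across three lines, so they rely on MSBuild trimming the surrounding newline and indentation; `<NugetPackage>$(PackageOutputPath)\$(PackageId).$(PackageVersion).nupkg</NugetPackage>` on one line avoids the question.
```xml
    <!-- … unchanged: unzip, GenerateSbom, ZipDirectory, RemoveDir … -->
    <OnError ExecuteTargets="RemoveSbomUnzipFolder" />
  </Target>

  <!-- Remove the temporary extraction folder when GenerateSbomTarget fails part-way. -->
  <Target Name="RemoveSbomUnzipFolder">
    <RemoveDir Directories="$(NugetPackageUnzip)" ContinueOnError="true" />
  </Target>
```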
