
Generate SBOMs for .NET components #159

Closed
toddbaert opened this issue Nov 1, 2023 · 2 comments · Fixed by #245
Labels: contribfest (A good issue for Contribfest KubeCon EU '24), good first issue (Good for newcomers), security (security related bugs/tasks)

Comments

@toddbaert (Member)

We have SBOMs currently for Java and Go. We could use them here as well. I recommend this utility: https://github.com/marketplace/actions/cyclonedx-net-generate-sbom (we're using the CycloneDX format elsewhere and it's popular).

Definition of done:

  • SBOMs generated and attached to release artifact in GH, or otherwise made publicly available (for every release)
  • only includes dependencies of module in question (not of repo)
toddbaert added the labels good first issue, help wanted and security on Nov 1, 2023

@jenshenneberg (Contributor)
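The second "definition of done" item (the SBOM lists only the module's own dependencies, not the whole repo's) can be checked mechanically against a CycloneDX JSON document by walking the `dependencies` graph from the root component in `metadata.component` and flagging any listed component that is not reachable from it. The script below is an added example, not part of the issue or of any OpenFeature tooling; the embedded BOM is constructed with placeholder package names.

```python
import json

# Constructed sample CycloneDX 1.5 JSON BOM (placeholder packages, not a real
# OpenFeature SBOM): a root module with one direct and one transitive dependency,
# plus one stray component that nothing in the module depends on.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "bom-ref": "pkg:nuget/Example.Module@1.0.0",
                               "name": "Example.Module", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:nuget/DirectDep@2.0.0", "name": "DirectDep", "version": "2.0.0"},
        {"type": "library", "bom-ref": "pkg:nuget/TransitiveDep@3.1.0", "name": "TransitiveDep", "version": "3.1.0"},
        {"type": "library", "bom-ref": "pkg:nuget/OtherModuleDep@0.9.0", "name": "OtherModuleDep", "version": "0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:nuget/Example.Module@1.0.0", "dependsOn": ["pkg:nuget/DirectDep@2.0.0"]},
        {"ref": "pkg:nuget/DirectDep@2.0.0", "dependsOn": ["pkg:nuget/TransitiveDep@3.1.0"]},
        {"ref": "pkg:nuget/TransitiveDep@3.1.0", "dependsOn": []},
        {"ref": "pkg:nuget/OtherModuleDep@0.9.0", "dependsOn": []},
    ],
})


def check_module_sbom(bom_text):
    """Return (root_ref, reachable_refs, stray_refs).

    A component listed in `components` but not reachable from the root
    component through `dependencies` is 'stray': it signals that the BOM
    covers more than the module in question (e.g. the whole repo)."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    # depth-first walk from the root over the dependency graph
    reachable, stack = set(), [root]
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(graph.get(ref, []))
    listed = {c["bom-ref"] for c in bom.get("components", [])}
    stray = sorted(listed - reachable)
    return root, sorted(reachable - {root}), stray
```

Run it against the SBOM attached to a release; a non-empty stray list means the generator was pointed at the repository (or solution) rather than the single module's project.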

@toddbaert : Do you mind me picking this one up?

beeme1mr removed the help wanted label on Mar 10, 2024

@beeme1mr (Member)

@jenshenneberg that would be great, thanks!

toddbaert added the contribfest label on Mar 11, 2024
toddbaert pushed a commit that referenced this issue Mar 14, 2024
## This PR
Generates Software Bill of Materials (SBOM) as described in #159. Once
NuGet/Home#12497 is implemented, the SBOM
file(s) should be embedded in the published nuget packages. Until then,
I've added the SBOM as an asset under the release.

### Known issue
The SBOM file lists the dependencies for all target frameworks combined.
Once the above NuGet issue (NuGet/Home#12497)
is implemented, it should be changed, so there is one SBOM created for
each target framework with only the applicable references included.

### Related Issues
Fixes #159

### How to test
Unfortunately, this is somewhat cumbersome to test, as the logic in
question only kicks in upon a release from the main branch. I've tested
it myself this way:
- Create new fork of this repo
- Merge this branch to main in the new repo
- Create a release in the new repo

Signed-off-by: Jens Henneberg <[email protected]>
Co-authored-by: André Silva <[email protected]>