Skip to content

🚧 Add SBOM generation to NuGet Package output using Microsoft.Sbom.Targets#636

Draft
michael-hawker wants to merge 1 commit intomainfrom
mhawker/sbom
Draft

🚧 Add SBOM generation to NuGet Package output using Microsoft.Sbom.Targets#636
michael-hawker wants to merge 1 commit intomainfrom
mhawker/sbom

Conversation

@michael-hawker
Copy link
Member

@michael-hawker michael-hawker commented Jan 29, 2025

@michael-hawker michael-hawker added enhancement Improvement to an existing feature CI/pipeline 🔬 nuget 📦 partner ⏹ Label for issues that are being depended on by Toolkit partners. external ⤴️ Requires an update to an external dependency or due to code outside the Toolkit. in progress 🚧 improvements ✨ feature request 📬 labels Jan 29, 2025
@michael-hawker
Copy link
Member Author

michael-hawker commented Jan 30, 2025
edited
Loading

This seemed to work:
image

manifest.spdx.json

It does list the dependencies, though not sure if it's supposed to find the licenses and locations? I haven't been able to find another example of a package with this same type of embedded manifest...

@Arlodotexe
Copy link
Member

Arlodotexe commented Mar 18, 2025

It does list the dependencies, though not sure if it's supposed to find the licenses and locations? I haven't been able to find another example of a package with this same type of embedded manifest...

@michael-hawker I'm seeing the same thing, but I'm thinking these things are meant to be handled by Source Link and the licensing tooling in NuGet. Do these need to be included in the sbom?

@michael-hawker
Copy link
Member Author

michael-hawker commented May 5, 2025

Open issue about documenting the tool: microsoft/sbom-tool#909

@Arlodotexe
Copy link
Member

Arlodotexe commented May 5, 2025

Noting that GitHub makes use of SBOM already in the network/dependencies Insights tab in any repo.

image

@michael-hawker
Copy link
Member Author

michael-hawker commented Jun 6, 2025

Thanks Arlo, I know GitHub and NuGet do some tracking here, so not sure if they generate their own. I think this is mostly about us including the file within the package as well. I haven't gotten a lot of clarity on the requirements and how to validate our packages.

I've filed the request before here on the tool itself: microsoft/sbom-tool#909 - and am awaiting more documentation and guidance still for us to validate compliance.

@HotCakeX
Copy link

HotCakeX commented Jun 27, 2025
edited
Loading

I create SBOMs in my workflow and attach the file to the releases in this file:
https://github.com/HotCakeX/Harden-Windows-Security/blob/main/.github/workflows/Build%20AppControl%20Manager%20MSIX%20Package.yml

Maybe it can be useful for implementing it in this repository.

The main command i run is this

. "${Env:RUNNER_TEMP}\sbom-tool.exe" generate -b $MSIXBundleOutput -bc .\ -pn 'AppControl Manager' -ps 'Violet Hansen' -pv $MSIXVersion -nsb 'https://github.com/HotCakeX/Harden-Windows-Security' -V Verbose -gt true -li true -pm true -D true -lto 80

This command needs to run after the projects are built and compiled.
It doesn't scan the CsProj files to detect NuGet dependencies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CI/pipeline 🔬 enhancement Improvement to an existing feature external ⤴️ Requires an update to an external dependency or due to code outside the Toolkit. feature request 📬 improvements ✨ in progress 🚧 nuget 📦 partner ⏹ Label for issues that are being depended on by Toolkit partners.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@michael-hawker @Arlodotexe @HotCakeX