Integrate SBOM generation into application publishing #46274

Open
baronfel opened this issue Jan 24, 2025 · 0 comments
Labels: Area-NetSDK, Area-SBOM, untriaged (Request triage from a team member)

Comments

@baronfel (Member)
Is your feature request related to a problem? Please describe.

The .NET SDK should generate SBOMs for published applications. As part of publishing, we should trigger SBOM generation from Microsoft.SBOM.Targets. The SBOMs should contain information about the NuGet packages consumed by the application, as well as relevant data about the SDK, Workloads, and Toolchain used to build the application.

Today, the NuGet package detection is handled well, but the build-time information is not currently represented in microsoft/sbom-tool. We may need additional integration points to provide that information to the tool.

Additional context

A quick version of what this integration might look like is available at https://github.com/baronfel/dotnet-app-sbom-sample.
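
The publish-time hook the issue proposes, sketched as an added MSBuild example (not the Microsoft.SBOM.Targets implementation and not code from the linked sample): a hypothetical `Directory.Build.targets` that runs the sbom-tool CLI against the publish output after `Publish` completes. It assumes `sbom-tool` is on `PATH`, and the supplier and namespace values are placeholders to be replaced per organisation.

```xml
<!-- Directory.Build.targets (hypothetical, added illustration): generate an SBOM for
     the publish output by invoking the sbom-tool CLI after the Publish target. -->
<Project>
  <PropertyGroup>
    <!-- Opt-in switch so ordinary builds and publishes are unaffected. -->
    <GenerateSbomOnPublish Condition="'$(GenerateSbomOnPublish)' == ''">false</GenerateSbomOnPublish>
    <!-- Supplier and namespace base are per-organisation values; placeholders here. -->
    <SbomPackageSupplier Condition="'$(SbomPackageSupplier)' == ''">Organization: PLACEHOLDER-SUPPLIER</SbomPackageSupplier>
    <SbomNamespaceBaseUri Condition="'$(SbomNamespaceBaseUri)' == ''">https://sbom.example.invalid</SbomNamespaceBaseUri>
  </PropertyGroup>

  <Target Name="GenerateSbomAfterPublish"
          AfterTargets="Publish"
          Condition="'$(GenerateSbomOnPublish)' == 'true'">
    <PropertyGroup>
      <!-- The publish directory is the "build drop" the SBOM describes; the project
           directory is the component root, so NuGet packages resolved in
           obj/project.assets.json are picked up by component detection. -->
      <_SbomDropPath>$([MSBuild]::NormalizeDirectory('$(PublishDir)'))</_SbomDropPath>
      <_SbomComponentPath>$(MSBuildProjectDirectory)</_SbomComponentPath>
      <_SbomManifestDir>$(_SbomDropPath)_manifest</_SbomManifestDir>
    </PropertyGroup>

    <!-- Drop any stale manifest so the SBOM reflects only this publish. -->
    <RemoveDir Directories="$(_SbomManifestDir)" />

    <!-- -b: build drop path, -bc: build components path, -pn/-pv: package name and
         version, -ps: package supplier, -nsb: namespace URI base. Output lands under
         $(_SbomManifestDir). -->
    <Exec Command="sbom-tool generate -b &quot;$(_SbomDropPath)&quot; -bc &quot;$(_SbomComponentPath)&quot; -pn &quot;$(AssemblyName)&quot; -pv &quot;$(Version)&quot; -ps &quot;$(SbomPackageSupplier)&quot; -nsb &quot;$(SbomNamespaceBaseUri)&quot;" />

    <!-- Toolchain data is not yet carried into the SBOM by the tool (the gap the issue
         describes); surfacing the SDK version in the log is the interim stand-in. -->
    <Message Importance="high"
             Text="SBOM written to $(_SbomManifestDir); built with .NET SDK $(NETCoreSdkVersion)" />
  </Target>
</Project>
```

Invoke with `dotnet publish -p:GenerateSbomOnPublish=true`; the resulting manifest can be checked with `sbom-tool validate` against the same drop path.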

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label Jan 24, 2025