Fixed documentation and add SBOM generation to the build pipeline (#38)

.github/workflows/release.yml

@@ -46,13 +46,25 @@ jobs:
       - name: Build CLI self-contained
         run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool
 
-      - name: Publish CLI tool
+      - name: Rename binary to short name
+        run: mv ./bin/Microsoft.Sbom.Tool${{ matrix.rid == 'win-x64' && '.exe' || '' }} ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
+
+      - name: Generate SBOM for sbom-tool
+        run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft
+
+      - name: Upload SBOM to release
         uses: shogo82148/[email protected]
         with:
           upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ./bin/*
-          asset_name: sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
-
+          asset_path: ./bin/_manifest/spdx_2.2/manifest.spdx.json
+          asset_name: ${{ matrix.rid }}-manifest.spdx.json
+
+      - name: Upload binaries to release
+        uses: shogo82148/[email protected]
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
+
       - name: Build NuGet packages
         run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out 
 

README.md

@@ -1,24 +1,54 @@
 # Salus - SBOM Tool
 
+[![Build](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml)
+![GitHub release (latest by date)](https://img.shields.io/github/downloads/microsoft/sbom-tool/latest/total)
+![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/microsoft/sbom-tool?include_prereleases)
+
 ## Introduction
 
 The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
 
 ## Table of Contents
 
-* [Installation](docs/installation.md)
-* [Building and running Sbom tool](docs/build-and-run.md)
+* [Installation](#installation)
+* [Run the tool](#run-the-tool-to-generate-an-sbom)
 * [Telemetry](#Telemetry)
 * [Contributing](#Contributing)
 * [Security](#Security)
 * [Trademarks](#Trademarks)
 
+## Installation
+
+### Windows, Mac and Linux executable.
+Please check the [Releases](https://github.com/microsoft/sbom-tool/releases) page to go to the version of the tool you want to install. Then download the tool from the release assets for the required runtime. 
+
+Please check the [arguments](docs/sbom-tool-arguments.md) that you can provide to the sbom tool.
+
+### Sbom tool C# Api
+Please add and authenticate the Microsoft GitHub NuGet package [registry](https://github.com/orgs/microsoft/packages?repo_name=sbom-tool) to your nuget.config. Then install the `Microsoft.Sbom.Api` package to your project using these [instructions](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry#installing-a-package)
+
+## Run the tool to generate an SBOM
+
+Once you have installed the command line tool for your OS, run the tool using this command:
+
+```
+generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -nsb <namespace uri base>
+```
+
+The drop path is the folder where all the files to be shipped are located. All these files will be hashed and added to the files section of the SBOM. The build components path is usually your source folder, we will scan this folder to search for project files like *.csproj or package.json to see what components were used to build the package. The package name and version represent the package the SBOM is describing. 
+
+Each SBOM has a unique namespace that uniquely identifies the SBOM, we generate a unique identifier for the namespace field inside the SBOM, however we need a base URI that would be common for your entire organization. For example, a sample value for the `-nsb` parameter could be `https://companyName.com/teamName`, then the generator will create the namespace that would look like `https://companyName.com/teamName/<packageName>/<packageVersion>/<new-guid>`. Read more about the document namespace field [here](https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field). 
+
+A more detailed list of available arguments can be found [here](sbom-tool-arguments.md)
+
 ## Telemetry
 
 By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.
 
 ## Contributing
 
+Please follow the steps [here](docs/build-and-run.md) to clone and build this repository from source.
+
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a
 Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
 the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.