From 8c26ccb01b6b737d8128f67dd682b68565143956 Mon Sep 17 00:00:00 2001
From: Aasim Malladi
Date: Tue, 5 Jul 2022 20:30:22 -0400
Subject: [PATCH] Fixed documentation and add SBOM generation to the build pipeline (#38)
---
 .github/workflows/release.yml | 20 ++++++++++++++++----
 README.md | 34 ++++++++++++++++++++++++++++++++--
 docs/installation.md | 9 ---------
 3 files changed, 48 insertions(+), 15 deletions(-)
 delete mode 100644 docs/installation.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f2b131c..541cd2c0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,13 +46,25 @@ jobs:
 - name: Build CLI self-contained
 run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool
- - name: Publish CLI tool
+ - name: Rename binary to short name
+ run: mv ./bin/Microsoft.Sbom.Tool${{ matrix.rid == 'win-x64' && '.exe' || '' }} ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
+
+ - name: Generate SBOM for sbom-tool
+ run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft
+
+ - name: Upload SBOM to release
 uses: shogo82148/actions-upload-release-asset@v1.6.2
 with:
 upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./bin/*
- asset_name: sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
-
+ asset_path: ./bin/_manifest/spdx_2.2/manifest.spdx.json
+ asset_name: ${{ matrix.rid }}-manifest.spdx.json
+
+ - name: Upload binaries to release
+ uses: shogo82148/actions-upload-release-asset@v1.6.2
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}
+
 - name: Build NuGet packages
 run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out
diff --git a/README.md b/README.md
index e89a7845..d7b6b5d7 100644
--- a/README.md
+++ b/README.md
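Review bot: The new `Generate SBOM for sbom-tool` step interpolates `${{ github.event.release.tag_name }}` straight into a `run:` shell line; GitHub's hardening guidance is to pass event data through `env:` and reference it as a quoted shell variable, because the expression is substituted before the shell parses the command and a git tag name may legally contain metacharacters such as `;`, `$`, `|` or `&`. Only someone who can create a release controls that value, so the exposure is limited to already-trusted users, but the fix is cheap: add `env:` / `RELEASE_TAG: ${{ github.event.release.tag_name }}` to the step and pass `-pv "$RELEASE_TAG"`. The newly added `Upload binaries to release` step (like the SBOM upload step) pins `shogo82148/actions-upload-release-asset` to the mutable tag `v1.6.2`; since this job holds a token able to publish release assets, pinning to the full commit SHA with the version in a trailing comment protects against the tag being retargeted. The enclosing job definition starts before this hunk.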
@@ -1,24 +1,54 @@
 # Salus - SBOM Tool
+[![Build](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml)
+![GitHub release (latest by date)](https://img.shields.io/github/downloads/microsoft/sbom-tool/latest/total)
+![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/microsoft/sbom-tool?include_prereleases)
+
 ## Introduction
 The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
 ## Table of Contents
-* [Installation](docs/installation.md)
-* [Building and running Sbom tool](docs/build-and-run.md)
+* [Installation](#installation)
+* [Run the tool](#run-the-tool-to-generate-an-sbom)
 * [Telemetry](#Telemetry)
 * [Contributing](#Contributing)
 * [Security](#Security)
 * [Trademarks](#Trademarks)
+## Installation
+
+### Windows, Mac and Linux executable.
+Please check the [Releases](https://github.com/microsoft/sbom-tool/releases) page to go to the version of the tool you want to install. Then download the tool from the release assets for the required runtime.
+
+Please check the [arguments](docs/sbom-tool-arguments.md) that you can provide to the sbom tool.
+
+### Sbom tool C# Api
+Please add and authenticate the Microsoft GitHub NuGet package [registry](https://github.com/orgs/microsoft/packages?repo_name=sbom-tool) to your nuget.config. Then install the `Microsoft.Sbom.Api` package to your project using these [instructions](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry#installing-a-package)
+
+## Run the tool to generate an SBOM
+
+Once you have installed the command line tool for your OS, run the tool using this command:
+
+```
+generate -b -bc -pn -pv -nsb
+```
+
+The drop path is the folder where all the files to be shipped are located. 
All these files will be hashed and added to the files section of the SBOM. The build components path is usually your source folder, we will scan this folder to search for project files like *.csproj or package.json to see what components were used to build the package. The package name and version represent the package the SBOM is describing.
+
+Each SBOM has a unique namespace that uniquely identifies the SBOM, we generate a unique identifier for the namespace field inside the SBOM, however we need a base URI that would be common for your entire organization. For example, a sample value for the `-nsb` parameter could be `https://companyName.com/teamName`, then the generator will create the namespace that would look like `https://companyName.com/teamName///`. Read more about the document namespace field [here](https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field).
+
+A more detailed list of available arguments can be found [here](sbom-tool-arguments.md)
+
 ## Telemetry
 By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.
 ## Contributing
+Please follow the steps [here](docs/build-and-run.md) to clone and build this repository from source.
+
 This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
diff --git a/docs/installation.md b/docs/installation.md
deleted file mode 100644
index 458870cc..00000000
--- a/docs/installation.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Installation
-
-## Windows, Mac and Linux executable.
-Please check the [Releases](https://github.com/microsoft/sbom-tool/releases) page to go to the version of the tool you want to install. Then download the tool from the release assets for the required runtime.
-
-Please check the [arguments](sbom-tool-arguments.md) that you can provide to the sbom tool.
-
-## Sbom tool C# Api
-Please add and authenticate the Microsoft GitHub NuGet package [registry](https://github.com/orgs/microsoft/packages?repo_name=sbom-tool) to your nuget.config. Then install the `Microsoft.Sbom.Api` package to your project using these [instructions](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry#installing-a-package)