sbom-tool

The SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
We have a GitHub actions pipeline, but the documentation provided here is hard to follow: https://github.com/microsoft/sbom-tool/blob/main/docs/setting-up-github-actions.md 1. There are images after the intro section which don't seem to make sense...
We have a [request](https://teams.microsoft.com/l/message/19:[email protected]/1746470815154?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=ef54ced4-3f58-4488-a2fd-6511552227ea&parentMessageId=1746470815154&teamName=SBOM%20Support&channelName=SBOM%20Support%20-%20General&createdTime=1746470815154) to change RootPathFilter's accepted values from a semicolon-separated list of path prefixes, to file matching patterns. This would help 1ES PT to seamlessly route through the...
#1082 surfaced a case where we _might_ have a problem with case-differing file names. We should investigate this on a linux system to be sure. Scenario is as follows: 1....
In Android Libraries (ALs) repo `dotnet/android-libraries` https://github.com/dotnet/android-libraries there is `Microsoft.Sbom.Targets` used to generate SBOM. https://github.com/dotnet/android-libraries/blob/main/source/AndroidXProject.cshtml#L157 Windows builds are OK, but on MacOSX there are intermittent hangs both locally, but more...
There has been a customer request to add sbom-tool.exe to the NuGet package we release, instead of just including the .dll. We should evaluate how much of a lift this...
The sbom-tool generates cargo purl references with an extra "/", for crates pulled from the default repository (https://crates.io). Example: pkg:cargo//[email protected] This behavior does not repro for other package managers, such...
sbom-tool version: 3.1.0 I execute the following command in an Azure Devops pipeline: sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc ${{ parameters.workingDirectory }} -pn $(Build.DefinitionName) -pv 1.0.0 -ps sbom -nsb https://sbom.com -li...
We occasionally receive SBOMs where the SPDX Created field has values with datestamps from year 1403. This suggests that the SBOM generation code is creating invalid timestamps under some circumstances....
`globalPackagesFolder` can be redefined by `nuget.config`. `NullSettings` does not use `nuget.config`. We should use `DefaultSettings` instead of `NullSettings`.
During SBOM generation (regardless of SPDX version), we skip SPDX 3.0 documents if they are in the build drop path. This means that they do not get added to the...