sbom-tool
The SBOM tool is a highly scalable, enterprise-ready tool that creates SPDX 2.2-compatible SBOMs for any variety of artifacts.
My team is responsible for packaging VSIX files (normally used for VS extensions). I have been trying to use the -bl option to supply a list of the files that...
It was recently brought to our attention that package level SBOMs can cause problems when generating and validating SBOMs with this tool. Consider the following flow: - Project references a...
The `GenerateSbomTarget` target generates the wrong path to the .nupkg file and fails. Example: ```xml net8.0 1.2.3.0 true runtime; build; native; contentfiles; analyzers; buildtransitive all ``` 1. delete the /bin...
With the release of V3, I see that sbom-tool can generate correct relationships between packages. But somehow the relationship graph of Maven is different from the others. For example here is...
The scan manifest file that Component Detection creates shows license and author information of each pip package that was detected. The sbom-tool does not correctly collect that information - it...
We've seen cases where a single pipeline run produces multiple artifacts, meaning that the `BuildDropPath` parameter varies, but the `BuildComponentPath` is the same--same commit, same build iteration, etc. It could...
The underlying component detector for nuget packages includes, among other things, `*.nuspec` files. This means that if a .nuspec file is present during SBOM generation, the package that it defines...
In reference to https://github.com/dotnet/dotnet-docker/issues/5973 We (.NET Team) have been working closely with Canonical on Chiseled images: - https://devblogs.microsoft.com/dotnet/announcing-dotnet-chiseled-containers/ - https://github.com/dotnet/dotnet-docker/issues/4667 - https://discourse.ubuntu.com/t/chisel-manifest-is-supported-in-newly-released-v1-0-0/48944 At present, we use an interim solution to...
When I use sbom-tool v3 to scan a simple python project with requirements.txt containing: ``` Flask Flask-MySQL ``` the relationship graph looks like this:  I expect Flask as a...
Best practice in actions these days is to pin an action to its commit SHA. This prevents problems when an attacker compromises an action and releases a newer version...
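The check behind the pinning advice above can be automated. The script below is an added example, not part of sbom-tool or of this issue: it scans a workflow file for `uses:` references and reports every action whose ref is not a full 40-hex commit SHA (or, for `docker://` images, a `sha256:` digest). The workflow text, the SHA and digest values and the `some-org/...` action names are constructed placeholders for the demo; local `./` actions are skipped because they travel with the checked-out commit.

```python
"""Report GitHub Actions `uses:` references that are not pinned to an immutable ref.

Added example, not sbom-tool code. Workflow text and all SHAs/digests below are
constructed placeholders; only `actions/checkout` and `actions/setup-dotnet`
are real action names, used for syntax only.
"""
import re

# `- uses: owner/repo@ref` or `uses: owner/repo@ref` (after a `- name:` line),
# with optional quotes and an optional trailing YAML comment.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*['\"]?(?P<action>[^@'\"\s]+)(?:@(?P<ref>[^'\"\s#]+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA, not abbreviated
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI image digest for docker:// actions


def is_pinned(action, ref):
    """True only when the ref cannot be moved by the action's publisher."""
    if ref is None:
        return False
    if action.startswith("docker://"):
        return DIGEST_RE.match(ref) is not None
    return SHA_RE.match(ref) is not None


def find_unpinned(workflow_text):
    """Return [(line_no, action, ref)] for every uses: that is not SHA/digest pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("./"):
            # Local composite action: lives in this repo, pinned by the checkout itself.
            continue
        if not is_pinned(action, ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow: a tag, a placeholder SHA, a local action, a branch,
# a placeholder image digest and a ref-less action.
SAMPLE_WORKFLOW = f"""\
name: sbom
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup .NET
        uses: actions/setup-dotnet@{'a' * 40}
      - uses: ./.github/actions/local-step
      - uses: "some-org/some-action@main"
      - uses: docker://alpine@sha256:{'b' * 64}
      - uses: some-org/other-action
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref or '<no ref>'} is not pinned to a commit SHA")
```

A full SHA is the only ref the action's publisher cannot repoint; tags and branches can be force-moved, and abbreviated SHAs are rejected on purpose. Keeping the human-readable version in a trailing comment (`@<sha> # v4.1.1`) is the usual convention so that update tooling and reviewers can still see which release the hash corresponds to.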