
.NET6 Client-Side Libraries Missing from BOM

Open curnsey opened this issue 2 years ago • 10 comments

I noticed today that a .NET6 project in Dependency Track was missing Bootstrap and jQuery components. Project is a basic .NET6 webapp generated from CLI with default folder structure.

wwwroot
  css
  js
  lib
    bootstrap
      dist
    jquery
      dist

I generated a libman.json file and updated the bootstrap and jquery references for the client side libraries thinking maybe that would get picked up and processed.

{
  "version": "1.0",
  "defaultProvider": "cdnjs",
  "libraries": [
    {
      "provider": "cdnjs",
      "library": "[email protected]",
      "destination": "wwwroot/lib/bootstrap/dist"
    },
    {
      "provider": "cdnjs",
      "library": "[email protected]",
      "destination": "wwwroot/lib/jquery/dist"
    }
  ]
}

Attempted to recreate the BOM after the references were restored and the same result - missing client-side libraries. Any thoughts, suggestions, advice? TIA

curnsey avatar Sep 28 '22 19:09 curnsey

Any thoughts or update on this ?

ArjenKorevaar avatar Apr 13 '23 11:04 ArjenKorevaar

I wouldn't mind spending some time trying to add the client-side libraries from libman.json files to the BOM, but would like to know if this idea is supported by the maintainers first.

ArjenKorevaar avatar Apr 19 '23 13:04 ArjenKorevaar

Cyclone dotnet tool uses intermediate build output (obj folder) to identify nuget packages and transitive dependencies.

Please check cyclonedx-npm tool.

Bertk avatar May 12 '23 04:05 Bertk

> Cyclone dotnet tool uses intermediate build output (obj folder) to identify nuget packages and transitive dependencies.

CycloneDX dotnet tool should create SBoMs from dotnet projects. Imho that should include Libman as well.

> Please check cyclonedx-npm tool.

Afaik the CycloneDX tool for NPM does not scan Libman packages.

ArjenKorevaar avatar May 12 '23 05:05 ArjenKorevaar

Sorry, I did not recognize the libman detail, and we use npm for the Angular client.

I guess there is no CycloneDX support for libman tool.

Microsoft published an SBOM tool as well. I am not sure whether this supports libman.

Bertk avatar May 12 '23 06:05 Bertk

> I guess there is no CycloneDX support for libman tool.

... hence this issue to request support for Libman to be added :)

ArjenKorevaar avatar May 12 '23 06:05 ArjenKorevaar

Contributions are welcome :wink:

Please update the issue title, which suggests a bug, and add the information "Libman support (enhancement)".

Bertk avatar May 12 '23 07:05 Bertk

> Contributions are welcome 😉

No offense, but I would like to hear that from the owner(s) to make sure I'm not wasting my time. Support for Libman must fit the owners' idea of the purpose and scope of this tool, and they must accept maintaining it.

@coderpatros ?

ArjenKorevaar avatar Jul 07 '23 10:07 ArjenKorevaar

@ArjenKorevaar Libman is part of the ASP.NET ecosystem, so I think it makes sense to have support for it here. A PR for this functionality would be great.

coderpatros avatar Jul 12 '23 03:07 coderpatros
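To make concrete what adding Libman support to the BOM would involve, here is an added example that is not part of the issue thread or of the cyclonedx-dotnet code base: a small Python routine that reads a libman.json, turns each registry-backed library into a CycloneDX component, and merges it into an existing BOM without duplicating entries the NuGet scan already produced. The sample libman.json is constructed for this example (the versions are placeholders), and the provider-to-purl mapping is an assumption: there is no dedicated purl type for cdnjs, so cdnjs libraries get `pkg:generic` with a provider qualifier, while unpkg and jsDelivr entries, which serve npm packages, are mapped to `pkg:npm`. Filesystem-provider entries are skipped because they carry no registry identity or version.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

# Constructed sample, modelled on the libman.json in the issue. Versions are placeholders.
SAMPLE_LIBMAN_JSON = """
{
  "version": "1.0",
  "defaultProvider": "cdnjs",
  "libraries": [
    { "library": "bootstrap@5.1.0", "destination": "wwwroot/lib/bootstrap/dist" },
    { "provider": "unpkg", "library": "jquery@3.6.0", "destination": "wwwroot/lib/jquery/dist" },
    { "provider": "filesystem", "library": "../shared/js/", "destination": "wwwroot/lib/shared" }
  ]
}
"""

# Assumed mapping from Libman provider to purl type (hypothetical, not a Libman or purl standard):
# unpkg and jsDelivr front the npm registry, cdnjs has no purl type of its own.
PURL_TYPE_BY_PROVIDER = {"unpkg": "npm", "jsdelivr": "npm", "cdnjs": "generic"}


def split_library(spec: str) -> Tuple[str, Optional[str]]:
    """Split 'name@version' into (name, version). Scoped npm names such as
    '@scope/pkg@1.0.0' start with '@', so split on the last '@' only."""
    idx = spec.rfind("@")
    if idx <= 0:
        return spec, None
    return spec[:idx], spec[idx + 1:]


def make_purl(provider: str, name: str, version: str) -> Optional[str]:
    """Build a purl; each namespace/name segment is percent-encoded separately."""
    ptype = PURL_TYPE_BY_PROVIDER.get(provider)
    if ptype is None:
        return None
    ns_name = "/".join(quote(part, safe="") for part in name.split("/"))
    purl = f"pkg:{ptype}/{ns_name}@{quote(version, safe='')}"
    if ptype == "generic":
        purl += f"?provider={provider}"  # keep the origin visible for triage
    return purl


def libman_components(libman_text: str) -> List[Dict]:
    """Convert libman.json entries into CycloneDX component dictionaries."""
    doc = json.loads(libman_text)
    default_provider = doc.get("defaultProvider", "cdnjs")
    components: List[Dict] = []
    for entry in doc.get("libraries", []):
        provider = entry.get("provider", default_provider)
        if provider == "filesystem":
            continue  # local copies have no registry identity to record
        name, version = split_library(entry["library"])
        if version is None:
            continue  # an unpinned library cannot be matched against advisories
        comp: Dict = {
            "type": "library",
            "name": name,
            "version": version,
            "properties": [
                {"name": "libman:provider", "value": provider},
                {"name": "libman:destination", "value": entry.get("destination", "")},
            ],
        }
        purl = make_purl(provider, name, version)
        if purl:
            comp["purl"] = purl
            comp["bom-ref"] = purl
        components.append(comp)
    return components


def merge_into_bom(bom: Dict, components: List[Dict]) -> int:
    """Append components to a CycloneDX JSON BOM, de-duplicating on purl
    (or name@version when no purl exists). Returns the number added."""
    existing = {c.get("purl") or f"{c['name']}@{c.get('version')}"
                for c in bom.setdefault("components", [])}
    added = 0
    for comp in components:
        key = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        if key in existing:
            continue
        bom["components"].append(comp)
        existing.add(key)
        added += 1
    return added


if __name__ == "__main__":
    # Stand-alone run: start from an empty BOM skeleton and print the merged result.
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}
    merge_into_bom(bom, libman_components(SAMPLE_LIBMAN_JSON))
    print(json.dumps(bom, indent=2))
```

In a real integration the merge step would run against the BOM the tool already built from the obj folder output, so a library that is present both as a NuGet package and as a Libman download is recorded once; the `libman:*` properties preserve where each client-side file actually lives under wwwroot, which is what an analyst needs when an advisory names Bootstrap or jQuery.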

This issue is stale because it has been open for 3 months with no activity.

github-actions[bot] avatar Dec 31 '23 01:12 github-actions[bot]