sdk-container-builds
SBOM?
How do I get an SBOM for a .NET SDK-built OCI image?
The images produced by this tooling are ordinary OCI container images, so any SBOM generator that can already detect and report .NET dependencies will work on them unchanged: the .NET entries come from the application's .deps.json in the image, and the OS entries come from the base image's package database.
Here's an example using syft on a simple WebAPI container generated from this tooling. Note the dotnet dependencies at the top: they are only mostly correct, because syft reads them from the .deps.json and does not separate packages that actually ship code in the image from build-time-only packages that merely appear there (the SourceLink packages, DotNet.ReproducibleBuilds and Microsoft.NET.Build.Containers itself). We're looking at better SBOM generation across the .NET ecosystem, so this should get better over time.
```text
$ syft packages sdk-container-demo:1.0.0
NAME VERSION TYPE
DotNet.ReproducibleBuilds 1.1.1 dotnet
Microsoft.AspNetCore.App.Runtime.linux-x64 7.0.5 dotnet
Microsoft.Build.Tasks.Git 1.1.1 dotnet
Microsoft.NET.Build.Containers 7.0.400-dev dotnet
Microsoft.NETCore.App.Runtime.linux-x64 7.0.5 dotnet
Microsoft.SourceLink.AzureRepos.Git 1.1.1 dotnet
Microsoft.SourceLink.Bitbucket.Git 1.1.1 dotnet
Microsoft.SourceLink.Common 1.1.1 dotnet
Microsoft.SourceLink.GitHub 1.1.1 dotnet
Microsoft.SourceLink.GitLab 1.1.1 dotnet
adduser 3.118 deb
apt 2.2.4 deb
base-files 11.1+deb11u7 deb
base-passwd 3.5.51 deb
bash 5.1-2+deb11u1 deb
bsdutils 1:2.36.1-8+deb11u1 deb
ca-certificates 20210119 deb
coreutils 8.32-4+b1 deb
dash 0.5.11+git20200708+dd9ef66-5 deb
debconf 1.5.77 deb
debian-archive-keyring 2021.1.1+deb11u1 deb
debianutils 4.11.2 deb
diffutils 1:3.7-5 deb
dpkg 1.20.12 deb
e2fsprogs 1.46.2-2 deb
findutils 4.8.0-1 deb
gcc-10-base 10.2.1-6 deb
gcc-9-base 9.3.0-22 deb
gpgv 2.2.27-2+deb11u2 deb
grep 3.6-1+deb11u1 deb
gzip 1.10-4+deb11u1 deb
hostname 3.23 deb
init-system-helpers 1.60 deb
libacl1 2.2.53-10 deb
libapt-pkg6.0 2.2.4 deb
libattr1 1:2.4.48-6 deb
libaudit-common 1:3.0-2 deb
libaudit1 1:3.0-2 deb
libblkid1 2.36.1-8+deb11u1 deb
libbz2-1.0 1.0.8-4 deb
libc-bin 2.31-13+deb11u6 deb
libc6 2.31-13+deb11u6 deb
libcap-ng0 0.7.9-2.2+b1 deb
libcom-err2 1.46.2-2 deb
libcrypt1 1:4.4.18-4 deb
libdb5.3 5.3.28+dfsg1-0.8 deb
libdebconfclient0 0.260 deb
libext2fs2 1.46.2-2 deb
libffi7 3.3-6 deb
libgcc-s1 10.2.1-6 deb
libgcrypt20 1.8.7-6 deb
libgmp10 2:6.2.1+dfsg-1+deb11u1 deb
libgnutls30 3.7.1-5+deb11u3 deb
libgpg-error0 1.38-2 deb
libgssapi-krb5-2 1.18.3-6+deb11u3 deb
libhogweed6 3.7.3-1 deb
libicu67 67.1-7 deb
libidn2-0 2.3.0-5 deb
libk5crypto3 1.18.3-6+deb11u3 deb
libkeyutils1 1.6.1-2 deb
libkrb5-3 1.18.3-6+deb11u3 deb
libkrb5support0 1.18.3-6+deb11u3 deb
liblz4-1 1.9.3-2 deb
liblzma5 5.2.5-2.1~deb11u1 deb
libmount1 2.36.1-8+deb11u1 deb
libnettle8 3.7.3-1 deb
libnsl2 1.3.0-2 deb
libp11-kit0 0.23.22-1 deb
libpam-modules 1.4.0-9+deb11u1 deb
libpam-modules-bin 1.4.0-9+deb11u1 deb
libpam-runtime 1.4.0-9+deb11u1 deb
libpam0g 1.4.0-9+deb11u1 deb
libpcre2-8-0 10.36-2+deb11u1 deb
libpcre3 2:8.39-13 deb
libseccomp2 2.5.1-1+deb11u1 deb
libselinux1 3.1-3 deb
libsemanage-common 3.1-1 deb
libsemanage1 3.1-1+b2 deb
libsepol1 3.1-1 deb
libsmartcols1 2.36.1-8+deb11u1 deb
libss2 1.46.2-2 deb
libssl1.1 1.1.1n-0+deb11u4 deb
libstdc++6 10.2.1-6 deb
libsystemd0 247.3-7+deb11u2 deb
libtasn1-6 4.16.0-2+deb11u1 deb
libtinfo6 6.2+20201114-2+deb11u1 deb
libtirpc-common 1.3.1-1+deb11u1 deb
libtirpc3 1.3.1-1+deb11u1 deb
libudev1 247.3-7+deb11u2 deb
libunistring2 0.9.10-4 deb
libuuid1 2.36.1-8+deb11u1 deb
libxxhash0 0.8.0-2 deb
libzstd1 1.4.8+dfsg-2.1 deb
login 1:4.8.1-1 deb
logsave 1.46.2-2 deb
lsb-base 11.1.0 deb
mawk 1.3.4.20200120-2 deb
mount 2.36.1-8+deb11u1 deb
ncurses-base 6.2+20201114-2+deb11u1 deb
ncurses-bin 6.2+20201114-2+deb11u1 deb
openssl 1.1.1n-0+deb11u4 deb
passwd 1:4.8.1-1 deb
perl-base 5.32.1-4+deb11u2 deb
sed 4.7-1 deb
sysvinit-utils 2.96-7+deb11u1 deb
tar 1.34+dfsg-1 deb
tzdata 2021a-1+deb11u10 deb
util-linux 2.36.1-8+deb11u1 deb
zlib1g 1:1.2.11.dfsg-2+deb11u2 deb
```
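The syft listing above mixes build-time-only NuGet packages (the SourceLink packages, DotNet.ReproducibleBuilds, Microsoft.NET.Build.Containers) with what actually runs in the image. One way to tell them apart, as an added example that is not part of this tooling or of syft, is to cross-check syft's JSON output (`syft packages <image> -o json`) against the application's .deps.json that the SDK publishes next to the app: a package that ships assemblies has `runtime` or `native` entries under its target in the .deps.json, while a package that only leaks in from the build has an empty or dependencies-only entry. Both documents in the script are constructed, trimmed samples modeled on the listing above, `Contoso.Widgets` is a placeholder package name, and the empty-entry rule is the assumption the check rests on.

```python
# Added example; not part of dotnet/sdk-container-builds or syft. It triages a
# syft JSON SBOM against the application's .deps.json so that build-only NuGet
# packages can be separated from packages that ship code in the image.
import json

# Constructed sample: the shape of `syft packages sdk-container-demo:1.0.0 -o json`,
# trimmed to a handful of artifacts taken from the listing on this page plus a
# placeholder package, Contoso.Widgets, that stands in for a real runtime dependency.
SYFT_JSON = """
{
  "artifacts": [
    {"name": "DotNet.ReproducibleBuilds", "version": "1.1.1", "type": "dotnet",
     "locations": [{"path": "/app/sdk-container-demo.deps.json"}]},
    {"name": "Microsoft.NET.Build.Containers", "version": "7.0.400-dev", "type": "dotnet",
     "locations": [{"path": "/app/sdk-container-demo.deps.json"}]},
    {"name": "Microsoft.SourceLink.GitHub", "version": "1.1.1", "type": "dotnet",
     "locations": [{"path": "/app/sdk-container-demo.deps.json"}]},
    {"name": "Contoso.Widgets", "version": "2.3.0", "type": "dotnet",
     "locations": [{"path": "/app/sdk-container-demo.deps.json"}]},
    {"name": "libssl1.1", "version": "1.1.1n-0+deb11u4", "type": "deb",
     "locations": [{"path": "/var/lib/dpkg/status"}]},
    {"name": "zlib1g", "version": "1:1.2.11.dfsg-2+deb11u2", "type": "deb",
     "locations": [{"path": "/var/lib/dpkg/status"}]}
  ]
}
"""

# Constructed sample: /app/sdk-container-demo.deps.json. Assumption used below:
# packages that contribute no assets to the published output appear under
# "targets" with an empty (or dependencies-only) entry, while packages that ship
# code carry "runtime" / "native" / "resources" sections.
DEPS_JSON = """
{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v7.0", "signature": ""},
  "targets": {
    ".NETCoreApp,Version=v7.0": {
      "sdk-container-demo/1.0.0": {
        "dependencies": {"Contoso.Widgets": "2.3.0", "Microsoft.SourceLink.GitHub": "1.1.1"},
        "runtime": {"sdk-container-demo.dll": {}}
      },
      "Contoso.Widgets/2.3.0": {
        "runtime": {"lib/net7.0/Contoso.Widgets.dll": {"assemblyVersion": "2.3.0.0"}}
      },
      "DotNet.ReproducibleBuilds/1.1.1": {},
      "Microsoft.NET.Build.Containers/7.0.400-dev": {},
      "Microsoft.SourceLink.GitHub/1.1.1": {
        "dependencies": {"Microsoft.SourceLink.Common": "1.1.1"}
      },
      "Microsoft.SourceLink.Common/1.1.1": {}
    }
  },
  "libraries": {
    "sdk-container-demo/1.0.0": {"type": "project", "serviceable": false},
    "Contoso.Widgets/2.3.0": {"type": "package", "serviceable": true},
    "DotNet.ReproducibleBuilds/1.1.1": {"type": "package", "serviceable": true},
    "Microsoft.NET.Build.Containers/7.0.400-dev": {"type": "package", "serviceable": true},
    "Microsoft.SourceLink.GitHub/1.1.1": {"type": "package", "serviceable": true},
    "Microsoft.SourceLink.Common/1.1.1": {"type": "package", "serviceable": true}
  }
}
"""

# Sections of a deps.json target entry that mean "this package put files in the output".
ASSET_SECTIONS = ("runtime", "native", "resources", "runtimeTargets")


def shipped_packages(deps_text):
    """Map name -> version for every deps.json entry that ships runtime assets."""
    deps = json.loads(deps_text)
    shipped = {}
    for target in deps["targets"].values():
        for key, entry in target.items():
            name, _, version = key.partition("/")
            if any(entry.get(section) for section in ASSET_SECTIONS):
                shipped[name] = version
    return shipped


def triage(syft_text, deps_text):
    """Split syft artifacts into OS packages, shipped .NET packages, build-only
    .NET entries, and .NET entries whose version disagrees with the deps.json."""
    shipped = shipped_packages(deps_text)
    result = {"os": [], "dotnet_shipped": [], "dotnet_build_only": [], "version_mismatch": []}
    for art in json.loads(syft_text)["artifacts"]:
        name, version = art["name"], art["version"]
        if art["type"] != "dotnet":
            result["os"].append(f"{name} {version}")
        elif name not in shipped:
            result["dotnet_build_only"].append(f"{name} {version}")
        elif shipped[name] != version:
            result["version_mismatch"].append(f"{name} syft={version} deps.json={shipped[name]}")
        else:
            result["dotnet_shipped"].append(f"{name} {version}")
    return result


if __name__ == "__main__":
    for bucket, items in triage(SYFT_JSON, DEPS_JSON).items():
        print(f"{bucket}: {items}")
```

To run it against real data, replace the two constants with the syft JSON for the image and the .deps.json copied out of it (for example with `docker create` followed by `docker cp`). Entries that land in `dotnet_build_only` are candidates to drop from the SBOM or to flag for review, and any `version_mismatch` entry means syft and the deps.json disagree and deserves a manual look before the SBOM is published.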
There's an effort to bake SBOM generation support into the .NET SDK itself, tracked at https://github.com/NuGet/Home/issues/12497.
As that progresses, we will work out what is needed to produce SBOMs for the generated container images as well.
Prior art here: https://docs.docker.com/engine/sbom/ (though that covers OS libraries and other base-image content that this tooling has no direct knowledge of).