feat: SBOM output format
This PR adds support for a new --ManifestFileFormat flag which accepts:
- ComponentDetection
- CycloneDx
- SPDX
Currently ComponentDetection (default) and CycloneDx are implemented, with plans to implement SPDX once the proof-of-concept is accepted.
👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:
- The detector detects more or fewer components than before
- The detector generates different parent/child graph relationships than before
- The detector generates different `devDependencies` values than before
If none of the above scenarios apply, feel free to ignore this comment 🙂
@coderpatros does the CycloneDx mapper contain enough information? Is there anything I am missing?
@JamieMagee I can't remember if I've mentioned this to you before. But we also have a CycloneDX.Spdx NuGet package. It has SPDX data models and a JSON serializer implemented. Doco is here https://cyclonedx.github.io/cyclonedx-dotnet-library/api/CycloneDX.Spdx.Models.v2_2.html
Build failures are related to https://github.com/dotnet/runtime/issues/61602
@JamieMagee I'm really interested in this PR. Now that you fully switched to .NET 6, rebasing this work on top of main should solve previous build failures related to Json/.NET Core 3.x. What do you think? Thanks!