[ci] Include build components in SBOM #8174
Context: xamarin/yaml-templates#263 Improves the content of our SBOM by unzipping our artifacts into a components directory that will be passed to the SBOM task. This will ensure that metadata for all of the files in our packages will also be included in the SBOM.
Testing this with https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=8036618&view=results. In a future PR, we can try to add build dependencies to the SBOM as well via the referencing-other-sboms-inside-the-current-sbom docs.
jonathanpeppers
left a comment
Will this fix the SBOM check on VS insertions? Like this one:
https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1848417/
@pjcollins: the "big picture" question: what should we be doing, vs. what we are doing? My (wrong?) understanding is that a Software Bill of Materials should include e.g.:
I thus infer that the SBOM should list every NuGet package that we build against and/or redistribute. This would include Compare to what we actually produce, even from your latest build, and I don't see any such NuGet inputs. (Am I checking in the wrong place?) For example, the Is my meta-understanding wrong? Should Newtonsoft & Irony be mentioned in the SBOM? Should they not be mentioned (insert reason why)?
Unfortunately no. As far as I know there is arcade work planned to support this for all .NET workloads, though it has been pending for quite a while... We should check with the .NET SDK and/or .NET Eng teams on the status of this.
I forgot to convert this to draft earlier, as the SBOM task is still not behaving as I would expect. By my understanding our SBOM needs to contain metadata about the following:
Build Outputs
Build Inputs
This PR aims to address inclusion of all Build Outputs information. We currently include packages in our SBOM, but not the contents of those packages. That's where this PR comes in. I plan on addressing the Build Inputs portion of the requirements in a future PR, hopefully by producing a different SBOM during the build job that can be referenced by the "Outputs" SBOM produced by this PR. @mjbond-msft @mrward do the requirements I've mentioned above match your expectations? Feel free to continue this conversation offline if that will be easier.
I haven't received a clear response on whether or not we need to include both shipping packages and the contents of the shipping packages in the SBOM, so I'll remove those changes for now. The PR will now produce "build components" SBOMs during the mac and linux builds, and download and reference them when creating the main SBOM file.
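The layout described in the comment above (per-platform "build components" SBOMs produced by the macOS and Linux jobs, then downloaded and referenced from the main SBOM) maps onto the SPDX 2.2 external document reference mechanism: the main document lists each referenced SBOM in `externalDocumentRefs` with its namespace and a SHA1 checksum, and relationships point into it with `DocumentRef-<id>:SPDXRef-<element>` identifiers. The script below is an added example, not code from the PR, the dotnet/android repository or the SBOM task it uses; the component SBOMs, package names and `example.invalid` namespaces are constructed stand-ins. It builds the main document and then verifies, before the references are trusted, that every referenced SBOM is present, that its checksum matches, and that no relationship points at an undeclared document, which is the check a consumer of a multi-document SBOM should run.

```python
"""Added example: build an SPDX 2.2 JSON SBOM that references per-platform
"build components" SBOMs, then verify the references. Not the PR's code;
all SBOM content below is constructed for illustration."""
import hashlib
import json
import re

# Constructed stand-ins for the SBOMs the macOS and Linux build jobs would
# produce; a real pipeline downloads these as build artifacts.
COMPONENT_SBOMS = {
    "macos": {
        "spdxVersion": "SPDX-2.2",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "build-components-macos",
        "documentNamespace": "https://example.invalid/sbom/build-components-macos",
        "packages": [{"name": "example-native-lib-macos", "SPDXID": "SPDXRef-Package-1"}],
    },
    "linux": {
        "spdxVersion": "SPDX-2.2",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "build-components-linux",
        "documentNamespace": "https://example.invalid/sbom/build-components-linux",
        "packages": [{"name": "example-native-lib-linux", "SPDXID": "SPDXRef-Package-1"}],
    },
}


def sha1_of_document(doc: dict) -> str:
    """Checksum of a canonical serialisation of a component SBOM. SPDX 2.x
    requires a SHA1 checksum on every external document reference."""
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha1(data).hexdigest()


def doc_ref_id(label: str) -> str:
    """SPDX identifiers allow only letters, digits, '.' and '-'."""
    return "DocumentRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", label)


def build_main_sbom(component_sboms: dict) -> dict:
    """Produce the main SBOM; each component SBOM becomes an external
    document reference plus a CONTAINS relationship into that document."""
    main = {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-main-sbom",  # constructed name
        "documentNamespace": "https://example.invalid/sbom/example-main-sbom",
        "externalDocumentRefs": [],
        "packages": [{"name": "example-root-package", "SPDXID": "SPDXRef-RootPackage"}],
        "relationships": [{
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-RootPackage",
        }],
    }
    for label, doc in component_sboms.items():
        ref_id = doc_ref_id(label)
        main["externalDocumentRefs"].append({
            "externalDocumentId": ref_id,
            "spdxDocument": doc["documentNamespace"],
            "checksum": {"algorithm": "SHA1", "checksumValue": sha1_of_document(doc)},
        })
        # Cross-document element reference: "DocumentRef-<id>:<SPDXID in that doc>"
        main["relationships"].append({
            "spdxElementId": "SPDXRef-RootPackage",
            "relationshipType": "CONTAINS",
            "relatedSpdxElement": f"{ref_id}:{doc['SPDXID']}",
        })
    return main


def verify_external_refs(main: dict, available: dict) -> list:
    """Return a list of problems. An empty list means every referenced SBOM
    was found with a matching checksum and every cross-document relationship
    targets a declared reference, so the reference chain can be trusted."""
    by_namespace = {d["documentNamespace"]: d for d in available.values()}
    problems, declared = [], set()
    for ref in main.get("externalDocumentRefs", []):
        ref_id = ref["externalDocumentId"]
        declared.add(ref_id)
        doc = by_namespace.get(ref["spdxDocument"])
        if doc is None:
            problems.append(f"{ref_id}: referenced document not available")
            continue
        cs = ref["checksum"]
        if cs["algorithm"] != "SHA1" or cs["checksumValue"] != sha1_of_document(doc):
            problems.append(f"{ref_id}: checksum mismatch")
    for rel in main.get("relationships", []):
        target = rel["relatedSpdxElement"]
        if ":" in target and target.split(":", 1)[0] not in declared:
            problems.append(f"relationship targets undeclared document {target}")
    return problems


if __name__ == "__main__":
    sbom = build_main_sbom(COMPONENT_SBOMS)
    print(json.dumps(sbom, indent=2))
    print("problems:", verify_external_refs(sbom, COMPONENT_SBOMS))
```

The checksum is taken over a canonical serialisation so that the same component SBOM always hashes identically regardless of key order; a consumer that receives the component SBOMs as separate artifacts should recompute it the same way and reject the main document when any reference fails, rather than silently treating the missing or altered components as absent.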
* main: [ci] Include build components in SBOM (dotnet#8174)
Context: https://github.com/xamarin/yaml-templates/pull/263
Updates the main SBOM file we produce to include build component info
from both the macOS and Linux builds. These two builds will now produce
build component SBOMs which are downloaded and referenced in our main
SBOM after all building and signing is complete.