microsoft / sbom-tool Goto Github PK

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.

License: MIT License

C# 99.95% Dockerfile 0.05%

sbom sbom-generator

sbom-tool's Introduction

SBOM Tool

Introduction

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. The tool uses the Component Detection libraries to detect components and the ClearlyDefined API to populate license information for these components.

Download and Installation
Run the tool
Integrating SBOM tool to your CI/CD pipelines
Telemetry
Contributing
Security
Trademarks

Download and Installation

Executables for Windows, Linux, macOS

We distribute executables and SBOM files of the tool in GitHub Releases page. You can go and download binaries manually or use commands below to get the latest version of the tool for your platform.

Please check the CLI Reference document for additional help regarding the CLI tool.

Package managers

WinGet

winget install Microsoft.SbomTool

Homebrew

brew install sbom-tool

Manual download

Windows (PowerShell)

Invoke-WebRequest -Uri "https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-win-x64.exe" -OutFile "sbom-tool.exe"

Linux (curl)

curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
chmod +x sbom-tool

macOS (curl)

curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-osx-x64
chmod +x sbom-tool

Building SBOM tool as docker image

Clone this repo and build the docker image.

git clone https://github.com/microsoft/sbom-tool
cd sbom-tool
docker build . -t ms_sbom_tool

You can then use the tool normally, by mounting the directories to be scanned using docker bind mounts.

SBOM .NET Tool

The sbom-tool can also be installed as a .NET tool using the following command:

dotnet tool install --global Microsoft.Sbom.DotNetTool

SBOM API NuGet package

Please add and authenticate the Microsoft GitHub NuGet package registry to your nuget.config. Then install the Microsoft.Sbom.Api package to your project using these instructions

Please check the API Reference document for addditional help regarding the SBOM tool C# Api.

Run the tool

SBOM Generation

Once you have installed the command line tool for your OS, run the tool using this command:

sbom-tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <package supplier> -nsb <namespace uri base>

The drop path is the folder where all the files to be shipped are located. All these files will be hashed and added to the files section of the SBOM. The build components path is usually your source folder, tool will scan this folder to search for project files like *.csproj or package.json to see what components were used to build the package. Tool uses component-detection to scan for components and dependencies, visit its Github page to get more information about supported components. The package name and version represent the package the SBOM is describing.

Each SBOM has a unique namespace that uniquely identifies the SBOM, we generate a unique identifier for the namespace field inside the SBOM, however we need a base URI that would be common for your entire organization. For example, a sample value for the -nsb parameter could be https://companyName.com/teamName, then the generator will create the namespace that would look like https://companyName.com/teamName/<packageName>/<packageVersion>/<new-guid>. Read more about the document namespace field here.

A more detailed list of available CLI arguments for the tool can be found here

SBOM Validation

With an SBOM file in hand, use the tool to validate the output file with the command:

sbom-tool validate -b <drop path> -o <output path> -mi SPDX:2.2

This sample command provides the minimum mandatory arguments required to validate an SBOM: -b should be the path same path used to generate the SBOM file. In this scenario, the tool will default to searching for an SBOM at the <drop path>\_manifest\spdx_2.2\manifest.spdx.json path. -o is the output path where the tool should write the results to. -mi is the ManifestInfo, which provides the user's desired name and version of the manifest format.

Currently only SPDX2.2 is supported.

Integrating SBOM tool to your CI/CD pipelines.

You can follow these guides to integrate the SBOM tool into your CI/CD pipelines

Telemetry

By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.

Contributing

Please follow the steps here to clone and build this repository from source.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include Microsoft, Azure, DotNet, AspNet, Xamarin, and our GitHub organizations.

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's definition of a security vulnerability, please report it to us as described in the Security.md.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

sbom-tool's People

Contributors

Stargazers

Watchers

Forkers

maxhbr gitlawr fjsnogueira opedroso zdtsw danielschulz zvikar72 stjordanis cichon-mentz cmaclaughlin nrfta myaniu moorcheung isabella232 alialrubaye bureado akankushjnvku dut3062796s wxw12345 nanofabricfx mattkenefick yhtcug sumodgeorge phuocphamm gzhelezo narimantos calvinxu saisasanktej risecai jk1ng deividhs lromano72 maremare naveeguru biubiubiud sbs2001 tiandiheyi jhutchings1 caspergn pocket-d pamir cheahengteong fcitwip dwnatwick gt2847c timb-machine-mirrors rioil andy-clymer elinunez2 sebasgomez238 wenyi189 scanepa axelrod-1257 rbleattler jamiemagee wismann sandyring syncartert t0rchwo0d bettyweng sbom-tool-fork 00mjk cyberflamego fedebona app-creative guden ericlefu a2atsu stianvi hollow375 murata-atsu sokofromnz viet994 michaelsimons jinguang-dong rajkrishnamurthy tobey123 klw123 malcolmnixon kuntom ryanbrandenburg babywyrm layzhi xdwang940209 orange-777 softctrl tarun06 ralphhightower acumenix chenrui333 robertcrockett imatthewtanner lukaszkokot ahasunos sksundaram-learning antodr sfoslund micyunmsft cmnsservices sahardevv

sbom-tool's Issues

Shared library MonoPosixHelpers not found on MacOS

I am using a Mac M1 and When I start sbom-tool, I've got an error message telling that shared library MonoPosixHelpers is not found.
MacOS version is 12.5.1

Mac OS sbom-tool build failure on NU1301

M1 Mac running Monterey (Mac OS 12.4).
Installed .NET. (https://docs.microsoft.com/en-us/dotnet/core/install/macos).
Set environment (DOTNET_ROOT).
Proved .NET installation works by creating 'hello world'. (https://docs.microsoft.com/en-us/dotnet/core/get-started)

Clone sbom-tool. cd into sbom-tool.
Attempt dotnet build. Fails on SDK mismatch, but helpfully tells me to update global.json.
Updated to global.json sdk version to 6.0.302 which is current .NET install for Mac.
Attempt dotnet build. Hit collection of NU1301 errors for a failed build.
A quick search of NU1301 (https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1301) suggests I 'contact the source owner' or try 'removing source that might not be needed.'

As I don't know the source I'm not about to try removing source files.

Rest of the report is the build output:

$ dotnet build
Microsoft (R) Build Engine version 17.2.0+41abc5629 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  Determining projects to restore...
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj (in 393 ms).
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj (in 451 ms).
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj (in 451 ms).
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj (in 470 ms).
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj (in 581 ms).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 46BD96B6-F24E-4F0B-89B2-1A7063459E16)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F689-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F75E-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230EAD-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F742-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E91-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E98-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F739-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F733-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E8D-1C06-4EED-B0EC-B0905F5B19DD)).
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj (in 13.72 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj (in 13.72 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj (in 13.27 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj (in 13.31 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj (in 13.72 sec).

Build FAILED.

/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
    0 Warning(s)
    10 Error(s)

Time Elapsed 00:00:15.46

consistent error of `1: Not: not found`

Trying to use this tooling (linux binary) in WSL.

I've curled the link from the releases page:

curl -Lo salus https://github.com/microsoft/sbom-tool/releases/download/v0.1.2/sbom-tool-linux-x64
chmod +x salus
mv salus /usr/local/bin

So far anything I attempt to run results in /usr/local/bin/salus: 1: Not: not found, even commands like salus -h. Specifying verbosity doesn't change the outcome.

Any pointers?

`No usable version of libssl was found` on Linux

On Linux I get the following error message.

OS: Fedora 36
ARch: x86_64

winsbom generate -b .
No usable version of libssl was found
Aborted (core dumped)

For now, I need to generate sbom of python or go project with this sbom-tool, how should I do?

Add SBOM generation to release workflows so packages produced include SBOMs

Win64 release installer ends with no output and no 'generate' becomes available.

I'm using a Windows 11 machine. I've downloaded the installer executable from the Releases section and run it after going over the security dialogue.
The console applications close almost instantly and I can't find any 'generate' command.

Deletes the _manifest folder anyway

When I run the tool a second time, I get this error message:

$ ./sbom-tool-linux-x64 generate [...]
##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to create manifest directory at path ./_manifest. Error: The BuildDropRoot folder already contains a _manifest folder. Please delete this folder before running the generation or set the DeleteManifestDirIfPresent environment variable to 'true' to overwrite this folder.

The DeleteManifestDirIfPresent environment variable is not set, but it deletes the folder anyway.

I've tested it after setting DeleteManifestDirIfPresent as described and it works as expected.

-V flag ignored?

Hiya,
I'm running the tool with -V Error and still getting output tagged [INFO].
My guess is that you're missing an [ArgShortcut("V")] attribute from CommonArgs.cs?

Missing license of RootPackage in SBOM

Hey there,

I am working on generating an SBOM for a GitHub Action that sets up this SBOM-Tool in a convenient way (see: https://github.com/philips-software/sbom-tool-installer-action). After generating the SBOM, I noticed that the license field of the RootPackage is set to NOASSERTION. This might be intended as this feature might not be implemented yet. However, I would really appreciate at least a parameter to set the LICENSE of the RootPackage. In the case of the installer-action, the license is actually set properly within GitHub and the package.json

I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772

Wrong supplier in RootPackage of SBOM

Hey there,

I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772

Is there a docker image for the tool ?

The referencecategory should be PACKAGE-MANAGER

Using the spdx online tool to verify the generated spdx file has a warning

The referencecategory should be PACKAGE-MANAGER instead of PACKAGE_MANAGER.

Using private pypi repositories

Hello,

I'm currently trying to see how we can use the sbom tool for our different software development platforms that use .netcore as well as python heavily.

I was trying to use the tool with a python projects that pulls in modules from a private pypi repository. Unfortunately the tool does not seem to recognise neither the PIP_CONFIG_FILE nor the PIP_EXTRA_INDEX_URLS.

Is there a way to use private repositories as well? I did not find anything within the docs.

Thanks

Network reliability improvement needed

When attempting to generate sbom for a binary drop from a file server, I often have to make multiple attempts before I can successfully generate an sbom. This leads to building a lot of infrastructure in a lot of places to support what is perceived as a "flaky" tool. Additionally, we have to make different design decisions when we cannot reliably generate an SBOM from a (secured) network share and must instead ensure that all sbom generation is done against local binaries. This is particularly true on larger drops.

##[debug]Starting SBOM generation workflow.
##[debug]Using the FileListBasedFileToJsonProvider provider for the files workflow.
##[debug]Enumerating all files from listFile.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop1\raw\09037.00\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz'
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz'

Adding wait / retries to file access calls would improve the reliability and ease adoption of this tool.

Actions/Pipelines YAML examples

Update how to execute the tool in the read me documentation

Object reference not set to an instance of an object

When trying to run salus on a go project and after Scan Manifest file I get the mentioned error. I tried with one of my own and another open source project, both fail.

I attach the scan files for you, just in case you need them to give me a hint

Thanks for looking into this

ScanManifest_20220714111446.txt
ScanManifest_20220714110630.txt
.

Does sbom-tool support the project which contains poetry.lock?

As I found sbom-tool using component-detection to scan for components and dependencies, which support both requirements.txt and poetry.lock. But when I scanned the project with poetry.lock, it didn't work, regardless of scanning image or source code. It can generate sbom file correctly when I change poetry.lock to requirement.txt. What's the problem? The commands is as follows:

For source code:
salus Generate -b ./test -bc ./test -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
For docker image:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

Update to .NET 6.0

After Dec 3 2022 .NET 3.1 will no longer be supported or patched.

License information consistently results to NOASSERTION on different projects

Hi,

I'm in the process of testing whether sbom-tool could satisfy our requirements for auto-generating sboms during pipeline executions. I've tried on several internal projects and consistently find that the generated sbom yields NOASSERTION on license information.

Example requirements.txt file:

graphviz
PyYAML
Jinja2
Cerberus

Yields:

{
  "files": [],
  "packages": [
    {
      "name": "MarkupSafe",
      "SPDXID": "SPDXRef-Package-A3EF6C57C1136846E9D7C7A38506BE704CC0BB74D7E00D4E1CAB1750FF8DA78D",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "2.1.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/markupsafe%402.1.1"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "Cerberus",
      "SPDXID": "SPDXRef-Package-321281AF12101511BB74C614AB9A7F87091E83CA804C4E0E31478B33D5C422FE",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "1.3.4",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/cerberus%401.3.4"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "graphviz",
      "SPDXID": "SPDXRef-Package-08DDAAAC542BB734BA5B8613D10207BC5FBA8E3A7A15548EB9D52744ED03EA7C",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "0.20.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/graphviz%400.20.1"
        }
      ],
      "supplier": "NOASSERTION"
    },
...

I'm unsure whether I'm doing something incorrectly here. The sbom is generated by the following pipeline step:

...
- script: |
    curl -Lo $(Agent.TempDirectory)/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
    chmod +x $(Agent.TempDirectory)/sbom-tool
    $(Agent.TempDirectory)/sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc $(System.DefaultWorkingDirectory) -pn projectname -V Verbose -nsb https://some.url.here.noexist -pv $(versionNumber)
  displayName: Generate SBOM

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'

sbom-tool generate -ManifestDirPath _manifest creates nested directory

Executing sbom-tool generate -ManifestDirPath _manifest creates an unexpected _manifest nested sub-directory:

Just to clarify, although this is written in the documentation, I think its not the expected behaviour:

ManifestDirPath (-m)                      The path of the directory where the generated SBOM files will be
                                          placed. A folder named '_manifest' will be created at this location,       
                                          where all generated SBOMs will be placed. If this parameter is not
                                          specified, the files will be placed in {BuildDropPath}/_manifest
                                          directory.

If this is working as expected (I hope not, because creating an hardcoded directory is really odd when you can specify it in an argument), I think the last paragraph should be modified to be a bit more clear. Something like:

If this parameter is not specified, the directory will be create inside the {BuildDropPath} directory.

Can't generate an SBOM for directories containing a space

I execute this command on Windows (doesn't matter if I use cmd or PowerShell):

C:\Temp\sbom-tool.exe generate -b "C:\src\core\Build\Service with spaces" -bc "C:\src\core\Solutions\service with spaces\src\" -pn "Foo bar services" -pv "1.0.0.0" -nsb "https://example.com"

The tool runs and creates a manifest, however no depedencies are found.

Program output:

[INFO] Log file: C:\Users\username\AppData\Local\Temp\GovCompDisc_Log_20220722135038.log
[INFO] Run correlation id: 77b85f03-caa7-47b4-bc71-94e9e4b003c1

[INFO] Attempting to load default detectors
[INFO] 19 detectors were found in Microsoft.ComponentDetection.Detectors

[WARN] Provided search path C:\Users\username\AppData\Local\Temp\.net\sbom-tool\lpvnvva1.mst\Plugins does not exist.


[INFO] Finding components...
[INFO] No instructions received to scan docker images.
[ERROR] Root directory doesn't exist: C:\src\core\Solutions\service

If I run the tool on a directory without spaces, everything works fine.

Add sample SBOM produced by the tool

SBOM for C/C++ (Cmake)

sbom-tool is able to generate sbom for C/C++ projects if it is using cmake

CI pipelines hang indefinitely on `salus -h`

In two sample CI pipelines, one using Azure DevOps and one using GitHub Actions (both linux agents), I've so far found that salus -h hangs indefinitely until the task/step is canceled by the pipeline or a user (up to 60 min on AzDO, 20 min on GH - just hitting standard pipeline timeouts), but a properly parameter-supplied salus generate command can run fine.

Both systems have logging output of:

scripts/salus-install.sh: line 22:  1660 Killed                  salus -h

and report exit code 137.

While I've had unrelated (I think) issues running Salus locally, running salus -h in an Azure Cloud Shell session works fine and returns promptly, so the error is not solely with the command.

Salus name conflicts with existing tool

The name "Salus" is already an established security tool, which among other things generates CycloneDX SBOMs from dependency manifests. Salus is a project from Coinbase, and has been listed on the CycloneDX Tool Center for quite some time now.

https://github.com/coinbase/salus

Microsoft Salus creates confusion in the market and should be renamed.

Generated SBOM includes Git data and ephemeral build artifacts

The generated SBOM includes information from the .git folder. Likewise, it would be good to have it ignore the contents of NPM node_modules directories and Maven /target/ directories.

AFAICT, there's no option to exclude these directories from the results.

One option would be to have the tool honour the ignore list specified in .gitignore files.

Note that a .gitignore file itself is a maintained artifact that IMHO should be included in the SBOM.

[Feature Request] Generate HTML page along with SBOM json

It would be an excellent feature to add a flag, maybe -generate-webpage that would include an HTML page that is directly connected to the json file path at the same root.

Similar to how you can generate a webpage with MSIX's .appinstaller. As a simple example:

<html>
<head>
    <meta charset="utf-8"/>
    <title>SBOM</title>
    <link rel="stylesheet" href="https://kendo.cdn.telerik.com/2022.2.621/styles/kendo.default-v2.min.css"/>
    <script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
    <script src="https://kendo.cdn.telerik.com/2022.2.621/js/kendo.all.min.js"></script>
</head>

<body>

<div id="files-grid"></div>
<div id="packages-grid"></div>

<script>
  $(function() {
     var files = [];
     var packages = [];
    
// THIS LOADS THE JSON INTO AN EASY TO READ DATAGRID
    $.getJSON('/manifest.spdx.json', function(data) {
       $.each(data.files, function(i, f) {
           files.push(f);
       });

       $.each(data.packages, function(i, p) {
           packages.push(p);
       });
    });

    $("#files-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "fileName", title: "File Name" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: files,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                fileName: { type: "string", editable: false }
              }
            }
          }
        }
    });

    $("#packages-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "name", title: "Package" },
          { field: "versionInfo", title: "Version" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: packages,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                name: { type: "string", editable: false },
                versionInfo: { type: "string", editable: false }
              }
            }
          }
        }
    });
  });
</script>

</body>
</html>

Sign sbom-tool releases

Would be nice to be able to verify that releases of sbom-tool are build by CI by using e.g sigstore to sign binaries

GitHub Action

Create a GitHub Action to install and/or run the SBOM tool.

This doesn't need to be overly complex, and I would look to examples like sigstore/cosign-installer which has achieved this with a Bash script (No TypeScript/JavaScript required!)

Is the Rust/Cargo support ready for use?

Hi!

I would like to ask for help to understand how the sbom-tool works for Rust code. We in the Kubewarden team are evaluating to use sbom-tool to generate the SPDX file for the Rust component of the Kubewarden stack. But we are seeing some results that seems to be incomplete. When we run the sbom-tool in the Policy Server repository, the tool generate the SPDX file with all the files under the build directory. Which does not seem a problem, but it misses all the dependencies defined in the Cargo.toml file. In other words, the SPDX file does not have the relationships between the packages define in the cargo file. Is this expected ? Is the cargo/Rust support production ready?

This is an example of the command that I use to create the file:

$ sbom-tool generate -b ./target -bc . -pn kubewarden -pv 1.0.0 -nsb https://kubewarden.io -V Verbose -ps Kubewarden

Let's check some info in the SPDX file:

$ jq ".packages[] | .name" _manifest/spdx_2.2/manifest.spdx.json
"winapi-x86_64-pc-windows-gnu"
"instant"
"cfg-if"
"remove_dir_all"
"tempfile"
"winapi"
"bitflags"
"redox_syscall"
"fastrand"
"libc"
"winapi-i686-pc-windows-gnu"
"policy-server"

$ jq ".packages | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq ".relationships | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq -r ".relationships[] | .relatedSpdxElement" _manifest/spdx_2.2/manifest.spdx.json >> out; jq -r ".packages[] | .SPDXID" _manifest/spdx_2.2/manifest.spdx.json >> out

$cat out | sort -u
SPDXRef-Package-09E888C0DD94AE60E61C26BDCB42496CCE2C353B04EDC32010BAE39CD9C281D0
SPDXRef-Package-103DDECE1CB10C10E2689F436AB7787B75BC4D108C139C4A187F13A49F631E8A
SPDXRef-Package-189578355B371E85A4B08774D0CFD32BD36B61165FA6BBEDA3B80BE76024EA8D
SPDXRef-Package-23A31416C710E2C36870C6DA198442A1B9E87AA1DEE5C764218A5ADA6ACAB955
SPDXRef-Package-2C0BE3A4473BFBE36158A982CB7D03CB69186272843FCC7EED4A98767B0B0484
SPDXRef-Package-3A6F59C021FD50CA792745B5BA96467074206C03916D0BCFC926087D1D49F587
SPDXRef-Package-860B0BD399A74F569916FC6D2B12313E84843DAD430BC3A7AF88A11F42210381
SPDXRef-Package-8D53CF339C6C5356F4655FAB5ED74736CCEAA7FE34FFF98F2C6F3DF3F627A96E
SPDXRef-Package-9D986058A09E0CC43BCCF23FE973D1CEB4F7AFC28E67A6FA8D2453F4264AA058
SPDXRef-Package-CD84440B5868C5522882D227E2DA16FEF386CAF7BAE037A976DE512D23092501
SPDXRef-Package-EE5CCD784D9C04F2C86943E03620B4A4D9A902C21981F66C64F63115130F6439
SPDXRef-RootPackage

$ cat out | sort -u | wc -l
12

None of the dependencies defined in the Cargo.toml are defined in the SPDX file. Am I missing something?

What is the nuget package for?

I'm feeling dumb, but it seems like the instructions say to install a nugget package without explaining what the package is for or how to use it.

Error while running the generate command

Command 1 : sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NPM -nsb "https://mycompany.com"

What I expect: generator should automatically pic the package name and package version from my folder/project/repo
What is happening: ##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to generate a package version based on provided parameters. Please provide the package version in the 'PackageVersion' parameter.

Command 2: sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NpmWithRoots -pv 1.0 -nsb "https://mycompany.com"

Error message: Required argument missing for option: --verbosity

Can you please elaborate the usage of -pv and -pn ? It will be helpful if you give us an example.

Documentation error and SBOM format error

Mark Russinovich (Azure CTO) tried the tool and found a minor doc bug where “sbom-tool” is missing in this sample command line:

He also faced the following error when trying to run the guidance:

Add SBOM generation to PR build

Remove and rename references to DropValidator

https://github.com/search?q=repo%3Amicrosoft%2Fsbom-tool%20DropValidator&type=code

Dev/stage/prod dependencies

Is there a way to filter out dependencies? In my case I want to include only production dependencies and opt out dev/stage dependencies. Is that a possible option? I believe by default Microsoft SBOM generator will capture all dependencies and generate BOM.

Crash (Object reference not set to an instance of an object) while generating manifest

Using the v0.1.2 release binaries, this happens equally on macOS (12.4) and Debian x86 (10.10):

##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.

When I give the -m option, a .json file stays around which is incomplete.

It happens with all node / vue projects I tried and also on an Xcode project.

I can reproduce it on a freshly created directory where just "npm init" has been run:

bkr@home package-test % cat package.json
{
"name": "test",
"version": "1.0.0",
"description": "Some Test",
"main": "index.js",
"scripts": {
"test": "echo "Error: no test specified" && exit 1"
},
"author": "",
"license": "ISC"
}

bkr@home package-test % mkdir mani ; ~/Downloads/sbom-tool-osx-x64 generate -b $PWD -pn test -pv 1.0.0 -V Verbose -m mani
##[debug]Starting SBOM generation workflow.
##[debug]Using the CGScannedExternalDocumentReferenceFileProvider provider for the files workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path /home/bkr/package-test.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 0 package elements in the SBOM.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 1 relationship elements in the SBOM.
##[debug]Building the header object.
##[debug]Found value for header SBOMToolName in internal metadata.
##[debug]Found value for header SBOMToolVersion in internal metadata.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.
##[information]Finished execution of the Generate workflow SBOMTelemetry {Result=Failure, Errors=ErrorContainer1 {Count=0, Errors=[]}, Parameters=Configuration {BuildDropPath=ConfigurationSetting1 {Value="/home/bkr/package-test", Source=CommandLine, IsDefaultSource=False}, BuildComponentPath=null, BuildListFile=null, ManifestPath=null, ManifestDirPath=ConfigurationSetting1 {Value="mani/_manifest", Source=CommandLine, IsDefaultSource=False}, OutputPath=null, Parallelism=ConfigurationSetting1 {Value=8, Source=Default, IsDefaultSource=True}, Verbosity=ConfigurationSetting1 {Value=Verbose, Source=CommandLine, IsDefaultSource=False}, ConfigFilePath=null, ManifestInfo=ConfigurationSetting1 {Value=null, Source=Default, IsDefaultSource=True}, HashAlgorithm=ConfigurationSetting1 {Value=AlgorithmName {Name="SHA256"}, Source=Default, IsDefaultSource=True}, RootPathFilter=null, CatalogFilePath=null, ValidateSignature=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, IgnoreMissing=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, ManifestToolAction=Generate, PackageName=ConfigurationSetting1 {Value="test", Source=CommandLine, IsDefaultSource=False}, PackageVersion=ConfigurationSetting1 {Value="1.0.0", Source=CommandLine, IsDefaultSource=False}, FilesList=null, PackagesList=null, TelemetryFilePath=null, DockerImagesToScan=null, ExternalDocumentReferenceListFile=null, AdditionalComponentDetectorArgs=null, NamespaceUriUniquePart=null, NamespaceUriBase=null, GenerationTimestamp=null, FollowSymlinks=ConfigurationSetting1 {Value=True, Source=Default, IsDefaultSource=True}}, SBOMFormatsUsed=[SBOMFile {SbomFormatName=ManifestInfo {Name="SPDX", Version="2.2"}, SbomFilePath="mani/_manifest/spdx_2.2/manifest.spdx.json", FileSizeInBytes=1445}], Timings=[Timing {EventName="Metadata build time for SPDX:2.2 format", TimeSpan="00:00:00.0034268"}, Timing {EventName="Relationships generation time", TimeSpan="00:00:00.0138172"}, Timing {EventName="External document reference generation time", TimeSpan="00:00:00.0063242"}, Timing {EventName="Packages generation time", TimeSpan="00:00:00.0175062"}, Timing {EventName="Files generation time", TimeSpan="00:00:00.1520830"}, Timing {EventName="Total generation time", TimeSpan="00:00:00.2799799"}], Switches={}, Exceptions={["System.NullReferenceException"]="Object reference not set to an instance of an object."}}

bkr@home package-test % cat mani/_manifest/spdx_2.2/manifest.spdx.json
{
"files": [
{
"fileName": "./package.json",
"SPDXID": "SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "2e1036c9cd8992fb4e5c98e0a11e75bd5d16b396fafb84629c2e1fdad048c072"
},
{
"algorithm": "SHA1",
"checksumValue": "65b7ccbbce5b9e193ba5fa98fdcdb66375b702f3"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}
],
"packages": [
{
"name": "test",
"SPDXID": "SPDXRef-RootPackage",
"downloadLocation": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": "beb0b63fa2f5923950df28ab8bfc17eef01af2a2"
},
"filesAnalyzed": true,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "1.0.0",
"supplier": "Organization: Microsoft",
"hasFiles": [
"SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3"
]
}
],
"externalDocumentRefs": [],
"relationships": [
{
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-RootPackage",
"spdxElementId": "SPDXRef-DOCUMENT"
}
]%

bkr@home package-test % jq . mani/_manifest/spdx_2.2/manifest.spdx.json
parse error: Unfinished JSON term at EOF at line 52, column 3

How can I generate SBOM for a docker image?

I want to generate SBOM for a docker image, but the command line requires multiple parameters according to this sample, which looks complicated. Is there a simple way to generate SBOM for a docker image like Docker Sbom?

Can't compile due to private NuGet feed

When doing a package restore, I see a lot of 401 responses from some package source that's in use.
Any idea what I should do to be able to compile this?

C:\Program Files\dotnet\sdk\3.1.421\NuGet.targets(128,5): error : Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C792FB8-970D-431E-9CB6-887C3CD827C8)). [REDACTED\microsoft\sbom-tool\Microsoft.Sbom.sln]

Gendocs build hangs

Make any chnages in the IConfiguration.cs file, and that will trigger the gendocs build, however the build currently hangs without showing any error.

Running locally on Ubuntu, the build fails with this error, the package is already present in the feed:

/usr/share/dotnet/sdk/3.1.420/Sdks/Microsoft.NET.Sdk/targets/Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1064: Package Microsoft.CodeAnalysis.VersionCheckAnalyzer, version 3.3.0 was not found. It might have been deleted since NuGet restore. Otherwise, NuGet restore might have only partially completed, which might have been due to maximum path length restrictions.

Encountered an error while generating json for packageInfo : Value cannot be null. (Parameter 'packageInfo')

[INFO] Scan Manifest file: /tmp/ScanManifest_20220809093029.json
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path xxx/frontend.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path xxx/frontend/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using cached CD scan result for the call with the same arguments
##[debug]Encountered an error while generating json for packageInfo : Value cannot be null. (Parameter 'packageInfo')

when I use the sbom tool to scan node related docker image, I encountered this problem. It seems to be a pares error. How should I fix it? BTW, the command is below:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

Does not detect Maven pom.xml file

I've only just started tinkering with the tool, so I may be missing something important.

The tool fails to find a pom.xml file in the directory that I specify as the BuildComponentPath, nor any of the other pom.xml files in nested directories. It does find two package-lock.json and one yarn.lock file nested in the build component path hierarchy.

Is some additional configuration required for Maven support? Am I missing something important?

distribute the binaries as dotnet tool install sbom-tool

it would be pretty convenient to be able to install the binaries with dotnet tool install sbom-tool and run it as dotnet tool run sbom-tool.

this would let us declare all the project tool dependencies in the .config/dotnet-tool.json file and restore them all with dotnet tool restore.

Encountered error while running ManifestTool generation workflow.

ENV: Ubuntu-20.04
Encountered error while running ManifestTool generation workflow. Error: Unable to load shared library 'MonoPosixHelper' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libMonoPosixHelper: cannot open shared object file: No such file or directory

The same environment, when I used sbom-tool v0.1.13 to scan source code, it can generate sbom file correctly. But, it encountered the error above when I use sbom-tool v0.2.0. How to fix it? The command is as follows:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

We have a requirement for the integration of a Vendor assessment questionnaire or Vendor management. Is there any option in sbom tool for this purpose?