Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate SBOM for NuGet packages #267

Closed
sophiewigmore opened this issue Dec 16, 2021 · 2 comments
Closed

Generate SBOM for NuGet packages #267

sophiewigmore opened this issue Dec 16, 2021 · 2 comments
Labels
enhancement A new feature or request status/blocked This issue has been triaged and resolving it is blocked on some other issue

Comments

@sophiewigmore
Copy link
Member

sophiewigmore commented Dec 16, 2021
edited
Loading

To implement Paketo RFC0038, this buildpack will need to generate an SBOM for the packages that get installed via dotnet publish and store it in a CNB lifecycle-accessible file as outlined in the RFC.

Blocked

This issue is blocked on having some mechanism to actually generate an SBOM for a .NET Core app. Currently, we use the Syft library in packit in order to generate SBOMs for other buildpack language families, such as Node.js.

This issue is blocked on paketo-buildpacks/dotnet-core#712

anchore/syft#373 exists, which may be the most straightforward and logical place to approach solving this issue, so we can then consume the release and generate the BOM in a similar fashion to our other buildpacks. A reasonable starting place could be to consider how Syft could gather package info from the *.deps.json file after the publish step, or the obj/project.assets.json file.
@sophiewigmore sophiewigmore added enhancement A new feature or request sbom labels Dec 16, 2021
@sophiewigmore sophiewigmore added the status/blocked This issue has been triaged and resolving it is blocked on some other issue label Dec 16, 2021
@sophiewigmore sophiewigmore mentioned this issue Dec 16, 2021
Closed
7 tasks
@github-actions github-actions bot removed the sbom label Feb 16, 2022
@fg-j fg-j self-assigned this Mar 31, 2022
@fg-j fg-j moved this to ❓Not scoped in Paketo Workstreams Mar 31, 2022
@fg-j fg-j removed their assignment Apr 4, 2022
@thitch97
Copy link
Contributor

Relevant PR: anchore/syft#951

@fg-j fg-j removed the status/blocked This issue has been triaged and resolving it is blocked on some other issue label May 10, 2022
@sophiewigmore sophiewigmore mentioned this issue May 16, 2022
Closed
@sophiewigmore sophiewigmore moved this from ❓Not scoped to 📝 Todo in Paketo Workstreams May 16, 2022
@sophiewigmore sophiewigmore moved this from 📝 Todo to ❓Not scoped in Paketo Workstreams May 16, 2022
@sophiewigmore sophiewigmore added the status/blocked This issue has been triaged and resolving it is blocked on some other issue label May 16, 2022
@sophiewigmore sophiewigmore moved this from ❓Not scoped to 📝 Todo in Paketo Workstreams Jun 6, 2022
@ForestEckhardt
Copy link
Contributor

This works makes more sense to happen in the dotnet-execute buildpack as it sees all types of users provided projects such as FDDs and FDEs as well as SCDs not just source builds. I have opened an issue in the dotnet-execute repository to track this work.

paketo-buildpacks/dotnet-execute#317

Repository owner moved this from 📝 Todo to ✅ Done in Paketo Workstreams Jun 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement A new feature or request status/blocked This issue has been triaged and resolving it is blocked on some other issue
Projects
Paketo Workstreams
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@thitch97 @ForestEckhardt @sophiewigmore @fg-j