microsoft / sbom-tool Goto Github PK

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.

License: MIT License

C# 99.95% Dockerfile 0.05%

sbom sbom-generator

sbom-tool's People

Contributors

Stargazers

Watchers

Forkers

maxhbr gitlawr fjsnogueira opedroso zdtsw danielschulz zvikar72 stjordanis cichon-mentz cmaclaughlin nrfta myaniu moorcheung isabella232 alialrubaye bureado akankushjnvku dut3062796s wxw12345 nanofabricfx mattkenefick yhtcug sumodgeorge phuocphamm gzhelezo narimantos calvinxu saisasanktej risecai jk1ng deividhs lromano72 maremare naveeguru biubiubiud sbs2001 tiandiheyi jhutchings1 caspergn pocket-d pamir cheahengteong fcitwip dwnatwick gt2847c timb-machine-mirrors rioil andy-clymer elinunez2 sebasgomez238 wenyi189 scanepa axelrod-1257 rbleattler jamiemagee wismann sandyring syncartert t0rchwo0d bettyweng sbom-tool-fork 00mjk cyberflamego fedebona app-creative guden ericlefu a2atsu stianvi hollow375 murata-atsu sokofromnz viet994 michaelsimons jinguang-dong rajkrishnamurthy tobey123 klw123 malcolmnixon kuntom ryanbrandenburg babywyrm layzhi xdwang940209 orange-777 softctrl tarun06 ralphhightower acumenix chenrui333 robertcrockett imatthewtanner lukaszkokot ahasunos sksundaram-learning antodr sfoslund micyunmsft cmnsservices sahardevv

sbom-tool's Issues

Add SBOM generation to PR build

'SPDX:2.2' is not supported by the SBOM tool

Encountered error while running ManifestTool generation workflow. Error: The SBOM format 'SPDX:2.2' is not supported by the SBOM tool.

Same error for Ubuntu 22.04 LTS and Debian 11

distribute the binaries as dotnet tool install sbom-tool

it would be pretty convenient to be able to install the binaries with dotnet tool install sbom-tool and run it as dotnet tool run sbom-tool.

this would let us declare all the project tool dependencies in the .config/dotnet-tool.json file and restore them all with dotnet tool restore.

Can't generate an SBOM for directories containing a space

I execute this command on Windows (doesn't matter if I use cmd or PowerShell):

C:\Temp\sbom-tool.exe generate -b "C:\src\core\Build\Service with spaces" -bc "C:\src\core\Solutions\service with spaces\src\" -pn "Foo bar services" -pv "1.0.0.0" -nsb "https://example.com"

The tool runs and creates a manifest, however no depedencies are found.

Program output:

[INFO] Log file: C:\Users\username\AppData\Local\Temp\GovCompDisc_Log_20220722135038.log
[INFO] Run correlation id: 77b85f03-caa7-47b4-bc71-94e9e4b003c1

[INFO] Attempting to load default detectors
[INFO] 19 detectors were found in Microsoft.ComponentDetection.Detectors

[WARN] Provided search path C:\Users\username\AppData\Local\Temp\.net\sbom-tool\lpvnvva1.mst\Plugins does not exist.


[INFO] Finding components...
[INFO] No instructions received to scan docker images.
[ERROR] Root directory doesn't exist: C:\src\core\Solutions\service

If I run the tool on a directory without spaces, everything works fine.

sbom-tool generate -ManifestDirPath _manifest creates nested directory

Executing sbom-tool generate -ManifestDirPath _manifest creates an unexpected _manifest nested sub-directory:

Just to clarify, although this is written in the documentation, I think its not the expected behaviour:

ManifestDirPath (-m)                      The path of the directory where the generated SBOM files will be
                                          placed. A folder named '_manifest' will be created at this location,       
                                          where all generated SBOMs will be placed. If this parameter is not
                                          specified, the files will be placed in {BuildDropPath}/_manifest
                                          directory.

If this is working as expected (I hope not, because creating an hardcoded directory is really odd when you can specify it in an argument), I think the last paragraph should be modified to be a bit more clear. Something like:

If this parameter is not specified, the directory will be create inside the {BuildDropPath} directory.

Does not detect Maven pom.xml file

I've only just started tinkering with the tool, so I may be missing something important.

The tool fails to find a pom.xml file in the directory that I specify as the BuildComponentPath, nor any of the other pom.xml files in nested directories. It does find two package-lock.json and one yarn.lock file nested in the build component path hierarchy.

Is some additional configuration required for Maven support? Am I missing something important?

Is the Rust/Cargo support ready for use?

Hi!

I would like to ask for help to understand how the sbom-tool works for Rust code. We in the Kubewarden team are evaluating to use sbom-tool to generate the SPDX file for the Rust component of the Kubewarden stack. But we are seeing some results that seems to be incomplete. When we run the sbom-tool in the Policy Server repository, the tool generate the SPDX file with all the files under the build directory. Which does not seem a problem, but it misses all the dependencies defined in the Cargo.toml file. In other words, the SPDX file does not have the relationships between the packages define in the cargo file. Is this expected ? Is the cargo/Rust support production ready?

This is an example of the command that I use to create the file:

$ sbom-tool generate -b ./target -bc . -pn kubewarden -pv 1.0.0 -nsb https://kubewarden.io -V Verbose -ps Kubewarden

Let's check some info in the SPDX file:

$ jq ".packages[] | .name" _manifest/spdx_2.2/manifest.spdx.json
"winapi-x86_64-pc-windows-gnu"
"instant"
"cfg-if"
"remove_dir_all"
"tempfile"
"winapi"
"bitflags"
"redox_syscall"
"fastrand"
"libc"
"winapi-i686-pc-windows-gnu"
"policy-server"

$ jq ".packages | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq ".relationships | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq -r ".relationships[] | .relatedSpdxElement" _manifest/spdx_2.2/manifest.spdx.json >> out; jq -r ".packages[] | .SPDXID" _manifest/spdx_2.2/manifest.spdx.json >> out

$cat out | sort -u
SPDXRef-Package-09E888C0DD94AE60E61C26BDCB42496CCE2C353B04EDC32010BAE39CD9C281D0
SPDXRef-Package-103DDECE1CB10C10E2689F436AB7787B75BC4D108C139C4A187F13A49F631E8A
SPDXRef-Package-189578355B371E85A4B08774D0CFD32BD36B61165FA6BBEDA3B80BE76024EA8D
SPDXRef-Package-23A31416C710E2C36870C6DA198442A1B9E87AA1DEE5C764218A5ADA6ACAB955
SPDXRef-Package-2C0BE3A4473BFBE36158A982CB7D03CB69186272843FCC7EED4A98767B0B0484
SPDXRef-Package-3A6F59C021FD50CA792745B5BA96467074206C03916D0BCFC926087D1D49F587
SPDXRef-Package-860B0BD399A74F569916FC6D2B12313E84843DAD430BC3A7AF88A11F42210381
SPDXRef-Package-8D53CF339C6C5356F4655FAB5ED74736CCEAA7FE34FFF98F2C6F3DF3F627A96E
SPDXRef-Package-9D986058A09E0CC43BCCF23FE973D1CEB4F7AFC28E67A6FA8D2453F4264AA058
SPDXRef-Package-CD84440B5868C5522882D227E2DA16FEF386CAF7BAE037A976DE512D23092501
SPDXRef-Package-EE5CCD784D9C04F2C86943E03620B4A4D9A902C21981F66C64F63115130F6439
SPDXRef-RootPackage

$ cat out | sort -u | wc -l
12

None of the dependencies defined in the Cargo.toml are defined in the SPDX file. Am I missing something?

Win64 release installer ends with no output and no 'generate' becomes available.

I'm using a Windows 11 machine. I've downloaded the installer executable from the Releases section and run it after going over the security dialogue.
The console applications close almost instantly and I can't find any 'generate' command.

Is there a docker image for the tool ?

[Feature Request] Generate HTML page along with SBOM json

It would be an excellent feature to add a flag, maybe -generate-webpage that would include an HTML page that is directly connected to the json file path at the same root.

Similar to how you can generate a webpage with MSIX's .appinstaller. As a simple example:

<html>
<head>
    <meta charset="utf-8"/>
    <title>SBOM</title>
    <link rel="stylesheet" href="https://kendo.cdn.telerik.com/2022.2.621/styles/kendo.default-v2.min.css"/>
    <script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
    <script src="https://kendo.cdn.telerik.com/2022.2.621/js/kendo.all.min.js"></script>
</head>

<body>

<div id="files-grid"></div>
<div id="packages-grid"></div>

<script>
  $(function() {
     var files = [];
     var packages = [];
    
// THIS LOADS THE JSON INTO AN EASY TO READ DATAGRID
    $.getJSON('/manifest.spdx.json', function(data) {
       $.each(data.files, function(i, f) {
           files.push(f);
       });

       $.each(data.packages, function(i, p) {
           packages.push(p);
       });
    });

    $("#files-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "fileName", title: "File Name" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: files,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                fileName: { type: "string", editable: false }
              }
            }
          }
        }
    });

    $("#packages-grid").kendoGrid({
        height: "400px",
        columns: [
          { field: "SPDXID", title: "SPDX ID" },
          { field: "name", title: "Package" },
          { field: "versionInfo", title: "Version" }
        ],
        filterable: true,
        editable: false,
        dataSource: {
          data: packages,
          schema: {
            model: {
              id: "SPDXID",
              fields: {
                SPDXID: { type: "string", editable: false },
                name: { type: "string", editable: false },
                versionInfo: { type: "string", editable: false }
              }
            }
          }
        }
    });
  });
</script>

</body>
</html>

Using private pypi repositories

Hello,

I'm currently trying to see how we can use the sbom tool for our different software development platforms that use .netcore as well as python heavily.

I was trying to use the tool with a python projects that pulls in modules from a private pypi repository. Unfortunately the tool does not seem to recognise neither the PIP_CONFIG_FILE nor the PIP_EXTRA_INDEX_URLS.

Is there a way to use private repositories as well? I did not find anything within the docs.

Thanks

Shared library MonoPosixHelpers not found on MacOS

I am using a Mac M1 and When I start sbom-tool, I've got an error message telling that shared library MonoPosixHelpers is not found.
MacOS version is 12.5.1

We have a requirement for the integration of a Vendor assessment questionnaire or Vendor management. Is there any option in sbom tool for this purpose?

Object reference not set to an instance of an object

When trying to run salus on a go project and after Scan Manifest file I get the mentioned error. I tried with one of my own and another open source project, both fail.

I attach the scan files for you, just in case you need them to give me a hint

Thanks for looking into this

ScanManifest_20220714111446.txt
ScanManifest_20220714110630.txt
.

consistent error of `1: Not: not found`

Trying to use this tooling (linux binary) in WSL.

I've curled the link from the releases page:

curl -Lo salus https://github.com/microsoft/sbom-tool/releases/download/v0.1.2/sbom-tool-linux-x64
chmod +x salus
mv salus /usr/local/bin

So far anything I attempt to run results in /usr/local/bin/salus: 1: Not: not found, even commands like salus -h. Specifying verbosity doesn't change the outcome.

Any pointers?

For now, I need to generate sbom of python or go project with this sbom-tool, how should I do?

Network reliability improvement needed

When attempting to generate sbom for a binary drop from a file server, I often have to make multiple attempts before I can successfully generate an sbom. This leads to building a lot of infrastructure in a lot of places to support what is perceived as a "flaky" tool. Additionally, we have to make different design decisions when we cannot reliably generate an SBOM from a (secured) network share and must instead ensure that all sbom generation is done against local binaries. This is particularly true on larger drops.

##[debug]Starting SBOM generation workflow.
##[debug]Using the FileListBasedFileToJsonProvider provider for the files workflow.
##[debug]Enumerating all files from listFile.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop1\raw\09037.00\setup\boxs\amd64ret\kor\netfx\fulllp\netfx_fulllp.mzz'
##[error]Encountered an error while generating hash for file \\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz: The network path was not found. : '\\cpvsbuild\drops\drop\raw\09037.00\setup\boxs\amd64ret\ptb\netfx\fulllp\netfx_fulllp.mzz'

Adding wait / retries to file access calls would improve the reliability and ease adoption of this tool.

Mac OS sbom-tool build failure on NU1301

M1 Mac running Monterey (Mac OS 12.4).
Installed .NET. (https://docs.microsoft.com/en-us/dotnet/core/install/macos).
Set environment (DOTNET_ROOT).
Proved .NET installation works by creating 'hello world'. (https://docs.microsoft.com/en-us/dotnet/core/get-started)

Clone sbom-tool. cd into sbom-tool.
Attempt dotnet build. Fails on SDK mismatch, but helpfully tells me to update global.json.
Updated to global.json sdk version to 6.0.302 which is current .NET install for Mac.
Attempt dotnet build. Hit collection of NU1301 errors for a failed build.
A quick search of NU1301 (https://docs.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu1301) suggests I 'contact the source owner' or try 'removing source that might not be needed.'

As I don't know the source I'm not about to try removing source files.

Rest of the report is the build output:

$ dotnet build
Microsoft (R) Build Engine version 17.2.0+41abc5629 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.

  Determining projects to restore...
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj (in 393 ms).
  The project /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj (in 451 ms).
  The project /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj is using CentralPackageVersionManagement, a NuGet preview feature.
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj (in 451 ms).
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj (in 470 ms).
  Restored /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj (in 581 ms).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 46BD96B6-F24E-4F0B-89B2-1A7063459E16)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F689-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F75E-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230EAD-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F742-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E91-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E98-1C06-4EED-B0EC-B0905F5B19DD)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F739-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C61F733-970D-431E-9CB6-887C3CD827C8)).
  Retrying 'FindPackagesByIdAsync' for source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'.
  Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 1E230E8D-1C06-4EED-B0EC-B0905F5B19DD)).
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj (in 13.72 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj (in 13.72 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj (in 13.27 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj (in 13.31 sec).
  Failed to restore /Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj (in 13.72 sec).

Build FAILED.

/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.NETCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.netcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Api/Microsoft.Sbom.Api.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
/Users/stephenrwalli/junk/sbom-tool/test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj : error NU1301: Failed to retrieve information about 'Microsoft.AspNetCore.App.Ref' from remote source 'https://pkgs.dev.azure.com/mseng/c86767d8-af79-4303-a7e6-21da0ba435e2/_packaging/b1aa973f-8820-48d7-8679-af571fd952f0/nuget/v3/flat2/microsoft.aspnetcore.app.ref/index.json'. [/Users/stephenrwalli/junk/sbom-tool/Microsoft.Sbom.sln]
    0 Warning(s)
    10 Error(s)

Time Elapsed 00:00:15.46

CI pipelines hang indefinitely on `salus -h`

In two sample CI pipelines, one using Azure DevOps and one using GitHub Actions (both linux agents), I've so far found that salus -h hangs indefinitely until the task/step is canceled by the pipeline or a user (up to 60 min on AzDO, 20 min on GH - just hitting standard pipeline timeouts), but a properly parameter-supplied salus generate command can run fine.

Both systems have logging output of:

scripts/salus-install.sh: line 22:  1660 Killed                  salus -h

and report exit code 137.

While I've had unrelated (I think) issues running Salus locally, running salus -h in an Azure Cloud Shell session works fine and returns promptly, so the error is not solely with the command.

GitHub Action

Create a GitHub Action to install and/or run the SBOM tool.

This doesn't need to be overly complex, and I would look to examples like sigstore/cosign-installer which has achieved this with a Bash script (No TypeScript/JavaScript required!)

Remove and rename references to DropValidator

https://github.com/search?q=repo%3Amicrosoft%2Fsbom-tool%20DropValidator&type=code

Add SBOM generation to release workflows so packages produced include SBOMs

What is the nuget package for?

I'm feeling dumb, but it seems like the instructions say to install a nugget package without explaining what the package is for or how to use it.

Deletes the _manifest folder anyway

When I run the tool a second time, I get this error message:

$ ./sbom-tool-linux-x64 generate [...]
##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to create manifest directory at path ./_manifest. Error: The BuildDropRoot folder already contains a _manifest folder. Please delete this folder before running the generation or set the DeleteManifestDirIfPresent environment variable to 'true' to overwrite this folder.

The DeleteManifestDirIfPresent environment variable is not set, but it deletes the folder anyway.

I've tested it after setting DeleteManifestDirIfPresent as described and it works as expected.

Gendocs build hangs

Make any chnages in the IConfiguration.cs file, and that will trigger the gendocs build, however the build currently hangs without showing any error.

Running locally on Ubuntu, the build fails with this error, the package is already present in the feed:

/usr/share/dotnet/sdk/3.1.420/Sdks/Microsoft.NET.Sdk/targets/Microsoft.PackageDependencyResolution.targets(241,5): error NETSDK1064: Package Microsoft.CodeAnalysis.VersionCheckAnalyzer, version 3.3.0 was not found. It might have been deleted since NuGet restore. Otherwise, NuGet restore might have only partially completed, which might have been due to maximum path length restrictions.

Encountered an error while generating json for packageInfo : Value cannot be null. (Parameter 'packageInfo')

[INFO] Scan Manifest file: /tmp/ScanManifest_20220809093029.json
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path xxx/frontend.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path xxx/frontend/.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using cached CD scan result for the call with the same arguments
##[debug]Encountered an error while generating json for packageInfo : Value cannot be null. (Parameter 'packageInfo')

when I use the sbom tool to scan node related docker image, I encountered this problem. It seems to be a pares error. How should I fix it? BTW, the command is below:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

Wrong supplier in RootPackage of SBOM

Hey there,

I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772

Error while running the generate command

Command 1 : sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NPM -nsb "https://mycompany.com"

What I expect: generator should automatically pic the package name and package version from my folder/project/repo
What is happening: ##[error]Encountered an error while generating the manifest.
##[error]Error details: Unable to generate a package version based on provided parameters. Please provide the package version in the 'PackageVersion' parameter.

Command 2: sudo dotnet run -p sbom-tool/src/Microsoft.Sbom.Tool generate -b builddrop -bc my-npm-repo-folder -pn NpmWithRoots -pv 1.0 -nsb "https://mycompany.com"

Error message: Required argument missing for option: --verbosity

Can you please elaborate the usage of -pv and -pn ? It will be helpful if you give us an example.

Encountered error while running ManifestTool generation workflow.

ENV: Ubuntu-20.04
Encountered error while running ManifestTool generation workflow. Error: Unable to load shared library 'MonoPosixHelper' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libMonoPosixHelper: cannot open shared object file: No such file or directory

The same environment, when I used sbom-tool v0.1.13 to scan source code, it can generate sbom file correctly. But, it encountered the error above when I use sbom-tool v0.2.0. How to fix it? The command is as follows:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

Add a default 6-minute timeout on CD

Add a timeout while calling the CD code so that we don't spend more than 6 minutes running their code and to prevent any hangs.

License information consistently results to NOASSERTION on different projects

Hi,

I'm in the process of testing whether sbom-tool could satisfy our requirements for auto-generating sboms during pipeline executions. I've tried on several internal projects and consistently find that the generated sbom yields NOASSERTION on license information.

Example requirements.txt file:

graphviz
PyYAML
Jinja2
Cerberus

Yields:

{
  "files": [],
  "packages": [
    {
      "name": "MarkupSafe",
      "SPDXID": "SPDXRef-Package-A3EF6C57C1136846E9D7C7A38506BE704CC0BB74D7E00D4E1CAB1750FF8DA78D",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "2.1.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/markupsafe%402.1.1"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "Cerberus",
      "SPDXID": "SPDXRef-Package-321281AF12101511BB74C614AB9A7F87091E83CA804C4E0E31478B33D5C422FE",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "1.3.4",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/cerberus%401.3.4"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "graphviz",
      "SPDXID": "SPDXRef-Package-08DDAAAC542BB734BA5B8613D10207BC5FBA8E3A7A15548EB9D52744ED03EA7C",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "0.20.1",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE_MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:pypi/graphviz%400.20.1"
        }
      ],
      "supplier": "NOASSERTION"
    },
...

I'm unsure whether I'm doing something incorrectly here. The sbom is generated by the following pipeline step:

...
- script: |
    curl -Lo $(Agent.TempDirectory)/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
    chmod +x $(Agent.TempDirectory)/sbom-tool
    $(Agent.TempDirectory)/sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc $(System.DefaultWorkingDirectory) -pn projectname -V Verbose -nsb https://some.url.here.noexist -pv $(versionNumber)
  displayName: Generate SBOM

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'

How can I generate SBOM for a docker image?

I want to generate SBOM for a docker image, but the command line requires multiple parameters according to this sample, which looks complicated. Is there a simple way to generate SBOM for a docker image like Docker Sbom?

Sign sbom-tool releases

Would be nice to be able to verify that releases of sbom-tool are build by CI by using e.g sigstore to sign binaries

Update to .NET 6.0

After Dec 3 2022 .NET 3.1 will no longer be supported or patched.

The referencecategory should be PACKAGE-MANAGER

Using the spdx online tool to verify the generated spdx file has a warning

The referencecategory should be PACKAGE-MANAGER instead of PACKAGE_MANAGER.

Add sample SBOM produced by the tool

Can't compile due to private NuGet feed

When doing a package restore, I see a lot of 401 responses from some package source that's in use.
Any idea what I should do to be able to compile this?

C:\Program Files\dotnet\sdk\3.1.421\NuGet.targets(128,5): error : Response status code does not indicate success: 401 (Unauthorized - TF400813: Resource not available for anonymous access. Client authentication required. (DevOps Activity ID: 9C792FB8-970D-431E-9CB6-887C3CD827C8)). [REDACTED\microsoft\sbom-tool\Microsoft.Sbom.sln]

Crash (Object reference not set to an instance of an object) while generating manifest

Using the v0.1.2 release binaries, this happens equally on macOS (12.4) and Debian x86 (10.10):

##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.

When I give the -m option, a .json file stays around which is incomplete.

It happens with all node / vue projects I tried and also on an Xcode project.

I can reproduce it on a freshly created directory where just "npm init" has been run:

bkr@home package-test % cat package.json
{
"name": "test",
"version": "1.0.0",
"description": "Some Test",
"main": "index.js",
"scripts": {
"test": "echo "Error: no test specified" && exit 1"
},
"author": "",
"license": "ISC"
}

bkr@home package-test % mkdir mani ; ~/Downloads/sbom-tool-osx-x64 generate -b $PWD -pn test -pv 1.0.0 -V Verbose -m mani
##[debug]Starting SBOM generation workflow.
##[debug]Using the CGScannedExternalDocumentReferenceFileProvider provider for the files workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the DirectoryTraversingFileToJsonProvider provider for the files workflow.
##[debug]Enumerating files under the root path /home/bkr/package-test.
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Using the CGScannedPackagesProvider provider for the packages workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 0 package elements in the SBOM.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Using the CGExternalDocumentReferenceProvider provider for the external documents workflow.
##[debug]Scanning for packages under the root path .
##[debug]Splitting the workflow into 8 threads.
##[debug]Running the generation workflow ...
##[debug]Wrote 1 relationship elements in the SBOM.
##[debug]Building the header object.
##[debug]Found value for header SBOMToolName in internal metadata.
##[debug]Found value for header SBOMToolVersion in internal metadata.
##[debug]Found value for header PackageName in internal metadata.
##[debug]Found value for header PackageVersion in internal metadata.
##[error]Encountered an error while generating the manifest.
##[error]Error details: Object reference not set to an instance of an object.
##[information]Finished execution of the Generate workflow SBOMTelemetry {Result=Failure, Errors=ErrorContainer1 {Count=0, Errors=[]}, Parameters=Configuration {BuildDropPath=ConfigurationSetting1 {Value="/home/bkr/package-test", Source=CommandLine, IsDefaultSource=False}, BuildComponentPath=null, BuildListFile=null, ManifestPath=null, ManifestDirPath=ConfigurationSetting1 {Value="mani/_manifest", Source=CommandLine, IsDefaultSource=False}, OutputPath=null, Parallelism=ConfigurationSetting1 {Value=8, Source=Default, IsDefaultSource=True}, Verbosity=ConfigurationSetting1 {Value=Verbose, Source=CommandLine, IsDefaultSource=False}, ConfigFilePath=null, ManifestInfo=ConfigurationSetting1 {Value=null, Source=Default, IsDefaultSource=True}, HashAlgorithm=ConfigurationSetting1 {Value=AlgorithmName {Name="SHA256"}, Source=Default, IsDefaultSource=True}, RootPathFilter=null, CatalogFilePath=null, ValidateSignature=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, IgnoreMissing=ConfigurationSetting1 {Value=False, Source=Default, IsDefaultSource=True}, ManifestToolAction=Generate, PackageName=ConfigurationSetting1 {Value="test", Source=CommandLine, IsDefaultSource=False}, PackageVersion=ConfigurationSetting1 {Value="1.0.0", Source=CommandLine, IsDefaultSource=False}, FilesList=null, PackagesList=null, TelemetryFilePath=null, DockerImagesToScan=null, ExternalDocumentReferenceListFile=null, AdditionalComponentDetectorArgs=null, NamespaceUriUniquePart=null, NamespaceUriBase=null, GenerationTimestamp=null, FollowSymlinks=ConfigurationSetting1 {Value=True, Source=Default, IsDefaultSource=True}}, SBOMFormatsUsed=[SBOMFile {SbomFormatName=ManifestInfo {Name="SPDX", Version="2.2"}, SbomFilePath="mani/_manifest/spdx_2.2/manifest.spdx.json", FileSizeInBytes=1445}], Timings=[Timing {EventName="Metadata build time for SPDX:2.2 format", TimeSpan="00:00:00.0034268"}, Timing {EventName="Relationships generation time", TimeSpan="00:00:00.0138172"}, Timing {EventName="External document reference generation time", TimeSpan="00:00:00.0063242"}, Timing {EventName="Packages generation time", TimeSpan="00:00:00.0175062"}, Timing {EventName="Files generation time", TimeSpan="00:00:00.1520830"}, Timing {EventName="Total generation time", TimeSpan="00:00:00.2799799"}], Switches={}, Exceptions={["System.NullReferenceException"]="Object reference not set to an instance of an object."}}

bkr@home package-test % cat mani/_manifest/spdx_2.2/manifest.spdx.json
{
"files": [
{
"fileName": "./package.json",
"SPDXID": "SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "2e1036c9cd8992fb4e5c98e0a11e75bd5d16b396fafb84629c2e1fdad048c072"
},
{
"algorithm": "SHA1",
"checksumValue": "65b7ccbbce5b9e193ba5fa98fdcdb66375b702f3"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}
],
"packages": [
{
"name": "test",
"SPDXID": "SPDXRef-RootPackage",
"downloadLocation": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": "beb0b63fa2f5923950df28ab8bfc17eef01af2a2"
},
"filesAnalyzed": true,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "1.0.0",
"supplier": "Organization: Microsoft",
"hasFiles": [
"SPDXRef-File--package.json-65B7CCBBCE5B9E193BA5FA98FDCDB66375B702F3"
]
}
],
"externalDocumentRefs": [],
"relationships": [
{
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-RootPackage",
"spdxElementId": "SPDXRef-DOCUMENT"
}
]%

bkr@home package-test % jq . mani/_manifest/spdx_2.2/manifest.spdx.json
parse error: Unfinished JSON term at EOF at line 52, column 3

Dev/stage/prod dependencies

Is there a way to filter out dependencies? In my case I want to include only production dependencies and opt out dev/stage dependencies. Is that a possible option? I believe by default Microsoft SBOM generator will capture all dependencies and generate BOM.

Salus name conflicts with existing tool

The name "Salus" is already an established security tool, which among other things generates CycloneDX SBOMs from dependency manifests. Salus is a project from Coinbase, and has been listed on the CycloneDX Tool Center for quite some time now.

https://github.com/coinbase/salus

Microsoft Salus creates confusion in the market and should be renamed.

Documentation error and SBOM format error

Mark Russinovich (Azure CTO) tried the tool and found a minor doc bug where “sbom-tool” is missing in this sample command line:

He also faced the following error when trying to run the guidance:

Update how to execute the tool in the read me documentation

Missing license of RootPackage in SBOM

Hey there,

I am working on generating an SBOM for a GitHub Action that sets up this SBOM-Tool in a convenient way (see: https://github.com/philips-software/sbom-tool-installer-action). After generating the SBOM, I noticed that the license field of the RootPackage is set to NOASSERTION. This might be intended as this feature might not be implemented yet. However, I would really appreciate at least a parameter to set the LICENSE of the RootPackage. In the case of the installer-action, the license is actually set properly within GitHub and the package.json

I uploaded the SBOM as a Gist. Please have a look here:
https://gist.github.com/Brend-Smits/90b62120de7abc989c2768c92a2a49c8#file-sbom-tool-installer-action-sbom-L10757-L10772

Does sbom-tool support the project which contains poetry.lock?

As I found sbom-tool using component-detection to scan for components and dependencies, which support both requirements.txt and poetry.lock. But when I scanned the project with poetry.lock, it didn't work, regardless of scanning image or source code. It can generate sbom file correctly when I change poetry.lock to requirement.txt. What's the problem? The commands is as follows:

For source code:
salus Generate -b ./test -bc ./test -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
For docker image:
salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .

-V flag ignored?

Hiya,
I'm running the tool with -V Error and still getting output tagged [INFO].
My guess is that you're missing an [ArgShortcut("V")] attribute from CommonArgs.cs?

Actions/Pipelines YAML examples

SBOM for C/C++ (Cmake)

sbom-tool is able to generate sbom for C/C++ projects if it is using cmake

Generated SBOM includes Git data and ephemeral build artifacts

The generated SBOM includes information from the .git folder. Likewise, it would be good to have it ignore the contents of NPM node_modules directories and Maven /target/ directories.

AFAICT, there's no option to exclude these directories from the results.

One option would be to have the tool honour the ignore list specified in .gitignore files.

Note that a .gitignore file itself is a maintained artifact that IMHO should be included in the SBOM.

`No usable version of libssl was found` on Linux

On Linux I get the following error message.

OS: Fedora 36
ARch: x86_64

winsbom generate -b .
No usable version of libssl was found
Aborted (core dumped)

ScanLinuxAsync logged InvalidOperationException: cannot hijack chunked or content length stream

[INFO] ScanLinuxAsync logged InvalidOperationException: cannot hijack chunked or content length stream
[WARN] Scanning of image sha256:xxxxxxxxxxxxx failed with exception: cannot hijack chunked or content length stream

I encountered the problem above when I scan docker images. How to fix this?