From e5309f848a97749b3e262c4404ed95eeffaee381 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 11:24:07 -0700 Subject: [PATCH 01/11] Fixed documentation --- README.md | 29 +++++++++++++++++++++++++++-- docs/installation.md | 9 --------- 2 files changed, 27 insertions(+), 11 deletions(-) delete mode 100644 docs/installation.md diff --git a/README.md b/README.md index e89a78450..decdbf133 100644 --- a/README.md +++ b/README.md 
@@ -6,13 +6,38 @@ The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 ## Table of Contents -* [Installation](docs/installation.md) -* [Building and running Sbom tool](docs/build-and-run.md) +* [Installation](#installation) +* [Run the tool]() +* [Building and running Sbom tool from source](docs/build-and-run.md) * [Telemetry](#Telemetry) * [Contributing](#Contributing) * [Security](#Security) * [Trademarks](#Trademarks) +## Installation + +### Windows, Mac and Linux executable. +Please check the [Releases](https://github.com/microsoft/sbom-tool/releases) page to go to the version of the tool you want to install. Then download the tool from the release assets for the required runtime. + +Please check the [arguments](docs/sbom-tool-arguments.md) that you can provide to the sbom tool. + +### Sbom tool C# Api +Please add and authenticate the Microsoft GitHub NuGet package [registry](https://github.com/orgs/microsoft/packages?repo_name=sbom-tool) to your nuget.config. Then install the `Microsoft.Sbom.Api` package to your project using these [instructions](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry#installing-a-package) + +## Run the tool to generate an SBOM + +Once you have installed the command line tool for your OS, run the tool using this command: + +``` +generate -b -bc -pn -pv -nsb +``` + +The drop path is the folder where all the files to be shipped are located. All these files will be hashed and added to the files section of the SBOM. The build components path is usually your source folder, we will scan this folder to search for project files like *.csproj or package.json to see what components were used to build the package. The package name and version represent the package the SBOM is describing. 
+ +Each SBOM has a unique namespace that uniquely identifies the SBOM, we generate a unique identifier for the namespace field inside the SBOM, however we need a base URI that would be common for your entire organization. For example, a sample value for the `-nsb` parameter could be `https://companyName.com/teamName`, then the generator will create the namespace that would look like `https://companyName.com/teamName///`. Read more about the document namespace field [here](https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field). + +A more detailed list of available arguments can be found [here](sbom-tool-arguments.md) + ## Telemetry By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft. diff --git a/docs/installation.md b/docs/installation.md deleted file mode 100644 index 458870cc4..000000000 --- a/docs/installation.md +++ /dev/null @@ -1,9 +0,0 @@ -# Installation - -## Windows, Mac and Linux executable. -Please check the [Releases](https://github.com/microsoft/sbom-tool/releases) page to go to the version of the tool you want to install. Then download the tool from the release assets for the required runtime. - -Please check the [arguments](sbom-tool-arguments.md) that you can provide to the sbom tool. - -## Sbom tool C# Api -Please add and authenticate the Microsoft GitHub NuGet package [registry](https://github.com/orgs/microsoft/packages?repo_name=sbom-tool) to your nuget.config. Then install the `Microsoft.Sbom.Api` package to your project using these [instructions](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry#installing-a-package) From 372a7feceb4351016e97c7fbbca901d69a4d51c1 Mon Sep 17 00:00:00 2001 
From: Aasim Malladi Date: Tue, 5 Jul 2022 11:44:17 -0700 Subject: [PATCH 02/11] Update release.yml --- .github/workflows/release.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7d9996da2..7af3bcc24 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,13 +45,24 @@ jobs: - name: Build CLI self-contained run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool + - name: Generate SBOM for sbom-tool + run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ RESOLVED_VERSION }} -nsb https://sbom.microsoft + + - name: Publish SBOM + uses: shogo82148/actions-upload-release-asset@v1.6.2 + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: ./bin/_manifest/spdx/manifest.spdx.json + asset_name: manifest.spdx.json + - name: Publish CLI tool uses: shogo82148/actions-upload-release-asset@v1.6.2 with: upload_url: ${{ github.event.release.upload_url }} asset_path: ./bin/* asset_name: sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }} - + + - name: Build NuGet packages run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out From 753ac6bfdc1c1e1397186aaac36c44d576f20337 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 11:50:32 -0700 Subject: [PATCH 03/11] Update release.yml --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7af3bcc24..3512631d9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,7 @@ on: release: types: - published + workflow_dispatch: permissions: contents: write 
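Review bot: `shogo82148/actions-upload-release-asset@v1.6.2` in the new `Publish SBOM` step is pinned to a mutable tag, yet this workflow runs with `contents: write` (visible in the `@@ -4,6 +4,7 @@` hunk of the next patch) and hands the release upload to that action, so whatever the tag points to at run time executes with write access to the release. Pin third-party actions to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: shogo82148/actions-upload-release-asset@<commit-sha>  # v1.6.2`. The same applies to the existing `Publish CLI tool` step in this hunk and to `alexellis/upload-assets@0.2.2` and the later `shogo82148` uses in patches 05, 07 and 08.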
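Review bot: Adding `workflow_dispatch:` lets this workflow run without a release event, but the upload steps in the same file read `${{ github.event.release.upload_url }}`, which is empty on a manual run, so those steps fail (and after patch 04 the `-pv ${{ github.event.release.tag_name }}` version is empty as well). Either guard the release-only steps with `if: github.event_name == 'release'`, or declare an `inputs:` entry under `workflow_dispatch` for the tag and resolve both values from it. The `on:` block is complete in this hunk; the steps it affects are outside it.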
From cbf8d1fef8b2876a22a75c3efc09ff0098aa0709 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 11:53:48 -0700 Subject: [PATCH 04/11] Update release.yml --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3512631d9..9bf26e9d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,7 +47,7 @@ jobs: run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool - name: Generate SBOM for sbom-tool - run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ RESOLVED_VERSION }} -nsb https://sbom.microsoft + run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft - name: Publish SBOM uses: shogo82148/actions-upload-release-asset@v1.6.2 From 41685bc890446909ffdde0cd6d7771dd1a20aa6b Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 14:34:15 -0700 Subject: [PATCH 05/11] Updated PR comments --- .github/workflows/release.yml | 21 ++++++++------------- README.md | 8 ++++++-- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9bf26e9d4..ce3fb7a41 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
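Review bot: `${{ github.event.release.tag_name }}` is expanded directly into the shell `run:` line of `Generate SBOM for sbom-tool`, so a tag name containing whitespace or shell metacharacters breaks or alters the command; the usual hardening is to pass event-derived values through `env:` and quote the shell variable: `env:` / `RELEASE_TAG: ${{ github.event.release.tag_name }}` on the step and `-pv "$RELEASE_TAG"` in the command. Creating a release already requires write access to the repository, so the exposure is limited, but the quoting also protects against accidental breakage. Separately, the tag is used verbatim as the SBOM package version, so a `v`-prefixed tag would appear as a `v`-prefixed version in the manifest — confirm that is the intended format. The same `run:` line recurs as context in the hunks of patches 05, 07 and 08.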
@@ -46,23 +46,18 @@ jobs: - name: Build CLI self-contained run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool + - name: Rename binary to readable name + run: mv ./bin/Microsoft.Sbom.Tool${{ matrix.rid == 'win-x64' && '.exe' || '' }} ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }} + - name: Generate SBOM for sbom-tool run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft - - - name: Publish SBOM - uses: shogo82148/actions-upload-release-asset@v1.6.2 - with: - upload_url: ${{ github.event.release.upload_url }} - asset_path: ./bin/_manifest/spdx/manifest.spdx.json - asset_name: manifest.spdx.json - - name: Publish CLI tool - uses: shogo82148/actions-upload-release-asset@v1.6.2 + - name: Upload binaries and SBOM to release + uses: alexellis/upload-assets@0.2.2 + env: + GITHUB_TOKEN: ${{ github.token }} with: - upload_url: ${{ github.event.release.upload_url }} - asset_path: ./bin/* - asset_name: sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }} - + asset_paths: '["./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}", "./bin/_manifest/spdx_2.2/manifest.spdx.json"]' - name: Build NuGet packages run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out diff --git a/README.md b/README.md index decdbf133..c0b80fd44 100644 --- a/README.md +++ b/README.md 
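Review bot: The `.exe` suffix in the new `Rename binary to readable name` step and in `asset_paths` is chosen by `matrix.rid == 'win-x64'`, so any other Windows RID in the matrix (the matrix definition is outside this hunk) would be renamed without its extension and the upload list would miss it; `${{ startsWith(matrix.rid, 'win') && '.exe' || '' }}` covers every Windows RID. The manifest path also changes from `./bin/_manifest/spdx/` in patch 02 to `./bin/_manifest/spdx_2.2/` here with no corresponding change to the generate step, so one of the two cannot be right — confirm against the tool's actual output directory. The rename deserves a comment explaining the ordering, e.g. `# Rename before generating the SBOM so the manifest's file entry matches the uploaded asset name`, since the README in this series states that files in the drop path are hashed into the SBOM's files section.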
@@ -1,5 +1,9 @@ # Salus - SBOM Tool +[![Build](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/microsoft/sbom-tool/actions/workflows/build.yml) +![GitHub release (latest by date)](https://img.shields.io/github/downloads/microsoft/sbom-tool/latest/total) +![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/microsoft/sbom-tool?include_prereleases) + ## Introduction The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. @@ -7,8 +11,8 @@ The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 ## Table of Contents * [Installation](#installation) -* [Run the tool]() -* [Building and running Sbom tool from source](docs/build-and-run.md) +* [Run the tool](#run-the-tool-to-generate-an-sbom) +* [Building the tool from source](docs/build-and-run.md) * [Telemetry](#Telemetry) * [Contributing](#Contributing) * [Security](#Security) From 3ca192e622b5b78c99bf46e76d5513636e8fb686 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 14:44:43 -0700 Subject: [PATCH 06/11] Fixed release --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ce3fb7a41..281467762 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -57,7 +57,7 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} with: - asset_paths: '["./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }}", "./bin/_manifest/spdx_2.2/manifest.spdx.json"]' + asset_paths: '["./bin/*"]' - name: Build NuGet packages run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out From e9aa6919b88233b32429846291c30325ecdffcf1 Mon Sep 17 00:00:00 2001 
From: Aasim Malladi Date: Tue, 5 Jul 2022 14:49:42 -0700 Subject: [PATCH 07/11] Fixed release --- .github/workflows/release.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 281467762..88b9be3a2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,11 +53,10 @@ jobs: run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft - name: Upload binaries and SBOM to release - uses: alexellis/upload-assets@0.2.2 - env: - GITHUB_TOKEN: ${{ github.token }} + uses: shogo82148/actions-upload-release-asset@v1.6.2 with: - asset_paths: '["./bin/*"]' + upload_url: ${{ github.event.release.upload_url }} + asset_path: ./bin/* - name: Build NuGet packages run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out From 90b60c02e9be91e09b9f3de8b4628ab8db071579 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 14:56:22 -0700 Subject: [PATCH 08/11] Fixed release --- .github/workflows/release.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88b9be3a2..993605388 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -46,17 +46,23 @@ jobs: - name: Build CLI self-contained run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:DebugType=None -p:PublishTrimmed=true ./src/Microsoft.Sbom.Tool - - name: Rename binary to readable name + - name: Rename binary to short name run: mv ./bin/Microsoft.Sbom.Tool${{ matrix.rid == 'win-x64' && '.exe' || '' }} ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }} - name: Generate SBOM for sbom-tool run: dotnet run --project src/Microsoft.Sbom.Tool generate -- -b ./bin -bc ./src/ -pn sbom-tool -pv ${{ github.event.release.tag_name }} -nsb https://sbom.microsoft - - name: Upload binaries and SBOM to release + - name: Upload SBOM to release uses: shogo82148/actions-upload-release-asset@v1.6.2 with: upload_url: ${{ github.event.release.upload_url }} - asset_path: ./bin/* + asset_path: ./bin/_manifest/spdx_2.2/manifest.spdx.json + + - name: Upload binaries to release + uses: shogo82148/actions-upload-release-asset@v1.6.2 + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: ./bin/sbom-tool-${{ matrix.rid }}${{ matrix.rid == 'win-x64' && '.exe' || '' }} - name: Build NuGet packages run: dotnet pack --no-restore -p:DebugType=None --include-symbols --no-build --configuration Release --output ./out From f2ba7d70b463600b80ed8d3e23c8de7b046f5932 Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 15:02:28 -0700 Subject: [PATCH 09/11] Fixed release --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 993605388..01903ff51 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
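Review bot: The SBOM produced by `Generate SBOM for sbom-tool` uses `-b ./bin`, so it describes only the renamed CLI binary; the NuGet packages that the following `Build NuGet packages` step writes to `./out` are not covered by any SBOM in this workflow. If those packages are released as well, either add a second generate run over `./out` or state in a comment on the generate step that the manifest is scoped to the self-contained binary only. The manifest is also generated by `dotnet run --project src/Microsoft.Sbom.Tool`, i.e. a fresh build of the project rather than the published artifact in `./bin`; presumably intended, but a one-line comment saying so would save the next reader the question.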
@@ -57,6 +57,7 @@ jobs: with: upload_url: ${{ github.event.release.upload_url }} asset_path: ./bin/_manifest/spdx_2.2/manifest.spdx.json + assetName: ${{ matrix.rid }}-manifest.spdx.json - name: Upload binaries to release uses: shogo82148/actions-upload-release-asset@v1.6.2 From 1ab4633cd2b1b963677dd9382efa864495ea617e Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 15:06:55 -0700 Subject: [PATCH 10/11] Fixed readme --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c0b80fd44..d7b6b5d73 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 * [Installation](#installation) * [Run the tool](#run-the-tool-to-generate-an-sbom) -* [Building the tool from source](docs/build-and-run.md) * [Telemetry](#Telemetry) * [Contributing](#Contributing) * [Security](#Security) @@ -48,6 +47,8 @@ By default, telemetry will output to your output file path and will be a JSON bl ## Contributing +Please follow the steps [here](docs/build-and-run.md) to clone and build this repository from source. + This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. From 4d64ebb3b4826fd3fa285b1ea2a57dd0b2f1554f Mon Sep 17 00:00:00 2001 From: Aasim Malladi Date: Tue, 5 Jul 2022 15:08:24 -0700 Subject: [PATCH 11/11] fixed --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 01903ff51..541cd2c0c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -57,7 +57,7 @@ jobs: with: upload_url: ${{ github.event.release.upload_url }} asset_path: ./bin/_manifest/spdx_2.2/manifest.spdx.json - assetName: ${{ matrix.rid }}-manifest.spdx.json + asset_name: ${{ matrix.rid }}-manifest.spdx.json - name: Upload binaries to release uses: shogo82148/actions-upload-release-asset@v1.6.2