The SBOM tool is a cross-platform, C#-based tool compiled using the Microsoft .NET 8 cross-platform, open-source developer platform. Follow the instructions provided which will guide the user in building the sbom tool from the source file.
- Download and install Dotnet SDK version 8.0.100 or later.
- Clone this GitHub repo (see steps to clone repo here).
- A text editor or integrated development environment (IDE) such as Visual Studio Code or Visual Studio.
Users can find source files in the following folder locations:
- All the source code for the tool:
srcfolder - Tests:
testfolder - The core engine (generates SBOMs):
Microsoft.Sbom.Apiproject
The sbom tool code is designed to be as extensible as possible. All the interfaces for extending the SBOM tool are located in the Microsoft.Sbom.Extensions project. Once such extension is the IManifestGenerator interface, which the SBOM tool uses to serialize a SBOM to a specific format. The Microsoft.Sbom.Parsers.Spdx22SbomParser project implements this interface, allowing the SBOM tool to serialize a SBOM in accordance with the prescribed SPDX version 2.2 standard format. The extensions project has additional interfaces designed to extend the SBOM tool.
The Microsoft.Sbom.Common project contains the base of common code, constants, etc. that all the projects can call.
The Microsoft.Sbom.Contracts project defines the interfaces that the tool uses to call the SBOM tool using a C# API. The ISBOMGenerator class defines two methods that the tool uses to directly call the SBOM tool from C# code. The Microsoft.Sbom.Tool project defines a command line interface (CLI) interface to talk to the SBOM tool.
After opening the Visual Studio 2022 application, open the Microsoft.Sbom.sln file in the root of the repository. Users can either press Ctrl + Shift + B or select Build from the menu in order to build the application.
- Set the Microsoft.Sbom.Tool project as the startup project (rightclick-> Set as Startup Project)
- Set Run arguments for the Microsoft.Sbom.Tool project (rightclick->properties->Debug)
Minimum:generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <company name> -nsb <namespace uri base> - Going forward, users can press 'F5' after making changes. This action will build the changes and start the process in debug mode (stopping at breakpoints).
A good new-user tutorial for Visual Studio is available at this.
In the user's shell of choice, ensure that the Dotnet SDK is installed and available on the PATH for the shell. Navigate to the root of the repository, then execute the following command for building the repository:
dotnet build
Users can run the sbom tool using this command which contains the minimum required set of paramaters:
dotnet run --project src/Microsoft.Sbom.Tool generate -b <drop path> -bc <build components path> -pn <package name> -pv <package version> -ps <company name> -nsb <namespace uri base>
The sbom-tool targets both .NET 6 and .NET 8 therefore it is possible to produce binaries for both. We have seen issues when attempting to run the tool using the .NET 6 binaries (#223) so for these scenarios we recommend targeting .NET 8. You can do this by following these steps:
The following command will produce a dll that can be executed on ARM based devices running OSX and can be modified to suit your needs:
dotnet publish src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj --configuration Release --output bin --runtime osx-arm64 -p:TargetFramework=net8.0 -p:SelfContained=true -p:OFFICIAL_BUILD=true -p:MinVerVersionOverride=1.8.0 -p:PublishSingleFile=true -p:IncludeNativeLibrariesForSelfExtract=true -p:IncludeAllContentForSelfExtract=true -p:DebugType=None -p:DebugSymbols=false
After running this command you can execute the tool like this:
./bin/Microsoft.Sbom.Tool generate -b ~/tmp/sbom-tool/ -bc ~/tmp/sbom-tool/ -pn TestProject -pv 1.2.3 -ps Microsoft
Because of our multi-targeting, a target framework must be specified when using the dotnet publish command:
Either
dotnet publish -f net8.0
Or
dotnet publish -f net6.0
After accessing GitHub Codespaces, select the Code button from the repository homepage, then select Open with Codespaces. That's it! Users will then have a full developer environment that supports debugging, testing, auto complete, jump to definitions, and everything that one would expect.
Follow applicable steps or procedures for starting up the applicable Linux distribution.
Clone this repo.
Build the docker image.
git clone https://github.com/microsoft/sbom-tool
cd sbom-tool
docker build . -t ms_sbom_toolUse docker bind mounts when using the tool to scan the desired target directories.