Add SBOM generation steps (#671)

jimmylewis · web-flow · commit 6d0d659a9ce9 · 2022-02-23T16:08:50.000-08:00
diff --git a/azure-pipelines/azure-pipeline.microbuild.after.yml b/azure-pipelines/azure-pipeline.microbuild.after.yml
@@ -1,4 +1,8 @@
 steps:
+- task: ManifestGeneratorTask@0
+  displayName: 'Generate SBOM For VSIX Insertion'
+  inputs:
+    BuildDropPath: '$(Build.SourcesDirectory)\bin\Microsoft.Web.LibraryManager.Vsix\Release'
 - task: MSBuild@1
   displayName: Build VS Installer Manifest
   inputs:
@@ -14,11 +18,12 @@ steps:
     solution: build/CreateInsertionMetadata.proj
     msbuildArguments: /r
 
-- task: CopyFiles@1
+- task: CopyFiles@2
   inputs:
     contents: |
       bin/**/*.vsman
       bin/**/*.vsix
+      bin/sbom/*.json
       bin/InsertionParameters.txt
     targetFolder: $(Build.ArtifactStagingDirectory)/insertion
     flattenFolders: true
diff --git a/azure-pipelines/azure-pipeline.microbuild.before.yml b/azure-pipelines/azure-pipeline.microbuild.before.yml
@@ -6,5 +6,5 @@ steps:
     zipSources: false
   displayName: Install MicroBuild Signing Plugin
 
-- task: MicroBuildSwixPlugin@3
+- task: MicroBuildSwixPlugin@4
   displayName: Install MicroBuild Swix Plugin
diff --git a/azure-pipelines/official.yml b/azure-pipelines/official.yml
@@ -8,6 +8,7 @@ variables:
   DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
   BuildConfiguration: Release
   BuildPlatform: Any CPU
+  Packaging.EnableSBOMSigning: true
 
 jobs:
   - job: Windows
diff --git a/setup/Microsoft.Web.LibraryManager.vsmanproj b/setup/Microsoft.Web.LibraryManager.vsmanproj
@@ -11,14 +11,19 @@
     <ProductFamilyVersion>2016</ProductFamilyVersion>
     <ComputeRelativeUrls>true</ComputeRelativeUrls>
     <OutputPath>$(BaseOutputPath)\setup</OutputPath>
+
+    <SBOMSourceDirectory>$(ManifestOutputPath)\_manifest\spdx_2.2</SBOMSourceDirectory>
+    <SBOMDestinationDirectory>$(RepoRoot)\bin\sbom</SBOMDestinationDirectory>
   </PropertyGroup>
 
   <ItemGroup>
-    <MergeManifest Include="$(ManifestOutputPath)\*.json">
+    <MergeManifest Include="$(ManifestOutputPath)\*.json"
+                   SBOMFileLocation="$(SBOMSourceDirectory)\manifest.spdx.json"
+                   SBOMFileDestPath="$(SBOMDestinationDirectory)">
       <RelativeUrl>/</RelativeUrl>
     </MergeManifest>
   </ItemGroup>
 
-  <Import Project="$(MicroBuildPluginDirectory)\MicroBuild.Plugins.SwixBuild.*\build\MicroBuild.Plugins.SwixBuild.targets"/>
+  <Import Project="$(MicroBuildPluginDirectory)\Microsoft.VisualStudioEng.MicroBuild.Plugins.SwixBuild.*\build\Microsoft.VisualStudioEng.MicroBuild.Plugins.SwixBuild.targets"/>
 
 </Project>
