Generate SBOM for nuget packages #1752
@@ -40,6 +42,10 @@ | |||
<ItemGroup> | |||
<PackageReference Include="Microsoft.TestPlatform.ObjectModel" /> | |||
<PackageReference Include="NuGet.Frameworks" /> | |||
<PackageReference Include="Microsoft.Sbom.Targets"> |
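Review bot: the hunk as shown stops at the opening `<PackageReference Include="Microsoft.Sbom.Targets">` tag, so the PrivateAssets/IncludeAssets children that the PR description mentions are not visible here; since Microsoft.Sbom.Targets is build-time tooling, confirm the element resolves to PrivateAssets="all" (equivalent to the one-line form suggested in this thread) so the SBOM generator does not end up listed as a dependency in the packed nuspec.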
I prefer the more compact version of this: 1 line compared to 4.
<PackageReference Include="Microsoft.Sbom.Targets" PrivateAssets="all" />
Pull Request Overview
This PR adds support for generating SBOM files for NuGet packages across multiple projects by enabling SBOM generation during CI builds and adding the required package references.
- Added the property driven by the TF_BUILD environment variable in three csproj files.
- Included a PackageReference to Microsoft.Sbom.Targets with appropriate PrivateAssets and IncludeAssets settings in the csproj files.
- Updated Directory.Packages.props to pin the Microsoft.Sbom.Targets package version.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj | Added GenerateSBOM property and Microsoft.Sbom.Targets package reference for SBOM generation. |
| src/coverlet.console/coverlet.console.csproj | Enabled SBOM generation and added Microsoft.Sbom.Targets package reference. |
| src/coverlet.collector/coverlet.collector.csproj | Introduced the GenerateSBOM flag and added Microsoft.Sbom.Targets package reference. |
| Directory.Packages.props | Added package version for Microsoft.Sbom.Targets. |
Comments suppressed due to low confidence (7)
src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:22
- [nitpick] Consider enhancing this comment with details on the expected value of TF_BUILD and the conditions under which SBOM generation occurs to support future maintainability.
<!-- create SBOM for CI build-->
src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:46
- Verify that the configured PrivateAssets and IncludeAssets for Microsoft.Sbom.Targets conform with the project’s dependency management policies.
<PackageReference Include="Microsoft.Sbom.Targets">
src/coverlet.console/coverlet.console.csproj:9
- [nitpick] Consider adding a brief note about TF_BUILD in this comment to clarify when SBOM generation is enabled during CI builds.
<!-- create SBOM for CI build-->
src/coverlet.console/coverlet.console.csproj:30
- Ensure that the dependency settings (PrivateAssets and IncludeAssets) for Microsoft.Sbom.Targets are consistent with other projects and meet the overall design requirements.
<PackageReference Include="Microsoft.Sbom.Targets">
src/coverlet.collector/coverlet.collector.csproj:21
- [nitpick] Expand this comment to specify what TF_BUILD represents and the scenario under which SBOM generation will be triggered.
<!-- create SBOM for CI build-->
src/coverlet.collector/coverlet.collector.csproj:45
- Review the asset inclusion/exclusion settings for Microsoft.Sbom.Targets to ensure they are optimal and consistent with related projects.
<PackageReference Include="Microsoft.Sbom.Targets">
Directory.Packages.props:32
- Consider using a centralized version variable for Microsoft.Sbom.Targets to maintain consistency across projects, if applicable.
<PackageVersion Include="Microsoft.Sbom.Targets" Version="3.1.0" />
Add SBOM files for coverlet nuget packages e.g.
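Once Microsoft.Sbom.Targets runs during a CI pack, each coverlet .nupkg should carry an SPDX manifest plus a sha256 sidecar. The following consumer-side check is an added example, not code from this PR or from coverlet: it assumes the sbom-tool layout `_manifest/spdx_2.2/manifest.spdx.json` (with `.sha256` beside it) and builds a constructed stand-in package in memory so it runs offline.

```python
import hashlib
import io
import json
import zipfile

# Layout written by Microsoft's sbom-tool / Microsoft.Sbom.Targets (assumed here).
MANIFEST = "_manifest/spdx_2.2/manifest.spdx.json"
MANIFEST_SHA = MANIFEST + ".sha256"


def build_sample_nupkg(include_sbom: bool = True, tamper: bool = False) -> bytes:
    """Constructed stand-in for a packed coverlet .nupkg (a .nupkg is a zip)."""
    sbom = {
        "spdxVersion": "SPDX-2.2",
        "name": "coverlet.collector 6.0.0",  # constructed sample version
        "packages": [
            {"name": "coverlet.collector", "versionInfo": "6.0.0"},
            {"name": "Microsoft.TestPlatform.ObjectModel", "versionInfo": "17.0.0"},
        ],
    }
    body = json.dumps(sbom).encode()
    digest = hashlib.sha256(body).hexdigest()
    if tamper:  # simulate a manifest edited after the sidecar hash was written
        body = body.replace(b"17.0.0", b"17.0.1")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("coverlet.collector.nuspec", "<package/>")
        if include_sbom:
            z.writestr(MANIFEST, body)
            z.writestr(MANIFEST_SHA, digest + "\n")
    return buf.getvalue()


def verify_nupkg_sbom(nupkg: bytes) -> dict:
    """Report whether the SBOM is present, whether its sha256 sidecar matches the
    manifest bytes, and which components (name@version) the manifest declares."""
    result = {"present": False, "hash_ok": False, "components": []}
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        names = set(z.namelist())
        if MANIFEST not in names:
            return result
        result["present"] = True
        body = z.read(MANIFEST)
        if MANIFEST_SHA in names:
            expected = z.read(MANIFEST_SHA).decode().strip().lower()
            result["hash_ok"] = hashlib.sha256(body).hexdigest() == expected
        sbom = json.loads(body)
        result["components"] = sorted(
            f'{p["name"]}@{p.get("versionInfo", "?")}' for p in sbom.get("packages", [])
        )
    return result
```

Point `verify_nupkg_sbom` at the bytes of a real .nupkg from the CI artifacts to confirm the manifest is present and its sidecar hash still matches.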