Skip to content

Generate SBOM for nuget packages #1752

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Generate SBOM for nuget packages #1752

wants to merge 2 commits into from
+20 −1

Conversation

Bertk
Copy link
Collaborator

@Bertk Bertk commented Apr 22, 2025

Add SBOM files for coverlet nuget packages e.g.

image

@Bertk Bertk mentioned this pull request Apr 27, 2025
Open
SimonCropp
SimonCropp reviewed May 12, 2025
View reviewed changes
@Bertk Bertk requested review from SimonCropp and removed request for SimonCropp June 3, 2025 11:30
SimonCropp
SimonCropp reviewed Jun 3, 2025
View reviewed changes
src/coverlet.collector/coverlet.collector.csproj
@@ -40,6 +42,10 @@
<ItemGroup>
<PackageReference Include="Microsoft.TestPlatform.ObjectModel" />
<PackageReference Include="NuGet.Frameworks" />
<PackageReference Include="Microsoft.Sbom.Targets">
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i prefer the more compact version of this. 1 line compared to 4

<PackageReference Include="Microsoft.Sbom.Targets" PrivateAssets="all" />

@Bertk Bertk requested a review from Copilot June 6, 2025 08:35
Copilot
Copilot AI reviewed Jun 6, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for generating SBOM files for NuGet packages across multiple projects by enabling SBOM generation during CI builds and adding the required package references.

  • Added the property driven by the TF_BUILD environment variable in three csproj files.
  • Included a PackageReference to Microsoft.Sbom.Targets with appropriate PrivateAssets and IncludeAssets settings in the csproj files.
  • Updated Directory.Packages.props to pin the Microsoft.Sbom.Targets package version.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj Added GenerateSBOM property and Microsoft.Sbom.Targets package reference for SBOM generation.
src/coverlet.console/coverlet.console.csproj Enabled SBOM generation and added Microsoft.Sbom.Targets package reference.
src/coverlet.collector/coverlet.collector.csproj Introduced the GenerateSBOM flag and added Microsoft.Sbom.Targets package reference.
Directory.Packages.props Added package version for Microsoft.Sbom.Targets.
Comments suppressed due to low confidence (7)

src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:22

  • [nitpick] Consider enhancing this comment with details on the expected value of TF_BUILD and the conditions under which SBOM generation occurs to support future maintainability.
<!-- create SBOM for CI build-->

src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:46

  • Verify that the configured PrivateAssets and IncludeAssets for Microsoft.Sbom.Targets conform with the project’s dependency management policies.
<PackageReference Include="Microsoft.Sbom.Targets">

src/coverlet.console/coverlet.console.csproj:9

  • [nitpick] Consider adding a brief note about TF_BUILD in this comment to clarify when SBOM generation is enabled during CI builds.
<!-- create SBOM for CI build-->

src/coverlet.console/coverlet.console.csproj:30

  • Ensure that the dependency settings (PrivateAssets and IncludeAssets) for Microsoft.Sbom.Targets are consistent with other projects and meet the overall design requirements.
<PackageReference Include="Microsoft.Sbom.Targets">

src/coverlet.collector/coverlet.collector.csproj:21

  • [nitpick] Expand this comment to specify what TF_BUILD represents and the scenario under which SBOM generation will be triggered.
<!-- create SBOM for CI build-->

src/coverlet.collector/coverlet.collector.csproj:45

  • Review the asset inclusion/exclusion settings for Microsoft.Sbom.Targets to ensure they are optimal and consistent with related projects.
<PackageReference Include="Microsoft.Sbom.Targets">

Directory.Packages.props:32

  • Consider using a centralized version variable for Microsoft.Sbom.Targets to maintain consistency across projects, if applicable.
<PackageVersion Include="Microsoft.Sbom.Targets" Version="3.1.0" />

@Bertk Bertk marked this pull request as ready for review June 6, 2025 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SimonCropp SimonCropp SimonCropp left review comments

Copilot code review Copilot Copilot left review comments

@daveMueller daveMueller Awaiting requested review from daveMueller

@MarcoRossignoli MarcoRossignoli Awaiting requested review from MarcoRossignoli

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Bertk @SimonCropp