Creating a software bill of materials (SBOM) for an open-source NuGet package : Andrew Lock
by: Andrew Lock
blow post content copied from Andrew Lock | .NET Escapades
click here to view original post
In this post I discuss several tools you can use to create a software bill of materials (SBOM) for an application or a NuGet package. I demonstrate GitHub's built-in "Export SBOM" button, Microsoft's open source sbom-tool, the anchore/sbom-action GitHub Action, and finally the CycloneDX module for .NET.
What is a software bill of materials (SBOM)?
In standard manufacturing, a bill of materials is a list of all the raw-materials, components, and parts needed to manufacture the end product. A Software Bill of Materials (SBOM) is essentially the same thing, but for software. It describes the various packages and dependencies that go into creating a software artifact such as an application or a package.
SBOMs are useful both for people building software and for people consuming or operating the software. An SBOM gives visibility into what components your software contains, including any components with known vulnerabilities, as well as any potential compliance or licensing issues or supply chain risks.
There are a variety of SBOM formats to choose from, but two of the most popular appear to be System Package Data Exchange (SPDX) and CycloneDX. Both of these formats have a JSON document option, are specified as standards (ISO/IEC 5692:2021 for SPDX, ECMA-424 for CycloneDX), and can be generated using a wide variety of open source tools.
I was interested in how easy it would be to generate an SBOM for one of my open source .NET NuGet packages. I tried a few of the available tools to see how easy they would be to use and to see what the generated SBOM looks like. In the following sections I show how to get started with the following tools
It's also worth noting that you can download an SBOM directly from a GitHub repository by going to Insights > Dependency Graph, and clicking Export SBOM:
Clicking this button downloads an SPDX JSON document, that looks something like this following:
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "com.github.andrewlock/NetEscapades.AspNetCore.SecurityHeaders",
"documentNamespace": "https://spdx.org/spdxdocs/protobom/b5635148-e0ef-45c0-9239-27f06626da6d",
"creationInfo": {
"creators": [
"Tool: protobom-v0.0.0-20250312193824-234c4fa31871+dirty",
"Tool: GitHub.com-Dependency-Graph"
],
"created": "2025-03-12T20:29:21Z"
},
"packages": [
{
"name": "Nuke.Common",
"SPDXID": "SPDXRef-nuget-Nuke.Common-8.1.0-7b26ed",
"versionInfo": "8.1.0",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
},
{
"name": "StyleCop.Analyzers",
"SPDXID": "SPDXRef-nuget-StyleCop.Analyzers-1.2.0-beta.556-d87ce5",
"versionInfo": "1.2.0-beta.556",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "MIT",
"copyrightText": "Copyright (c) .NET Foundation and Contributors, Copyright (c) 2015 Dennis Fischer, Copyright (c) 2017 Marcos Lopez C., Copyright (c) Tunnel Vision Laboratories, LLC, Copyright 2014 Giovanni Bassi and Elemar Jr, Copyright 2015 Tunnel Vision Laboratories, LLC StyleCop DotNetAnalyzers Roslyn Diagnostic Analyzer",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
},
{
"name": "xunit",
"SPDXID": "SPDXRef-nuget-xunit-2.4.2-41e328",
"versionInfo": "2.4.2",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "Apache-2.0",
"copyrightText": "(c) 2008 VeriSign, Inc., Copyright (c) .NET Foundation",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
}
]
}
This is only a tiny fraction of the output, but it shows a couple of important points:
- The SPDX format includes a relatively large amount of data, including copyright text and other details.
- The GitHub Dependency Graph SBOM includes all the packages used in your project, including test projects, sample projects, and any GitHub actions.
That latter point may or may not be what you want to include in your SBOM. The test package dependencies aren't ever used or shipped as a dependency of the final artifact, but they are a dependency of your project as a whole.
Personally I wouldn't expect to see them in an SBOM for a project, but then I've not needed to provide an SBOM for any regulatory purposes in practice, so I'm not sure what the expectation is here.
Assuming that you want something more automated, read on to see how the other tools I tried faired.
Microsoft's SBOM tool
Some of the first information I found when looking for a .NET SBOM tool was this blog post from 2022, announcing that Microsoft was open-sourcing its SBOM tool. You can find their sbom tool on GitHub. As described in the readme:
The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts. The tool uses the Component Detection libraries to detect components and the ClearlyDefined API to populate license information for these components.
Microsoft's tool is clearly going to be appealing to .NET developers, especially as it's available as a .NET tool! They also include explicit instructions for running the tool as a GitHub action, as part of your CI process.
I tried out the tool locally on my NetEscapades.AspNetCore.SecurityHeaders project. First I installed the tool:
dotnet tool install --global Microsoft.Sbom.DotNetTool
You can invoke the tool using the following command: sbom-tool
Tool 'microsoft.sbom.dotnettool' (version '3.1.0') was successfully installed.
If you run sbom-tool without any options, you'll see that there's a huge number of arguments:
The Sbom tool generates a SBOM for any build artifact.
Usage - Microsoft.Sbom.DotNetTool <action> -options
GlobalOption Description
Help (-?, -h) Prints this help message
Actions
Validate -options - Validate a build artifact using the manifest. Optionally also verify the signing certificate of the manifest.
Option Description
BuildDropPath (-b) Specifies the root folder of the drop directory containing the final build artifacts
(binaries and executables) for which the SBOM file will be validated. This is the
directory where the completed build output is stored.
ManifestDirPath (-m) The path of the directory where the manifest will be validated. If this parameter is not
specified, the manifest will be validated in {BuildDropPath}/_manifest directory.
OutputPath (-o) The path where the output json should be written. ex: Path/output.json
CatalogFilePath (-C) This parameter is deprecated and will not be used, we will automatically detect the catalog
file using our standard directory structure. The path of signed catalog file that is used
to verify the signature of the manifest json file.
ValidateSignature (-s) If set, will validate the manifest using the signed catalog file.
IgnoreMissing (-im) If set, will not fail validation on the files presented in Manifest but missing on the disk.
...
Again, I've only shown a tiny sample here, rest assured there's a lot of options😅 Nevertheless I iterated until I managed to convince the tool to give me some output. After building my packages, I ran the tool using the following arguments (explained in more detail below):
sbom-tool generate \
-b ./artifacts/packages \
-bc ./src/ \
-pn NetEscapades.AspNetCore.SecurityHeaders \
-pv 1.0.0-preview.03 \
-ps "Andrew Lock" \
-pm
-bisBuildDropPath, the folder containing the final artifacts-bcisBuildComponentPath, the path to the source code used to build the artifacts-pnisPackageName, the name of the package-pvisPackageVersion, the version of the package-psisPackageSupplier, the "supplier" of the package-pmisEnablePackageMetadataParsing, to enable parsing license info from the package's metadata file
After the tool executes you can find a manifest.spdx.json file nested inside the "BuildDropPath" in a _manifests folder. The SBOM looks something like the following:
{
"files": [
{
"fileName": "./NetEscapades.AspNetCore.SecurityHeaders.1.0.0-preview.4.nupkg",
"SPDXID": "SPDXRef-File--NetEscapades.AspNetCore.SecurityHeaders.1.0.0-preview.4.nupkg-183E8FC1DE641A7C6B5F12E173F991B2BF4C0FBD",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "62f76bc55d87ec52197158ab4aeb51516d8512b8932adfb0d85079097688613c"
},
{
"algorithm": "SHA1",
"checksumValue": "183e8fc1de641a7c6b5f12e173f991b2bf4c0fbd"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}
],
"packages": [
{
"name": "NetEscapades.AspNetCore.SecurityHeaders",
"SPDXID": "SPDXRef-RootPackage",
"downloadLocation": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": "5f36e353c6795a2cc8cf62be25e3c881a761bbfa"
},
"filesAnalyzed": true,
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"versionInfo": "1.0.0-preview.03",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:swid/Andrew%20Lock/spdx.org/[email protected]?tag_id=fb838669-25eb-40a1-9a69-e64384a3cb92"
}
],
"supplier": "Organization: Andrew Lock",
"hasFiles": [
"SPDXRef-File--NetEscapades.AspNetCore.SecurityHeaders.1.0.0-preview.4.nupkg-183E8FC1DE641A7C6B5F12E173F991B2BF4C0FBD"
]
}
],
"externalDocumentRefs": [],
"relationships": [
{
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-RootPackage",
"spdxElementId": "SPDXRef-DOCUMENT"
}
],
"spdxVersion": "SPDX-2.2",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "NetEscapades.AspNetCore.SecurityHeaders 1.0.0-preview.03",
"documentNamespace": "https://spdx.org/spdxdocs/sbom-tool-3.1.0-167ddfaf-46b9-41f4-a692-0a452316281d/NetEscapades.AspNetCore.SecurityHeaders/1.0.0-preview.03/ovnbeOkRwkaknluUVlc_Iw",
"creationInfo": {
"created": "2025-03-12T20:59:05Z",
"creators": [
"Organization: Andrew Lock",
"Tool: Microsoft.SBOMTool-3.1.0"
]
},
"documentDescribes": [
"SPDXRef-RootPackage"
]
}
It's worth noting that the NetEscapades.AspNetCore.SecurityHeaders package I'm testing here doesn't actually have any dependencies, so it probably wasn't the best choice for demonstration 😅 But also, with that in mind, you can see that the SPDX format is pretty verbose.
Overall the tool wasn't too hard to use, but I can't really comment as to it's effectiveness. The one thing I would note is that it didn't seem to detect the development dependencies (e.g. StyleCop) used by the project. Whether or not these should be included in the SBOM doesn't seem to be entirely clear, but as far as I can tell, the sbom-tool is meant to include them, so it's a bit surprising to not find them.
Overall I found the sbom-tool relatively easy to use, but it feels like it's more designed for applications than for components, such as the "drop directory" nomenclature and behaviour. For example, my project produces multiple NuGet packages, but I couldn't see how to easily generate separate SBOMs for them when the .nupkg files are all output to the same directory. The sbom-tool seems to require moving each of the built packages into a separate folder if you want a separate SBOM for each package.
GitHub action anchore/sbom-action using Syft
The next tool I tested was a GitHub action called anchore/sbom-action that uses Syft to create an SBOM.
The basic use instructions for the action are very simple - simply point the tool at a path, and specify where you want the resulting spdx file to be generated:
- uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
with:
path: ./artifacts/bin/NetEscapades.AspNetCore.SecurityHeaders
output-file: ./artifacts/sboms/netescapades-aspnetcore-securityheaders.spdx.json
upload-artifact: false
The eagle-eyed among you may notice that the path here is pointing to the bin folder instead of the packages folder. That's because Syft appears to rely on parsing the deps.json file to identify dependencies. It's possible Syft can work with the .nupkg files directly, but I didn't explore that.
Note that we're pinning to a specific commit hash in the action. This is important to avoid supply-chain attacks, such as the recent attack on the
tj-actions/changed-filesaction.
The resulting SPDX file is even more verbose than the sbom-tool version. I've included the whole file below for completeness, but it really is a bit much
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "./artifacts/bin/NetEscapades.AspNetCore.SecurityHeaders",
"documentNamespace": "https://anchore.com/syft/dir/artifacts/bin/NetEscapades.AspNetCore.SecurityHeaders-961b3ac4-c862-4b30-bc40-8d46eb6873eb",
"creationInfo": {
"licenseListVersion": "3.25",
"creators": [
"Organization: Anchore, Inc",
"Tool: syft-1.19.0"
],
"created": "2025-02-22T18:48:52Z"
},
"packages": [
{
"name": "NetEscapades.AspNetCore.SecurityHeaders",
"SPDXID": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-90ec83c3e4e1e537",
"versionInfo": "1.0.0-preview.3",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from dotnet project assets file: \\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.deps.json",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:NetEscapades.AspNetCore.SecurityHeaders:NetEscapades.AspNetCore.SecurityHeaders:1.0.0-preview.3:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
},
{
"name": "NetEscapades.AspNetCore.SecurityHeaders",
"SPDXID": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-7a9d7a39e1fc2567",
"versionInfo": "1.0.0-preview.3+b661fe12f950034461acfce714f03673a8a43b24",
"supplier": "Organization: Andrew Lock",
"originator": "Organization: Andrew Lock",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from dotnet project assets file: \\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.dll",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:NetEscapades.AspNetCore.SecurityHeaders:NetEscapades.AspNetCore.SecurityHeaders:1.0.0-preview.3\\+b661fe12f950034461acfce714f03673a8a43b24:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]%2Bb661fe12f950034461acfce714f03673a8a43b24"
}
]
},
{
"name": "StyleCop.Analyzers",
"SPDXID": "SPDXRef-Package-dotnet-StyleCop.Analyzers-7af1945e1aa913b8",
"versionInfo": "1.2.0-beta.556",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from dotnet project assets file: \\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.deps.json",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:StyleCop.Analyzers:StyleCop.Analyzers:1.2.0-beta.556:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
},
{
"name": "StyleCop.Analyzers.Unstable",
"SPDXID": "SPDXRef-Package-dotnet-StyleCop.Analyzers.Unstable-93261229c8bc8710",
"versionInfo": "1.2.0.556",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from dotnet project assets file: \\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.deps.json",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:StyleCop.Analyzers.Unstable:StyleCop.Analyzers.Unstable:1.2.0.556:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:nuget/[email protected]"
}
]
},
{
"name": "./artifacts/bin/NetEscapades.AspNetCore.SecurityHeaders",
"SPDXID": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"primaryPackagePurpose": "FILE"
}
],
"files": [
{
"fileName": "\\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.deps.json",
"SPDXID": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.deps.json-80967c7804fdaff3",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
},
{
"fileName": "\\release_netcoreapp3.1\\NetEscapades.AspNetCore.SecurityHeaders.dll",
"SPDXID": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.dll-7b8c831fe1558d56",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION"
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-Package-dotnet-StyleCop.Analyzers-7af1945e1aa913b8",
"relatedSpdxElement": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-90ec83c3e4e1e537",
"relationshipType": "DEPENDENCY_OF"
},
{
"spdxElementId": "SPDXRef-Package-dotnet-StyleCop.Analyzers.Unstable-93261229c8bc8710",
"relatedSpdxElement": "SPDXRef-Package-dotnet-StyleCop.Analyzers-7af1945e1aa913b8",
"relationshipType": "DEPENDENCY_OF"
},
{
"spdxElementId": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-7a9d7a39e1fc2567",
"relatedSpdxElement": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.dll-7b8c831fe1558d56",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-Package-dotnet-StyleCop.Analyzers-7af1945e1aa913b8",
"relatedSpdxElement": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.deps.json-80967c7804fdaff3",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-90ec83c3e4e1e537",
"relatedSpdxElement": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.deps.json-80967c7804fdaff3",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-Package-dotnet-StyleCop.Analyzers.Unstable-93261229c8bc8710",
"relatedSpdxElement": "SPDXRef-File--release-netcoreapp3.1-NetEscapades.AspNetCore.SecurityHeaders.deps.json-80967c7804fdaff3",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"relatedSpdxElement": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-90ec83c3e4e1e537",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"relatedSpdxElement": "SPDXRef-Package-dotnet-NetEscapades.AspNetCore.SecurityHeaders-7a9d7a39e1fc2567",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"relatedSpdxElement": "SPDXRef-Package-dotnet-StyleCop.Analyzers-7af1945e1aa913b8",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"relatedSpdxElement": "SPDXRef-Package-dotnet-StyleCop.Analyzers.Unstable-93261229c8bc8710",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Directory-.-artifacts-bin-NetEscapades.AspNetCore.SecurityHeaders",
"relationshipType": "DESCRIBES"
}
]
}
So top marks for this tool for simplicity, but I don't know, the verbosity bugged me 😅
CycloneDX module for .NET
That brings us to the final tool I tried, the CycloneDX module for .NET. This is the only tool I tried that uses the CycloneDX format instead of the older SPDX format, and I have to say, I thought it was pretty nice and easy.
Just like Microsoft's sbom-tool, the CycloneDX module is available as a .NET global tool, which makes it easy for .NET devs to use. Install the tool using:
dotnet tool install --global CycloneDX
You can then execute the tool by providing a path to a .csproj file, along with any additional arguments. As before, there are a lot of possible options here, but I've listed the values I used along with their explanations
dotnet-CycloneDX .\src\NetEscapades.AspNetCore.SecurityHeaders\NetEscapades.AspNetCore.SecurityHeaders.csproj \ # Path to the project to analyzer
--json \ # Produce a JSON doc instead of XML
--recursive \ # Recursively scan the projects referenced by the project
--set-name NetEscapades.AspNetCore.SecurityHeaders \ # Override the SBOM component name explicitly
--set-version 1.0.0-preview.03 \ # Override the default SBOM component version
--base-intermediate-output-path .\artifacts\ \ # Required if you're using .NET 8's artifiacts output layout
--output .\artifacts\sboms \ # Where should the SBOM file be written
--filename netescapades-aspnetcore-securityheaders.bom.json \ # The name of the SBOM file
--set-type library # What type of project is this e.g. Application/Container/Framework
Running the command above produces a document like the one shown below. Again, I've included the whole document for completeness:
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:c2560456-af20-49f6-b2a9-2e4ea7306e9e",
"version": 1,
"metadata": {
"timestamp": "2025-02-22T20:09:50Z",
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "5.0.1.0"
}
],
"component": {
"type": "library",
"bom-ref": "[email protected]",
"name": "NetEscapades.AspNetCore.SecurityHeaders",
"version": "1.0.0-preview.3"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"authors": [
{
"name": "Sam Harwell et. al."
}
],
"name": "StyleCop.Analyzers",
"version": "1.2.0-beta.556",
"description": "An implementation of StyleCop\u0027s rules using Roslyn analyzers and code fixes",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "08163F6061EBC26EA9B8069A82E9F575D656A50F1D9299EDA874F4107731EB2E02B512F201F1C34C6983D92BAECD6EE5E992AA6B61C78AE9490A7FDDBDD51882"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright 2015 Tunnel Vision Laboratories, LLC",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://github.com/DotNetAnalyzers/StyleCopAnalyzers",
"type": "website"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"authors": [
{
"name": "Sam Harwell et. al."
}
],
"name": "StyleCop.Analyzers.Unstable",
"version": "1.2.0.556",
"description": "An implementation of StyleCop\u0027s rules using Roslyn analyzers and code fixes",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "0E9FBAE713D2D30690BB331E7308A619894EE26C13798855EC0A2529B32468D67FBCF2BC1F02AA0F3AE7E6851D2B595684EF415245AA8119B9B1B7D58C30916B"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright 2015 Tunnel Vision Laboratories, LLC",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://github.com/DotNetAnalyzers/StyleCopAnalyzers",
"type": "website"
}
]
}
],
"dependencies": [
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]"
]
}
]
}
Just comparing the CycloneDX output document to the previous SPDX document, the CycloneDX one seems much easier to understand, with fewer extraneous details. In practice, I doubt that will matter much, as these documents are meant to be parsed and processed by a machine rather than by humans. But I don't know, I guess I'm partial to a well formatted JSON document, as this is the approach I settled on in the end 😀.
Summary
In this post I gave a brief introduction to SBOMs, including what they are, why they're useful, and a couple of standard formats used to define an SBOM. I then showed multiple ways to generate an SBOM for a .NET NuGet package. I showed GitHub's built-in "Export SBOM" button, Microsoft's open source sbom-tool, the anchore/sbom-action GitHub Action that uses Syft, and finally the CycloneDX module for .NET. For each approach I showed how to use the tool to generate an SBOM for a NuGet package project, and what the output file looks like.
March 25, 2025 at 02:30PM
Click here for more details...
=============================
The original post is available in Andrew Lock | .NET Escapades by Andrew Lock
this post has been published as it is through automation. Automation script brings all the top bloggers post under a single umbrella.
The purpose of this blog, Follow the top Salesforce bloggers and collect all blogs in a single place through automation.
============================
Post a Comment