# Creation of SBOMs From C Sharp Projects

## Introduction

This tutorial illustrates how to produce an SBOM from C# projects using the CycloneDX-Dotnet CLI.

## Requirements

- .NET framework.
- NuGet

## Installation

Run the command:

```shell
dotnet tool install --global CycloneDX
```

Note: You may need to add the `.dotnet/tools` directory to your PATH, e.g. `export PATH="$PATH:/location/of/.dotnet/tools"`.

Verify the installation with the command:

```shell
dotnet CycloneDX
```

You should get the response:

```text
A .NET Core global tool which creates CycloneDX Software Bill-of-Materials (SBOM) from .NET projects.

Usage: dotnet cyclonedx [options] <path>

Arguments:
  path                                                                   The path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file or the path to a directory which
                                                                         will be recursively analyzed for packages.config files

Options:
  -v|--version                                                           Output the tool version and exit
  -tfm|--framework <FRAMEWORK>                                           The target framework to use. If not defined, all will be aggregated.
  -rt|--runtime <RUNTIME>                                                The runtime to use. If not defined, all will be aggregated.
  -o|--out <OUTPUT_DIRECTORY>                                            The directory to write the BOM
  -f|--filename <OUTPUT_FILENAME>                                        Optionally provide a filename for the BOM (default: bom.xml or bom.json)
  -j|--json                                                              Produce a JSON BOM instead of XML
  -d|--exclude-dev                                                       Exclude development dependencies from the BOM (see
                                                                         https://github.com/NuGet/Home/wiki/DevelopmentDependency-support-for-PackageReference)
  -t|--exclude-test-projects                                             Exclude test projects from the BOM
  -u|--url <BASE_URL>                                                    Alternative NuGet repository URL to https://<yoururl>/nuget/<yourrepository>/v3/index.json
  -us|--baseUrlUsername <BASE_URL_USER_NAME>                             Alternative NuGet repository username
  -usp|--baseUrlUserPassword <BASE_URL_USER_PASSWORD>                    Alternative NuGet repository username password/apikey
  -uspct|--isBaseUrlPasswordClearText                                    Alternative NuGet repository password is cleartext
  -r|--recursive                                                         To be used with a single project file, it will recursively scan project references of the supplied project
                                                                         file
  -ns|--no-serial-number                                                 Optionally omit the serial number from the resulting BOM
  -gu|--github-username <GITHUB_USERNAME>                                Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub
                                                                         personal access token
  -gt|--github-token <GITHUB_TOKEN>                                      Optionally provide a GitHub personal access token for license resolution. If set you also need to provide
                                                                         a GitHub username
  -gbt|--github-bearer-token <GITHUB_BEARER_TOKEN>                       Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions
  -dgl|--disable-github-licenses                                         Optionally disable GitHub license resolution
  -dpr|--disable-package-restore                                         Optionally disable package restore
  -dhc|--disable-hash-computation                                        Optionally disable hash computation for packages
  -dct|--dotnet-command-timeout <DOTNET_COMMAND_TIMEOUT>                 dotnet command timeout in milliseconds (primarily used for long dotnet restore operations)
                                                                         Default value is: 300000.
  -biop|--base-intermediate-output-path <BASE_INTERMEDIATE_OUTPUT_PATH>  Optionally provide a folder for customized build environment. Required if folder 'obj' is relocated.
  -imp|--import-metadata-path <IMPORT_METADATA_PATH>                     Optionally provide a metadata template which has project specific details.
  -sn|--set-name <SET_NAME>                                              Override the autogenerated BOM metadata component name.
  -sv|--set-version <SET_VERSION>                                        Override the default BOM metadata component version (defaults to 0.0.0).
  -st|--set-type <SET_TYPE>                                              Override the default BOM metadata component type (defaults to application).
                                                                         Allowed values are: Null, Application, Framework, Library, OperationSystem, Device, File, Container,
                                                                         Firmware.
                                                                         Default value is: Null.
  -?|-h|--help                                                           Show help information.

A path is required
```

## Usage

Run the following command:

```shell
dotnet CycloneDX <path-to-manifest-file> -o <path-to-output-folder>
```

- The manifest file can be one of the formats: .sln, .csproj, .fsproj, .vbproj, packages.config.

The output is written to the folder you specified and contains your SBOM, in XML format by default. A JSON BOM can be obtained by adding the `-j` flag.

## Notes

- Only .sln, .csproj, .fsproj, .vbproj, and packages.config manifest files are supported by this tool.

- CycloneDX-Dotnet is only supported on .NET 6.0 and .NET 7.0. It may produce errors when creating SBOMs from modules built for other versions.

- When the appropriate manifest file is not given, or is left blank, the resulting SBOM has no dependency data and exposes information about the user's computer, e.g. hostname, project name and location.

- Depending on the manifest file used (noted above), different, or less fully featured, dependency information may be saved to the generated SBOM, which may have implications for vulnerability analysis.
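The two failure modes in the notes (a BOM that carries no dependency data but does carry local-machine details, and a BOM whose dependency information is too thin for vulnerability matching) are easy to catch with a post-generation check. The script below is an added example, not part of this tutorial or of CycloneDX-Dotnet: it assembles the `dotnet CycloneDX` command from the flags listed in the help output, runs it, and audits the resulting `bom.json`. The two sample BOMs at the bottom are constructed for illustration, the heuristic for spotting local paths in the metadata is an assumption about where such details would show up, and the `generate_bom` step needs the .NET SDK and the tool installed as shown above.

```python
"""Run the CycloneDX-Dotnet CLI and sanity-check the BOM it produces.

Added example, not part of the tutorial or of CycloneDX-Dotnet. It assumes the
tool is installed as shown above (`dotnet tool install --global CycloneDX`);
the two sample BOMs at the bottom are constructed for illustration.
"""
import json
import re
import shutil
import subprocess
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Matches absolute POSIX or Windows paths. Assumption: local-machine details that
# leak into a BOM made without a proper manifest show up as such paths.
ABSOLUTE_PATH = re.compile(r"^(?:/|[A-Za-z]:\\)")


def build_command(manifest: str, out_dir: str, *, json_output: bool = True,
                  exclude_dev: bool = False, exclude_tests: bool = False,
                  recursive: bool = False, filename: Optional[str] = None) -> List[str]:
    """Assemble the `dotnet CycloneDX` call from the flags in the help output above."""
    cmd = ["dotnet", "CycloneDX", manifest, "-o", out_dir]
    if json_output:
        cmd.append("-j")          # JSON instead of the default XML
    if exclude_dev:
        cmd.append("-d")          # drop development dependencies
    if exclude_tests:
        cmd.append("-t")          # drop test projects
    if recursive:
        cmd.append("-r")          # follow project references of a single project file
    if filename:
        cmd += ["-f", filename]
    return cmd


def generate_bom(manifest: str, out_dir: str, **flags) -> Path:
    """Run the CLI (requires the .NET SDK on PATH) and return the JSON BOM path."""
    if shutil.which("dotnet") is None:
        raise RuntimeError("dotnet SDK not found on PATH")
    subprocess.run(build_command(manifest, out_dir, **flags), check=True)
    return Path(out_dir) / (flags.get("filename") or "bom.json")


def _strings(obj, path="") -> Iterator[Tuple[str, str]]:
    """Yield (json-path, value) for every string nested anywhere in obj."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def audit_bom(bom: dict) -> List[str]:
    """Return findings for a parsed CycloneDX JSON BOM; an empty list means it looks usable."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("not a CycloneDX document")
    components = bom.get("components") or []
    if not components:
        findings.append("no components: was the manifest path wrong or missing?")
    if not bom.get("dependencies"):
        findings.append("no dependency graph: vulnerability analysis will be incomplete")
    without_purl = [c.get("name") for c in components if not c.get("purl")]
    if without_purl:
        findings.append(f"components without a purl (cannot be matched to advisories): {without_purl}")
    # Local-machine details leaking through metadata, e.g. an absolute project path.
    for where, value in _strings(bom.get("metadata", {}), "metadata"):
        if ABSOLUTE_PATH.match(value):
            findings.append(f"{where} contains a local path: {value}")
    return findings


def audit_bom_file(bom_path: Path) -> List[str]:
    """Load a bom.json written by the CLI and audit it."""
    with open(bom_path, encoding="utf-8") as fh:
        return audit_bom(json.load(fh))


# Constructed sample: what a complete BOM for a small project looks like.
GOOD_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "MyApp", "version": "1.0.0",
                               "bom-ref": "MyApp@1.0.0"}},
    "components": [{"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
                    "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
                    "bom-ref": "pkg:nuget/Newtonsoft.Json@13.0.3"}],
    "dependencies": [{"ref": "MyApp@1.0.0", "dependsOn": ["pkg:nuget/Newtonsoft.Json@13.0.3"]}],
}

# Constructed sample: the failure mode from the notes, a run without a proper manifest.
EMPTY_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "/home/alice/src/MyApp",
                               "version": "0.0.0"}},
    "components": [], "dependencies": [],
}

if __name__ == "__main__":
    for label, bom in (("good", GOOD_BOM), ("empty", EMPTY_BOM)):
        print(label, audit_bom(bom) or "OK")
```

In a pipeline, call `generate_bom("MyApp.sln", "sbom", exclude_dev=True, exclude_tests=True)` and fail the build when `audit_bom_file` returns any findings; the `purl` check matters because scanners match NuGet packages to advisories through that identifier, so a component without one silently escapes analysis.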

## SBOM

(The rendered page embeds the generated `bom.json` in a scrollable viewer at this point.)

## References

CycloneDX. (2023). CycloneDX-Dotnet. https://github.com/CycloneDX/cyclonedx-dotnet