Atahan C.
Creating SBOM with sbom-tool and CycloneDX on Azure DevOps

SBOM
What is SBOM?

"A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components. It is the software analogue to the traditional manufacturing Bill of Materials (BOM), which is used as part of supply chain management.

An SBOM allows builders to make sure open-source and third-party software components are up to date and respond quickly to new vulnerabilities. Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.

While many companies use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. It is best practice for SBOMs to be collectively stored in a repository that can be part of other automation systems and easily queried by other applications." (Source: https://en.wikipedia.org/wiki/Software_supply_chain)

Why do organizations need a Software Bill of Materials?

"High-profile security breaches like Codecov, Kaseya, and most recently Apache Log4j - all supply chain attacks - prompted President Biden to issue a cybersecurity executive order (EO) detailing guidelines for how federal departments, agencies, and contractors doing business with the government must secure their software. Among the recommendations was a requirement for SBOMs, to ensure the safety and integrity of software applications used by the federal government." (Source: https://www.blackduck.com/blog/software-bill-of-materials-bom.html)

So far we have covered what a Software Bill of Materials is and what it is used for. Let's add SBOM creation to our existing Azure DevOps pipeline. I will start by creating an SBOM JSON file with Microsoft's SBOM Tool.

Adding SBOM generation to an Azure DevOps Pipeline with SBOM Tool

The SBOM tool has documentation for adding SBOM generation to an Azure DevOps pipeline. I followed that documentation, changed the vmImage of my pool to ubuntu-latest, and added the following two tasks under the steps of my WinamptoSpotify.yml.

```yaml
pool:
  vmImage: ubuntu-latest

steps:
# Install the .NET 8 SDK used to build the project
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '8.x'

# Build the project into the artifact staging directory (this is the "build drop" the SBOM describes)
- script: |
    dotnet build $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/WinampToSpotifyWeb.csproj --output $(Build.ArtifactStagingDirectory)
  displayName: 'Build the project'

# Download the latest Linux build of sbom-tool and generate the SPDX manifest:
#   -b   build drop folder (files listed in the SBOM)
#   -bc  build components folder (source tree whose package references are scanned)
#   -pn / -pv / -ps  package name, version and supplier written into the SBOM
#   -nsb namespace base URI for the SBOM document
- script: |
    curl -Lo $(Agent.TempDirectory)/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
    chmod +x $(Agent.TempDirectory)/sbom-tool
    $(Agent.TempDirectory)/sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/ -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose
  displayName: Generate SBOM with sbom-tool

# Publish the build output together with the generated _manifest folder
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'
```

We can see that the SBOM report is created under Artifacts -> drop -> _manifest -> spdx_2.2 -> manifest.spdx.json.

manifest.spdx.json
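The manifest that sbom-tool writes into the drop lists every file of the build output with its checksums, which is what makes the SBOM useful as an integrity record and not only as a dependency list. The script below is an added example (not code from the post or from sbom-tool) that re-hashes a drop folder and compares it with the "files" section of an SPDX 2.2 JSON manifest, reporting files that are missing, modified or not listed at all. The drop directory, its files and the manifest are constructed inside the script; the only assumption about sbom-tool's output is that the "_manifest" folder itself is not listed in the manifest.

```python
"""Verify a build drop against the file list of an SPDX 2.2 JSON manifest.

Re-checking the SHA256 values recorded by sbom-tool at deploy time detects
artifacts that were added, removed or modified after the SBOM was generated.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hex SHA256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def spdx_file_hashes(manifest):
    """Map each listed file (relative to the drop root) to its SHA256 value."""
    hashes = {}
    for entry in manifest.get("files", []):
        name = entry["fileName"]
        rel = name[2:] if name.startswith("./") else name  # SPDX writes "./relative/path"
        for checksum in entry.get("checksums", []):
            if checksum["algorithm"].upper() == "SHA256":
                hashes[rel] = checksum["checksumValue"].lower()
    return hashes


def verify_drop(manifest, drop_dir):
    """Compare a drop directory with the manifest; returns {"missing", "modified", "unlisted"}."""
    expected = spdx_file_hashes(manifest)
    actual = {}
    for root, _, names in os.walk(drop_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, drop_dir).replace(os.sep, "/")
            actual[rel] = sha256_of(full)
    findings = {"missing": [], "modified": [], "unlisted": []}
    for rel, digest in expected.items():
        if rel not in actual:
            findings["missing"].append(rel)
        elif actual[rel] != digest:
            findings["modified"].append(rel)
    for rel in actual:
        # assumption: the _manifest folder sbom-tool writes is not self-listed
        if rel not in expected and not rel.startswith("_manifest/"):
            findings["unlisted"].append(rel)
    return findings


def build_sample_drop(drop_dir):
    """Constructed sample drop: two files plus a manifest describing them."""
    files = {"WinampToSpotifyWeb.dll": b"constructed dll bytes", "appsettings.json": b"{}"}
    for rel, data in files.items():
        with open(os.path.join(drop_dir, rel), "wb") as f:
            f.write(data)
    manifest = {
        "spdxVersion": "SPDX-2.2",
        "name": "Test 1.0.0",
        "files": [
            {
                "fileName": "./" + rel,
                "SPDXID": "SPDXRef-File-%d" % i,
                "checksums": [{"algorithm": "SHA256",
                               "checksumValue": sha256_of(os.path.join(drop_dir, rel))}],
            }
            for i, rel in enumerate(files)
        ],
    }
    manifest_dir = os.path.join(drop_dir, "_manifest", "spdx_2.2")
    os.makedirs(manifest_dir)
    with open(os.path.join(manifest_dir, "manifest.spdx.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    return manifest


def demo():
    """Verify a clean drop, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as drop:
        manifest = build_sample_drop(drop)
        clean = verify_drop(manifest, drop)
        with open(os.path.join(drop, "appsettings.json"), "wb") as f:
            f.write(b'{"Debug": true}')  # modified after the SBOM was generated
        with open(os.path.join(drop, "extra.dll"), "wb") as f:
            f.write(b"unexpected")  # not recorded in the SBOM at all
        tampered = verify_drop(manifest, drop)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

In a pipeline this would run as a release-stage step over the downloaded "drop" artifact, failing the stage when any of the three lists is non-empty.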

I discovered a website, Rancher SBOM Viewer, that visualizes JSON-format SBOM reports.

Rancher SBOM Viewer

After downloading the JSON to my computer, I uploaded the JSON file to Rancher SBOM Viewer. The output is below; it shows all package references with version and license.

Rancher SBOM Viewer Output

Adding SBOM generation to an Azure DevOps Pipeline with the CycloneDX module for .NET

The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.

Usage

CycloneDX for .NET is distributed via NuGet and Docker Hub.

Installing via NuGet

```bash
dotnet tool install --global CycloneDX
```

The following command will recursively scan the directory structure for packages.config and create a BOM:

```bash
dotnet CycloneDX /path/to/project -o /output/path
```

Based on these instructions I added the following two tasks to my WinamptoSpotify.yml.

```yaml
# Install the CycloneDX .NET tool globally on the agent (--global already covers the -g short form)
- task: CmdLine@2
  displayName: 'Install CycloneDX dotnet tool'
  inputs:
    script: 'dotnet tool install --global CycloneDX'

# Scan the project's package references and write bom.json into the staging directory
- script: |
    dotnet CycloneDX $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/WinampToSpotifyWeb.csproj --json --output $(Build.ArtifactStagingDirectory)
  displayName: Generate SBOM with CycloneDX
```

The default output format of dotnet CycloneDX is XML, but you can switch it to JSON with the "--json" argument.

Artifacts -> drop -> bom.json

bom.json

Rancher SBOM Viewer output of bom.json is below:

Rancher SBOM Viewer output of bom.json
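The pipeline now produces the same inventory in two formats: manifest.spdx.json from sbom-tool and bom.json from dotnet CycloneDX. The Rancher SBOM Viewer shows name, version and license for each; the script below is an added example (not code from the post, sbom-tool or the CycloneDX project) that extracts that same view from either format and runs a small policy over it, flagging components with no recorded license, a disallowed license, or a name on a denylist. Both SBOM documents and the denylisted package name "Legacy.Helper" are constructed for the example, and the script assumes sbom-tool identifies the build itself as "SPDXRef-RootPackage" so it can skip it.

```python
"""Normalise the package inventory of an SPDX 2.2 JSON SBOM (sbom-tool) or a
CycloneDX JSON SBOM (dotnet CycloneDX) and apply a simple license/denylist policy.
"""
import json

NO_LICENSE = ("NOASSERTION", "NONE", "", None)


def load_sbom(path):
    """Load an SBOM JSON document from disk."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def _spdx_license(pkg):
    # prefer the concluded license, fall back to the declared one
    for key in ("licenseConcluded", "licenseDeclared"):
        value = pkg.get(key)
        if value not in NO_LICENSE:
            return value
    return None


def _cdx_license(comp):
    # CycloneDX allows an SPDX expression or a license object (id or name) per entry
    for entry in comp.get("licenses", []):
        if entry.get("expression"):
            return entry["expression"]
        lic = entry.get("license", {})
        if lic.get("id") or lic.get("name"):
            return lic.get("id") or lic.get("name")
    return None


def components_from_sbom(doc):
    """Return a list of (name, version, license-or-None) tuples for either format."""
    rows = []
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in doc.get("packages", []):
            # assumption: sbom-tool describes the build itself as SPDXRef-RootPackage
            if pkg.get("SPDXID") == "SPDXRef-RootPackage":
                continue
            rows.append((pkg["name"], pkg.get("versionInfo"), _spdx_license(pkg)))
    elif doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            rows.append((comp["name"], comp.get("version"), _cdx_license(comp)))
    else:
        raise ValueError("not an SPDX 2.x or CycloneDX JSON document")
    return rows


def check_policy(rows, denied_packages=(), denied_licenses=()):
    """Return (name, version, reason) findings; an empty list means the SBOM passes."""
    findings = []
    for name, version, lic in rows:
        if name in denied_packages:
            findings.append((name, version, "package is on the denylist"))
        if lic is None:
            findings.append((name, version, "no license recorded"))
        elif lic in denied_licenses:
            findings.append((name, version, "license %s is not allowed" % lic))
    return findings


# Constructed sample documents, shaped like the two files the pipeline publishes
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.2", "name": "Test 1.0.0",
    "packages": [
        {"name": "Test", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
        {"name": "Newtonsoft.Json", "SPDXID": "SPDXRef-Package-A", "versionInfo": "13.0.3",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT"},
        {"name": "Legacy.Helper", "SPDXID": "SPDXRef-Package-B", "versionInfo": "2.1.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
}
CDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "Serilog", "version": "3.1.1",
         "licenses": [{"expression": "Apache-2.0"}]},
        {"type": "library", "name": "Legacy.Helper", "version": "2.1.0"},
    ],
}


def demo():
    """Run the same policy over both sample SBOMs; both should report Legacy.Helper."""
    policy = dict(denied_packages=("Legacy.Helper",), denied_licenses=("GPL-3.0-only",))
    spdx_findings = check_policy(components_from_sbom(SPDX_SAMPLE), **policy)
    cdx_findings = check_policy(components_from_sbom(CDX_SAMPLE), **policy)
    return spdx_findings, cdx_findings


if __name__ == "__main__":
    for finding in demo()[0]:
        print("%s %s: %s" % finding)
```

Because both formats collapse to the same tuples, one policy step can gate on whichever SBOM the pipeline publishes; the denylist and license sets are the policy inputs a team would keep in source control next to the pipeline.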
References:
[1] https://en.wikipedia.org/wiki/Software_supply_chain
[2] https://www.blackduck.com/blog/software-bill-of-materials-bom.html
[3] https://github.com/CycloneDX/cyclonedx-dotnet
