
Enable Software Bill of Materials task in Release build #6718

Merged
merged 5 commits into from
Feb 15, 2022

Conversation

kmahone (Member) commented Feb 14, 2022

This adds the SBOM generation task to our Release builds.

This task generates an SPDX manifest file that lists all the dependencies of the built code to enable a Software Bill of Materials for the product.

See also: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/

@ghost ghost added the needs-triage Issue needs to be triaged by the area owners label Feb 14, 2022
kmahone (Member Author) commented Feb 14, 2022

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

jobs:
- job: ComponentDetection
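Review bot: the standalone `ComponentDetection` job is dropped here without any mention in the PR description, which only talks about adding the SBOM task. Since the task is being relocated rather than removed (per the reply below, it moves into the build job in MUX-BuildDevProject-Steps.yml so it runs after the NuGet restore), a sentence in the description or commit message stating that would save the next reader from assuming component detection was disabled.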
Contributor (review comment on the lines above):

Is removing this related to SBOM?

kmahone (Member Author):

No, I'm just fixing it in passing. I meant to add a note about that.

Running ComponentDetection in its own Job is not the correct usage. It needs to run in the same Job as the build so that it can detect all the nuget packages that got restored. Running it in its own Job means that it doesn't really do anything.

This was not a huge deal, since this task gets automatically injected into the Pipeline in the correct place via policy anyway. But adding it explicitly seems better practice than relying on an auto-inject policy.
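To make the placement point concrete, here is an added Azure Pipelines example (not code from this PR or from the microsoft-ui-xaml repo) showing the two layouts side by side: detection in its own job, where no packages have been restored, and detection plus SBOM generation as steps of the build job after restore and build. `ComponentGovernanceComponentDetection` is the task named in this thread; the `@0` version, the `scanType` input, the `ManifestGeneratorTask@0` task name and its `BuildDropPath` input, and the solution path are assumptions for illustration.

```yaml
# Added example, not the project's own pipeline.
# Layout 1: ComponentDetection as a separate job. Jobs run on fresh agents, so
# this job never sees the packages restored by the Build job and detects nothing.
jobs:
- job: Build
  steps:
  - task: NuGetCommand@2
    inputs:
      command: restore
      restoreSolution: '**/*.sln'        # assumed solution glob
  - task: MSBuild@1
    inputs:
      solution: '**/*.sln'
      configuration: Release
- job: ComponentDetection                # runs elsewhere, after Build: empty scan
  steps:
  - task: ComponentGovernanceComponentDetection@0
---
# Layout 2: detection and SBOM generation inside the build job, after restore
# and build, so the restored NuGet packages and the produced drop are visible.
jobs:
- job: Build
  steps:
  - task: NuGetCommand@2
    inputs:
      command: restore
      restoreSolution: '**/*.sln'
  - task: MSBuild@1
    inputs:
      solution: '**/*.sln'
      configuration: Release
      msbuildArgs: '/p:OutDir=$(Build.ArtifactStagingDirectory)\'
  # Same agent, same workspace: the detector now finds every restored package.
  - task: ComponentGovernanceComponentDetection@0
    inputs:
      scanType: Register                 # assumed input value
  # SBOM generation over the build drop; task name and input are assumptions.
  - task: ManifestGeneratorTask@0
    inputs:
      BuildDropPath: $(Build.ArtifactStagingDirectory)
  # Publish the drop (including the generated _manifest folder) as a pipeline artifact
  # so the SPDX file can be inspected and shipped alongside the binaries.
  - publish: $(Build.ArtifactStagingDirectory)
    artifact: drop
```

The check a release engineer would run after adopting layout 2 is to open the published artifact and confirm that the SPDX manifest actually lists the NuGet packages the build restored; an empty or near-empty package list is the symptom of the detector running in the wrong job.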

kmahone (Member Author):

Note that I moved ComponentGovernanceComponentDetection from here to MUX-BuildDevProject-Steps.yml.

@kmahone kmahone merged commit 3bb293f into main Feb 15, 2022
@kmahone kmahone deleted the user/kmahone/sbom branch February 15, 2022 19:58
@StephenLPeters StephenLPeters added area-DevInternal Internal build infrastructure, code cleanup, engineering efficiency team-Controls Issue for the Controls team and removed needs-triage Issue needs to be triaged by the area owners labels Mar 2, 2022