Enable Software Bill of Materials task in Release build #6718
Conversation
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
```yaml
jobs:
- job: ComponentDetection
```
Is removing this related to SBOM?
No, I'm just fixing it in passing. I meant to add a note about that.
Running ComponentDetection in its own Job is not the correct usage. It needs to run in the same Job as the build so that it can detect all the NuGet packages that got restored. Running it in its own Job means that it doesn't really do anything.
This was not a huge deal, since this task gets automatically injected into the Pipeline in the correct place via policy anyway. But adding it explicitly seems better practice than relying on an auto-inject policy.
Note that I moved ComponentGovernanceComponentDetection from here to MUX-BuildDevProject-Steps.yml.
This adds the SBOM generation task to our Release builds.
This task generates an SPDX manifest file that lists all the dependencies of the built code to enable a Software Bill of Materials for the product.
See also: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
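The layout the thread describes, shown as one job, as an added example that is not the project's own MUX-BuildDevProject-Steps.yml or any file in this PR: restore and build first, then ComponentDetection in that same job (so it sees the packages the build actually restored), then SBOM generation only for Release builds. The task names and inputs (ComponentGovernanceComponentDetection@0, ManifestGeneratorTask@0, the `_manifest/spdx_2.2/manifest.spdx.json` output path), the `buildConfiguration` parameter and the job/step names are assumptions taken from public Azure Pipelines documentation and the linked blog post, not from this repository.

```yaml
# Added example, not from the microsoft-ui-xaml repository. Task names, inputs and
# the manifest output path below are assumptions; check them against your org's
# task catalog before use.
parameters:
- name: buildConfiguration
  default: Release

jobs:
- job: BuildAndSbom
  pool:
    vmImage: windows-latest
  steps:
  - task: NuGetToolInstaller@1

  - task: NuGetCommand@2
    displayName: Restore NuGet packages
    inputs:
      command: restore
      restoreSolution: '**/*.sln'

  - task: VSBuild@1
    displayName: Build
    inputs:
      solution: '**/*.sln'
      configuration: ${{ parameters.buildConfiguration }}
      platform: x64

  - task: CopyFiles@2
    displayName: Stage build output
    inputs:
      SourceFolder: $(Build.SourcesDirectory)
      Contents: '**/bin/**'
      TargetFolder: $(Build.ArtifactStagingDirectory)

  # Component detection belongs here, after restore/build and in the same job.
  # A separate job starts on a fresh agent with nothing restored, so detection
  # there finds no packages and the SBOM ends up listing no dependencies.
  - task: ComponentGovernanceComponentDetection@0
    displayName: Component detection
    inputs:
      scanType: Register
      verbosity: Verbose
      alertWarningLevel: High

  # SBOM generation only in Release builds, as this PR does. The task consumes
  # the detected components plus the build drop and writes
  # <BuildDropPath>\_manifest\spdx_2.2\manifest.spdx.json (assumed path).
  - ${{ if eq(parameters.buildConfiguration, 'Release') }}:
    - task: ManifestGeneratorTask@0
      displayName: Generate SBOM
      inputs:
        BuildDropPath: $(Build.ArtifactStagingDirectory)
        BuildComponentPath: $(Build.SourcesDirectory)
        PackageName: $(Build.Repository.Name)
        PackageVersion: $(Build.BuildNumber)

    # Sanity check: the manifest must exist and must list more than the root
    # package itself. A count of 0 or 1 usually means detection ran in the
    # wrong job or before the restore step.
    - powershell: |
        $manifest = Join-Path "$(Build.ArtifactStagingDirectory)" "_manifest\spdx_2.2\manifest.spdx.json"
        if (-not (Test-Path $manifest)) { throw "SBOM manifest not found: $manifest" }
        $sbom = Get-Content $manifest -Raw | ConvertFrom-Json
        Write-Host "SPDX $($sbom.spdxVersion): $($sbom.packages.Count) packages, $($sbom.files.Count) files"
        if ($sbom.packages.Count -le 1) {
          throw "SBOM lists no dependencies; component detection did not see the restored packages"
        }
      displayName: Verify SBOM content

  - task: PublishBuildArtifacts@1
    displayName: Publish drop (including _manifest)
    inputs:
      PathtoPublish: $(Build.ArtifactStagingDirectory)
      ArtifactName: drop
```

The verification step is the part worth keeping even if your org auto-injects the detection task by policy: an SBOM that is generated but empty passes the pipeline silently, and the package count is the cheapest signal that the detection task ran where the restore happened.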