Validate SBOM for .NET Repos using Arcade main #8477
Comments
I would appreciate more context here
Agree that's the current state. It however shouldn't ship anything in the future, given the move to dotnet/aspnetcore. Right @dotnet/aspnet-build @JamesNK❔
The gRPC source is moving from asplabs to aspnetcore. It won't ship from there anymore. However, I think it is valuable to have a place where our product team can have experiments that can be published to NuGet to get feedback.
That makes it a very weird case from an SBOM perspective because the pipeline builds more than we'd ever release.
You could argue that about any of the .NET core repos. There will be thousands of SDK builds that never get released. The SBOM generation itself is pretty cheap, so I don't see a huge issue here.
I have even less context here. What is needed beyond an arcade update?
@lewing: If your repo is using Arcade's (job.yml/jobs.yml) template to build, SBOM generation is already in place for this scenario. So once you get an arcade update (https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#repositories-using-arcades-jobsyml-templates), you should be able to review the SBOM (please take a look here on how to verify: https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#reviewing-generated-sboms-for-correctness). In case you are NOT using (jobs.yml or job.yml) in your repo to build, you will need to follow these steps (https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#repositories-not-using-arcades-jobsyml-templates) to generate the SBOM in your repo. I also sent an email regarding this. Please let me know if this helps.
Regarding the repo AzureSignalR-samples, we use it as a place for samples only and there is no pipeline for the repo.
Is the name expected to be
I updated the notes for microsoft-dotnet-framework-docker and dotnet-docker-tools that SBOM generation is not applicable to them.
dotnet/crank has the "Has latest arcade update but still does not have sbom generated" comment. aspnet/benchmark doesn't have a pipeline. We are not shipping anything from this repository; it's just a set of benchmark applications and scripts.
Yes, that's mine. That repo doesn't use Arcade yet. We might consider switching to Arcade when we move it from TeamCity to Azdo.
I checked dotnet/templating and the SBOM is generated in the internal build from the main branch.
I will update the list. Thanks for confirming.
I don't know this repo, so I've changed the owner from myself to ❓
For now all the repos using arcade main to use package name as .NET 7.0.0
Yes, we want everyone who uses arcade main to use .NET 7.0.0 as package name.
How do we handle repos that
dotnet-crank - Yes, we have PR (#8479) merged for release/6.0, you should get an update soon. Thanks for confirming.
@epananth - I am having some troubles with dotnet-source-build-reference-packages and am wondering if you can help out. I got the repo updated on the latest arcade version but the build is still not running the SBOM generation leg - https://dev.azure.com/dnceng/internal/_build/results?buildId=1619144&view=logs&s=6884a131-87da-5381-61f3-d7acc3b91d76&j=2f0d093c-1064-5c86-fc5b-b7b1eca8e66a. The build is utilizing the Arcade job template as illustrated here.
I will have to get back to you on this one.
Taking a look.
We don't need to produce sboms for dotnet-source-build-reference-packages. Going to update the list.
@epananth
@MiYanni Updated dotnet-project-system, what about dotnet-project-system-tools?
@epananth
This is a good approach. The tooling will improve over time, and likely will eventually become per-package (this is my educated guess) rather than "gather everything up and mash it into one file". Get something minimal working now, and we'll iterate later.
I cannot edit this issue, so here are the results I'd like to report:
I'd also like to report that the Linux Musl (Alpine) x64 build leg fails to generate an SBOM and creates an empty artifact. However, we do not ship files out of this build leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1625839&view=logs&j=ce9b67a1-188c-57b1-9fb6-8fdc7e08cad8&t=bfa3c9d4-d8b2-5ecb-1e13-ed53d43bfaa5 for the example failure.
Updated the issue. Thanks for validating @jander-msft. For follow up on linux-musl, I created https://github.com/microsoft/dropvalidator/issues/397. Waiting to hear from SBOM folks.
@dougbu For AspLabs you should be able to update the version here -> arcade/eng/common/templates/job/job.yml Line 36 in f713662
Also an update on the linux musl leg: I tried to run the build with updated verbosity, that did not work. We are waiting on SBOM folks for that.
Relates to dotnet/arcade#8477
@epananth @dreddy-work please feel free to merge, if these look correct.
Release/6.0 branches (neither public nor internal) for both repos don't appear to have generate-sbom.yml. Is this something coming?
In dotnet/winforms it's a measly 114K lines... There are a lot of entries for non-prod artifacts (e.g., tests), which could probably be ignored.
NuGet's PR is merged now, and new builds will generate the sbom file & build artifact. Our next insertion will be next week.
dotnet/winforms#6759 is merged.
@RussKie looking into this.
@epananth The
Thanks @MiYanni. I updated the list.
Forgot to update - dotnet-symuploader is good. I am not sure who deals with internal-components atm.
Thanks @hoyosjs
Calling this done and closing the issue.
ASP.Net Classic nuget package pipelines have been updated.
• If your repo is using Arcade from the ‘.NET Eng – latest’ channel and using Arcade’s (jobs.yml) template to build, you should just need the latest arcade update to get SBOM generation automatically added to your pipelines.
• If your repo is not using Arcade’s templates, or not using Arcade at all, you will need to manually add the SBOM generation task to every build job that creates or modifies assets. You can follow the steps outlined here to use a helper template that we’re providing through Arcade.
• Action required by 2/25/2022 - SBOM validation for repos using Arcade main: We need to make sure all repositories are generating SBOMs as part of their official builds, and that those SBOMs meet certain initial requirements. Follow the steps outlined here to validate the generated SBOMs, and update the status below when you have completed the work. Note that if two people are editing the issue, one of the changes might get lost, so double check that your information is recorded appropriately.
• For repositories that produce assets released via the .NET release pipeline, or if your repo name is in the list here, your builds are automatically retained.
• For repositories that have their own release process, you can follow the steps outlined here.
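As an added example (not from this issue, Arcade, or the SBOM tooling), a small validator that applies the checks the thread asks for to a generated SBOM: it assumes the SBOM is the SPDX 2.2 JSON manifest the Microsoft SBOM tool emits, requires the root package to be ".NET" at version "7.0.0" as agreed above, and treats an empty artifact like the one reported for the linux-musl leg as a failure rather than a pass. The sample document is constructed.

```python
import json

# Constructed sample SBOM (not a real build artifact): SPDX 2.2 JSON in the layout the Microsoft SBOM tool writes (assumed).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": ".NET 7.0.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": ".NET", "versionInfo": "7.0.0"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./artifacts/packages/Foo.nupkg",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
        {"SPDXID": "SPDXRef-File-2", "fileName": "./artifacts/tests/Foo.Tests.dll",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "cd" * 32}]},
    ],
})

# Package name and version every repo on arcade main is expected to use (from the thread).
EXPECTED_NAME = ".NET"
EXPECTED_VERSION = "7.0.0"

def validate_sbom(text, expected_name=EXPECTED_NAME, expected_version=EXPECTED_VERSION):
    """Return a list of problems; an empty list means the SBOM passes the checks."""
    if not text.strip():
        # An empty artifact (the linux-musl failure mode) must fail, not silently pass.
        return ["SBOM artifact is empty"]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"SBOM is not valid JSON: {exc}"]
    problems = []
    packages = {p.get("SPDXID"): p for p in doc.get("packages", [])}
    roots = doc.get("documentDescribes", [])
    if len(roots) != 1 or roots[0] not in packages:
        problems.append("document must describe exactly one root package")
    else:
        root = packages[roots[0]]
        if root.get("name") != expected_name:
            problems.append(f"root package name {root.get('name')!r} != {expected_name!r}")
        if root.get("versionInfo") != expected_version:
            problems.append(f"root package version {root.get('versionInfo')!r} != {expected_version!r}")
    files = doc.get("files", [])
    if not files:
        problems.append("SBOM lists no files, so nothing was scanned")
    for entry in files:
        algorithms = {c.get("algorithm") for c in entry.get("checksums", [])}
        if "SHA256" not in algorithms:
            problems.append(f"{entry.get('fileName')}: missing SHA256 checksum")
    return problems
```

Point it at `_manifest/spdx_2.2/manifest.spdx.json` from a build's SBOM artifact and fail the pipeline on a non-empty problem list.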