Validate SBOM for .NET Repos using Arcade main

[epananth]

• If your repo is using Arcade from the ‘.NET Eng – latest’ channel and using Arcade’s ([jobs.yml]) template to build, you should just need the latest arcade update to get SBOM generation automatically added to your pipelines.
• If your repo is not using Arcade’s templates, or not using Arcade at all, you will need to manually add the SBOM generation task manually to every build job that creates or modifies assets. You can follow the steps outlined here to use a helper template that we’re providing through Arcade.

• Action required by 2/25/2022- SBOM validation for repos using Arcade main: We need to make sure all repositories are generating SBOMs as part of their official builds, and that those SBOMs meet certain initial requirements. Follow the steps outlined here to validate the generated SBOMs, and update status below when you have completed the work. Note that if two people are editing the issue, one of the changes might get lost, so double check that your information is recorded appropriately.

• For repositories that produce assets released via the .NET release pipeline or if your repo name is in the list here, your builds are automatically retained.
• For repositories that have their own release process, you can follow the steps outlined here

Status	Description
✔️	Results verified. Good to go!
❌	Did not work

Repository	Owner	Status	Does this need sbom?	Notes
Nuget.BuildTasks	@MiYanni			Spl case, gets arcade update and inserts only to VS
ASP.Net Classic nuget packages	@StephenMolloy			New case, has not been updated in a few years (added 3/8 to this list)
aspnet-AspNetWebHooks	@dougbu	❌	N/A	we haven't built this in ages
aspnet-AspNetWebStack	@dougbu	❌		we do not have a pipeline to build this; currently builds on TeamCity
AzureSignalR-samples	@Y-Sindo	❌	N/A	No pipeline
aspnet-Benchmarks	@sebastienros	❌	N/A	No pipeline
aspnet-SignalR-Client-Cpp	@BrennanConroy	❌	N/A	Ships as code
dotnet-project-system	@MiYanni	✔️	Spl case, inserts to VS
dotnet-project-system-tools	@MiYanni	✔️		Update done, need to verify
microsoft-dotnet-framework-docker	@mthalman	❌	N/A	N/A - only produces Windows Docker images, SBOM only supports Linux Docker images
microsoft-go	@dagood	❌		Not part of .NET
microsoft-go-images	@dagood	❌		Not part of .NET
microsoft-go-infra	@dagood	❌	N/A	No pipeline: source is the asset. Not part of .NET
microsoft-go-infra-images	@dagood	❌		Not part of .NET
dotnet-diagnostictests	@hoyosjs	❌		Test only repo does not require SBOM generation
SignalR-SignalR	@BrennanConroy	✔️		Working on arcade udpate
dotnet-insertions-client	@bekir-ozturk
dotnet-roslyn-tools	@JoeRobich	✔️		dotnet/roslyn-tools#1171
dotnet-source-indexer	@alexperovich	❌	N/A	Is a website
dotnet-arcade-extensions	@riarenas	✔️
dotnet-aspnetcore	@dougbu			https://github.com/microsoft/dropvalidator/issues/397
dotnet-crank	@sebastienros	✔️	Uses arcade release/6.0	Created on 2/21
dotnet-deployment-tools	@NikolaMilosavljevic	✔️		working on it
dotnet-diagnostics-internal-components	@hoyosjs			Look for successful build
dotnet-efcore	@dougbu	✔️		has manifests for jobs that never publish and list everything in the artifacts/ folder
dotnet-emsdk	@lewing/@akoeplinger	✔️
dotnet-fsharp	@brettfo/@KevinRansom	✔️		Needs arcade update
dotnet-interactive	@colombod	✔️		Needs arcade update
dotnet-interactive-window	@tmat	✔️
dotnet-iot	@joperezr	❌	N/A	Spl repo uses arcade but is not microsoft owned
dotnet-llvm-project	@akoeplinger			(https://github.com/microsoft/dropvalidator/issues/368)
dotnet-machinelearning-assets	@ericstj	✔️		arcade update is flowing?
dotnet-machinelearning	@ericstj	✔️
dotnet-maui	@antonfirsov			arcade update is flowing?
dotnet-microsoft.maui.graphics	@mjbond-msft			arcade update is flowing?
dotnet-msbuild	@rainersigwald	✔️		Needs arcade update
dotnet-optimization	@DrewScoggins			Need work
dotnet-razor-compiler	@dougbu	✔️
dotnet-razor-tooling	@NTaylorMullen	✔️		Needs arcade update
dotnet-roslyn	@JoeRobich	✔️		Still needs update to reference SBOM from VS Component manifests
dotnet-roslyn-debug	@tmat			arcade update is flowing?
dotnet-roslyn-sdk	@JoeRobich	✔️		dotnet/roslyn-sdk#970
dotnet-sdk	@marcpopMSFT	✔️
dotnet-source-build	@MichaelSimons	❌	N/A	No source/build in main
dotnet-source-build-reference-packages	@MichaelSimons	❌	N/A	Does not produce shippable packages
dotnet-source-build-utilities	@MichaelSimons	❌	N/A	Internal non-shipping source-build tooling
dotnet-sourcelink	@tmat	✔️
dotnet-spark	@suhsteve			Needs arcade update
dotnet-symuploader	@hoyosjs			Not sure
dotnet-templating	@vlada-shubina	✔️		Needs arcade update
dotnet-test-templates	@Haplois	✔️		Needs arcade update
dotnet-try-convert	@jmarolf	✔️		last update was in oct 21st
dotnet-upgrade-assistant	@sunandabalu	✔️		arcade update taken on 2/16
dotnet-wcf	@HongGit	✔️		Needs arcade update
dotnet-windowsdesktop	@dreddy-work	✔️		Needs update
dotnet-winforms-designer	@Shyam-Gupta	✔️		Verified that SBOM is getting generated correctly
dotnet-winforms		✔️
dotnet-winforms-datavisualization	@RussKie			last update was in dec 31st
dotnet-wpf-int	@singhashish-wpf			Needs arcade update
Microsoft-clrmd	@leculver			Needs arcade update
dotnet-docker-tools	@mthalman		N/A	N/A - Doesn't produce anything shipped to customers
microsoft-vstest	@Evangelink
Nuget.Client	@zivkan	✔️
vs-code-coverage
dotnet-arcade	@epananth	✔️
dotnet-arcade-services	@epananth	✔️
dotnet-arcade-validation	@epananth	✔️
aspnet-AspLabs	@dougbu	✔️		has manifests for jobs that never publish and list everything in the artifacts/ folder
aspnet-AspNetKatana	@Tratcher			Repo does not use Arcade; builds on TeamCity and will move to Azdo in future, they are working on this and will add sbom in future
dotnet-ef6	@dougbu	✔️		hasn't released in ages and may never again /cc @ajcvickers; oddly configured, does not create a MergedManifest.xml
dotnet-runtime-assets	@lewing	✔️
dotnet-command-line-api	@vlada-shubina	✔️
dotnet-diagnostics	@hoyosjs	✔️
dotnet-dotnet-monitor	@jander-msft	✔️
dotnet-helix-machines	@epananth	✔️
dotnet-helix-service	@epananth	✔️
dotnet-hotreload-utils	@akoeplinger	✔️
dotnet-HttpRepl	@tlmii	✔️
dotnet-icu	@lewing	✔️
dotnet-installer	@marcpopMSFT	✔️
dotnet-linker	@sbomer	✔️
dotnet-metadata-tools	@tmat	✔️
dotnet-msquic	@wfurt	✔️
dotnet-performance	@wfurt	✔️
dotnet-release	@epananth	✔️
dotnet-roslyn-analyzers	@JoeRobich	✔️
dotnet-runtime	@agocke	✔️		https://github.com/microsoft/dropvalidator/issues/397
dotnet-Scaffolding	@deepchoudhery	✔️
dotnet-source-build-externals	@MichaelSimons	✔️
dotnet-symreader	@tmat	✔️
dotnet-symreader-converter	@tmat	✔️
dotnet-symreader-portable	@tmat	✔️
dotnet-symstore	@hoyosjs	✔️
dotnet-tye	@philliphoff	✔️
dotnet-winforms-designer	@dreddy-work	✔️
dotnet-wpf	@singhashish-wpf	✔️
dotnet-xharness	@epananth	✔️
dotnet-xliff-tasks	@epananth	✔️
microsoft-reverse-proxy	@MihaZupan	✔️
dotnet-cli-lab	@joeloff	✔️		Internal build with changes succeeded, waiting to merge PR

[dougbu]

I would appreciate more context here

1. How urgent are the "Needs arcade update" items❔ ASP.NET-related repos tend to take Arcade updates ~weekly.
2. What is the point of creating an SBOM in a repo like aspnet/AspLabs which ships one package on a very irregular basis❔ We're moving that source from AspLabs to aspnetcore in any case.
3. I don't know much about aspnet-AspNetKatana @Tratcher is this yours❔
4. aspnet-AspNetWebStack is a special case. We have an internal repo for security fixes but no AzDO pipeline. Plan is to migrate builds from TeamCity to AzDO before the end of the year. Not sure how we'd create an SBOM using the current infrastructure. Suggestions❔
5. @ajcvickers should you own dotnet-ef6❔ Or is it time to declare we'll never do another EF6 release and kill that repo and associated pipelines❔

[mmitche]

I would appreciate more context here

1. How urgent are the "Needs arcade update" items❔ ASP.NET-related repos tend to take Arcade updates ~weekly.
2. What is the point of creating an SBOM in a repo like aspnet/AspLabs which ships one package on a very irregular basis❔ We're moving that source from AspLabs to aspnetcore in any case.
3. I don't know much about aspnet-AspNetKatana @Tratcher is this yours❔
4. aspnet-AspNetWebStack is a special case. We have an internal repo for security fixes but no AzDO pipeline. Plan is to migrate builds from TeamCity to AzDO before the end of the year. Not sure how we'd create an SBOM using the current infrastructure. Suggestions❔
5. @ajcvickers should you own dotnet-ef6❔ Or is it time to declare we'll never do another EF6 release and kill that repo and associated pipelines❔

1. We'd like to have SBOMs generated in main by end of next week. You probably already got the update in main though (it got checked in froday
2. Microsoft wants SBOMs for all of its supply chain, even for repos that are only providing artifacts for other repos. Since asplabs ships to customers, it should have an SBOM
3. ...
4. This one can be skipped then.
5. Up to you folks there.

[dougbu]

Since asplabs ships to customers, it should have an SBOM

Agree that's the current state. It however shouldn't ship anything in the future, given the move to dotnet/aspnetcore. Right @dotnet/aspnet-build @JamesNK❔

[JamesNK]

The gRPC source is moving from asplabs to aspnetcore. It won't ship from there anymore.

However, I think it is valuable to have a place where our product team can have experiments that can be published to NuGet to get feedback.

[dougbu]

However, I think it is valuable to have a place where our product team can have experiments that can be published to NuGet to get feedback.

That makes it a very weird case from an SBOM perspective because the pipeline build more than we'd ever release.

[mmitche]

However, I think it is valuable to have a place where our product team can have experiments that can be published to NuGet to get feedback.

That makes it a very weird case from an SBOM perspective because the pipeline build more than we'd ever release.

You could argue that about any of the .NET core repos. There will be thousands of SDK builds that never get released. The SBOM generation itself is pretty cheap, so I don't see a huge issue here

[lewing]

I have even less context here, what is needed beyond an arcade update?

[epananth]

@lewing : If your repo is using Aracade's (job.yml/jobs.yml) template to build, SBOM generation is already in place for this scenario. So once you get an arcade update (https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#repositories-using-arcades-jobsyml-templates)

You should be able to review SBOM (please take a look here on how to verify)(https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#reviewing-generated-sboms-for-correctness)

In case you are NOT using (jobs.yml or job.yml) in your repo to build, you will need to follow these steps (https://github.com/dotnet/arcade/blob/main/Documentation/SBOMGenerationGuidance.md#repositories-not-using-arcades-jobsyml-templates) to generate SBOM in your repo

I also sent an email regarding this, Please let me know if this helps.

[Y-Sindo]

Regarding to repo AzureSignalR-samples, we use it as a place for samples only and there is no pipeline for the repo.

[MihaZupan]

Package name and version: After the packages section, the last entry should mention the correct name and version for the software that the SBOM is about. The name property should read as ".NET 7.0.0" for main branches, and ".NET 6.0.0" for .NET 6 release branches.

Is the name expected to be .NET 7.0.0 even for projects that don't ship as part of .NET (microsoft/reverse-proxy)?

[mthalman]

I updated the notes for microsoft-dotnet-framework-docker and dotnet-docker-tools that SBOM generation is not applicable to them.

[sebastienros]

dotnet/crank has "Has latest arcade update but still does not have sbom generated" comment.
My response to this is it's using arcade release/6.0 apparently, and I saw the changes with SBOM just got pushed there. So I believe dotnet/crank will get it when there is a new release of that branch?

aspnet/benchmark doesn't have a pipeline. We are not shipping anything from this repository, it's just a set of benchmarks applications and scripts.

[Tratcher]

3. I don't know much about aspnet-AspNetKatana @Tratcher is this yours❔

Yes, that's mine. That repo doesn't use Arcade yet. We might consider switching to Arcade when we move it from TeamCity to Azdo.

[vlada-shubina]

I checked dotnet/templating and SBOM is generated in internal build from main branch.
The file is very big but I checked that key outputs are present.

[epananth]

Regarding to repo AzureSignalR-samples, we use it as a place for samples only and there is no pipeline for the repo.

I will update the list. thanks for confirming

[dagood]

dotnet-diagnostictests

I don't know this repo, so I've changed the owner from myself to ❓

[epananth]

Package name and version: After the packages section, the last entry should mention the correct name and version for the software that the SBOM is about. The name property should read as ".NET 7.0.0" for main branches, and ".NET 6.0.0" for .NET 6 release branches.

Is the name expected to be .NET 7.0.0 even for projects that don't ship as part of .NET (microsoft/reverse-proxy)?

For now all the repos using arcade main to use package name as .NET 7.0.0

Package name and version: After the packages section, the last entry should mention the correct name and version for the software that the SBOM is about. The name property should read as ".NET 7.0.0" for main branches, and ".NET 6.0.0" for .NET 6 release branches.

Is the name expected to be .NET 7.0.0 even for projects that don't ship as part of .NET (microsoft/reverse-proxy)?

Yes, we want everyone who uses arcade main to use .NET 7.0.0 as package name

[BrennanConroy]

How do we handle repos that
a. Don't use .NET at all
b. Don't ship a physical package
Specifically talking about aspnet-SignalR-Client-Cpp which is fully C++ and ships as code (i.e. you compile it yourself).

[epananth]

dotnet/crank has "Has latest arcade update but still does not have sbom generated" comment. My response to this is it's using arcade release/6.0 apparently, and I saw the changes with SBOM just got pushed there. So I believe dotnet/crank will get it when there is a new release of that branch?

aspnet/benchmark doesn't have a pipeline. We are not shipping anything from this repository, it's just a set of benchmarks applications and scripts.

dotnet-crank- Yes we have PR (#8479) merged for release/6.0, you should get an update soon.

Thanks for confirming

[MichaelSimons]

@epananth - I am having some troubles with dotnet-source-build-reference-packages and am wondering if you can help out. I got the repo updated on the latest arcade version but the build is still not running the SBOM generation leg - https://dev.azure.com/dnceng/internal/_build/results?buildId=1619144&view=logs&s=6884a131-87da-5381-61f3-d7acc3b91d76&j=2f0d093c-1064-5c86-fc5b-b7b1eca8e66a. The build is utilizing the Arcade job template as illustrated here

[epananth]

@BrennanConroy

How do we handle repos that a. Don't use .NET at all b. Don't ship a physical package Specifically talking about aspnet-SignalR-Client-Cpp which is fully C++ and ships as code (i.e. you compile it yourself).

I will have to get back to you on this one.

[epananth]

@epananth - I am having some troubles with dotnet-source-build-reference-packages and am wondering if you can help out. I got the repo updated on the latest arcade version but the build is still not running the SBOM generation leg - https://dev.azure.com/dnceng/internal/_build/results?buildId=1619144&view=logs&s=6884a131-87da-5381-61f3-d7acc3b91d76&j=2f0d093c-1064-5c86-fc5b-b7b1eca8e66a. The build is utilizing the Arcade job template as illustrated here

Taking a look

[epananth]

We don't need to produce sboms for dotnet-source-build-reference-packages. Going to update the list.

[MiYanni]

@epananth dotnet-project-system doesn't use Arcade.

[epananth]

@MiYanni Updated dotnet-project-system, what about dotnet-project-system-tools?

[MiYanni]

@epananth dotnet-project-system-tools currently uses Arcade. We've merged the Arcade update to do SBOM generation. I'll review it for correctness as I finish implementing SBOM manually for dotnet-project-system.

[mmitche]

This is a good approach. The tooling will improve over time, and likely will eventually become per-package (this is my educated guess) rather than "gather everything up and mash it into one file". Get something minimal working now, and we'll iterate later.

[jander-msft]

I cannot edit this issue, so here are the results I'd like to report:

• Repository: dotnet-dotnet-monitor
• Ownership: please change to @jander-msft
• Status: Verified

I'd also like to report that the Linux Musl (Alpine) x64 build leg fails to generate an SBOM and creates an empty artifact. However, we do not ship files out of this build leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1625839&view=logs&j=ce9b67a1-188c-57b1-9fb6-8fdc7e08cad8&t=bfa3c9d4-d8b2-5ecb-1e13-ed53d43bfaa5 for the example failure.

[epananth]

I cannot edit this issue, so here are the results I'd like to report:

• Repository: dotnet-dotnet-monitor
• Ownership: please change to @jander-msft
• Status: Verified

I'd also like to report that the Linux Musl (Alpine) x64 build leg fails to generate an SBOM and creates an empty artifact. However, we do not ship files out of this build leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1625839&view=logs&j=ce9b67a1-188c-57b1-9fb6-8fdc7e08cad8&t=bfa3c9d4-d8b2-5ecb-1e13-ed53d43bfaa5 for the example failure.

Updated the issue. Thanks for validating @jander-msft . For follow up on linux-musl, I created https://github.com/microsoft/dropvalidator/issues/397. Waiting to hear from SBOM folks.

[epananth]

@epananth thanks for your responses.

We have an issue opened for Sbom folks (microsoft/dropvalidator#368) Once that is fixed that should go away.

I don't believe that issue really covers the problems doing SBOM generation on Linux MUSL x64 machines. Is there another issue to track for that❔

@dougbu For AspLabs you should be able to update the version here ->

arcade/eng/common/templates/job/job.yml

Line 36 in f713662

PackageVersion: 7.0.0

Also update on the linux musl leg, I tried to run the build with updated verbosity, that did not work. We are waiting on SBOM folks for that.

[RussKie]

@epananth @dreddy-work please feel to merge, if these look correct.

• Generate SBOM manifest winforms#6759 -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1631751&view=results
• Generate SBOM manifest windowsdesktop#2651 -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1631811&view=results

Release/6.0 branches (neither public nor internal) for both repos don't appear to have generate-sbom.yml. Is this something coming?

[epananth]

@RussKie Thank you!
We already have backported this to arcade release/6.0 #8479, you should have an arcade update for your repo for that..

[joeloff]

@mmitche I talked to to @epananth The SDK SBOM is 1.4 million lines. It crashed VS, VSCode. I finally managed to open it in Notepad++, but reducing size of the files should be a priority next if possible.

[RussKie]

In dotnet/winforms it's a measly 114K lines... There are lot of entries for non-prod artifacts (e.g., tests), which could probably be ignored.

[zivkan]

NuGet's PR is merged now, and new builds will generate the sbom file & build artifact. Our next insertion will be next week.

[RussKie]

dotnet/winforms#6759 is merged.
dotnet/windowsdesktop#2651 is failing to generate SBOM on "Prepare for publish" leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1633615&view=logs&j=5ab303af-16db-5f58-82d4-945dcabe3bb5&t=24962100-60d4-5768-b736-1d1c025ebd15. I'd appreciate guidance.

[epananth]

@RussKie looking into this

[MiYanni]

@epananth The dotnet-project-system has now been verified to have SBOM. The insertion PR hasn't merged yet, but the SBOM check has passed.
https://devdiv.visualstudio.com/DevDiv/_git/VS/pullrequest/385416

[epananth]

@epananth The dotnet-project-system has now been verified to have SBOM. The insertion PR hasn't merged yet, but the SBOM check has passed. https://devdiv.visualstudio.com/DevDiv/_git/VS/pullrequest/385416

Thanks @MiYanni. I updated the list

[hoyosjs]

Forgot to update - dotnet-symuploader is good. I am not sure who deals with internal-components atm

[epananth]

Forgot to update - dotnet-symuploader is good. I am not sure who deals with internal-components atm

Thanks @hoyosjs

[epananth]

Calling this done and closing the issue.

[Tratcher]

Completed for aspnetkatana.
https://dev.azure.com/dnceng/internal/_build/results?buildId=1700756&view=logs&j=0bc77094-9fcd-5c38-f6e4-27d2ae131589&t=f5edc144-6ff8-5609-0882-2ee7397b69c1

[StephenMolloy]

ASP.Net Classic nuget package pipelines have been updated.