Skip to content

Proposal: Set up automated SBOM (Software Bill of Materials) generation for CapX #1393

Description

@sjmf

Proposal: Set up automated SBOM (Software Bill of Materials) generation for CapX

It might be a good time to look into setting up automated Software Bill of Materials (SBOM) generation for CapX, especially as the project continues to grow. As I've been working on operational compliance for our deployment at DU, the question has come up of checks to dependencies etc for licencing and vulnerability issues. There's some things I'm able to say already (Dependabot; CodeQL) but if I can be more concrete in future that will only help the case.

Keeping tabs on direct and transitive NuGet dependencies (and their licenses/vulnerabilities) manually is tricky and, although documented in the .csproj/.sln, isn't that friendly. Having an automated, machine-readable inventory would give users an easy way to track supply chain security and clear up compliance questions without having to hand-audit things.

What this would look like:

A quick step into the GitHub Actions workflow to generate this on build or release.

  • Format: CycloneDX (JSON) or SPDX: standard industry formats that vulnerability scanners can parse.
  • Tooling: The CycloneDX .NET Tool or Microsoft.Sbom.Tool both work nicely with standard .csproj setups. We'd just need to make sure it captures the full stack.
  • Output: We can save the resulting file as a workflow artifact, or configure it to automatically attach to new GitHub releases.

You may have a pipeline that does this at UoM already, but if not I'd be interested in implementing it. It's hardly a UoM-specific question and having some understanding of how to implement this would help us at DU, and other sites too.

Why it’s worth doing:

  • Lazy Vulnerability Tracking: a generated SBOM lets automated tools (including those used by DU's CIS Security team) scan CapX.
  • License Clarity: Gives an automated map of any third-party code we’re bundling.

Let me know what you think!

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filedocumentation 📖Improvements or additions to documentationfoundations 🧰Relates to infrastructure or framework

    Fields

    No fields configured for User Story.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions