Proposal: Set up automated SBOM (Software Bill of Materials) generation for CapX
It might be a good time to look into setting up automated Software Bill of Materials (SBOM) generation for CapX, especially as the project continues to grow. As I've been working on operational compliance for our deployment at DU, the question has come up of checks to dependencies etc for licencing and vulnerability issues. There's some things I'm able to say already (Dependabot; CodeQL) but if I can be more concrete in future that will only help the case.
Keeping tabs on direct and transitive NuGet dependencies (and their licenses/vulnerabilities) manually is tricky and, although documented in the .csproj/.sln, isn't that friendly. Having an automated, machine-readable inventory would give users an easy way to track supply chain security and clear up compliance questions without having to hand-audit things.
What this would look like:
A quick step into the GitHub Actions workflow to generate this on build or release.
- Format: CycloneDX (JSON) or SPDX: standard industry formats that vulnerability scanners can parse.
- Tooling: The CycloneDX .NET Tool or Microsoft.Sbom.Tool both work nicely with standard
.csproj setups. We'd just need to make sure it captures the full stack.
- Output: We can save the resulting file as a workflow artifact, or configure it to automatically attach to new GitHub releases.
You may have a pipeline that does this at UoM already, but if not I'd be interested in implementing it. It's hardly a UoM-specific question and having some understanding of how to implement this would help us at DU, and other sites too.
Why it’s worth doing:
- Lazy Vulnerability Tracking: a generated SBOM lets automated tools (including those used by DU's CIS Security team) scan CapX.
- License Clarity: Gives an automated map of any third-party code we’re bundling.
Let me know what you think!
Proposal: Set up automated SBOM (Software Bill of Materials) generation for CapX
It might be a good time to look into setting up automated Software Bill of Materials (SBOM) generation for CapX, especially as the project continues to grow. As I've been working on operational compliance for our deployment at DU, the question has come up of checks to dependencies etc for licencing and vulnerability issues. There's some things I'm able to say already (Dependabot; CodeQL) but if I can be more concrete in future that will only help the case.
Keeping tabs on direct and transitive NuGet dependencies (and their licenses/vulnerabilities) manually is tricky and, although documented in the
.csproj/.sln, isn't that friendly. Having an automated, machine-readable inventory would give users an easy way to track supply chain security and clear up compliance questions without having to hand-audit things.What this would look like:
A quick step into the GitHub Actions workflow to generate this on build or release.
.csprojsetups. We'd just need to make sure it captures the full stack.You may have a pipeline that does this at UoM already, but if not I'd be interested in implementing it. It's hardly a UoM-specific question and having some understanding of how to implement this would help us at DU, and other sites too.
Why it’s worth doing:
Let me know what you think!