search

CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0
183 stars 88 forks source link

Passing environment variables to dotnet-cyclonedx #659

Open cwa-dr opened 1 year ago

cwa-dr commented 1 year ago

In some of my .csproj files I use variables to support different deployments.

example:

dotnet-cylonedx cannot resolve $(SourceDir) and will log an error that the project file does not exist.

How can I provide this $(SourceDir) as environment variable to dotnet-cyclonedx?

william02210 commented 1 year ago

I have a similar question. I have a Visual Studio solution which may provide different version of components depending on whether it is built in a Debug or Release configuration. I am finding that CycloneDX is reporting all of the Debug dependencies and none of the release dependencies. How does one pass the build configuration to CycloneDX? Alternatively, if there was a way to have CycloneDX report all dependencies no matter their build configuration, I could post process the results.

Is this possible to do? If so, I am struggling to figure it out.

Below, I have included an example of a csproj in the solution to help clarify question.

Thank you in advance.

<Project Sdk="Some.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <RuntimeIdentifiers>win-x64</RuntimeIdentifiers>
    <RootNamespace>some_namespace</RootNamespace>
    <Configurations>Debug;Release</Configurations>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
    <WarningsAsErrors />
  </PropertyGroup>

  <Choose>
    <When Condition="$(Configuration.Contains('Release'))">
      <ItemGroup>
        <PackageReference Include="Package1.Server" Version="$(Package1ServerVersion)" />
        <PackageReference Include="Package1.Tools" Version="$(Package1ToolsVersion)" />
      </ItemGroup>
    </When>
    <Otherwise>
      <ItemGroup>
        <PackageReference Include="Package1.Server.Debug" Version="$(Package1ServerVersion)" />
        <PackageReference Include="Package1.Tools.Debug" Version="$(Package1ToolsDebugVersion)" />
      </ItemGroup>
    </Otherwise>
  </Choose>

  <ItemGroup>
    ...Stuff...
  </ItemGroup>

  <ItemGroup>
    ...Stuff...
  </ItemGroup>

</Project>
william02210 commented 1 year ago

@cwa-dr I worked around my issues with having configuration dependent assets by building the solution as I normally would, then using the -dpr (Disable Package Restore) option with CycloneDX. With this option, CycloneDX is no longer responsible for all of the different options to restoring the assets/packages.

Being somewhat new to Nuget and how SBOMs are built, it took me stepping through the CycloneDX source to understand what it was doing and what the dpr option meant.

Maybe this will work for you and save you some time as well.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 3 months with no activity.