CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

Reimplement the tool as a DLL with a frontend console app? #740

Closed JayAtFujifilm closed 10 months ago

JayAtFujifilm commented 1 year ago

To make the CycloneDX DotNet tool more flexible, it could be refactored into a DLL with an optional console app front end. That way it could be used directly in a .Net application without having to launch an external process. This in turn would facilitate easier error-handling (as exceptions would be passed to the calling logic) and logging.

Bertk commented 1 year ago

Sorry, I do not understand your request. I use the tool in a build pipeline and we generate the SBOM only after a PR is merged. Please add more information on how you want to use the cyclonedx SBOM tool.

wazzamatazz commented 1 year ago

I think @JayAtFujifilm is suggesting that the CycloneDX logic could be placed in a class library and then referenced and used by other libraries or applications, including the CycloneDX .NET tool.

The closest analogy I can think of is that NuGet provides libraries such as NuGet.Protocol and NuGet.ProjectModel that allow applications (including CycloneDX) to interact with the NuGet ecosystem but it is also possible to just download and use nuget.exe.

Bertk commented 1 year ago

There is a cyclonedx.core Nuget package which has CycloneDX bill-of-material documents support.

The dotnet tool uses CLI and has methods to manage c# project, solution and build immediate files. This is specific for the cyclonedx-dotnet tool.

By the way, there is nuget package Buildalyzer which can be used to access build details (uses design-time build).

JayAtFujifilm commented 1 year ago

Hi,

Thank you for considering this request, and for the suggestions.

The application for which we want to build an SBOM consists of many different DotNet solutions and NodeJS solutions stored under a single root folder.

We have built an SCA tool that recurses through our source code, examining every folder. When it finds a folder with a .Net project, we then invoke the CycloneDX DotNet tool to build an SBOM for that project, and then use the CycloneDX CLI tool to merge the SBOM with a parent SBOM. In this way we recursively build a single SBOM for the entire application.

When we use the CycloneDX DotNet tool, we must invoke it as another process, since it is a command-line tool. This makes it difficult to integrate debugging and logging with the main SCA tool. If instead the CycloneDX DotNet tool were available as a DLL, we could simply link to it, debug directly into it when needed, and log easily, which would make it much simpler to use.

So in this scenario, the bulk of the CycloneDX Dotnet tool would be in the library, with a small console app frontend for invoking it directly when needed.

Again, I really appreciate your considering these ideas.

Best regards,

Jay Rogers Fujifilm Healthcare Systems USA

Bertk commented 1 year ago

@JayAtFujifilm Thank you for the details, which are very helpful. Managing SBOMs needs additional tooling and is, in my understanding, not in scope for cyclonedx-dotnet. cyclonedx-dotnet is a dotnet stand-alone tool and not a library.

A potential improvement is the support of multiple solution or CS project files. @coderpatros Please add the "enhancement" or "feature request" label.

JayAtFujifilm commented 1 year ago

Hi all,

Thank you for considering this.

Best regards,

Jay


mtsfoni commented 1 year ago

When you download and unzip the nuget-package, cyclonedx actually is a dll.

Just the program class is set to internal. However, you might be able to use reflection to call Main(string[]).

I will likely make this a little easier by offering a public entry point.

mtsfoni commented 10 months ago

The main logic now runs in a class, called runner. For normal use you can call the parameterless constructor.

HandleCommandAsync then generates the bom. RunOptions are respective to the arguments.

It should be fairly easy to build on top of that, if you want to use the tool as part of another one.
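As an added illustration (not code from cyclonedx-dotnet or from anyone in this thread), the sketch below drives the tool in-process the way the last comment describes, applied to the per-project step of the recursive SCA flow Jay outlined. Runner, its parameterless constructor, HandleCommandAsync and RunOptions are named in the comment above; the RunOptions property names used here, the `CycloneDX` namespace and the integer exit-code return value are assumptions to check against the package version you reference.

```csharp
// Added example, not part of cyclonedx-dotnet. Assumed: RunOptions exposes
// SolutionOrProjectFile, outputDirectory, outputFilename and json, and
// HandleCommandAsync returns a Task<int> exit code (0 = success).
using System;
using System.IO;
using System.Threading.Tasks;
using CycloneDX;

public static class InProcessSbom
{
    // Walk a source tree and generate one JSON BOM per .csproj found.
    // Returns the number of projects whose BOM generation failed.
    public static async Task<int> GenerateAllAsync(string rootDir, string outDir)
    {
        int failures = 0;
        foreach (var project in Directory.EnumerateFiles(rootDir, "*.csproj", SearchOption.AllDirectories))
        {
            var options = new RunOptions
            {
                SolutionOrProjectFile = project,
                outputDirectory = outDir,
                outputFilename = Path.GetFileNameWithoutExtension(project) + ".bom.json",
                json = true,
            };
            try
            {
                // Failures surface here as exceptions or exit codes in the
                // calling process, which is the debugging/logging benefit
                // the issue asks for instead of parsing a child process.
                int exitCode = await new Runner().HandleCommandAsync(options);
                if (exitCode != 0)
                {
                    failures++;
                    Console.Error.WriteLine($"{project}: runner returned exit code {exitCode}");
                }
            }
            catch (Exception ex)
            {
                failures++;
                Console.Error.WriteLine($"{project}: {ex.GetType().Name}: {ex.Message}");
            }
        }
        return failures;
    }

    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: <rootDir> <outDir>"); return 2; }
        return await GenerateAllAsync(args[0], args[1]);
    }
}
```

Merging the per-project BOMs into one parent document is left to the CycloneDX CLI step already described in the thread.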