NuGet / Home

Repo for NuGet Client issues
Other
1.5k stars 252 forks source link

[Epic] Support SBOMs for NuGet packages #12497

Open JonDouglas opened 1 year ago

JonDouglas commented 1 year ago

A SBOM is a nested inventory; a list of ingredients that make up software components.

This epic tracks the work to support providing a SPDX formatted and NTIA compliant SBOM inside of a NuGet package based on the SBOM Everywhere initiative to bring a seamless interoperability end-to-end for security use cases at five major levels of software development:

  1. Clients and SDKs
  2. Package management plugins
  3. Native package manager integration
  4. Containerization integration
  5. Application/solution integration/deployment

We will most likely utilize sbom-tool to accomplish this task.

Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.

Further tracking issues will be created shortly as requirements are gathered and planned.

TiberiusDRAIG commented 1 year ago

Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?

JonDouglas commented 1 year ago

@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.

Malcolmnixon commented 11 months ago

With this being removed from the 6.8 milestone:

JonDouglas commented 11 months ago

Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.