dotnet / arcade

Tools that provide common build infrastructure for multiple .NET Foundation projects.
MIT License

Validate SBOM for .NET Repos using Arcade main #8477

Closed epananth closed 2 years ago

epananth commented 2 years ago

• If your repo is using Arcade from the ‘.NET Eng – latest’ channel and using Arcade’s `jobs.yml` template to build, you should just need the latest arcade update to get SBOM generation automatically added to your pipelines.
• If your repo is not using Arcade’s templates, or not using Arcade at all, you will need to manually add the SBOM generation task to every build job that creates or modifies assets. You can follow the steps outlined here to use a helper template that we’re providing through Arcade.

Action required by 2/25/2022 - SBOM validation for repos using Arcade main: We need to make sure all repositories are generating SBOMs as part of their official builds, and that those SBOMs meet certain initial requirements. Follow the steps outlined here to validate the generated SBOMs, and update the status below when you have completed the work. Note that if two people are editing the issue, one of the changes might get lost, so double check that your information is recorded appropriately.

• For repositories that produce assets released via the .NET release pipeline, or if your repo name is in the list here, your builds are automatically retained.
• For repositories that have their own release process, you can follow the steps outlined here.

| Status | Description |
|---|---|
| ✔️ | Results verified. Good to go! |
| | Did not work |

| Repository | Owner | Status | Does this need SBOM? | Notes |
|---|---|---|---|---|
| Nuget.BuildTasks | @MiYanni | | | Spl case, gets arcade update and inserts only to VS |
| ASP.Net Classic nuget packages | @StephenMolloy | | | New case, has not been updated in a few years (added 3/8 to this list) |
| aspnet-AspNetWebHooks | @dougbu | | N/A | we haven't built this in ages |
| aspnet-AspNetWebStack | @dougbu | | | we do not have a pipeline to build this; currently builds on TeamCity |
| AzureSignalR-samples | @Y-Sindo | | N/A | No pipeline |
| aspnet-Benchmarks | @sebastienros | | N/A | No pipeline |
| aspnet-SignalR-Client-Cpp | @BrennanConroy | | N/A | Ships as code |
| dotnet-project-system | @MiYanni | ✔️ | | Spl case, inserts to VS |
| dotnet-project-system-tools | @MiYanni | ✔️ | | Update done, need to verify |
| microsoft-dotnet-framework-docker | @mthalman | N/A | N/A | only produces Windows Docker images; SBOM only supports Linux Docker images |
| microsoft-go | @dagood | | | Not part of .NET |
| microsoft-go-images | @dagood | | | Not part of .NET |
| microsoft-go-infra | @dagood | | N/A | No pipeline: source is the asset. Not part of .NET |
| microsoft-go-infra-images | @dagood | | | Not part of .NET |
| dotnet-diagnostictests | @hoyosjs | | | Test-only repo, does not require SBOM generation |
| SignalR-SignalR | @BrennanConroy | ✔️ | | Working on arcade update |
| dotnet-insertions-client | @bekir-ozturk | | | |
| dotnet-roslyn-tools | @JoeRobich | ✔️ | | https://github.com/dotnet/roslyn-tools/pull/1171 |
| dotnet-source-indexer | @alexperovich | | N/A | Is a website |
| dotnet-arcade-extensions | @riarenas | ✔️ | | |
| dotnet-aspnetcore | @dougbu | | | https://github.com/microsoft/dropvalidator/issues/397 |
| dotnet-crank | @sebastienros | ✔️ | | Uses arcade release/6.0. Created on 2/21 |
| dotnet-deployment-tools | @NikolaMilosavljevic | ✔️ | | working on it |
| dotnet-diagnostics-internal-components | @hoyosjs | | | Look for successful build |
| dotnet-efcore | @dougbu | ✔️ | | has manifests for jobs that never publish and list everything in the artifacts/ folder |
| dotnet-emsdk | @lewing/@akoeplinger | ✔️ | | |
| dotnet-fsharp | @brettfo/@kevinransom | ✔️ | | Needs arcade update |
| dotnet-interactive | @colombod | ✔️ | | Needs arcade update |
| dotnet-interactive-window | @tmat | ✔️ | | |
| dotnet-iot | @joperezr | | N/A | Spl repo: uses arcade but is not microsoft owned |
| dotnet-llvm-project | @akoeplinger | | | https://github.com/microsoft/dropvalidator/issues/368 |
| dotnet-machinelearning-assets | @ericstj | ✔️ | | arcade update is flowing? |
| dotnet-machinelearning | @ericstj | ✔️ | | |
| dotnet-maui | @antonfirsov | | | arcade update is flowing? |
| dotnet-microsoft.maui.graphics | @mjbond-msft | | | arcade update is flowing? |
| dotnet-msbuild | @rainersigwald | ✔️ | | Needs arcade update |
| dotnet-optimization | @DrewScoggins | | | Needs work |
| dotnet-razor-compiler | @dougbu | ✔️ | | |
| dotnet-razor-tooling | @NTaylorMullen | ✔️ | | Needs arcade update |
| dotnet-roslyn | @JoeRobich | ✔️ | | Still needs update to reference SBOM from VS Component manifests |
| dotnet-roslyn-debug | @tmat | | | arcade update is flowing? |
| dotnet-roslyn-sdk | @JoeRobich | ✔️ | | https://github.com/dotnet/roslyn-sdk/pull/970 |
| dotnet-sdk | @marcpopMSFT | ✔️ | | |
| dotnet-source-build | @MichaelSimons | | N/A | No source/build in main |
| dotnet-source-build-reference-packages | @MichaelSimons | | N/A | Does not produce shippable packages |
| dotnet-source-build-utilities | @MichaelSimons | | N/A | Internal non-shipping source-build tooling |
| dotnet-sourcelink | @tmat | ✔️ | | |
| dotnet-spark | @suhsteve | | | Needs arcade update |
| dotnet-symuploader | @hoyosjs | | | Not sure |
| dotnet-templating | @vlada-shubina | ✔️ | | Needs arcade update |
| dotnet-test-templates | @Haplois | ✔️ | | Needs arcade update |
| dotnet-try-convert | @jmarolf | ✔️ | | last update was on Oct 21st |
| dotnet-upgrade-assistant | @sunandabalu | ✔️ | | arcade update taken on 2/16 |
| dotnet-wcf | @HongGit | ✔️ | | Needs arcade update |
| dotnet-windowsdesktop | @dreddy-work | ✔️ | | Needs update |
| dotnet-winforms-designer | @Shyam-Gupta | ✔️ | | Verified that SBOM is getting generated correctly |
| dotnet-winforms | | ✔️ | | |
| dotnet-winforms-datavisualization | @RussKie | | | last update was on Dec 31st |
| dotnet-wpf-int | @singhashish-wpf | | | Needs arcade update |
| Microsoft-clrmd | @leculver | | | Needs arcade update |
| dotnet-docker-tools | @mthalman | N/A | N/A | Doesn't produce anything shipped to customers |
| microsoft-vstest | @Evangelink | | | |
| Nuget.Client | @zivkan | ✔️ | | |
| vs-code-coverage | | | | |
| dotnet-arcade | @epananth | ✔️ | | |
| dotnet-arcade-services | @epananth | ✔️ | | |
| dotnet-arcade-validation | @epananth | ✔️ | | |
| aspnet-AspLabs | @dougbu | ✔️ | | has manifests for jobs that never publish and list everything in the artifacts/ folder |
| aspnet-AspNetKatana | @Tratcher | | | Repo does not use Arcade; builds on TeamCity and will move to Azdo in future. They are working on this and will add SBOM in future |
| dotnet-ef6 | @dougbu | ✔️ | | hasn't released in ages and may never again /cc @ajcvickers; oddly configured, does not create a MergedManifest.xml |
| dotnet-runtime-assets | @lewing | ✔️ | | |
| dotnet-command-line-api | @vlada-shubina | ✔️ | | |
| dotnet-diagnostics | @hoyosjs | ✔️ | | |
| dotnet-dotnet-monitor | @jander-msft | ✔️ | | |
| dotnet-helix-machines | @epananth | ✔️ | | |
| dotnet-helix-service | @epananth | ✔️ | | |
| dotnet-hotreload-utils | @akoeplinger | ✔️ | | |
| dotnet-HttpRepl | @tlmii | ✔️ | | |
| dotnet-icu | @lewing | ✔️ | | |
| dotnet-installer | @marcpopMSFT | ✔️ | | |
| dotnet-linker | @sbomer | ✔️ | | |
| dotnet-metadata-tools | @tmat | ✔️ | | |
| dotnet-msquic | @wfurt | ✔️ | | |
| dotnet-performance | @wfurt | ✔️ | | |
| dotnet-release | @epananth | ✔️ | | |
| dotnet-roslyn-analyzers | @JoeRobich | ✔️ | | |
| dotnet-runtime | @agocke | ✔️ | | https://github.com/microsoft/dropvalidator/issues/397 |
| dotnet-Scaffolding | @deepchoudhery | ✔️ | | |
| dotnet-source-build-externals | @MichaelSimons | ✔️ | | |
| dotnet-symreader | @tmat | ✔️ | | |
| dotnet-symreader-converter | @tmat | ✔️ | | |
| dotnet-symreader-portable | @tmat | ✔️ | | |
| dotnet-symstore | @hoyosjs | ✔️ | | |
| dotnet-tye | @philliphoff | ✔️ | | |
| dotnet-winforms-designer | @dreddy-work | ✔️ | | |
| dotnet-wpf | @singhashish-wpf | ✔️ | | |
| dotnet-xharness | @epananth | ✔️ | | |
| dotnet-xliff-tasks | @epananth | ✔️ | | |
| microsoft-reverse-proxy | @MihaZupan | ✔️ | | |
| dotnet-cli-lab | @joeloff | ✔️ | | Internal build with changes succeeded, waiting to merge PR |

jander-msft commented 2 years ago

I cannot edit this issue, so here are the results I'd like to report:

  • Repository: dotnet-dotnet-monitor
  • Ownership: please change to @jander-msft
  • Status: Verified

I'd also like to report that the Linux Musl (Alpine) x64 build leg fails to generate an SBOM and creates an empty artifact. However, we do not ship files out of this build leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1625839&view=logs&j=ce9b67a1-188c-57b1-9fb6-8fdc7e08cad8&t=bfa3c9d4-d8b2-5ecb-1e13-ed53d43bfaa5 for the example failure.

epananth commented 2 years ago

> I cannot edit this issue, so here are the results I'd like to report:
>
>   • Repository: dotnet-dotnet-monitor
>   • Ownership: please change to @jander-msft
>   • Status: Verified
>
> I'd also like to report that the Linux Musl (Alpine) x64 build leg fails to generate an SBOM and creates an empty artifact. However, we do not ship files out of this build leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1625839&view=logs&j=ce9b67a1-188c-57b1-9fb6-8fdc7e08cad8&t=bfa3c9d4-d8b2-5ecb-1e13-ed53d43bfaa5 for the example failure.

Updated the issue. Thanks for validating, @jander-msft. For follow-up on linux-musl, I created https://github.com/microsoft/dropvalidator/issues/397. Waiting to hear from SBOM folks.

epananth commented 2 years ago

> @epananth thanks for your responses.
>
> > We have an issue opened for SBOM folks (microsoft/dropvalidator#368). Once that is fixed, that should go away.
>
> I don't believe that issue really covers the problems doing SBOM generation on Linux MUSL x64 machines. Is there another issue to track for that?

@dougbu For AspLabs you should be able to update the version here -> https://github.com/dotnet/arcade/blob/f7136626d0109856df867481219eb7366951985d/eng/common/templates/job/job.yml#L36

Also, an update on the linux musl leg: I tried to run the build with increased verbosity, but that did not work. We are waiting on SBOM folks for that.

RussKie commented 2 years ago

@epananth @dreddy-work please feel free to merge, if these look correct.

Release/6.0 branches (neither public nor internal) for both repos don't appear to have generate-sbom.yml. Is this something coming?

epananth commented 2 years ago

@RussKie Thank you! We have already backported this to arcade release/6.0 (https://github.com/dotnet/arcade/pull/8479); you should have an arcade update for your repo for that.

joeloff commented 2 years ago

@mmitche I talked to @epananth. The SDK SBOM is 1.4 million lines. It crashed VS and VSCode. I finally managed to open it in Notepad++, but reducing the size of the files should be a priority next if possible.

RussKie commented 2 years ago

In dotnet/winforms it's a measly 114K lines... There are a lot of entries for non-prod artifacts (e.g., tests), which could probably be ignored.

zivkan commented 2 years ago

NuGet's PR is merged now, and new builds will generate the sbom file & build artifact. Our next insertion will be next week.

RussKie commented 2 years ago

https://github.com/dotnet/winforms/pull/6759 is merged. https://github.com/dotnet/windowsdesktop/pull/2651 is failing to generate SBOM on "Prepare for publish" leg. See https://dev.azure.com/dnceng/internal/_build/results?buildId=1633615&view=logs&j=5ab303af-16db-5f58-82d4-945dcabe3bb5&t=24962100-60d4-5768-b736-1d1c025ebd15. I'd appreciate guidance.

epananth commented 2 years ago

@RussKie looking into this

MiYanni commented 2 years ago

@epananth The dotnet-project-system has now been verified to have SBOM. The insertion PR hasn't merged yet, but the SBOM check has passed. https://devdiv.visualstudio.com/DevDiv/_git/VS/pullrequest/385416

epananth commented 2 years ago

> @epananth The dotnet-project-system has now been verified to have SBOM. The insertion PR hasn't merged yet, but the SBOM check has passed. https://devdiv.visualstudio.com/DevDiv/_git/VS/pullrequest/385416

Thanks @MiYanni. I updated the list.

hoyosjs commented 2 years ago

Forgot to update - dotnet-symuploader is good. I am not sure who deals with internal-components at the moment.

epananth commented 2 years ago

> Forgot to update - dotnet-symuploader is good. I am not sure who deals with internal-components at the moment.

Thanks @hoyosjs

epananth commented 2 years ago

Calling this done and closing the issue.

Tratcher commented 2 years ago

Completed for aspnetkatana. https://dev.azure.com/dnceng/internal/_build/results?buildId=1700756&view=logs&j=0bc77094-9fcd-5c38-f6e4-27d2ae131589&t=f5edc144-6ff8-5609-0882-2ee7397b69c1

StephenMolloy commented 2 years ago

ASP.Net Classic nuget package pipelines have been updated.