dotnet / sdk-container-builds

Libraries and build tooling to create container images from .NET projects using MSBuild
https://learn.microsoft.com/en-us/dotnet/core/docker/publish-as-container
MIT License

SBOM? #459

Open robrich opened 1 year ago

robrich commented 1 year ago

How do I get an SBOM for .NET SDK-built OCI image?

baronfel commented 1 year ago

The images produced by this tooling are normal container images in every sense, so you can use any SBOM generation tooling that could otherwise detect and report on .NET dependencies.

Here's an example using syft on a simple WebAPI container generated from this tooling. Note the dotnet dependencies at the top - these are only mostly correct because Syft doesn't pick the correct data out. We're looking at better SBOM generation across the .NET ecosystem, so this should get better over time.

```
$ syft packages sdk-container-demo:1.0.0
NAME                                         VERSION                      TYPE
DotNet.ReproducibleBuilds                    1.1.1                        dotnet
Microsoft.AspNetCore.App.Runtime.linux-x64   7.0.5                        dotnet
Microsoft.Build.Tasks.Git                    1.1.1                        dotnet
Microsoft.NET.Build.Containers               7.0.400-dev                  dotnet
Microsoft.NETCore.App.Runtime.linux-x64      7.0.5                        dotnet
Microsoft.SourceLink.AzureRepos.Git          1.1.1                        dotnet
Microsoft.SourceLink.Bitbucket.Git           1.1.1                        dotnet
Microsoft.SourceLink.Common                  1.1.1                        dotnet
Microsoft.SourceLink.GitHub                  1.1.1                        dotnet
Microsoft.SourceLink.GitLab                  1.1.1                        dotnet
adduser                                      3.118                        deb
apt                                          2.2.4                        deb
base-files                                   11.1+deb11u7                 deb
base-passwd                                  3.5.51                       deb
bash                                         5.1-2+deb11u1                deb
bsdutils                                     1:2.36.1-8+deb11u1           deb
ca-certificates                              20210119                     deb
coreutils                                    8.32-4+b1                    deb
dash                                         0.5.11+git20200708+dd9ef66-5 deb
debconf                                      1.5.77                       deb
debian-archive-keyring                       2021.1.1+deb11u1             deb
debianutils                                  4.11.2                       deb
diffutils                                    1:3.7-5                      deb
dpkg                                         1.20.12                      deb
e2fsprogs                                    1.46.2-2                     deb
findutils                                    4.8.0-1                      deb
gcc-10-base                                  10.2.1-6                     deb
gcc-9-base                                   9.3.0-22                     deb
gpgv                                         2.2.27-2+deb11u2             deb
grep                                         3.6-1+deb11u1                deb
gzip                                         1.10-4+deb11u1               deb
hostname                                     3.23                         deb
init-system-helpers                          1.60                         deb
libacl1                                      2.2.53-10                    deb
libapt-pkg6.0                                2.2.4                        deb
libattr1                                     1:2.4.48-6                   deb
libaudit-common                              1:3.0-2                      deb
libaudit1                                    1:3.0-2                      deb
libblkid1                                    2.36.1-8+deb11u1             deb
libbz2-1.0                                   1.0.8-4                      deb
libc-bin                                     2.31-13+deb11u6              deb
libc6                                        2.31-13+deb11u6              deb
libcap-ng0                                   0.7.9-2.2+b1                 deb
libcom-err2                                  1.46.2-2                     deb
libcrypt1                                    1:4.4.18-4                   deb
libdb5.3                                     5.3.28+dfsg1-0.8             deb
libdebconfclient0                            0.260                        deb
libext2fs2                                   1.46.2-2                     deb
libffi7                                      3.3-6                        deb
libgcc-s1                                    10.2.1-6                     deb
libgcrypt20                                  1.8.7-6                      deb
libgmp10                                     2:6.2.1+dfsg-1+deb11u1       deb
libgnutls30                                  3.7.1-5+deb11u3              deb
libgpg-error0                                1.38-2                       deb
libgssapi-krb5-2                             1.18.3-6+deb11u3             deb
libhogweed6                                  3.7.3-1                      deb
libicu67                                     67.1-7                       deb
libidn2-0                                    2.3.0-5                      deb
libk5crypto3                                 1.18.3-6+deb11u3             deb
libkeyutils1                                 1.6.1-2                      deb
libkrb5-3                                    1.18.3-6+deb11u3             deb
libkrb5support0                              1.18.3-6+deb11u3             deb
liblz4-1                                     1.9.3-2                      deb
liblzma5                                     5.2.5-2.1~deb11u1            deb
libmount1                                    2.36.1-8+deb11u1             deb
libnettle8                                   3.7.3-1                      deb
libnsl2                                      1.3.0-2                      deb
libp11-kit0                                  0.23.22-1                    deb
libpam-modules                               1.4.0-9+deb11u1              deb
libpam-modules-bin                           1.4.0-9+deb11u1              deb
libpam-runtime                               1.4.0-9+deb11u1              deb
libpam0g                                     1.4.0-9+deb11u1              deb
libpcre2-8-0                                 10.36-2+deb11u1              deb
libpcre3                                     2:8.39-13                    deb
libseccomp2                                  2.5.1-1+deb11u1              deb
libselinux1                                  3.1-3                        deb
libsemanage-common                           3.1-1                        deb
libsemanage1                                 3.1-1+b2                     deb
libsepol1                                    3.1-1                        deb
libsmartcols1                                2.36.1-8+deb11u1             deb
libss2                                       1.46.2-2                     deb
libssl1.1                                    1.1.1n-0+deb11u4             deb
libstdc++6                                   10.2.1-6                     deb
libsystemd0                                  247.3-7+deb11u2              deb
libtasn1-6                                   4.16.0-2+deb11u1             deb
libtinfo6                                    6.2+20201114-2+deb11u1       deb
libtirpc-common                              1.3.1-1+deb11u1              deb
libtirpc3                                    1.3.1-1+deb11u1              deb
libudev1                                     247.3-7+deb11u2              deb
libunistring2                                0.9.10-4                     deb
libuuid1                                     2.36.1-8+deb11u1             deb
libxxhash0                                   0.8.0-2                      deb
libzstd1                                     1.4.8+dfsg-2.1               deb
login                                        1:4.8.1-1                    deb
logsave                                      1.46.2-2                     deb
lsb-base                                     11.1.0                       deb
mawk                                         1.3.4.20200120-2             deb
mount                                        2.36.1-8+deb11u1             deb
ncurses-base                                 6.2+20201114-2+deb11u1       deb
ncurses-bin                                  6.2+20201114-2+deb11u1       deb
openssl                                      1.1.1n-0+deb11u4             deb
passwd                                       1:4.8.1-1                    deb
perl-base                                    5.32.1-4+deb11u2             deb
sed                                          4.7-1                        deb
sysvinit-utils                               2.96-7+deb11u1               deb
tar                                          1.34+dfsg-1                  deb
tzdata                                       2021a-1+deb11u10             deb
util-linux                                   2.36.1-8+deb11u1             deb
zlib1g                                       1:1.2.11.dfsg-2+deb11u2      deb
```

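Editor's note on the listing above. The `dotnet` rows come from the `*.deps.json` file the SDK publishes next to the app, which lists the whole restore graph, not only the files that ship. That is why build-time-only packages such as `Microsoft.SourceLink.*` and `DotNet.ReproducibleBuilds`, which contribute nothing to the image, appear alongside the runtime pack. The script below is an added example, not code from sdk-container-builds or from syft: it parses a constructed `deps.json`, separates libraries that actually ship `runtime`/`native` assets from those that do not, and emits a minimal CycloneDX 1.4 document with `pkg:nuget` purls and the SHA-512 from `deps.json` converted to hex. The property names under `properties` and the sample package data are this example's own assumptions.

```python
"""Minimal CycloneDX 1.4 SBOM from a published .NET app's *.deps.json.

Added example for this thread (not sdk-container-builds or syft code). It shows
why a deps.json-derived listing over-reports: the file includes build-only
packages (SourceLink, analyzers) that ship no files into the container image.
"""
import base64
import hashlib
import json

# Constructed sample; the one package hash is computed here so it is verifiable.
_NUPKG_BYTES = b"constructed nupkg bytes"
EXPECTED_NUPKG_SHA512_HEX = hashlib.sha512(_NUPKG_BYTES).hexdigest()
_DEPS_SHA512 = "sha512-" + base64.b64encode(hashlib.sha512(_NUPKG_BYTES).digest()).decode()
_TFM = ".NETCoreApp,Version=v7.0/linux-x64"

SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": _TFM, "signature": ""},
    "targets": {_TFM: {
        "WebApi/1.0.0": {
            "dependencies": {"Newtonsoft.Json": "13.0.3", "Microsoft.SourceLink.GitHub": "1.1.1"},
            "runtime": {"WebApi.dll": {}},
        },
        "Newtonsoft.Json/13.0.3": {
            "runtime": {"lib/netstandard2.0/Newtonsoft.Json.dll": {"assemblyVersion": "13.0.0.0"}},
        },
        # Build-time-only packages: in the graph, but no runtime/native assets.
        "Microsoft.SourceLink.GitHub/1.1.1": {"dependencies": {"Microsoft.SourceLink.Common": "1.1.1"}},
        "Microsoft.SourceLink.Common/1.1.1": {},
        # Self-contained publish lists the runtime pack as its own library.
        "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/7.0.5": {
            "runtime": {"System.Private.CoreLib.dll": {"assemblyVersion": "7.0.0.0"}},
            "native": {"libcoreclr.so": {}},
        },
    }},
    "libraries": {
        "WebApi/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "Newtonsoft.Json/13.0.3": {"type": "package", "serviceable": True, "sha512": _DEPS_SHA512},
        "Microsoft.SourceLink.GitHub/1.1.1": {"type": "package", "serviceable": True, "sha512": ""},
        "Microsoft.SourceLink.Common/1.1.1": {"type": "package", "serviceable": True, "sha512": ""},
        "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/7.0.5": {
            "type": "runtimepack", "serviceable": False, "sha512": ""},
    },
})


def _split_key(key):
    """'Name/Version' -> ('Name', 'Version'); runtime packs lose the 'runtimepack.' prefix."""
    name, _, version = key.rpartition("/")
    if name.startswith("runtimepack."):
        name = name[len("runtimepack."):]
    return name, version


def _sha512_hex(deps_value):
    """deps.json stores 'sha512-<base64>'; CycloneDX hashes want lowercase hex."""
    if not deps_value.startswith("sha512-"):
        return None
    return base64.b64decode(deps_value[len("sha512-"):]).hex()


def _ships_files(target_entry):
    return bool(target_entry.get("runtime") or target_entry.get("native") or target_entry.get("resources"))


def build_only_packages(deps_json_text):
    """Libraries present in the restore graph that put no file into the published output."""
    deps = json.loads(deps_json_text)
    target = deps["targets"][deps["runtimeTarget"]["name"]]
    return sorted(k for k, lib in deps["libraries"].items()
                  if lib["type"] != "project" and not _ships_files(target.get(k, {})))


def deps_to_cyclonedx(deps_json_text, include_build_only=False):
    """Return a CycloneDX 1.4 dict; by default only libraries that ship files become components."""
    deps = json.loads(deps_json_text)
    target = deps["targets"][deps["runtimeTarget"]["name"]]
    components, app = [], None
    for key, lib in deps["libraries"].items():
        name, version = _split_key(key)
        if lib["type"] == "project":
            app = {"type": "application", "name": name, "version": version}
            continue
        ships = _ships_files(target.get(key, {}))
        if not ships and not include_build_only:
            continue
        comp = {
            "type": "library", "name": name, "version": version,
            "purl": f"pkg:nuget/{name}@{version}",
            # Property names are this example's convention, not a CycloneDX standard.
            "properties": [{"name": "dotnet:deps-json:type", "value": lib["type"]},
                           {"name": "dotnet:ships-runtime-assets", "value": str(ships).lower()}],
        }
        digest = _sha512_hex(lib.get("sha512", ""))
        if digest:
            comp["hashes"] = [{"alg": "SHA-512", "content": digest}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": app}, "components": components}


if __name__ == "__main__":
    print("build-only (not in image):", build_only_packages(SAMPLE_DEPS_JSON))
    print(json.dumps(deps_to_cyclonedx(SAMPLE_DEPS_JSON), indent=2))
```

Run against a real app's `bin/Release/<tfm>/<rid>/publish/*.deps.json` (path assumed) and diff the component list against the scanner's `dotnet` rows: entries the scanner reports but this script classifies as build-only are the over-reporting the comment above describes. The `sha512` field is empty for the project and runtime pack in `deps.json`, so those components legitimately carry no hash.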
baronfel commented 6 months ago

There's an effort to bake in SBOM generation support into the .NET SDK, which is being tracked at https://github.com/NuGet/Home/issues/12497.

As that progresses, we definitely will figure out what needs to happen to produce SBOMs for generated container images as well.

Prior art here: https://docs.docker.com/engine/sbom/ (though this includes OS libraries, etc that we don't have direct knowledge of here).