Open robrich opened 1 year ago
The images produced by this tooling are normal container images in every sense, so you can use any SBOM generation tooling that could otherwise detect and report on .NET dependencies.
Here's an example using syft
on a simple WebAPI container generated from this tooling. Note the dotnet
dependencies at the top - these are only mostly correct because Syft doesn't pick the correct data out. We're looking at better SBOM generation across the .NET ecosystem, so this should get better over time.
There's an effort to bake in SBOM generation support into the .NET SDK, which is being tracked at https://github.com/NuGet/Home/issues/12497.
As that progresses, we definitely will figure out what needs to happen to produce SBOMs for generated container images as well.
Prior art here: https://docs.docker.com/engine/sbom/ (though this includes OS libraries, etc that we don't have direct knowledge of here).
How do I get an SBOM for .NET SDK-built OCI image?