microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

Please explain authentication of private feeds #686

Closed georg-eckert-zeiss closed 2 months ago

georg-eckert-zeiss commented 2 months ago

Hi there, could you please tell me how to make sure that sbom-tool can access private feeds? Does it need to do that? I always get this error:

##[warning]Error encountered while fetching license information from API,
 resulting SBOM may have incomplete license information: The request was
 canceled due to the configured HttpClient.Timeout of 30 seconds elapsing.

Can this be the cause? If so - how would I authenticate private NuGet and NPM feeds? I tried with .npmrc (which directory?) and nuget.config with password.

Best regards, Georg

DaveTryon commented 2 months ago

Hi, @georg-eckert-zeiss!

We don't directly provide any mechanism for authentication of private feeds. That said, sbom-tool wraps https://github.com/microsoft/component-detection, which is the code that is querying the feeds for metadata. You might check their documentation and/or ask your question there. If it's something in the environment, you should be able to configure that before calling sbom-tool and you'll be good to go.

If they don't already have this capability, you can open a feature request to see if they can provide it.