Microsoft.Sbom.Targets 2.2.8 doesn't find the names of referenced NuGet packages when I use it with .NET SDK 8.0.304 in a project that specifies artifacts output layout in Directory.Build.props:
Specifically, the NuGet and NuGetProjectCentric component detectors do not detect any components in this case.
The component detectors search for files such as project.assets.json in $(SbomGenerationBuildComponentPath), whose default value is $(MSBuildProjectDirectory) here: https://github.com/microsoft/sbom-tool/blob/08ba73d303228eb4d92a6a5f75350d78230bca30/src/Microsoft.Sbom.Targets/Microsoft.Sbom.Targets.targets#L20
When the artifacts output layout is used, project.assets.json is not within $(MSBuildProjectDirectory) so it is not found during component detection.
It seems I can work around the incompatibility by setting <SbomGenerationBuildComponentPath>$(BaseIntermediateOutputPath)</SbomGenerationBuildComponentPath>, but I'm not sure whether that could break something else. Perhaps it'll break detection of third-party non-NuGet components that have been copied into the project source directory.
Fixing this properly may require changing https://github.com/microsoft/component-detection/ so that the artifacts path can be passed as a separate parameter and each component detector can then decide whether to search for files in the source directory, in the artifacts directory, or both.
Originally posted by @KalleOlaviNiemitalo in https://github.com/microsoft/sbom-tool/issues/693#issuecomment-2340562147
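The scan-root mismatch reported above, as an added example that is not code from sbom-tool or component-detection: a simplified model that scans a constructed repository once from the project directory (the default root) and once from the obj directory (the workaround root), showing which manifests each root can see. The directory names, package ids and the MANIFESTS list are assumptions made for the illustration.

```python
import json
import tempfile
from pathlib import Path

# File names a scan looks for in this model (assumption, not the real detector list).
MANIFESTS = ("project.assets.json", "package-lock.json")


def scan(scan_root):
    """Model of a detector run rooted at scan_root: return (manifest file
    names found, NuGet "name/version" ids read from project.assets.json)."""
    seen, packages = set(), set()
    for path in Path(scan_root).rglob("*.json"):
        if path.name not in MANIFESTS:
            continue
        seen.add(path.name)
        if path.name == "project.assets.json":
            libs = json.loads(path.read_text(encoding="utf-8")).get("libraries", {})
            packages |= {k for k, v in libs.items() if v.get("type") == "package"}
    return sorted(seen), sorted(packages)


def build_constructed_repo(root):
    """Constructed repo in the artifacts output layout: sources in src/App,
    restore output (project.assets.json) in artifacts/obj/App."""
    project_dir = Path(root) / "src" / "App"
    obj_dir = Path(root) / "artifacts" / "obj" / "App"
    (project_dir / "vendor").mkdir(parents=True)
    obj_dir.mkdir(parents=True)
    # Vendored non-NuGet component copied into the source tree (constructed).
    (project_dir / "vendor" / "package-lock.json").write_text("{}")
    assets = {"version": 3, "libraries": {
        "Example.Package/1.2.3": {"type": "package"},   # constructed id
        "Example.Lib/1.0.0": {"type": "project"},       # project reference
    }}
    (obj_dir / "project.assets.json").write_text(json.dumps(assets))
    return project_dir, obj_dir


def compare_scan_roots():
    """Return scan results for the default root and the workaround root."""
    with tempfile.TemporaryDirectory() as tmp:
        project_dir, obj_dir = build_constructed_repo(tmp)
        return scan(project_dir), scan(obj_dir)


if __name__ == "__main__":
    default, workaround = compare_scan_roots()
    print("project directory:", default)
    print("obj directory:    ", workaround)
```

Running the same comparison against a real checkout before and after changing SbomGenerationBuildComponentPath shows whether the generated SBOM gains the NuGet packages and whether anything under the source tree drops out of scope.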