Jan 08, 2025 azure

Creating SBOM with sbom-tool and CycloneDX on Azure DevOps

What is SBOM?

A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open-source and proprietary software components. It is the software analogue of the traditional manufacturing bill of materials (BOM), which is used as part of supply chain management.[1]

An SBOM lets builders make sure open-source and third-party components are up to date, and lets them respond quickly when a new vulnerability is published against one of them. Buyers and other stakeholders can use an SBOM for vulnerability or license analysis, which feeds into evaluating and managing the risk of a product.[2]

While many companies use a spreadsheet for general BOM management, an SBOM kept in a spreadsheet carries additional risks and issues. Best practice is to store SBOMs collectively in a repository that can be part of other automation systems and can easily be queried by other applications.[3]

Why do organizations need a Software Bill of Materials?

High-profile security breaches like Codecov, Kaseya, and most recently Apache Log4j – all supply chain attacks – prompted President Biden to issue a cybersecurity executive order (EO) detailing guidelines for how federal departments, agencies, and contractors doing business with the government must secure their software. Among the recommendations was a requirement for SBOMs, to ensure the safety and integrity of software applications used by the federal government.[4]

So far we have covered what a Software Bill of Materials is and what it is used for. Let's add SBOM creation to an existing Azure DevOps pipeline. I will start by creating an SBOM in JSON with Microsoft's SBOM Tool.

Adding SBOM generation to an Azure DevOps Pipeline with SBOM Tool

SBOM Tool has documentation for adding SBOM generation to an Azure DevOps pipeline, which I followed. I changed the pool's vmImage to ubuntu-latest and added the following two tasks (shown here together with the surrounding build steps) under the steps of my WinamptoSpotify.yml. Note that the script downloads the "latest" release of sbom-tool unpinned and unverified; for a reproducible pipeline, pin a release tag and compare the downloaded binary's hash against one you recorded.

pool:
  vmImage: ubuntu-latest

steps:
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '8.x'

- script: |
    dotnet build $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/WinampToSpotifyWeb.csproj --output $(Build.ArtifactStagingDirectory)
  displayName: 'Build the project'

# -b   build drop to scan (the files under it are listed in the SBOM)
# -bc  source tree whose package references become SPDX packages
# -pn / -pv / -ps  package name, version and supplier recorded in the document
# -nsb base URI used to form the SPDX document namespace
# The 'latest' download is unpinned; pin a release tag and check the binary's
# hash when the pipeline has to be reproducible.
- script: |
    curl -Lo $(Agent.TempDirectory)/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
    chmod +x $(Agent.TempDirectory)/sbom-tool
    $(Agent.TempDirectory)/sbom-tool generate -b $(Build.ArtifactStagingDirectory) -bc $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/ -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose
  displayName: Generate SBOM with sbom-tool

- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'drop'
    publishLocation: 'Container'

After the run, the SBOM is in the published artifact under Artifacts -> drop -> _manifest -> spdx_2.2 -> manifest.spdx.json.

I discovered a website, the Rancher SBOM Viewer, that visualizes JSON-format SBOM reports.

After downloading the JSON to my computer, I uploaded the file to the Rancher SBOM Viewer. The output is below; it shows all package references with version and license.

Adding SBOM generation to an Azure DevOps Pipeline with the CycloneDX module for .NET

The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.[5]

Usage

CycloneDX for .NET is distributed via NuGet and Docker Hub.

Installing via NuGet

dotnet tool install --global CycloneDX

The following command recursively scans the directory structure for packages.config and creates a BOM:

dotnet CycloneDX /path/to/project -o /output/path
Based on these instructions I added the following two tasks to my WinamptoSpotify.yml.

- task: CmdLine@2
  displayName: 'Install CycloneDX dotnet tool'
  inputs:
    # --global installs the tool under ~/.dotnet/tools; that directory must be on PATH
    # (-g is the short form of --global, so passing both is redundant)
    script: 'dotnet tool install --global CycloneDX'

# --json switches the output from the default XML to bom.json
- script: |
    dotnet CycloneDX $(System.DefaultWorkingDirectory)/WinamptoSpotifyWeb/WinampToSpotifyWeb.csproj --json --output $(Build.ArtifactStagingDirectory)
  displayName: Generate SBOM with CycloneDX

The default output format of dotnet CycloneDX is XML; the --json argument switches it to JSON.

The generated file appears under Artifacts -> drop -> bom.json.

The Rancher SBOM Viewer output for bom.json is below:
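Viewing the two files in a browser is fine for a one-off look, but the "store SBOMs somewhere they can be queried" practice from the start of the post only pays off once the query is automated. The script below is an added example and is not code from the original post, from sbom-tool or from CycloneDX: it normalises the SPDX 2.2 JSON that sbom-tool writes and the CycloneDX JSON that dotnet CycloneDX writes into one component list, answers the question a new advisory poses (which build carries package X below the fixed version?), and diffs the two inventories of the same build, since two generators rarely count exactly the same packages. The embedded documents are constructed and trimmed to the standard SPDX 2.2 and CycloneDX 1.4 fields the script reads; the package names Example.Http, Example.Logging and Example.Transitive and the "fixed in 4.2.0" threshold are made up for the demonstration.

```python
"""Query and diff the two SBOMs the pipeline drops: sbom-tool's SPDX 2.2 JSON
(manifest.spdx.json) and dotnet CycloneDX's JSON (bom.json). Added example;
the sample documents below are constructed, not real tool output."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    purl: str


def _spdx_pkg(spdxid, name, version, lic):
    # Constructed SPDX 2.2 package entry carrying a purl external reference.
    return {"SPDXID": spdxid, "name": name, "versionInfo": version,
            "licenseConcluded": lic,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": f"pkg:nuget/{name}@{version}"}]}


# Stand-in for manifest.spdx.json (constructed, names made up): the root
# package is the build itself, the rest are its dependencies.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.2",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "Test", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION", "externalRefs": []},
        _spdx_pkg("SPDXRef-Package-1", "Example.Http", "4.1.0", "MIT"),
        _spdx_pkg("SPDXRef-Package-2", "Example.Logging", "2.0.3", "Apache-2.0"),
    ],
}

# Stand-in for bom.json (constructed), with one extra transitive package so
# the inventory diff below has something to report.
CDX_DOC = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "Example.Http", "version": "4.1.0",
         "purl": "pkg:nuget/Example.Http@4.1.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "Example.Logging", "version": "2.0.3",
         "purl": "pkg:nuget/Example.Logging@2.0.3", "licenses": [{"expression": "Apache-2.0"}]},
        {"type": "library", "name": "Example.Transitive", "version": "1.2.0",
         "purl": "pkg:nuget/Example.Transitive@1.2.0", "licenses": []},
    ],
}


def _spdx_purl(pkg):
    """Package URL from externalRefs, or '' when the generator recorded none."""
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), "")


def parse_spdx(doc):
    """SPDX 2.2: dependencies are 'packages' minus the described root(s)."""
    roots = set(doc.get("documentDescribes", []))
    return [Component(p["name"], p.get("versionInfo", ""),
                      p.get("licenseConcluded", "NOASSERTION"), _spdx_purl(p))
            for p in doc.get("packages", []) if p.get("SPDXID") not in roots]


def _cdx_license(component):
    """First license of a CycloneDX component: expression, SPDX id or name."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found = entry.get("expression") or lic.get("id") or lic.get("name")
        if found:
            return found
    return "NOASSERTION"


def parse_cyclonedx(doc):
    """CycloneDX: every entry of 'components' is one dependency."""
    return [Component(c["name"], c.get("version", ""), _cdx_license(c), c.get("purl", ""))
            for c in doc.get("components", [])]


def load_components(path):
    """Read either file from the drop, dispatching on its format marker field."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return parse_spdx(doc)
    raise ValueError(f"{path}: neither CycloneDX nor SPDX JSON")


def version_key(version):
    """Numeric tuple for ordering; pre-release and build tags are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def find_affected(components, package, fixed_in):
    """New-advisory query: copies of `package` older than `fixed_in` (NuGet ids are case-insensitive)."""
    return [c for c in components if c.name.lower() == package.lower()
            and version_key(c.version) < version_key(fixed_in)]


def diff_inventories(a, b):
    """(only in a, only in b), keyed on lower-cased package id plus version."""
    ka, kb = ({(c.name.lower(), c.version): c for c in x} for x in (a, b))
    return ([ka[k] for k in sorted(ka.keys() - kb.keys())],
            [kb[k] for k in sorted(kb.keys() - ka.keys())])
```

Against the real drop, load_components("_manifest/spdx_2.2/manifest.spdx.json") and load_components("bom.json") return the same Component shape, so the advisory query and the diff run unchanged over both. Two caveats: version_key orders only the numeric core, so a pre-release such as 4.2.0-beta1 compares equal to 4.2.0 and a hit on one deserves a manual look; and a non-empty diff is not necessarily a bug in either tool, it usually means the two generators disagree about which files count as dependencies, which is exactly the kind of discrepancy worth resolving before the SBOM is handed to anyone.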

  • [1] https://en.wikipedia.org/wiki/Software_supply_chain
  • [2] https://en.wikipedia.org/wiki/Software_supply_chain
  • [3] https://en.wikipedia.org/wiki/Software_supply_chain
  • [4] https://www.blackduck.com/blog/software-bill-of-materials-bom.html
  • [5] https://github.com/CycloneDX/cyclonedx-dotnet