Posts

Showing posts from December, 2024

using dotnet to generate SBOM

An SBOM (software bill of materials) is really useful for ensuring we are using secure packages in our code base. This involves being aware of any CVEs or vulnerable packages, and this is where an SBOM comes into the picture. There are several formats and tools you can use, such as CycloneDX, SPDX and SWID. In this post, we are going to look at CycloneDX.

Install the tool:

    dotnet tool install --global CycloneDX

Then you can generate sbom.xml (the default) in OUTPUT_DIRECTORY:

    dotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>

To output JSON instead of XML:

    dotnet CycloneDX . -o sbom --json

Once you have an output like the one from my test project, you can use a tool like trivy to check it for vulnerabilities:

    trivy sbom .\sbom.json

https://github.com/CycloneDX/cyclonedx-dotnet
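To show what a scanner such as trivy actually does with the generated file, here is an added example (not code from the post or from the CycloneDX project) that parses a CycloneDX JSON SBOM and matches each component's purl against a local advisory list. The SBOM document, the package names and the advisory ids (EXAMPLE-0001, EXAMPLE-0002) are all constructed for the demo and are not real packages or CVEs; a real scanner pulls its advisories from a vulnerability database.

```python
"""Parse a CycloneDX JSON SBOM and match its components against an advisory list."""
import json

# Constructed sample in the CycloneDX 1.5 JSON layout; the package names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "Example.Json", "version": "12.0.1",
         "purl": "pkg:nuget/Example.Json@12.0.1"},
        {"type": "library", "name": "Example.Logging", "version": "2.3.0",
         "purl": "pkg:nuget/Example.Logging@2.3.0"},
    ],
})

# Constructed advisories (placeholder ids, not real CVEs): affected package and the
# first version that contains the fix.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:nuget/Example.Json", "fixed_in": "13.0.1"},
    {"id": "EXAMPLE-0002", "package": "pkg:nuget/Example.Logging", "fixed_in": "2.0.0"},
]


def parse_version(version):
    """Turn '12.0.1' into (12, 0, 1) so versions compare numerically, not as strings.
    Non-numeric parts (pre-release tags) are treated as 0 in this simplified parser."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_components(sbom_text):
    """Return (purl without version, version) pairs for every component in the SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for component in bom.get("components", []):
        purl = component.get("purl", "")
        base = purl.split("@", 1)[0]  # strip the @version suffix
        components.append((base, component.get("version", "")))
    return components


def find_vulnerable(sbom_text, advisories):
    """Return (advisory id, package, version) for components below the fixed version."""
    hits = []
    for base, version in load_components(sbom_text):
        for advisory in advisories:
            if advisory["package"] == base and \
                    parse_version(version) < parse_version(advisory["fixed_in"]):
                hits.append((advisory["id"], base, version))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print("affected:", hit)
```

The matching key is the purl rather than the display name, because the purl also carries the ecosystem (pkg:nuget/...), so a NuGet package and an npm package that happen to share a name are not confused.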

nuget creating a package lock

When you add a NuGet package to a project, NuGet can create a lock file that records the exact versions of all installed packages and their dependencies. For projects using PackageReference, this file is named packages.lock.json, while for those using packages.config, it is packages.config.lock. To generate the packages.lock.json file, you must explicitly set the RestorePackagesWithLockFile property to true in the .csproj file. This ensures consistent package versions across environments such as development, testing, and production. Furthermore, the lock file enhances security by including a hash of each package's archive, which helps to verify its integrity and safeguards against supply chain attacks involving open-source software.
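The integrity check the paragraph describes can be reproduced by hand. The following is an added example (not code from the post or from NuGet itself) that builds a minimal packages.lock.json and then verifies each contentHash against the archive bytes. It assumes, as NuGet does, that contentHash is the base64-encoded SHA-512 of the whole .nupkg file; the package name, the net8.0 target framework and the archive bytes are constructed stand-ins for the demo.

```python
"""Verify the contentHash entries of a NuGet packages.lock.json against .nupkg bytes."""
import base64
import hashlib
import json


def nupkg_content_hash(archive_bytes):
    """NuGet's contentHash is the base64 SHA-512 digest of the whole .nupkg archive."""
    return base64.b64encode(hashlib.sha512(archive_bytes).digest()).decode("ascii")


def build_lock_file(packages, framework="net8.0"):
    """Build a minimal packages.lock.json (format version 1) for {(name, version): bytes}."""
    dependencies = {}
    for (name, version), archive_bytes in packages.items():
        dependencies[name] = {
            "type": "Direct",
            "requested": f"[{version}, )",
            "resolved": version,
            "contentHash": nupkg_content_hash(archive_bytes),
        }
    return json.dumps({"version": 1, "dependencies": {framework: dependencies}}, indent=2)


def verify_lock_file(lock_text, packages):
    """Return (name, resolved version) for every entry whose archive bytes are missing
    or do not match the recorded contentHash; an empty list means everything checks out."""
    lock = json.loads(lock_text)
    mismatches = []
    for _framework, dependencies in lock["dependencies"].items():
        for name, entry in dependencies.items():
            if entry.get("type") == "Project":
                continue  # project references carry no contentHash
            archive_bytes = packages.get((name, entry["resolved"]))
            if archive_bytes is None or nupkg_content_hash(archive_bytes) != entry["contentHash"]:
                mismatches.append((name, entry["resolved"]))
    return mismatches


# Constructed stand-ins for archive bytes (a real .nupkg is a zip archive).
GOOD_PACKAGES = {("Example.Json", "13.0.1"): b"PK\x03\x04 example archive bytes"}
LOCK_TEXT = build_lock_file(GOOD_PACKAGES)
# Same name and version, different bytes: this is what a substituted package looks like.
TAMPERED_PACKAGES = {("Example.Json", "13.0.1"): b"PK\x03\x04 example archive bytes, altered"}


if __name__ == "__main__":
    print(LOCK_TEXT)
    print("good:", verify_lock_file(LOCK_TEXT, GOOD_PACKAGES))
    print("tampered:", verify_lock_file(LOCK_TEXT, TAMPERED_PACKAGES))
```

In a CI pipeline the same effect comes from restoring with the lock file in locked mode, so that a package whose hash no longer matches fails the restore instead of being silently accepted.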

KC - identifying user offline session created in keycloak using session id

When Keycloak issues a JWT token with a session id, you may want to query it against the database to check whether the session was really created. In the JWT token you can see we have a session id. Copy the session id and you can look it up in your database by running the following command:

    select * from kc_ispn_offlineClientSession where id='your-session-id-in-JWT-token'
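Rather than copying the id by hand into a query string, the lookup can be scripted. The following is an added example (not code from the post or from Keycloak) that decodes the JWT payload, reads the session id and runs a parameterized query against the table named in the post. It assumes the session id sits in the sid claim (Keycloak also exposes it in the older session_state claim), and it uses a constructed in-memory SQLite table whose only known column is id; the data column, the sample token and the session id value are stand-ins for the demo. Decoding the payload is not signature verification, so the claims are only being used to drive a lookup, not trusted.

```python
"""Look up an offline client session by the session id carried in a Keycloak JWT."""
import base64
import json
import sqlite3


def _b64url(raw):
    """base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Return the payload claims of a compact JWS. This only decodes the middle segment;
    it does NOT verify the signature, so treat the result as untrusted input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_id_from_token(token):
    """Keycloak carries the session id in 'sid' (older releases: 'session_state')."""
    claims = decode_jwt_payload(token)
    sid = claims.get("sid") or claims.get("session_state")
    if not sid:
        raise KeyError("token carries no session id claim")
    return sid


def find_offline_session(conn, session_id):
    """Parameterized lookup; the claim value is never interpolated into the SQL text."""
    cur = conn.execute(
        "SELECT id FROM kc_ispn_offlineClientSession WHERE id = ?", (session_id,))
    return cur.fetchall()


# Constructed sample session id and token; a real token is signed by Keycloak.
SAMPLE_SID = "6f1c2b3a-0000-4000-8000-000000000001"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "user-1", "sid": SAMPLE_SID}).encode()),
    "constructed-signature",
])


def make_sample_db():
    """In-memory stand-in for the Keycloak table; the data column is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE kc_ispn_offlineClientSession (id TEXT PRIMARY KEY, data BLOB)")
    conn.execute("INSERT INTO kc_ispn_offlineClientSession VALUES (?, ?)",
                 (SAMPLE_SID, b"constructed session blob"))
    conn.commit()
    return conn


if __name__ == "__main__":
    sid = session_id_from_token(SAMPLE_TOKEN)
    print("session id from token:", sid)
    print("rows found:", find_offline_session(make_sample_db(), sid))
```

An empty result for a session id taken from a freshly issued token is worth investigating: either the token was not produced by this Keycloak instance, or the session was created as an online session and never persisted to the offline table.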