Using dotnet to generate an SBOM

An SBOM (software bill of materials) lists every package a code base pulls in, and that inventory is what lets you check those packages against known CVEs and other vulnerability data. The common SBOM formats are CycloneDX and SPDX; SWID tags are a related software identification format that SBOMs can reference.

In this post, we are going to look at CycloneDX. First install the CycloneDX .NET global tool:

dotnet tool install --global CycloneDX

Then you can generate the SBOM (sbom.xml in this post; XML is the default format) in OUTPUT_DIRECTORY by pointing the tool at a project or solution:

dotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>

To output JSON instead of XML:

dotnet CycloneDX . -o sbom --json

An example output for my test project:

You can then feed the SBOM to a scanner such as trivy, which matches the listed packages against its vulnerability database:

trivy sbom .\sbom.json
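To show what the generated file actually contains and how a scan result can gate a build, here is an added Python example; it is not from the post, the CycloneDX project, or trivy. It parses a small CycloneDX JSON document constructed inline in the shape cyclonedx-dotnet emits, lists the NuGet packages with their package URLs (purls), flags components a purl-based scanner cannot match because they carry no purl, and then reads a constructed trivy report in the shape of trivy's JSON output (field names such as Results, Vulnerabilities, VulnerabilityID, PkgName and Severity are my assumption about that schema; verify against your trivy version) to fail when anything at HIGH or above is found. Package names, versions and vulnerability IDs in the samples are placeholders, not real packages or advisories.

```python
import json

# Constructed CycloneDX 1.4 JSON in the shape `dotnet CycloneDX . -o sbom --json` writes.
# Package names and versions are illustrative placeholders.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "TestProject", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:nuget/ExampleJson@12.0.1", "name": "ExampleJson",
     "version": "12.0.1", "purl": "pkg:nuget/ExampleJson@12.0.1", "scope": "required"},
    {"type": "library", "bom-ref": "pkg:nuget/Example.Logging@2.1.0", "name": "Example.Logging",
     "version": "2.1.0", "purl": "pkg:nuget/Example.Logging@2.1.0", "scope": "required"},
    {"type": "library", "name": "LocalHelpers", "version": "0.1.0"}
  ]
}
""")

# Constructed trivy report in the shape of `trivy sbom --format json sbom.json`.
# Field names are an assumption about trivy's JSON schema; check them against your version.
# Vulnerability IDs are placeholders, not real advisories.
SAMPLE_TRIVY_REPORT = json.loads("""
{
  "Results": [
    {"Target": "sbom.json", "Class": "lang-pkgs", "Type": "nuget",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "ExampleJson", "InstalledVersion": "12.0.1",
        "FixedVersion": "13.0.1", "Severity": "HIGH"},
       {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "Example.Logging", "InstalledVersion": "2.1.0",
        "FixedVersion": "", "Severity": "LOW"}
     ]}
  ]
}
""")

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def validate_bom(bom):
    """Sanity-check the document before handing it to a scanner; returns the spec version."""
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "components" not in bom:
        raise ValueError("no components section; the package restore probably failed")
    return bom["specVersion"]


def list_packages(bom):
    """Return (name, version, purl) for every component; purl is None when the tool emitted none."""
    return [(c["name"], c.get("version"), c.get("purl")) for c in bom.get("components", [])]


def unmatched_components(bom):
    """Components without a purl cannot be matched to advisories by a purl-based scanner."""
    return [c["name"] for c in bom.get("components", []) if not c.get("purl")]


def findings_at_or_above(report, min_severity="HIGH"):
    """Collect (id, package, installed, fixed) for findings at or above the severity threshold."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) >= threshold:
                hits.append((v["VulnerabilityID"], v["PkgName"],
                             v["InstalledVersion"], v.get("FixedVersion") or "none"))
    return hits


def gate(bom, report, min_severity="HIGH"):
    """Exit code for a CI job: 0 when clean, 1 when findings reach the threshold."""
    validate_bom(bom)
    return 1 if findings_at_or_above(report, min_severity) else 0


if __name__ == "__main__":
    print("specVersion:", validate_bom(SAMPLE_BOM))
    for name, version, purl in list_packages(SAMPLE_BOM):
        print(f"  {name} {version} {purl or '(no purl)'}")
    print("not matchable by purl:", unmatched_components(SAMPLE_BOM))
    for vid, pkg, installed, fixed in findings_at_or_above(SAMPLE_TRIVY_REPORT):
        print(f"  {vid}: {pkg} {installed} -> fixed in {fixed}")
    raise SystemExit(gate(SAMPLE_BOM, SAMPLE_TRIVY_REPORT))
```

Against real files, replace the two inline samples with json.load() of sbom.json and of a report written by trivy sbom --format json --output report.json sbom.json. The component without a purl is the caveat worth keeping in mind: project references and locally built assemblies show up in the inventory but produce no advisory matches, so an empty scan result is not the same as a clean one. If all you need is the gate, trivy can do it on its own with --exit-code 1 --severity HIGH,CRITICAL; the script is for when you also want the inventory and the unmatched list in the same job.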




https://github.com/CycloneDX/cyclonedx-dotnet


