Unofficial Azure DevOps extension for microsoft/sbom-tool. Use this task to:
- Generate SPDX 2.2 compatible SBOMs from Azure DevOps repository build artifacts;
- Check package dependencies for known vulnerabilities against the GitHub Advisory Database;
- Graph manifest files, packages, dependencies, and security vulnerabilities as an SVG image;
- Export manifest files, packages, dependencies, and security vulnerabilities as an XLSX spreadsheet.
Install the extension from the Visual Studio marketplace.
In YAML pipelines:
```yaml
jobs:
- job: publish
  steps:
  - task: DotNetCoreCLI@2
    displayName: 'Publish project'
    inputs:
      command: 'publish'
      publishWebProjects: true
      arguments: '--output "$(Build.ArtifactStagingDirectory)"'
  - task: sbom-tool@1
    displayName: 'Generate project SBOM manifest'
    inputs:
      command: 'generate'
      buildSourcePath: '$(Build.SourcesDirectory)'
      buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
      enablePackageMetadataParsing: true
      fetchLicenseInformation: true
      fetchSecurityAdvisories: true
      gitHubConnection: 'GitHub Advisory Database Connection'
      packageSupplier: 'MyOrganisation'
      packageName: 'MyPackage'
      packageVersion: '$(Build.BuildNumber)'
  - task: PublishBuildArtifacts@1
    displayName: 'Publish artifacts'
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'drop'
      publishLocation: 'Container'
```
The SBOM manifest files will be uploaded to the `_manifest` folder of the build pipeline artifact container.
The SBOM tab on the build result page provides a summary of key information within the manifest, including options to export files, dependencies, and security advisories to an SVG image or XLSX spreadsheet.
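The manifest the task publishes is a standard SPDX 2.2 JSON document, so the same information the SBOM tab summarises can be consumed by a downstream script. The example below is added here and is not code from the extension or from microsoft/sbom-tool: it parses an SPDX 2.2 JSON document, resolves `DEPENDS_ON` relationships into a dependency graph, collects the purls that an advisory lookup would be keyed on, flags dependencies that cannot be matched to an advisory (no version or no purl, so a clean result for them proves nothing), and emits Graphviz DOT that `dot -Tsvg` renders to an SVG like the one the tab exports. The sample SPDX document is constructed; the default output path `_manifest/spdx_2.2/manifest.spdx.json` mentioned in the comments is an assumption about sbom-tool's layout, not something this page states.

```python
"""Summarise an SPDX 2.2 JSON manifest such as the one sbom-tool writes.

Added example, not part of the extension or sbom-tool. Assumes the SPDX 2.2
JSON schema (packages, relationships, externalRefs with purl locators). The
path _manifest/spdx_2.2/manifest.spdx.json is an assumed default location.
"""
import json

# Constructed sample: a root package with two dependencies, one of which
# lacks a version and a purl and therefore cannot be matched to advisories.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "MyPackage 1.0.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "MyPackage", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION", "supplier": "Organization: MyOrganisation"},
        {"SPDXID": "SPDXRef-Package-A", "name": "Newtonsoft.Json", "versionInfo": "13.0.1",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Newtonsoft.Json@13.0.1"}]},
        {"SPDXID": "SPDXRef-Package-B", "name": "Example.Unknown",
         "licenseConcluded": "NOASSERTION", "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-A"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-B"},
    ],
})


def load_manifest(text: str) -> dict:
    """Parse SPDX JSON and reject anything that is not an SPDX 2.2 document."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.2":
        raise ValueError(f"unexpected spdxVersion: {doc.get('spdxVersion')!r}")
    return doc


def package_index(doc: dict) -> dict:
    """Map SPDXID -> package entry so relationships can be resolved to names."""
    return {pkg["SPDXID"]: pkg for pkg in doc.get("packages", [])}


def dependency_edges(doc: dict) -> list:
    """Return (dependent, dependency) name pairs from DEPENDS_ON relationships."""
    index = package_index(doc)
    edges = []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") != "DEPENDS_ON":
            continue
        src = index.get(rel["spdxElementId"])
        dst = index.get(rel["relatedSpdxElement"])
        if src and dst:  # skip relationships that point at files or external documents
            edges.append((src["name"], dst["name"]))
    return edges


def purl_of(pkg: dict):
    """Return the package's purl locator, or None if none is recorded."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def purls(doc: dict) -> list:
    """Collect the purls an advisory database lookup would be keyed on."""
    return [p for p in (purl_of(pkg) for pkg in doc.get("packages", [])) if p]


def find_gaps(doc: dict) -> dict:
    """Flag dependencies lacking the data needed to match them to advisories.

    Without a version or a purl a package cannot be compared against a
    vulnerable version range. Root packages from documentDescribes are skipped.
    """
    roots = set(doc.get("documentDescribes", []))
    gaps = {}
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] in roots:
            continue
        reasons = []
        if not pkg.get("versionInfo"):
            reasons.append("no versionInfo")
        if purl_of(pkg) is None:
            reasons.append("no purl")
        if reasons:
            gaps[pkg["name"]] = reasons
    return gaps


def to_dot(doc: dict) -> str:
    """Render the dependency graph as Graphviz DOT (dot -Tsvg turns it into SVG)."""
    lines = ["digraph sbom {", "  rankdir=LR;"]
    for pkg in doc.get("packages", []):
        label = f"{pkg['name']}\\n{pkg.get('versionInfo', '?')}"
        lines.append(f'  "{pkg["name"]}" [label="{label}"];')
    for src, dst in dependency_edges(doc):
        lines.append(f'  "{src}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    manifest = load_manifest(SAMPLE_SPDX)
    print("purls for advisory lookup:", purls(manifest))
    print("packages that cannot be matched:", find_gaps(manifest))
    print(to_dot(manifest))
```

Replace `SAMPLE_SPDX` with the contents of the downloaded manifest to run this against a real build; `find_gaps` is the check worth wiring into a gate, because the advisory scan only covers packages it can identify by purl and version.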