Generating SBOM for NuGet packages
A Software Bill of Materials (SBOM) is a list of components in a piece of software. It is a critical part of the software supply chain, as it helps to identify and track the components used in a software project. In this post, I describe how to easily generate a Software Bill of Materials (SBOM) for NuGet packages.
To generate an SBOM for NuGet packages, you can use the Microsoft.Sbom.Targets package. This package runs the Microsoft.SbomTool tool during the build to generate a Software Bill of Materials (SBOM) for the NuGet package. The tool produces an SPDX file that lists all the packages used in the project, along with their licenses and other metadata. The SPDX file is then embedded in the NuGet package, where other tools can consume it.
To use the Microsoft.Sbom.Targets package, add it to your project file, for example:
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>
    <!--
      Other options are available. Read the documentation for more information:
      https://github.com/microsoft/sbom-tool/tree/fd23d6333c92bfc14f0e2c8af6681d178716c345/src/Microsoft.Sbom.Targets
    -->
    <GenerateSBOM>true</GenerateSBOM>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Sbom.Targets" Version="3.0.0" PrivateAssets="All" />
  </ItemGroup>
</Project>
```
After adding the Microsoft.Sbom.Targets package to your project file, build the NuGet package as usual using dotnet pack. The target automatically runs the Microsoft.SbomTool tool and generates the SPDX file. Note that the actual flow is: pack the package, unzip it, generate the SPDX file, and then rezip the package.

```shell
dotnet pack
```
You can open the generated NuGet package with a tool like NuGet Package Explorer, or unzip it, to view the SPDX file.

[Image: NuGet package containing an SPDX file]
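As an added example (not from this post, nor code from sbom-tool or Microsoft.Sbom.Targets), the following Python script performs the same inspection without a GUI: it opens a packed .nupkg as a zip, locates the embedded SPDX manifest, checks it against its SHA-256 sidecar, and lists the declared dependencies, so the check can run in a CI pipeline. The manifest path `_manifest/spdx_2.2/manifest.spdx.json` and the `.sha256` sidecar are assumptions about sbom-tool's output layout, and the sample package is constructed in memory.

```python
import hashlib
import io
import json
import zipfile

# Assumed location of the generated manifest inside the .nupkg (sbom-tool layout).
MANIFEST = "_manifest/spdx_2.2/manifest.spdx.json"


def build_sample_nupkg() -> bytes:
    # Constructed stand-in for a packed .nupkg that embeds an SPDX 2.2 document.
    sbom = {
        "spdxVersion": "SPDX-2.2",
        "name": "MyLib 1.2.3",
        "documentDescribes": ["SPDXRef-RootPackage"],
        "packages": [
            {"SPDXID": "SPDXRef-RootPackage", "name": "MyLib", "versionInfo": "1.2.3"},
            {"SPDXID": "SPDXRef-Package-1", "name": "Newtonsoft.Json",
             "versionInfo": "13.0.3", "licenseConcluded": "MIT"},
        ],
    }
    manifest = json.dumps(sbom).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("MyLib.nuspec", "<package/>")
        z.writestr("lib/net9.0/MyLib.dll", b"MZ")  # placeholder assembly bytes
        z.writestr(MANIFEST, manifest)
        z.writestr(MANIFEST + ".sha256", hashlib.sha256(manifest).hexdigest())
    return buf.getvalue()


def inspect_sbom(nupkg_bytes: bytes) -> dict:
    # Extract the embedded manifest, verify the sidecar hash, and list components.
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        names = set(z.namelist())
        if MANIFEST not in names:
            return {"present": False}
        manifest = z.read(MANIFEST)
        hash_ok = None  # None means no sidecar was shipped with the manifest
        if MANIFEST + ".sha256" in names:
            expected = z.read(MANIFEST + ".sha256").decode().split()[0].lower()
            hash_ok = hashlib.sha256(manifest).hexdigest() == expected
    doc = json.loads(manifest)
    root_ids = set(doc.get("documentDescribes", []))  # the package itself, not a dependency
    deps = [f'{p["name"]}@{p.get("versionInfo", "?")}'
            for p in doc["packages"] if p["SPDXID"] not in root_ids]
    return {"present": True, "spdx_version": doc.get("spdxVersion"),
            "hash_ok": hash_ok, "dependencies": sorted(deps)}
```

To run it against a real package, read the .nupkg from disk and pass its bytes to `inspect_sbom`; a result with `present` false or `hash_ok` false is what a CI gate should fail on.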
# Additional resources