Generate SBOM for nuget packages #1752
Draft
+20
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SimonCropp
reviewed
May 12, 2025
SimonCropp
reviewed
Jun 3, 2025
| <ItemGroup> | ||
| <PackageReference Include="Microsoft.TestPlatform.ObjectModel" /> | ||
| <PackageReference Include="NuGet.Frameworks" /> | ||
| <PackageReference Include="Microsoft.Sbom.Targets"> |
There was a problem hiding this comment.
i prefer the more compact version of this. 1 line compared to 4
<PackageReference Include="Microsoft.Sbom.Targets" PrivateAssets="all" />
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for generating SBOM files for NuGet packages across multiple projects by enabling SBOM generation during CI builds and adding the required package references.
- Added the property driven by the TF_BUILD environment variable in three csproj files.
- Included a PackageReference to Microsoft.Sbom.Targets with appropriate PrivateAssets and IncludeAssets settings in the csproj files.
- Updated Directory.Packages.props to pin the Microsoft.Sbom.Targets package version.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj | Added GenerateSBOM property and Microsoft.Sbom.Targets package reference for SBOM generation. |
| src/coverlet.console/coverlet.console.csproj | Enabled SBOM generation and added Microsoft.Sbom.Targets package reference. |
| src/coverlet.collector/coverlet.collector.csproj | Introduced the GenerateSBOM flag and added Microsoft.Sbom.Targets package reference. |
| Directory.Packages.props | Added package version for Microsoft.Sbom.Targets. |
Comments suppressed due to low confidence (7)
src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:22
- [nitpick] Consider enhancing this comment with details on the expected value of TF_BUILD and the conditions under which SBOM generation occurs to support future maintainability.
<!-- create SBOM for CI build-->
src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:46
- Verify that the configured PrivateAssets and IncludeAssets for Microsoft.Sbom.Targets conform with the project’s dependency management policies.
<PackageReference Include="Microsoft.Sbom.Targets">
src/coverlet.console/coverlet.console.csproj:9
- [nitpick] Consider adding a brief note about TF_BUILD in this comment to clarify when SBOM generation is enabled during CI builds.
<!-- create SBOM for CI build-->
src/coverlet.console/coverlet.console.csproj:30
- Ensure that the dependency settings (PrivateAssets and IncludeAssets) for Microsoft.Sbom.Targets are consistent with other projects and meet the overall design requirements.
<PackageReference Include="Microsoft.Sbom.Targets">
src/coverlet.collector/coverlet.collector.csproj:21
- [nitpick] Expand this comment to specify what TF_BUILD represents and the scenario under which SBOM generation will be triggered.
<!-- create SBOM for CI build-->
src/coverlet.collector/coverlet.collector.csproj:45
- Review the asset inclusion/exclusion settings for Microsoft.Sbom.Targets to ensure they are optimal and consistent with related projects.
<PackageReference Include="Microsoft.Sbom.Targets">
Directory.Packages.props:32
- Consider using a centralized version variable for Microsoft.Sbom.Targets to maintain consistency across projects, if applicable.
<PackageVersion Include="Microsoft.Sbom.Targets" Version="3.1.0" />
Updated the `<GenerateSBOM>` property in `coverlet.collector.csproj`, `coverlet.console.csproj`, and `coverlet.msbuild.tasks.csproj` to explicitly set it to `true`, ensuring consistent SBOM generation across all environments. Previously, this property relied on the `$(TF_BUILD)` variable. Additionally, removed a redundant closing `</Project>` tag from `coverlet.collector.csproj` to improve file structure and readability.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add SBOM files for coverlet nuget packages e.g.