Support extracting SBOMs from NuGet packages that contain them #13979

Open
baronfel opened this issue Dec 3, 2024 · 1 comment

baronfel commented Dec 3, 2024

NuGet Product(s) Involved

NuGet.exe, dotnet.exe

The Elevator Pitch

Now that it's easy to generate SBOMs for packages via the Microsoft.SBOM.Targets package, it would be great if the NuGet tooling made it easy to access the SBOM generated for a package without having to

  • generate the package via dotnet pack
  • extract the package
  • locate the SBOM in the package

Many interop scenarios, like uploading an SBOM to GitHub to participate in their Dependency Graph services, require access to the raw SBOM and it's annoying to do this dance every time. It would be great to run a command like dotnet package extract-sbom <path to package> to get the SBOM and signature from the package.

Additional Context and Details

No response

@kartheekp-ms
Contributor

I think if we add the dotnet nuget install command, customers will be able to use it to extract all the files from a package. Once all the files are extracted to a local folder, it will be easier to access the SBOM and signature from the package.

@nkolev92 nkolev92 added the Priority:2 Issues for the current backlog. label Dec 9, 2024
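
The manual steps discussed in this thread (extract the package, locate the SBOM) can be done without unpacking to disk, because a .nupkg is a ZIP archive. The following is an added example, not code from the issue or from NuGet tooling; the `_manifest/spdx_2.2/` layout, the `.spdx.json` suffix match, the companion `.sha256` entry and the sample package are assumptions constructed for illustration.

```python
import io
import json
import zipfile

MAX_SBOM_BYTES = 16 * 1024 * 1024  # cap on bytes read per entry (decompression-bomb guard)


def find_sboms(nupkg):
    """Return entry names in the package that look like SPDX JSON SBOMs."""
    with zipfile.ZipFile(nupkg) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(".spdx.json"))


def read_sbom(nupkg, entry):
    """Read one SBOM entry in memory and parse it.

    Nothing is written to disk, so hostile entry names cannot cause path
    traversal. Returns (parsed document, names of companion entries such as
    a hash or signature stored next to the SBOM).
    """
    with zipfile.ZipFile(nupkg) as zf:
        info = zf.getinfo(entry)
        if info.file_size > MAX_SBOM_BYTES:
            raise ValueError(f"{entry}: declared size exceeds cap")
        with zf.open(info) as fh:
            raw = fh.read(MAX_SBOM_BYTES + 1)  # do not trust the declared size
        companions = sorted(
            n for n in zf.namelist() if n != entry and n.startswith(entry)
        )
    if len(raw) > MAX_SBOM_BYTES:
        raise ValueError(f"{entry}: content exceeds cap")
    doc = json.loads(raw)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError(f"{entry}: not an SPDX document")
    return doc, companions


def build_sample_nupkg():
    """Constructed sample package; file names and contents are made up."""
    buf = io.BytesIO()
    sbom = {"spdxVersion": "SPDX-2.2", "name": "Sample.Package 1.0.0", "packages": []}
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.Package.nuspec", "<package/>")
        zf.writestr("lib/net8.0/Sample.Package.dll", b"\x00")
        zf.writestr("_manifest/spdx_2.2/manifest.spdx.json", json.dumps(sbom))
        zf.writestr("_manifest/spdx_2.2/manifest.spdx.json.sha256", "constructed-placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    pkg = build_sample_nupkg()
    for name in find_sboms(pkg):
        print(name, read_sbom(pkg, name)[1])
```

Both functions accept a file path or a file-like object, so the same calls work on a real package path.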