SBOMgen
This tutorial illustrates how to produce an SBOM from C# projects using the CycloneDX-Dotnet CLI.
Prerequisites:
.NET framework
NuGet
Run the command:
dotnet tool install --global CycloneDX
Note: You may need to add the .dotnet/tools directory to your PATH, e.g.:
export PATH="$PATH:/location/of/.dotnet/tools"
Verify installation with the command:
dotnet CycloneDX
You should get the response:
A .NET Core global tool which creates CycloneDX Software Bill-of-Materials (SBOM) from .NET projects.
Usage: dotnet cyclonedx [options] <path>
Arguments:
path The path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files
Options:
-v|--version Output the tool version and exit
-tfm|--framework <FRAMEWORK> The target framework to use. If not defined, all will be aggregated.
-rt|--runtime <RUNTIME> The runtime to use. If not defined, all will be aggregated.
-o|--out <OUTPUT_DIRECTORY> The directory to write the BOM
-f|--filename <OUTPUT_FILENAME> Optionally provide a filename for the BOM (default: bom.xml or bom.json)
-j|--json Produce a JSON BOM instead of XML
-d|--exclude-dev Exclude development dependencies from the BOM (see https://github.com/NuGet/Home/wiki/DevelopmentDependency-support-for-PackageReference)
-t|--exclude-test-projects Exclude test projects from the BOM
-u|--url <BASE_URL> Alternative NuGet repository URL to https://<yoururl>/nuget/<yourrepository>/v3/index.json
-us|--baseUrlUsername <BASE_URL_USER_NAME> Alternative NuGet repository username
-usp|--baseUrlUserPassword <BASE_URL_USER_PASSWORD> Alternative NuGet repository username password/apikey
-uspct|--isBaseUrlPasswordClearText Alternative NuGet repository password is cleartext
-r|--recursive To be used with a single project file, it will recursively scan project references of the supplied project file
-ns|--no-serial-number Optionally omit the serial number from the resulting BOM
-gu|--github-username <GITHUB_USERNAME> Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub personal access token
-gt|--github-token <GITHUB_TOKEN> Optionally provide a GitHub personal access token for license resolution. If set you also need to provide a GitHub username
-gbt|--github-bearer-token <GITHUB_BEARER_TOKEN> Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions
-dgl|--disable-github-licenses Optionally disable GitHub license resolution
-dpr|--disable-package-restore Optionally disable package restore
-dhc|--disable-hash-computation Optionally disable hash computation for packages
-dct|--dotnet-command-timeout <DOTNET_COMMAND_TIMEOUT> dotnet command timeout in milliseconds (primarily used for long dotnet restore operations)
Default value is: 300000.
-biop|--base-intermediate-output-path <BASE_INTERMEDIATE_OUTPUT_PATH> Optionally provide a folder for customized build environment. Required if folder 'obj' is relocated.
-imp|--import-metadata-path <IMPORT_METADATA_PATH> Optionally provide a metadata template which has project specific details.
-sn|--set-name <SET_NAME> Override the autogenerated BOM metadata component name.
-sv|--set-version <SET_VERSION> Override the default BOM metadata component version (defaults to 0.0.0).
-st|--set-type <SET_TYPE> Override the default BOM metadata component type (defaults to application).
Allowed values are: Null, Application, Framework, Library, OperationSystem, Device, File, Container, Firmware.
Default value is: Null.
-?|-h|--help Show help information.
A path is required
Run the following command:
dotnet CycloneDX <path-to-manifest-file> -o <path-to-output-folder>
The output is written to the folder you specified and contains your SBOM, in XML format by default. A JSON SBOM can be obtained by adding the -j flag.
Only .sln, .csproj, .fsproj, .vbproj, and packages.config manifest files are supported by this tool.
CycloneDX-Dotnet is only supported on .NET 6.0 and .NET 7.0. It may produce errors when creating SBOMs for modules targeting other versions.
When no appropriate manifest file is given, or the path is left blank, the resulting SBOM contains no dependency data and instead exposes information about the user's computer, e.g. hostname, project name and project location.
Depending on which manifest file is used (see the list above), the dependency information saved to the generated SBOM may be different or less complete, which has implications for vulnerability analysis.
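As an added check (example code, not from this page or the CycloneDX project), the following Python script audits a generated JSON SBOM for the two caveats above: no dependency data, and machine details leaking into the metadata. The sample SBOM is constructed, and the hostname property it carries is an assumption about how such details might appear, not the tool's documented output.

```python
import json
import re

# Constructed sample CycloneDX 1.4 JSON SBOM (not produced by the tool): it
# mimics a run with no usable manifest, a metadata block but no components.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",  # constructed
    "metadata": {
        "tools": [{"vendor": "CycloneDX", "name": "example-tool"}],  # constructed
        "component": {"type": "application",
                      "name": "C:\\Users\\alice\\src\\MyApp",  # constructed local path
                      "version": "0.0.0"},
        "properties": [{"name": "hostname", "value": "ALICE-LAPTOP"}],  # assumed field
    },
    "components": [],
})

# Windows drive letter, POSIX root or UNC prefix: a name that is really a path.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|/|\\\\)")


def audit_sbom(sbom):
    """Return component count and findings for a CycloneDX JSON SBOM (str or dict)."""
    bom = json.loads(sbom) if isinstance(sbom, str) else sbom
    meta = bom.get("metadata", {})
    root = meta.get("component", {})
    findings = []
    # No components means the SBOM carries no dependency data at all.
    if not bom.get("components"):
        findings.append("no components: dependency data missing")
    if not bom.get("dependencies"):
        findings.append("no dependency graph")
    # A component name that is a filesystem path leaks the build machine layout.
    if PATH_RE.match(root.get("name", "")):
        findings.append("metadata.component.name is a local path")
    if root.get("version", "0.0.0") == "0.0.0":
        findings.append("metadata.component.version left at default 0.0.0")
    # Any metadata property that hints at the machine the BOM was built on.
    for prop in meta.get("properties", []):
        if "host" in prop.get("name", "").lower():
            findings.append("metadata.properties exposes %s=%s" % (prop["name"], prop["value"]))
    return {"components": len(bom.get("components", [])), "findings": findings}


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM)["findings"]:
        print("FINDING:", finding)
```

Run it against the bom.json produced with -j; an SBOM you intend to publish should come back with an empty findings list.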
This section illustrates a CycloneDX JSON SBOM of the CycloneDX-Dotnet codebase, created using CycloneDX-Dotnet.
CycloneDX. (2023). CycloneDX-Dotnet. https://github.com/CycloneDX/cyclonedx-dotnet