Generating SBOM for NuGet packages

Gérald Barré

A Software Bill of Materials (SBOM) is a list of all components in a piece of software. It is a critical part of the software supply chain, helping to identify and track the components used in a project. This post describes how to easily generate an SBOM for NuGet packages.

To generate an SBOM for NuGet packages, you can use the Microsoft.Sbom.Targets package. This package runs the Microsoft.SbomTool tool to generate an SPDX file listing all packages used in a project, along with their licenses and other metadata. The SPDX file is then embedded in the NuGet package and can be consumed by other tools.

To use the Microsoft.Sbom.Targets package, add it to your project file:

```xml
<!-- csproj (MSBuild project file) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net9.0</TargetFramework>

    <!--
      Other options are available. Read the documentation for more information:
      https://github.com/microsoft/sbom-tool/tree/fd23d6333c92bfc14f0e2c8af6681d178716c345/src/Microsoft.Sbom.Targets
    -->
    <GenerateSBOM>true</GenerateSBOM>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Sbom.Targets" Version="3.0.0" PrivateAssets="All" />
  </ItemGroup>
</Project>
```

After adding the Microsoft.Sbom.Targets package to your project file, build the NuGet package as usual using dotnet pack. The target automatically runs the Microsoft.SbomTool tool and generates the SPDX file. Note that the target runs after packing, so the actual flow is: generate the package, unzip it, generate the SPDX file into it, then rezip the package.

```shell
dotnet pack
```

You can open the generated NuGet package using a tool like NuGet Package Explorer or unzip it to view the SPDX file.
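As an added example (not code from the post), here is a small Python script that opens a .nupkg as a zip, reads the embedded SPDX document, lists each component with its concluded license, and flags components without one. The in-package path `_manifest/spdx_2.2/manifest.spdx.json` and the `.sha256` sidecar next to it are assumptions based on the sbom-tool's default layout; the sample package it builds is constructed inline.

```python
import hashlib
import io
import json
import zipfile

# In-package path the sbom-tool writes to (assumption from its default layout; check your .nupkg).
SPDX_PATH = "_manifest/spdx_2.2/manifest.spdx.json"
SPDX_HASH_PATH = SPDX_PATH + ".sha256"

def read_sbom_packages(nupkg_bytes):
    """Return the components recorded in the SPDX document embedded in a .nupkg (a zip)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        names = set(zf.namelist())
        if SPDX_PATH not in names:
            raise FileNotFoundError(f"no embedded SBOM at {SPDX_PATH}")
        raw = zf.read(SPDX_PATH)
        # The tool ships a sidecar hash; compare it so a manifest edited after packing is noticed.
        if SPDX_HASH_PATH in names:
            expected = zf.read(SPDX_HASH_PATH).decode().split()[0].lower()
            if hashlib.sha256(raw).hexdigest() != expected:
                raise ValueError("SBOM hash mismatch: manifest changed after packing")
    doc = json.loads(raw)
    return [{"name": p.get("name"), "version": p.get("versionInfo"),
             "license": p.get("licenseConcluded", "NOASSERTION")}
            for p in doc.get("packages", [])]

def unlicensed(packages):
    """Names of components whose license the tool could not conclude."""
    return [p["name"] for p in packages if p["license"] in ("NOASSERTION", "NONE")]

def build_sample_nupkg(tamper=False):
    """Constructed sample: a nuspec plus a three-component SPDX 2.2 document and its hash."""
    spdx = {"spdxVersion": "SPDX-2.2", "name": "MyLib 1.0.0", "packages": [
        {"name": "MyLib", "versionInfo": "1.0.0", "licenseConcluded": "MIT"},
        {"name": "Contoso.Utilities", "versionInfo": "2.1.0", "licenseConcluded": "MIT"},
        {"name": "Fabrikam.Core", "versionInfo": "0.9.0", "licenseConcluded": "NOASSERTION"},
    ]}
    raw = json.dumps(spdx).encode()
    digest = hashlib.sha256(raw).hexdigest()  # sidecar covers the original manifest
    if tamper:  # simulate a manifest edited after the sidecar was written
        raw = raw.replace(b'"MIT"', b'"Apache-2.0"', 1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyLib.nuspec", "<package />")
        zf.writestr(SPDX_PATH, raw)
        zf.writestr(SPDX_HASH_PATH, digest)
    return buf.getvalue()
```

Point `read_sbom_packages` at the bytes of a real .nupkg produced by dotnet pack to list its dependencies; the `tamper` flag only exists to show the hash check firing.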

[Image: NuGet package containing an SPDX file]

# Additional resources
