Comments (4)
As discussed I suggest the following:
- Try to have the MS sbom-tool run on CMakeBuild (czicompress)
Expectations:
a) Dependencies currently statically stored in THIRD_PARTY_LICENSES_ARTIFACT_DISTRIBUTION.txt and THIRD_PARTY_LICENSES.txt are detected by the tool
b) SBOM is uploaded together with the artifacts - Make use of the SPDX Dependency Submission Action by uploading the results of Step 1 in SPDX and have this integrated with dependabot
- Following "Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft | Validating our SBOMs at release", have a run of .NET Build (CziShrink) fail if the hash validation tool of the sbom-tool reports the NuGet package to not match the SBOM created in Step 1
- Create final SBOM for czishrink based on SBOM from Step 1 and SBOM from czishrink itself (either through sbom-tool as well or already existing dependabot [which would probably be the preferred option w.r.t. Step 2])
from czicompress.
See https://github.com/microsoft/sbom-tool/blob/main/docs/setting-up-github-actions.md
However, there's the problem that the build complains when you do
```
$ dotnet build netczicompress.sln --output /path/to/czishrink-build-output
MSBuild version 17.7.3+8ec440e68 for .NET
[...]
C:\Program Files\dotnet\sdk\7.0.402\Current\SolutionFile\ImportAfter\Microsoft.NET.Sdk.Solution.targets(36,5): warning NETSDK1194: The "--output" option isn't supported when building a solution. Specifying a solution-level output path results in all projects copying outputs to the same directory, which can lead to inconsistent builds.
```
Command line for sbom-tool:
```
path/to/sbom-tool-for-current-platform generate -b /path/to/czishrink-build-output -li true -bc . -pn CziShrink -ps CZICOMPRESS -V verbose -pv 1.0.0-alpha.46 -nsb https://github.com/ZEISS/czicompress/tree/main/czishrink
```
from czicompress.
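A check in the spirit of step 2 above (fail the build when the drop no longer matches the SBOM), as an added example that is neither part of this thread nor sbom-tool's own code: it reads the `files` section of an SPDX 2.2 document of the kind sbom-tool writes to `_manifest/spdx_2.2/manifest.spdx.json` under the build drop, recomputes SHA-256 for every listed file and reports ok/missing/mismatch. The file names, contents and hashes in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    # Streamed so a large NuGet package is not read into memory whole.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def validate_spdx_files(spdx_doc, build_dir):
    """Check every SPDX 'files' entry against the build drop on disk.
    Returns {fileName: "ok" | "missing" | "mismatch"}. Hypothetical helper that
    mirrors the idea of sbom-tool's validate step; it is not sbom-tool's code."""
    results = {}
    for entry in spdx_doc.get("files", []):
        name = entry["fileName"]  # SPDX 2.2 paths are relative to the drop, e.g. "./CziShrink.dll"
        expected = next(c["checksumValue"].lower() for c in entry["checksums"]
                        if c["algorithm"].upper() == "SHA256")
        path = os.path.join(build_dir, name[2:] if name.startswith("./") else name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of(path) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results

def build_passes(results):
    # The CI step should fail unless the SBOM lists files and every one verifies.
    return bool(results) and all(v == "ok" for v in results.values())

def spdx_file(name, sha256_hex):
    return {"fileName": name, "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_hex}]}

def demo():
    """Constructed build drop and SPDX fragment: one intact file, one tampered, one absent."""
    drop = tempfile.mkdtemp()
    with open(os.path.join(drop, "CziShrink.dll"), "wb") as f:
        f.write(b"constructed binary A")
    with open(os.path.join(drop, "CziShrink.deps.json"), "wb") as f:
        f.write(b"tampered after SBOM generation")
    spdx = {"spdxVersion": "SPDX-2.2", "files": [
        spdx_file("./CziShrink.dll", hashlib.sha256(b"constructed binary A").hexdigest()),
        spdx_file("./CziShrink.deps.json", hashlib.sha256(b"original contents").hexdigest()),
        spdx_file("./CziShrink.pdb", "00" * 32),  # in the SBOM but missing from the drop
    ]}
    return validate_spdx_files(spdx, drop)
```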
The build cmd could be adapted to be `dotnet build --property:OutputPath=DESIRED_PATH`. Since we are not multi-targeting we shouldn't run into issues here. Otherwise we can always bump down the SDK version used for building
from czicompress.
Memo (some things to consider when deriving a solution):
Most SCA tools do not support C/C++ - vcpkg if at all. BlackDuck is one of the more promising here.
More info:
No support from dependabot:
dependabot/dependabot-core#2027
dependabot/dependabot-core#7451
No support from MS sbom-tool (not sure though):
https://github.com/microsoft/component-detection (only vcpkg in beta as of 2023-11-17)
Strangely enough there is microsoft/sbom-tool#81, which claims cmake support, but it does not say so on https://github.com/microsoft/component-detection
No support from ORT tool:
oss-review-toolkit/ort#2031
from czicompress.