update: Test results, template and documentation.

2025-01-17 15:52:50 +01:00 · 2025-01-17 15:52:50 +01:00 · e7f6417abb
commit e7f6417abb
parent 0e57c789fa
1 changed files with 67 additions and 0 deletions
--- a/sbom.md
+++ b/sbom.md
@ -88,3 +88,70 @@ Most used from this list: https://spdx.dev/use/spdx-tools/
 | [ScanCode Toolkit](https://github.com/nexB/scancode-toolkit) | Simple and easy to install and use. Poor result. Packages not recognized but binaries. No licenses and vulnerabilities information. Difficult to evaluate the result. Graphical processing provided with external tool. |

 Further tests are therefore carried out with [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool).
+
+## Pipeline Templates
+
+With [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool) a simple call as task with all needed parameters already exists. Therefore no template is required.
+
+## Documentation
+
+### Install Extension
+
+Appropriate permissions or an authorization are required for the installation of [SBOM Tool Azure DevOps Extension](https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool).
+
+After installation a task in the pipeline can look like the following example:
+
+```yaml
+- task: sbom-tool@1
+  displayName: 'Generate SBOM Manifest'
+  inputs:
+    command: 'generate'
+    buildSourcePath: '$(Build.SourcesDirectory)'
+    buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
+    enableManifestSpreadsheetGeneration: true
+    enableManifestGraphGeneration: true
+    enablePackageMetadataParsing: true
+    fetchLicenseInformation: true
+    fetchSecurityAdvisories: true
+    gitHubConnection: 'GitHubForSandbox'
+    packageSupplier: 'MyOrganisation'
+    packageName: 'MyPackage'
+    packageVersion: '$(Build.BuildNumber)'
+```
+
+A complete example:
+
+```yaml
+jobs:
+  - job: publish
+    steps:
+      - task: DotNetCoreCLI@2
+        displayName: 'Publish project'
+        inputs:
+          command: 'publish'
+          publishWebProjects: true
+          arguments: '--output "$(Build.ArtifactStagingDirectory)"'
+
+      - task: sbom-tool@1
+        displayName: 'Generate project SBOM manifest'
+        inputs:
+          command: 'generate'
+          buildSourcePath: '$(Build.SourcesDirectory)'
+          buildArtifactPath: '$(Build.ArtifactStagingDirectory)'
+          enableManifestSpreadsheetGeneration: true
+          enableManifestGraphGeneration: true
+          enablePackageMetadataParsing: true
+          fetchLicenseInformation: true
+          fetchSecurityAdvisories: true
+          gitHubConnection: 'GitHub Advisory Database Connection'
+          packageSupplier: 'MyOrganisation'
+          packageName: 'MyPackage'
+          packageVersion: '$(Build.BuildNumber)'
+
+      - task: PublishBuildArtifacts@1
+        displayName: 'Publish artifacts'
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)'
+          ArtifactName: 'drop'
+          publishLocation: 'Container'
+```