@Bertk Bertk commented Apr 22, 2025

Add SBOM files for coverlet nuget packages e.g.

@Bertk Bertk requested review from SimonCropp and removed request for SimonCropp June 3, 2025 11:30
@Bertk Bertk requested a review from Copilot June 6, 2025 08:35
Copilot AI left a comment

Pull Request Overview

This PR adds support for generating SBOM files for NuGet packages across multiple projects by enabling SBOM generation during CI builds and adding the required package references.

  • Added the `<GenerateSBOM>` property driven by the TF_BUILD environment variable in three csproj files.
  • Included a PackageReference to Microsoft.Sbom.Targets with appropriate PrivateAssets and IncludeAssets settings in the csproj files.
  • Updated Directory.Packages.props to pin the Microsoft.Sbom.Targets package version.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj | Added GenerateSBOM property and Microsoft.Sbom.Targets package reference for SBOM generation. |
| src/coverlet.console/coverlet.console.csproj | Enabled SBOM generation and added Microsoft.Sbom.Targets package reference. |
| src/coverlet.collector/coverlet.collector.csproj | Introduced the GenerateSBOM flag and added Microsoft.Sbom.Targets package reference. |
| Directory.Packages.props | Added package version for Microsoft.Sbom.Targets. |

Comments suppressed due to low confidence (7)

src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:22

  • [nitpick] Consider enhancing this comment with details on the expected value of TF_BUILD and the conditions under which SBOM generation occurs to support future maintainability.
<!-- create SBOM for CI build-->

src/coverlet.msbuild.tasks/coverlet.msbuild.tasks.csproj:46

  • Verify that the configured PrivateAssets and IncludeAssets for Microsoft.Sbom.Targets conform with the project’s dependency management policies.
<PackageReference Include="Microsoft.Sbom.Targets">

src/coverlet.console/coverlet.console.csproj:9

  • [nitpick] Consider adding a brief note about TF_BUILD in this comment to clarify when SBOM generation is enabled during CI builds.
<!-- create SBOM for CI build-->

src/coverlet.console/coverlet.console.csproj:30

  • Ensure that the dependency settings (PrivateAssets and IncludeAssets) for Microsoft.Sbom.Targets are consistent with other projects and meet the overall design requirements.
<PackageReference Include="Microsoft.Sbom.Targets">

src/coverlet.collector/coverlet.collector.csproj:21

  • [nitpick] Expand this comment to specify what TF_BUILD represents and the scenario under which SBOM generation will be triggered.
<!-- create SBOM for CI build-->

src/coverlet.collector/coverlet.collector.csproj:45

  • Review the asset inclusion/exclusion settings for Microsoft.Sbom.Targets to ensure they are optimal and consistent with related projects.
<PackageReference Include="Microsoft.Sbom.Targets">

Directory.Packages.props:32

  • Consider using a centralized version variable for Microsoft.Sbom.Targets to maintain consistency across projects, if applicable.
<PackageVersion Include="Microsoft.Sbom.Targets" Version="3.1.0" />

@Bertk Bertk reopened this Dec 3, 2025
@Bertk Bertk closed this Dec 3, 2025
@Bertk Bertk reopened this Dec 3, 2025
Updated the `<GenerateSBOM>` property in `coverlet.collector.csproj`, `coverlet.console.csproj`, and `coverlet.msbuild.tasks.csproj` to explicitly set it to `true`, ensuring consistent SBOM generation across all environments. Previously, this property relied on the `$(TF_BUILD)` variable.

Additionally, removed a redundant closing `</Project>` tag from `coverlet.collector.csproj` to improve file structure and readability.
@Bertk Bertk marked this pull request as draft December 6, 2025 11:11
@Bertk Bertk added the feature PR label for new features label Dec 9, 2025
Bertk added 3 commits January 11, 2026 09:21
Upgraded the Microsoft.Sbom.Targets NuGet package from version 3.1.0 to 4.1.5 in Directory.Packages.props to ensure compatibility with the latest features and improvements.
@Bertk Bertk marked this pull request as ready for review January 11, 2026 09:10
@Bertk Bertk added the enhancement General enhancement request label Jan 11, 2026
Bertk added 4 commits January 11, 2026 10:32
Updated the `<GenerateSBOM>` property in `coverlet.collector.csproj`, `coverlet.console.csproj`, and `coverlet.msbuild.tasks.csproj` to explicitly set it to `true`, ensuring consistent SBOM generation across all environments. Previously, this property relied on the `$(TF_BUILD)` variable.

Additionally, removed a redundant closing `</Project>` tag from `coverlet.collector.csproj` to improve file structure and readability.
Bertk added 6 commits January 11, 2026 10:32
Upgraded the Microsoft.Sbom.Targets NuGet package from version 3.1.0 to 4.1.5 in Directory.Packages.props to ensure compatibility with the latest features and improvements.
Fix indentation of condition in CheckNugetStatus template step

Corrected the indentation of the condition property under the CheckNugetStatus.yml template step in azure-pipelines.yml. This structural fix ensures the condition is properly associated with the template step, improving YAML validity without changing any logic.
@Bertk Bertk merged commit 68efb63 into coverlet-coverage:master Jan 11, 2026
11 checks passed
@Bertk Bertk deleted the nuget-SBOM branch January 11, 2026 10:42
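
A CI gate for the behaviour this PR enables, as an added example that is not part of the PR or the coverlet code base: it opens a packed `.nupkg` and reports when no SPDX manifest is embedded or the manifest does not describe the expected package, which is the failure a silently false `GenerateSBOM` condition would produce. The `_manifest/.../manifest.spdx.json` location, the function names and the sample data are assumptions made for illustration.

```python
import io
import json
import zipfile

def find_sbom(nupkg_bytes):
    """Return (entry_name, parsed_json) for the embedded SBOM, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            # Assumed layout: _manifest/<format>/manifest.spdx.json inside the package
            if name.startswith("_manifest/") and name.endswith("manifest.spdx.json"):
                return name, json.loads(pkg.read(name))
    return None

def check_package(nupkg_bytes, expected_id):
    """Return a list of problems; an empty list means the package passes the gate."""
    found = find_sbom(nupkg_bytes)
    if found is None:
        return ["no SBOM embedded in package"]
    name, doc = found
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        problems.append(f"{name}: missing or invalid spdxVersion")
    packages = doc.get("packages", [])
    if not any(p.get("name") == expected_id for p in packages):
        problems.append(f"{name}: package {expected_id} not described")
    for p in packages:
        # A component without a version cannot be matched against advisories
        if not p.get("versionInfo"):
            problems.append(f"{name}: {p.get('name', '?')} has no versionInfo")
    return problems

def build_sample(sbom):
    """Constructed stand-in for a .nupkg (a zip archive); sbom=None omits the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("coverlet.collector.nuspec", "<package/>")
        if sbom is not None:
            pkg.writestr("_manifest/spdx_2.2/manifest.spdx.json", json.dumps(sbom))
    return buf.getvalue()

SAMPLE_SBOM = {  # constructed sample, not output from the real build
    "spdxVersion": "SPDX-2.2",
    "packages": [{"name": "coverlet.collector", "versionInfo": "0.0.0-sample"},
                 {"name": "Example.Dependency", "versionInfo": ""}],
}

if __name__ == "__main__":
    print(check_package(build_sample(SAMPLE_SBOM), "coverlet.collector"))
    print(check_package(build_sample(None), "coverlet.collector"))
```

In a pipeline, the same `check_package` call would be pointed at the bytes of each packed `.nupkg` and the job failed on a non-empty result.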