https://github.com/bigbuildbench/cyclonedx_cyclonedx-dotnet

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

○
CITATION.cff file
✓
codemeta.json file
Found codemeta.json file
○
.zenodo.json file
○
DOI references
○
Academic publication links
○
Academic email domains
○
Institutional organization owner
○
JOSS paper metadata
○
Scientific vocabulary similarity
Low similarity (11.7%) to scientific vocabulary

Last synced: 10 months ago · JSON representation

Repository

Basic Info

Host: GitHub
Owner: BigBuildBench
License: apache-2.0
Language: C#
Default Branch: master
Size: 2.61 MB

Statistics

Stars: 0
Watchers: 0
Forks: 0
Open Issues: 2
Releases: 0

Created over 1 year ago · Last pushed over 1 year ago

Metadata Files

Readme License Codeowners

CycloneDX module for .NET

The CycloneDX module for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.

This module runs on * .NET 6.0 * .NET 7.0 * .NET 8.0

This module no longer runs on

.NET Core 2.1
.NET Core 3.1
.NET 5.0
see https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core for more information

Usage

CycloneDX for .NET is distributed via NuGet and Docker Hub.

Installing via NuGet

bash dotnet tool install --global CycloneDX

If you already have a previous version of CycloneDX installed, you can upgrade to the latest version using the following command:

bash dotnet tool update --global CycloneDX

Execution via DotNet

bash dotnet CycloneDX <path> -o <OUTPUT_DIRECTORY>

Execution via Docker

bash docker run cyclonedx/cyclonedx-dotnet [OPTIONS] <path>

Options

```text Usage: CycloneDX [options]

Arguments: The path to a .sln, .csproj, .fsproj, .vbproj, or packages.config file or the path to a directory which will be recursively analyzed for packages.config files.

Options: -tfm, --framework The target framework to use. If not defined, all will be aggregated. -rt, --runtime The runtime to use. If not defined, all will be aggregated. -o, --output The directory to write the BOM -fn, --filename Optionally provide a filename for the BOM (default: bom.xml or bom.json) -j, --json Produce a JSON BOM instead of XML -ed, --exclude-dev Exclude development dependencies from the BOM (see https://github.com/NuGet/Home/wiki/DevelopmentDependency-support-for-PackageReference) -t, --exclude-test-projects Exclude test projects from the BOM -u, --url Alternative NuGet repository URL to https:///nuget//v3/index.json -us, --baseUrlUsername Alternative NuGet repository username -usp, --baseUrlUserPassword Alternative NuGet repository username password/apikey -uspct, --isBaseUrlPasswordClearText Alternative NuGet repository password is cleartext -rs, --recursive To be used with a single project file, it will recursively scan project references of the supplied project file -ns, --no-serial-number Optionally omit the serial number from the resulting BOM -gu, --github-username Optionally provide a GitHub username for license resolution. If set you also need to provide a GitHub personal access token -gt, --github-token Optionally provide a GitHub personal access token for license resolution. If set you also need to provide a GitHub username -gbt, --github-bearer-token Optionally provide a GitHub bearer token for license resolution. This is useful in GitHub actions -egl, --enable-github-licenses Enables GitHub license resolution -dpr, --disable-package-restore Optionally disable package restore -dhc, --disable-hash-computation Optionally disable hash computation for packages -dct, --dotnet-command-timeout dotnet command timeout in milliseconds (primarily used for long dotnet restore operations) [default: 300000] -biop, --base-intermediate-output-path Optionally provide a folder for customized build environment. Required if folder 'obj' is relocated. -imp, --import-metadata-path Optionally provide a metadata template which has project specific details. -ipr, --include-project-references Include project references as components (can only be used with project files). -sn, --set-name Override the autogenerated BOM metadata component name. -sv, --set-version Override the default BOM metadata component version (defaults to 0.0.0). -st, --set-type
--version Show version information -?, -h, --help Show help and usage information ```

Examples

To run the CycloneDX tool you need to specify a solution or project file. In case you pass a solution, the tool will aggregate all the projects.

The following will create a BOM from a solution and all projects defined within: bash dotnet CycloneDX YourSolution.sln -o /output/path

The following will recursively scan the directory structure for packages.config and create a BOM: bash dotnet CycloneDX /path/to/project -o /output/path

The following will recursively scan the project references of the supplied project file, and create a BOM of all package references from all included projects: bash dotnet CycloneDX /path/to/project/MyProject.csproj -o /output/path -rs

Project metadata template example

xml <?xml version="1.0" encoding="utf-8"?> <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:087d0712-f591-4995-ba76-03f1c5c48884" version="1" xmlns="http://cyclonedx.org/schema/bom/1.2"> <metadata> <component type="application" bom-ref="pkg:nuget/CycloneDX@1.3.0"> <name>CycloneDX</name> <version>1.3.0</version> <description> <![CDATA[The [CycloneDX module](https://github.com/CycloneDX/cyclonedx-dotnet) for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.]]> </description> <licenses> <license> <name>Apache License 2.0</name> <id>Apache-2.0</id> </license> </licenses> <purl>pkg:nuget/CycloneDX@1.3.0</purl> </component> </metadata> </bom>

Update the data and import it within a build pipeline e.g. create the file using a script and add also dynamic data (version, timestamp, ...)

GitHub License Resolution

SPDX license IDs can be resolved for packages that reference a supported license file in a GitHub repository.

The GitHub license API has an unauthenticated call limit of 60 calls per hour. To ensure consistent output if a rate limit is exceeded BOM generation will fail. If you start hitting rate limits you will need to generate a personal access token and provide this, and your username, when running CycloneDX.

To generate a token go to Personal access tokens under Settings / Developer setings. From there select the option to Generate new token. No special token permissions are required.

Due to current limitations in the GitHub API licenses will only be resolved for master branch license references.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Contributing

Pull requests are welcome. But please read the CycloneDX contributing guidelines first.

To build and test the solution locally you should have .NET 6.0 or .NET 7.0 installed. Standard commands like dotnet build and dotnet test work.

Alternatively, you can use VS Code and the included devcontainer configuration to work in a pre-configured docker image. (You will also need the "Remote - Containers" extension and Docker)

It is generally expected that pull requests will include relevant tests. Tests are automatically run on Windows, MacOS and Linux for every pull request. And build warnings will break the build.

If you are having trouble debugging a test that is failing for a platform you don't have access to please us know.

Thanks to Gitpod there is a really easy way of creating a ready to go development environment with VS Code. You can open a Gitpod hosted development environment in your browser.

Owner

Name: BigBuildBench
Login: BigBuildBench
Kind: organization

Repositories: 1
Profile: https://github.com/BigBuildBench

abbr. B3, benchmarking the repo-level understanding capability of your LLMs by reconstructing project build-file.

GitHub Events

Total

Delete event: 4
Issue comment event: 4
Pull request event: 16
Create event: 19

Last Year

Delete event: 4
Issue comment event: 4
Pull request event: 16
Create event: 19

Issues and Pull Requests

Last synced: 10 months ago

All Time

Total issues: 0
Total pull requests: 3
Average time to close issues: N/A
Average time to close pull requests: about 1 month
Total issue authors: 0
Total pull request authors: 1
Average comments per issue: 0
Average comments per pull request: 0.67
Merged pull requests: 0
Bot issues: 0
Bot pull requests: 3

Past Year

Issues: 0
Pull requests: 3
Average time to close issues: N/A
Average time to close pull requests: about 1 month
Issue authors: 0
Pull request authors: 1
Average comments per issue: 0
Average comments per pull request: 0.67
Merged pull requests: 0
Bot issues: 0
Bot pull requests: 3

View more stats

Top Authors

Issue Authors

Pull Request Authors

dependabot[bot] (10)

Top Labels

Issue Labels

Pull Request Labels

dependencies (10) docker (7) github_actions (3)

Dependencies

.github/workflows/dotnetcore.yml actions

actions/checkout v4.1.2 composite
actions/setup-dotnet v4 composite
actions/upload-artifact v4 composite
danielpalme/ReportGenerator-GitHub-Action v5 composite

.github/workflows/issue-close-inactive.yml actions

actions/stale v9 composite

.github/workflows/issue-label-triage.yml actions

actions/github-script v7 composite

.github/workflows/release.yml actions

CycloneDX/gh-dotnet-generate-sbom master composite
actions/checkout v4.1.2 composite
actions/create-release v1.1.4 composite
actions/setup-dotnet v4 composite
actions/upload-release-asset v1.0.2 composite

.devcontainer/Ubuntu22.04/Dockerfile docker

ubuntu 22.04 build

Dockerfile docker

mcr.microsoft.com/dotnet/sdk 8.0.101 build

CycloneDX/CycloneDX.csproj nuget

CycloneDX.Tests/CycloneDX.Tests.csproj nuget

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Open Source Science