Add a SBOM Generation Task (#674)

* Experimenting with dotnet

* Add comments

* Make the Sbom.Targets project to build.

* Add all arguments to GenerateSBOMTask (#1)

Co-authored-by: vpatakottu <[email protected]>

* Add call to the SBOM API from GenerateSbomTask#Execute (#2)

* Start implementing Execute

* Make SBOM Targets test target .NET 8 only.

* Make the Component Path not required.

* Build the current project in test, and check that the manifest was generated.

* Ad a few comments for TODOs.

* Validate and Sanitize Arguments  (#3)

* Validate arguments

* ignore case for enum conversion

* create method for manifestinfo

---------

Co-authored-by: vpatakottu <[email protected]>

* Add tests for Generate SBOM Task (#4)

* Add more tests for GenerateSbomTask.Execute logic

* Add SBOM Validation to the Generate SBOM Task tests.

* Add a utility method that validates the SBOM being generated during tests

* Make more tests use the new utility validator method

* Pass sbom specification during tests

* Refactor GenerateSbomTask tests to be parametrized through the SBOM Specification

* Fix typo

* Add an abstract method for the Sbom Specification of the AbstractGenerateSbomTaskTests

* Address PR suggestions

* Made fields internal instead of private in AbstractGenerateSbomTaskTests

* Add unit tests for GenerateSbomTask inputs (#6)

* add unit tests for GenerateSbomTask inputs

* remove console print

* Addressing feedback

* addressing feedback and adding more tests'

---------

Co-authored-by: vpatakottu <[email protected]>

* Add additional unit tests for valid cases (#7)

* add additional unit tests for valid cases

* address feedback and add few more cases

---------

Co-authored-by: vpatakottu <[email protected]>

* Merging Varshita's branch into our feature branch (#12)

* setting up imports

* Add reference to local Nuget package, for testing purposes

* rename targets and props, export them to the build folder

* Fix test project

* Fix Targets file to include props

* Manually adding the Sources Providers that support ProviderType.Packages

* Manually add the missing classes for SBOM generation

* Add MSBuild properties to our Props file (#8)

* Use MSBuild/.NET props for default values of the Generate SBOM task.

* Remove hardcoded path from the Targets

* Add default value to props file for SbomGenerationManifestDirPath

* Add final ManifestDirPath to SbomGenerationResult.

* Fix typo

* Change Summary comment for ManifestDirPath

* include sbom files in user's nuget packages (#11)

Co-authored-by: vpatakottu <[email protected]>

* Make the task target .net 8 and .net 6 (#13)

* Remove unrooted checks (#14)

* Downgrade Microsoft.Extensions.Hosting back to 7.0.1

* Remove LocalNuget configuration

* Stop tracking nuspec file

* Remove unnecessary comments.

* Remove reference to Microsoft.Sbom.Targets Nuget

* Apply suggestions from the linter and PR comments.

---------

Co-authored-by: vpatakottu <[email protected]>
Co-authored-by: vpatakottu <[email protected]>

* Fix ubuntu tests (#16)

* add users/gustavoca/net-sdk-sbom-tool branch to PR pipelines

* Fix Ubuntu tests for Targets project

* Update feature branch (#17)

* build(deps): bump actions/checkout from 4.1.1 to 4.1.6 (#574)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@b4ffde6...a5ac7e5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.24.3 to 3.25.8 (#591)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.25.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3796146...2e230e8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add missing header to AbstractGenerateSbomTaskTests (#598)

* Create template tool task (#600)

* create template tool task

* Make the tests successfully run

* Include the SBOM CLI Tool to the .NET Framework package folder.

* refactor code a little and address feedback

@microsoft-github-policy-service agree company="Microsoft"

---------

Co-authored-by: vpatakottu <[email protected]>
Co-authored-by: gustavoaca1997 <[email protected]>

* Run the Github build also for feature branches.

* Implement SBOM CLI ToolTask (#607)

* implement ToolTask

* addressing feedback

* addressing feedback pt. 2

---------

Co-authored-by: vpatakottu <[email protected]>

* Update System.Text.Json

* Stop importing the props twice when referencing the Nuget package (#612)

* Add tests for the MSBuild Full version of the Generate SBOM task (#613)

* Bring changes from feautre branch

* Make the Targets.Tests project also target .NET Framework

* Remove props file

* Implement tests for MSBuild Full version of the task

* Simplify how the CLI tool is called from the tests.

* Add test for file being in use.

* Test the output of the ToolTask.

* Change the name of AbstractGenerateSBomTaskInputTests to AbstractGenerateSbomTaskInputTests

* Include .NET Framework output in Sbom_Generation_Succeeds_For_Null_Verbosity

* Update src/Microsoft.Sbom.Targets/SbomCLIToolTask.cs

Co-authored-by: Dave Tryon <[email protected]>

* Skip tests that are failing due to known issues

* Add debug messages for the test pipeline

* Fix .net core tests

* Target .NET Framework only on Windows

* Remove unnecessary comment.

* Update default Verbosity.

* Address comments.

* Change name of AbstractGenerateSbomTaskInputTests

* Address PR Comments

---------

Co-authored-by: Dave Tryon <[email protected]>

* Update NuGet Package Format and Surface Errors (#619)

* update nuget package format and surface errors

* simplify sbom output

* update targets to use SbomPath output var for ToolTask

* fix bad merge

* append manifest folder name for manifestdirpath

* add path.combine and property checks

* append platform version

* create ManifestDirPath if needed

* temporarily comment out

* remove manifestdirpath logic for now

* use path.combine and full path

---------

Co-authored-by: vpatakottu <[email protected]>

* Add README for Microsoft.Sbom.Targets project (#651)

* Adding readme

* add code quotes

---------

Co-authored-by: vpatakottu <[email protected]>

* Workaround for generating a SBOM manifest at the root level of the Nuget Package (#656)

* Add buildMultiTargeting folder to the Nuget package

* Unzip and Zip again for including the SBOM into the Nuget package.

* Append GUID to the temporary unzipped folder.

* Use Path.Combine for Unzip and Nupkg paths (#663)

* Add E2E tests for Microsoft.Sbom.Targets project (#658)

* add base setup for tests

* updates to test

* cleanup

* Add more tests

* update package version

* cleanup

* mini fix for copying sample project

* add unloading step

* create separate project for E2E tests

* cleanup

* rearrange method

* cleanup

* check for platform

* try with locator

* disable analyzers for sample project

---------

Co-authored-by: vpatakottu <[email protected]>

* Remove GenerateSBOMTest project (#673)

* Remove GenerateSBOMTest project

* Remove N/A comment

* Add ContinueOnError=ErrorAndContinue to the ZipDirectory, GenerateSBOM and Unzip (#672)

* User/gustavoca/update with main (#675)

* Bump Component Detection version (#624)

* Bump Component Detection version

* Bump NuGet Config and Framework versions

* Raise dependabot PR limit (#629)

* build(deps): bump stefanzweifel/git-auto-commit-action (#552)

Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases)
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md)
- [Commits](stefanzweifel/git-auto-commit-action@8756aa0...8621497)

---
updated-dependencies:
- dependency-name: stefanzweifel/git-auto-commit-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dave Tryon <[email protected]>

* build(deps): bump Microsoft.NET.Test.Sdk from 17.7.2 to 17.10.0 (#630)

Bumps [Microsoft.NET.Test.Sdk](https://github.com/microsoft/vstest) from 17.7.2 to 17.10.0.
- [Release notes](https://github.com/microsoft/vstest/releases)
- [Changelog](https://github.com/microsoft/vstest/blob/main/docs/releases.md)
- [Commits](microsoft/vstest@v17.7.2...v17.10.0)

---
updated-dependencies:
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestAdapter from 3.1.1 to 3.5.0 (#644)

Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.1.1...v3.5.0)

---
updated-dependencies:
- dependency-name: MSTest.TestAdapter
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Spectre.Console.Cli from 0.48.0 to 0.49.1 (#637)

Bumps [Spectre.Console.Cli](https://github.com/spectreconsole/spectre.console) from 0.48.0 to 0.49.1.
- [Release notes](https://github.com/spectreconsole/spectre.console/releases)
- [Commits](spectreconsole/spectre.console@0.48.0...0.49.1)

---
updated-dependencies:
- dependency-name: Spectre.Console.Cli
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.25.12 to 3.25.15 (#625)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@4fa2a79...afb54ba)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestFramework from 3.1.1 to 3.5.0 (#642)

Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.1.1 to 3.5.0.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.1.1...v3.5.0)

---
updated-dependencies:
- dependency-name: MSTest.TestFramework
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.VisualStudio.Threading.Analyzers (#638)

Bumps [Microsoft.VisualStudio.Threading.Analyzers](https://github.com/microsoft/vs-threading) from 17.7.30 to 17.10.48.
- [Release notes](https://github.com/microsoft/vs-threading/releases)
- [Commits](microsoft/vs-threading@v17.7.30...v17.10.48)

---
updated-dependencies:
- dependency-name: Microsoft.VisualStudio.Threading.Analyzers
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump github/codeql-action from 3.25.15 to 3.26.0 (#654)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@afb54ba...eb055d7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MSTest.TestAdapter from 3.5.0 to 3.5.1 (#653)

Bumps [MSTest.TestAdapter](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: MSTest.TestAdapter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <[email protected]>

* build(deps): bump MSTest.TestFramework from 3.5.0 to 3.5.1 (#652)

Bumps [MSTest.TestFramework](https://github.com/microsoft/testfx) from 3.5.0 to 3.5.1.
- [Release notes](https://github.com/microsoft/testfx/releases)
- [Changelog](https://github.com/microsoft/testfx/blob/main/docs/Changelog.md)
- [Commits](microsoft/testfx@v3.5.0...v3.5.1)

---
updated-dependencies:
- dependency-name: MSTest.TestFramework
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <[email protected]>

* build(deps): bump Moq from 4.17.2 to 4.20.70 (#640)

Bumps [Moq](https://github.com/moq/moq) from 4.17.2 to 4.20.70.
- [Release notes](https://github.com/moq/moq/releases)
- [Changelog](https://github.com/devlooped/moq/blob/main/CHANGELOG.md)
- [Commits](moq/moq.spikes@v4.17.2...v4.20.70)

---
updated-dependencies:
- dependency-name: Moq
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump coverlet.collector from 6.0.0 to 6.0.2 (#641)

Bumps [coverlet.collector](https://github.com/coverlet-coverage/coverlet) from 6.0.0 to 6.0.2.
- [Release notes](https://github.com/coverlet-coverage/coverlet/releases)
- [Commits](coverlet-coverage/coverlet@v6.0.0...v6.0.2)

---
updated-dependencies:
- dependency-name: coverlet.collector
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump StyleCop.Analyzers (#636)

Bumps [StyleCop.Analyzers](https://github.com/DotNetAnalyzers/StyleCopAnalyzers) from 1.2.0-beta.507 to 1.2.0-beta.556.
- [Release notes](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/releases)
- [Changelog](https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/KnownChanges.md)
- [Commits](DotNetAnalyzers/StyleCopAnalyzers@1.2.0-beta.507...1.2.0-beta.556)

---
updated-dependencies:
- dependency-name: StyleCop.Analyzers
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.SourceLink.GitHub from 1.1.1 to 8.0.0 (#645)

Bumps [Microsoft.SourceLink.GitHub](https://github.com/dotnet/sourcelink) from 1.1.1 to 8.0.0.
- [Release notes](https://github.com/dotnet/sourcelink/releases)
- [Commits](dotnet/sourcelink@1.1.1...8.0.0)

---
updated-dependencies:
- dependency-name: Microsoft.SourceLink.GitHub
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump MinVer from 4.3.0 to 5.0.0 (#634)

Bumps [MinVer](https://github.com/adamralph/minver) from 4.3.0 to 5.0.0.
- [Changelog](https://github.com/adamralph/minver/blob/main/CHANGELOG.md)
- [Commits](adamralph/minver@4.3.0...5.0.0)

---
updated-dependencies:
- dependency-name: MinVer
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.Extensions.Http, Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection (#649)

Bumps [Microsoft.Extensions.Http](https://github.com/dotnet/runtime), [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection](https://github.com/dotnet/runtime). These dependencies needed to be updated together.

Updates `Microsoft.Extensions.Http` from 7.0.0 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.0...v8.0.0)

Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.1...v8.0.0)

Updates `Microsoft.Extensions.DependencyInjection` from 7.0.0 to 8.0.0
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.0...v8.0.0)

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Http
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.DependencyInjection
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Microsoft.Extensions.Logging.Abstractions and Microsoft.Extensions.DependencyInjection.Abstractions (#650)

Bumps [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/runtime) and [Microsoft.Extensions.DependencyInjection.Abstractions](https://github.com/dotnet/runtime). These dependencies needed to be updated together.

Updates `Microsoft.Extensions.Logging.Abstractions` from 7.0.1 to 8.0.1
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v7.0.1...v8.0.1)

Updates `Microsoft.Extensions.DependencyInjection.Abstractions` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/dotnet/runtime/releases)
- [Commits](dotnet/runtime@v8.0.0...v8.0.1)

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Logging.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Microsoft.Extensions.DependencyInjection.Abstractions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump Scrutor from 4.2.0 to 4.2.2 (#646)

Bumps [Scrutor](https://github.com/khellang/Scrutor) from 4.2.0 to 4.2.2.
- [Release notes](https://github.com/khellang/Scrutor/releases)
- [Commits](khellang/Scrutor@v4.2.0...v4.2.2)

---
updated-dependencies:
- dependency-name: Scrutor
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix tests

* Bump Microsoft.Extensions.Hosting

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: José Renan <[email protected]>
Co-authored-by: Dave Tryon <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sarah Oslund <[email protected]>

* Update README

* Address Feedback (#679)

* Address feedback and remove SbomPath

* remove whitespace

* remove comment

---------

Co-authored-by: vpatakottu <[email protected]>

* address more feedback (#682)

Co-authored-by: vpatakottu <[email protected]>

* Pack each project separately (#681)

* Pack each project separately

* Remove extra dotnet apck

* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.

* User/gustavoca/dont extract e2e tests (#684)

* Inspect the content of the Nuget package instead of extracting to disk during e2e tests.

* Remove extra changes in Directory.Packages.Props

* Remove instance of Newtonsoft.Json

* Remove not needed Message

* Revert "Remove instance of Newtonsoft.Json"

This reverts commit 52329d4.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Sarah Oslund <[email protected]>
Co-authored-by: vpatakottu <[email protected]>
Co-authored-by: vpatakottu <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dave Tryon <[email protected]>
Co-authored-by: José Renan <[email protected]>

Author: 7 people

.gitignore

@@ -189,6 +189,7 @@ PublishScripts/
 
 # NuGet Packages
 *.nupkg
+*.nuspec
 # NuGet Symbol Packages
 *.snupkg
 # The packages folder can be ignored because of Package Restore

Directory.Packages.props

@@ -14,6 +14,11 @@
         <PackageVersion Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="8.1.1" />
         <PackageVersion Include="coverlet.collector" Version="6.0.2" />
         <PackageVersion Include="FluentAssertions" Version="6.12.0" />
+        <PackageVersion Include="Microsoft.Build" Version="17.3.2" />
+        <PackageVersion Include="Microsoft.Build.Framework" Version="17.10.4" />
+        <PackageVersion Include="Microsoft.Build.Locator" Version="1.7.8" />
+        <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="17.10.4" />
+        <PackageVersion Include="Microsoft.CSharp" Version="4.7.0" />
         <PackageVersion Include="MSTest.TestAdapter" Version="3.5.2" />
         <PackageVersion Include="MSTest.TestFramework" Version="3.5.2" />
         <PackageVersion Include="Microsoft.ComponentDetection.Common" Version="$(ComponentDetectionPackageVersion)" />
@@ -22,7 +27,7 @@
         <PackageVersion Include="Microsoft.ComponentDetection.Orchestrator" Version="$(ComponentDetectionPackageVersion)" />
         <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
         <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
-        <PackageVersion Include="Microsoft.Extensions.Hosting" Version="7.0.1" />
+        <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
         <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
         <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
         <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.0" />
@@ -44,6 +49,7 @@
         <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
         <PackageVersion Include="Spectre.Console.Cli" Version="0.49.1" />
         <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
+        <PackageVersion Include="System.IO.Compression" Version="4.3.0" />
         <PackageVersion Include="System.IO.FileSystem.AccessControl" Version="5.0.0" />
         <PackageVersion Include="System.Linq.Async" Version="6.0.1" />
         <PackageVersion Include="System.Memory" Version="4.5.5" />

Microsoft.Sbom.sln

@@ -49,8 +49,14 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.D
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.DependencyInjection.Tests", "test\Microsoft.Sbom.Extensions.DependencyInjection.Tests\Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj", "{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets", "src\Microsoft.Sbom.Targets\Microsoft.Sbom.Targets.csproj", "{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Targets.Tests", "test\Microsoft.Sbom.Targets.Tests\Microsoft.Sbom.Targets.Tests.csproj", "{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}"
+EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Tool.Tests", "test\Microsoft.Sbom.Tool.Tests\Microsoft.Sbom.Tool.Tests.csproj", "{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.Sbom.Targets.E2E.Tests", "test\Microsoft.Sbom.Targets.E2E.Tests\Microsoft.Sbom.Targets.E2E.Tests.csproj", "{3FDE7800-F61F-4C45-93AB-648A4C7979C7}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -109,10 +115,22 @@ Global
 		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E6C3C851-EEA0-466E-BA36-73ED85F13EEA}.Release|Any CPU.Build.0 = Release|Any CPU
+		{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{E31B914C-F24B-4DC8-ACC7-CAEA952563B8}.Release|Any CPU.Build.0 = Release|Any CPU
 		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3FDE7800-F61F-4C45-93AB-648A4C7979C7}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

nuget.config

@@ -1,7 +1,7 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
   <packageSources>
     <clear />
     <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
   </packageSources>
-</configuration>
+</configuration>

pipelines/sbom-tool-main-build.yaml

@@ -105,7 +105,7 @@ extends:
                 ]
             condition: and(succeeded(), startswith(variables['Build.SourceBranch'], 'refs/tags/'))
 
-          - powershell: 'dotnet pack Microsoft.Sbom.sln -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg'
+          - powershell: 'Get-ChildItem -Recurse -Filter *.csproj -Path src | ForEach-Object { dotnet pack $_.FullName  -c $(BuildConfiguration) --no-restore --no-build -o $(Build.ArtifactStagingDirectory)/nuget --include-symbols -p:SymbolPackageFormat=snupkg }'
             displayName: 'Pack NuGet package'
 
           - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3

src/Microsoft.Sbom.Targets/GenerateSbom.cs

@@ -0,0 +1,102 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+namespace Microsoft.Sbom.Targets;
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.Tracing;
+using Microsoft.Build.Framework;
+
+/// <summary>
+/// This partial class defines and sanitizes the arguments that will be passed
+/// into the SBOM API and CLI tool for generation.
+/// </summary>
+public partial class GenerateSbom
+{
+    /// <summary>
+    /// Gets or sets the path to the drop directory for which the SBOM will be generated.
+    /// </summary>
+    [Required]
+    public string BuildDropPath { get; set; }
+
+    /// <summary>
+    /// Gets or sets the supplier of the package the SBOM represents.
+    /// </summary>
+    [Required]
+    public string PackageSupplier { get; set; }
+
+    /// <summary>
+    /// Gets or sets the name of the package the SBOM represents.
+    /// </summary>
+    [Required]
+    public string PackageName { get; set; }
+
+    /// <summary>
+    /// Gets or sets the version of the package the SBOM represents.
+    /// </summary>
+    [Required]
+    public string PackageVersion { get; set; }
+
+    /// <summary>
+    /// Gets or sets the base path of the SBOM namespace uri.
+    /// </summary>
+    [Required]
+    public string NamespaceBaseUri { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the directory containing build components and package information.
+    /// For example, path to a .csproj or packages.config file.
+    /// </summary>
+    public string BuildComponentPath { get; set; }
+
+    /// <summary>
+    /// Gets or sets a unique URI part that will be appended to NamespaceBaseUri.
+    /// </summary>
+    public string NamespaceUriUniquePart { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to a file containing a list of external SBOMs that will be appended to the
+    /// SBOM that is being generated.
+    /// </summary>
+    public string ExternalDocumentListFile { get; set; }
+
+    /// <summary>
+    /// Indicates whether licensing information will be fetched for detected packages.
+    /// </summary>
+    public bool FetchLicenseInformation { get; set; }
+
+    /// <summary>
+    /// Indicates whether to parse licensing and supplier information from a packages metadata file.
+    /// </summary>
+    public bool EnablePackageMetadataParsing { get; set; }
+
+    /// <summary>
+    /// Gets or sets the verbosity level for logging output.
+    /// </summary>
+    public string Verbosity { get; set; }
+
+    /// <summary>
+    /// Gets or sets a list of names and versions of the manifest format being used.
+    /// </summary>
+    public string ManifestInfo { get; set; }
+
+    /// <summary>
+    /// Indicates whether the previously generated SBOM manifest directory should be deleted
+    /// before generating a new SBOM in the directory specified by ManifestDirPath.
+    /// Defaults to true.
+    /// </summary>
+    public bool DeleteManifestDirIfPresent { get; set; } = true;
+
+    /// <summary>
+    /// Gets or sets the path where the SBOM will be generated. For now, this property
+    /// will be unset as the _manifest directory is intended to be at the root of a NuGet package
+    /// specified by BuildDropPath.
+    /// </summary>
+    public string ManifestDirPath { get; set; }
+
+    /// <summary>
+    /// Gets or sets the path to the SBOM CLI tool
+    /// </summary>
+    public string SbomToolPath { get; set; }
+}

src/Microsoft.Sbom.Targets/GenerateSbomTask.cs

@@ -0,0 +1,125 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+namespace Microsoft.Sbom.Targets;
+
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.Tracing;
+using System.IO;
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Sbom.Api.Manifest.ManifestConfigHandlers;
+using Microsoft.Sbom.Api.Metadata;
+using Microsoft.Sbom.Api.Providers;
+using Microsoft.Sbom.Api.Providers.ExternalDocumentReferenceProviders;
+using Microsoft.Sbom.Api.Providers.FilesProviders;
+using Microsoft.Sbom.Api.Providers.PackagesProviders;
+using Microsoft.Sbom.Contracts;
+using Microsoft.Sbom.Contracts.Entities;
+using Microsoft.Sbom.Contracts.Interfaces;
+using Microsoft.Sbom.Extensions;
+using Microsoft.Sbom.Extensions.DependencyInjection;
+using Microsoft.Sbom.Parsers.Spdx22SbomParser;
+
+/// <summary>
+/// MSBuild task for generating SBOMs from build output.
+/// </summary>
+public partial class GenerateSbom : Task
+{
+    private ISBOMGenerator Generator { get; set; }
+
+    /// <summary>
+    /// Constructor for the GenerateSbomTask.
+    /// </summary>
+    public GenerateSbom()
+    {
+        var host = Host.CreateDefaultBuilder()
+            .ConfigureServices((host, services) =>
+                services
+                .AddSbomTool()
+                /* Manually adding some dependencies since `AddSbomTool()` does not add them when
+                 * running the MSBuild Task from another project.
+                 */
+                .AddSingleton<ISourcesProvider, SBOMPackagesProvider>()
+                .AddSingleton<ISourcesProvider, CGExternalDocumentReferenceProvider>()
+                .AddSingleton<ISourcesProvider, DirectoryTraversingFileToJsonProvider>()
+                .AddSingleton<ISourcesProvider, ExternalDocumentReferenceFileProvider>()
+                .AddSingleton<ISourcesProvider, ExternalDocumentReferenceProvider>()
+                .AddSingleton<ISourcesProvider, FileListBasedFileToJsonProvider>()
+                .AddSingleton<ISourcesProvider, SbomFileBasedFileToJsonProvider>()
+                .AddSingleton<ISourcesProvider, CGScannedExternalDocumentReferenceFileProvider>()
+                .AddSingleton<ISourcesProvider, CGScannedPackagesProvider>()
+                .AddSingleton<IAlgorithmNames, AlgorithmNames>()
+                .AddSingleton<IManifestGenerator, Generator>()
+                .AddSingleton<IMetadataProvider, LocalMetadataProvider>()
+                .AddSingleton<IMetadataProvider, SBOMApiMetadataProvider>()
+                .AddSingleton<IManifestInterface, Validator>()
+                .AddSingleton<IManifestConfigHandler, SPDX22ManifestConfigHandler>())
+            .Build();
+        this.Generator = host.Services.GetRequiredService<ISBOMGenerator>();
+    }
+
+    /// <inheritdoc/>
+    public override bool Execute()
+    {
+        try
+        {
+            // Validate required args and args that take paths as input.
+            if (!ValidateAndSanitizeRequiredParams() || !ValidateAndSanitizeNamespaceUriUniquePart())
+            {
+                return false;
+            }
+
+            // Set other configurations. The GenerateSBOMAsync() already sanitizes and checks for
+            // a valid namespace URI and generates a random guid for NamespaceUriUniquePart if
+            // one is not provided.
+            var sbomMetadata = new SBOMMetadata
+            {
+                PackageSupplier = this.PackageSupplier,
+                PackageName = this.PackageName,
+                PackageVersion = this.PackageVersion,
+            };
+            var runtimeConfiguration = new RuntimeConfiguration
+            {
+                NamespaceUriBase = this.NamespaceBaseUri,
+                NamespaceUriUniquePart = this.NamespaceUriUniquePart,
+                DeleteManifestDirectoryIfPresent = this.DeleteManifestDirIfPresent,
+                Verbosity = ValidateAndAssignVerbosity(),
+            };
+#pragma warning disable VSTHRD002 // Avoid problematic synchronous waits
+            var result = System.Threading.Tasks.Task.Run(() => this.Generator.GenerateSbomAsync(
+                rootPath: this.BuildDropPath,
+                manifestDirPath: this.ManifestDirPath,
+                metadata: sbomMetadata,
+                componentPath: this.BuildComponentPath,
+                runtimeConfiguration: runtimeConfiguration,
+                specifications: ValidateAndAssignSpecifications(),
+                externalDocumentReferenceListFile: this.ExternalDocumentListFile)).GetAwaiter().GetResult();
+#pragma warning restore VSTHRD002 // Avoid problematic synchronous waits
+
+            return result.IsSuccessful;
+        }
+        catch (Exception e)
+        {
+            Log.LogError($"SBOM generation failed: {e.Message}");
+            return false;
+        }
+    }
+
+    /// <summary>
+    /// Check for ManifestInfo and create an SbomSpecification accordingly.
+    /// </summary>
+    /// <returns>A list of the parsed manifest info. Null if the manifest info is null or empty.</returns>
+    private IList<SbomSpecification> ValidateAndAssignSpecifications()
+    {
+        if (!string.IsNullOrWhiteSpace(this.ManifestInfo))
+        {
+           return [SbomSpecification.Parse(this.ManifestInfo)];
+        }
+
+        return null;
+    }
+}