SBOM for Unity-project created without any components #824
Comments
Originally, the CycloneDX dotnet tool only supports NuGet packages. Direct dependencies to .dlls are not yet supported. I have this planned for the 'near' future. Related to: #79
Thank you for the quick response. Then I'm hopeful we'll be able to create SBOMs for our apps within the not-too-distant future. Our own SBOM requirements will need more than just the DLL name and version, but we have solutions in place to merge the missing info into the SBOM once it is generated. I've subscribed to #79 and will close this issue.
Hello, any updates on this issue? We currently face the same problem, and #79 seems to be dormant too.
Still in the backlog behind more urgent matters. Sorry. If it helps, I am working on a tool that one could use to easily add a predefined component to a created SBOM; I assume all those references don't change often and, as mentioned, the information that could be read automatically is rather limited anyway.
I'm not sure that's true in our case. This Unity-generated project contains hundreds of references, if I'm not mistaken, and versions would probably change with every update of Unity.
Thanks for the quick reply. In our case some of the DLLs do change quite often, others not so much. So we will also take the path of merging the missing information into the SBOM after initial creation.
I'm trying to create an SBOM for an application written in Unity and I'm not getting anywhere. I'm neither an expert on Unity, nor the .NET project structure, so I'd like to apologize in advance if this issue is not on your end.
Basically, an SBOM gets created, but apart from the highest-level components making up the Unity project, it doesn't list any dependencies; notably, none of Unity's own modules are listed, even though the app obviously depends on them. When I build the app from within Unity, I see tons of Unity DLLs being copied into the artifact.
Here is what I understand of how Unity and .NET interact: a `.sln` and several `.csproj` files, in the sdk-style. I've tried both project styles, but neither lets cyclonedx-dotnet create a complete SBOM.
Here's my guess at what's happening, but as I said, I don't know much about how .NET projects are structured: I saw that all references to Unity-provided modules are listed as `<Reference>` elements, not for instance `<PackageReference>`, which is used for depending on NuGet packages. These `<Reference>`s basically only point the compiler to the location of the DLL to link against, but they are not taken into account by cyclonedx-dotnet when computing the components included in the product. Do you see any way to generate a complete SBOM from these project files, or is the way Unity generates the files simply not suited for SBOM generation, and therefore we'll have to push for a Unity-aware CycloneDX generator?
The following are some samples of the project files created and what cyclonedx-dotnet makes of them.
Experiments done with:
Project style
A modified example of one of the .csproj files ("PathCreator.csproj"):
Here's the output of dotnet-cyclonedx.exe:
From my research I gathered that `project.assets.json` might be generated elsewhere and that I can specify that location using the `-biop` parameter. Unfortunately, there is no `project.assets.json` anywhere in the project folder.
sdk-style
This time, at least a `project.assets.json` gets generated inside `Temp\obj\PathCreator`:
```json
{
  "version": 3,
  "targets": {
    ".NETStandard,Version=v2.1": {}
  },
  "libraries": {},
  "projectFileDependencyGroups": {
    ".NETStandard,Version=v2.1": []
  },
  "packageFolders": {
    "C:\\Users\\morit\\.nuget\\packages\\": {},
    "C:\\Program Files (x86)\\Microsoft Visual Studio\\Shared\\NuGetPackages": {}
  },
  "project": {
    "version": "1.0.0",
    "restore": {
      "projectUniqueName": "C:\\Users\\morit\\Downloads\\vr00-getting-started\\PathCreator.csproj",
      "projectName": "PathCreator",
      "projectPath": "C:\\Users\\morit\\Downloads\\vr00-getting-started\\PathCreator.csproj",
      "packagesPath": "C:\\Users\\morit\\.nuget\\packages\\",
      "outputPath": "C:\\Users\\morit\\Downloads\\vr00-getting-started\\Temp\\obj\\\\PathCreator\\",
      "projectStyle": "PackageReference",
      "fallbackFolders": [
        "C:\\Program Files (x86)\\Microsoft Visual Studio\\Shared\\NuGetPackages"
      ],
      "configFilePaths": [
        "C:\\Users\\morit\\AppData\\Roaming\\NuGet\\NuGet.Config",
        "C:\\Program Files (x86)\\NuGet\\Config\\Microsoft.VisualStudio.FallbackLocation.config",
        "C:\\Program Files (x86)\\NuGet\\Config\\Microsoft.VisualStudio.Offline.config"
      ],
      "originalTargetFrameworks": [
        "netstandard2.1"
      ],
      "sources": {
        "C:\\Program Files (x86)\\Microsoft SDKs\\NuGetPackages\\": {},
        "C:\\Program Files\\dotnet\\library-packs": {},
        "https://api.nuget.org/v3/index.json": {}
      },
      "frameworks": {
        "netstandard2.1": {
          "targetAlias": "netstandard2.1",
          "projectReferences": {}
        }
      },
      "warningProperties": {
        "warnAsError": [
          "NU1605"
        ]
      }
    },
    "frameworks": {
      "netstandard2.1": {
        "targetAlias": "netstandard2.1",
        "imports": [
          "net461",
          "net462",
          "net47",
          "net471",
          "net472",
          "net48",
          "net481"
        ],
        "assetTargetFallback": true,
        "warn": true,
        "runtimeIdentifierGraphPath": "C:\\Program Files\\dotnet\\sdk\\8.0.100\\RuntimeIdentifierGraph.json"
      }
    }
  }
}
```
The generator now runs without errors:
The resulting SBOM still has zero components, though.
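As an added example (not code from this issue, its commenters, or cyclonedx-dotnet), here is one way to do the post-generation merge the thread describes: read the `<Reference>` elements that cyclonedx-dotnet ignores out of a .csproj and append them as CycloneDX components to the otherwise empty SBOM. The sample project and SBOM are constructed stand-ins, and the `x:hintPath` property name is my own convention, not a CycloneDX taxonomy entry.

```python
import json
import xml.etree.ElementTree as ET
# Constructed sample in the shape Unity emits, not the issue's real PathCreator.csproj.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="UnityEngine.CoreModule">
      <HintPath>C:/Unity/Editor/Data/Managed/UnityEngine/UnityEngine.CoreModule.dll</HintPath>
    </Reference>
    <Reference Include="Newtonsoft.Json, Version=13.0.0.0, Culture=neutral">
      <HintPath>Library/PackageCache/Newtonsoft.Json.dll</HintPath>
    </Reference>
    <PackageReference Include="Some.Package" Version="1.2.3" />
  </ItemGroup>
</Project>"""

# Constructed stand-in for the empty bom.json that cyclonedx-dotnet produced in the issue.
EMPTY_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}

def _local(tag):  # strip the MSBuild namespace so legacy and sdk-style projects parse alike
    return tag.rsplit("}", 1)[-1]

def parse_references(csproj_xml):
    """Return CycloneDX component dicts for every <Reference> (PackageReference is skipped)."""
    components = []
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "Reference":
            continue
        # Include is either a bare assembly name or "Name, Version=..., Culture=..., ..."
        parts = [p.strip() for p in el.get("Include", "").split(",")]
        comp = {"type": "library", "name": parts[0], "bom-ref": "ref:" + parts[0]}
        for p in parts[1:]:
            if p.startswith("Version="):
                comp["version"] = p[len("Version="):]
        hint = next((c.text for c in el if _local(c.tag) == "HintPath"), None)
        if hint:
            # Keep where the DLL came from; the property name is our own convention.
            comp["properties"] = [{"name": "x:hintPath", "value": hint.strip()}]
        components.append(comp)
    return components

def merge_into_bom(bom, components):
    """Append components not already present (matched on name+version); returns a new dict."""
    merged = json.loads(json.dumps(bom))
    seen = {(c["name"], c.get("version")) for c in merged.setdefault("components", [])}
    for c in components:
        if (c["name"], c.get("version")) not in seen:
            merged["components"].append(c)
            seen.add((c["name"], c.get("version")))
    return merged
```

References without a `Version=` in their `Include` come out with no version at all, which is the gap the commenters say they fill from other sources after generation.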