CycloneDX.MSBuild
1.0.2
See the version list below for details.
dotnet add package CycloneDX.MSBuild --version 1.0.2
NuGet\Install-Package CycloneDX.MSBuild -Version 1.0.2
<PackageReference Include="CycloneDX.MSBuild" Version="1.0.2"> <PrivateAssets>all</PrivateAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> </PackageReference>
<PackageVersion Include="CycloneDX.MSBuild" Version="1.0.2" />
<PackageReference Include="CycloneDX.MSBuild"> <PrivateAssets>all</PrivateAssets> <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets> </PackageReference>
paket add CycloneDX.MSBuild --version 1.0.2
#r "nuget: CycloneDX.MSBuild, 1.0.2"
#:package CycloneDX.MSBuild@1.0.2
#addin nuget:?package=CycloneDX.MSBuild&version=1.0.2
#tool nuget:?package=CycloneDX.MSBuild&version=1.0.2
CycloneDX.MSBuild
MSBuild targets for automatic CycloneDX SBOM (Software Bill of Materials) generation during build and pack operations. Seamlessly integrates the CycloneDX .NET tool into your build pipeline.
๐ฏ Overview
CycloneDX.MSBuild is a NuGet package inspired by Microsoft.Sbom.Targets that automatically generates CycloneDX SBOMs for your .NET projects. Simply add the package reference, and SBOMs are generated automatically during dotnet build or dotnet pack.
Why CycloneDX.MSBuild?
- โ Zero Configuration: Works out of the box with sensible defaults
- โ Security by Design: Runs in build context, no elevated permissions required
- โ Multi-Target Support: Handles projects with multiple target frameworks
- โ Flexible: Highly configurable via MSBuild properties
- โ Standards Compliant: Generates CycloneDX 1.2-1.6 compatible SBOMs
- โ Development Dependency: Doesn't pollute your dependency tree
๐ Quick Start
Installation
Add the package to your project:
dotnet add package CycloneDX.MSBuild
Or add it manually to your .csproj:
<ItemGroup>
<PackageReference Include="CycloneDX.MSBuild" Version="1.0.0" PrivateAssets="all" />
</ItemGroup>
Build Your Project
dotnet build
That's it! Your SBOM will be generated at bin/Debug/net8.0/sbom.json (or your output directory).
๐ Features
Automatic SBOM Generation
SBOMs are generated automatically:
- During Build: After successful compilation
- During Pack: Included in NuGet packages under
/sbom/ - Multi-Targeting: Generates once per project, not per framework
Supported Output Formats
- JSON (default) - CycloneDX JSON format
- XML - CycloneDX XML format
CycloneDX Specification Versions
The tool automatically uses the latest CycloneDX specification version supported by the installed tool version (typically 1.6).
โ๏ธ Configuration
All configuration is done via MSBuild properties. Set them in your .csproj, Directory.Build.props, or command line.
Core Settings
Enable/Disable SBOM Generation
<PropertyGroup>
<GenerateCycloneDxSbom>false</GenerateCycloneDxSbom>
</PropertyGroup>
Error Handling
<PropertyGroup>
<CycloneDxContinueOnError>false</CycloneDxContinueOnError>
</PropertyGroup>
Output Configuration
Output Format
<PropertyGroup>
<CycloneDxOutputFormat>xml</CycloneDxOutputFormat>
</PropertyGroup>
Output Location
<PropertyGroup>
<CycloneDxOutputDirectory>$(MSBuildProjectDirectory)/sbom/</CycloneDxOutputDirectory>
<CycloneDxOutputFilename>software-bom</CycloneDxOutputFilename>
</PropertyGroup>
Advanced Options
Exclude Dependencies
<PropertyGroup>
<CycloneDxExcludeDev>true</CycloneDxExcludeDev>
<CycloneDxExcludeTestProjects>true</CycloneDxExcludeTestProjects>
</PropertyGroup>
Serial Number Control
<PropertyGroup>
<CycloneDxDisableSerialNumber>true</CycloneDxDisableSerialNumber>
</PropertyGroup>
Import Metadata Template
<PropertyGroup>
<CycloneDxImportMetadataPath>$(MSBuildProjectDirectory)/sbom-metadata.xml</CycloneDxImportMetadataPath>
</PropertyGroup>
The metadata template allows you to provide project-specific details that will be included in the generated SBOM. This is useful for adding custom component information, licenses, and descriptions to your SBOM.
Example sbom-metadata.xml:
Note: CycloneDX.MSBuild supports metadata templates using CycloneDX schema versions 1.2 through 1.6. You may use any supported version, but 1.6 is recommended for new projects.
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6">
<metadata>
<component type="application" bom-ref="pkg:nuget/YourProject@1.0.0">
<name>YourProject</name>
<version>1.0.0</version>
<description>
<![CDATA[Your project description]]>
</description>
<licenses>
<license>
<name>Apache License 2.0</name>
<id>Apache-2.0</id>
</license>
</licenses>
<purl>pkg:nuget/YourProject@1.0.0</purl>
</component>
</metadata>
</bom>
GitHub License Resolution
<PropertyGroup>
<CycloneDxEnableGitHubLicenses>true</CycloneDxEnableGitHubLicenses>
<CycloneDxGitHubUsername>your-username</CycloneDxGitHubUsername>
<CycloneDxGitHubToken>ghp_yourtoken</CycloneDxGitHubToken>
</PropertyGroup>
Tool Version
<PropertyGroup>
<CycloneDxToolVersion>5.5.0</CycloneDxToolVersion>
</PropertyGroup>
๐ฆ NuGet Package Integration
When you run dotnet pack, the generated SBOM is automatically included in the NuGet package under the /sbom/ directory.
dotnet pack
Consumers of your NuGet package can inspect the SBOM:
# Extract and view
unzip -q MyPackage.1.0.0.nupkg -d extracted
cat extracted/sbom/sbom.json
๐๏ธ Architecture
MSBuild Integration
CycloneDX.MSBuild uses MSBuild's extensibility hooks:
.propsfile - Defines configurable properties with defaults.targetsfile - Implements build targets for SBOM generationbuildMultiTargeting/- Special handling for multi-target projects
Target Execution Order
Build โ ValidateCycloneDxConfiguration โ EnsureCycloneDxToolInstalled โ GenerateCycloneDxSbom
Security by Design
- Sandboxed Execution: Runs in build context without elevated privileges
- Input Validation: All properties are validated before use
- Fail-Safe Defaults: Continues build on errors by default
- No Code Execution: Only executes vetted CycloneDX tool
- Dependency Pinning: Explicit tool version control
Clean Code Principles
- Separation of Concerns: Configuration (
.props) separated from logic (.targets) - Single Responsibility: Each target has one clear purpose
- DRY: Reusable property groups
- Consistent Naming:
CycloneDx*prefix for all properties - Comprehensive Documentation: XML comments for all properties
๐งช Testing
The repository includes integration tests for various scenarios:
tests/
โโโ SimpleProject/ # Basic single-target project
โโโ MultiTargetProject/ # Multi-targeting (.NET 6, 8, Standard 2.0)
โโโ DisabledProject/ # Project with SBOM generation disabled
๐ Versioning
This project uses automated semantic versioning with:
- MinVer: Automatic version calculation from Git tags
- semantic-release: Automated releases, changelogs, and NuGet publishing
All commits must follow Conventional Commits format.
๐ For detailed information, see VERSIONING.md
๐ CI/CD Pipeline
This project includes a comprehensive CI/CD pipeline with automated testing and publishing:
Continuous Integration (CI)
Runs on all pull requests and feature branches:
- โ Multi-platform testing (Ubuntu, Windows, macOS)
- โ Multi-version .NET testing (.NET 6.0 and 8.0)
- โ Code quality checks (formatting, package validation)
- โ Dependency security scanning (vulnerable and deprecated packages)
- โ Build artifact generation
Continuous Deployment (CD)
Runs on pushes to main, master, beta, or alpha branches:
- Build & Test - Full test suite execution
- Package Validation - NuGet package quality checks
- Semantic Release - Automatic version determination from commits
- NuGet Publishing - Automatic publishing to NuGet.org
- GitHub Release - Automated release notes and changelog
Setting up Automated Publishing
To enable automated NuGet publishing:
- Get a NuGet API key from NuGet.org
- Add it as a GitHub secret named
NUGET_API_KEY - The release workflow will automatically publish on version bumps
๐ For detailed CI/CD documentation, see .github/workflows/README.md
๐ง Development
Project Structure
CycloneDX.MSBuild/
โโโ src/
โ โโโ CycloneDX.MSBuild/
โ โโโ build/
โ โ โโโ CycloneDX.MSBuild.props # Configuration properties
โ โ โโโ CycloneDX.MSBuild.targets # Build integration
โ โโโ buildMultiTargeting/ # Multi-target support
โ โโโ CycloneDX.MSBuild.csproj # Package definition
โโโ tests/
โ โโโ Integration.Tests/
โโโ README.md
Building Locally
# Build the package
dotnet build src/CycloneDX.MSBuild/CycloneDX.MSBuild.csproj
# Pack the package
dotnet pack src/CycloneDX.MSBuild/CycloneDX.MSBuild.csproj
# Test with local projects
dotnet build tests/Integration.Tests/SimpleProject/SimpleProject.csproj
๐ Comparison with Microsoft.Sbom.Targets
| Feature | Microsoft.Sbom.Targets | CycloneDX.MSBuild |
|---|---|---|
| SBOM Format | SPDX 2.2 | CycloneDX 1.2-1.6 |
| Tool | Microsoft.Sbom.Tool (embedded) | CycloneDX .NET tool (local tool, installed on demand) |
| Build Support | โ | โ |
| Pack Support | โ | โ |
| Publish Support | โ | โณ Planned |
| Multi-Targeting | โ | โ |
| Development Dependency | โ | โ |
๐ค Contributing
Contributions are welcome! Please feel free to submit issues, feature requests, or pull requests.
Guidelines
- Follow existing code style and architecture
- Maintain security by design principles
- Add tests for new features
- Update documentation
๐ License
This project is licensed under the MIT License - see the LICENSE file for details.
๐ Related Projects
- CycloneDX .NET Tool - The underlying SBOM generation tool
- CycloneDX Specification - CycloneDX standard
- Microsoft.Sbom.Targets - Microsoft's SPDX SBOM tool
- OWASP Dependency-Track - SBOM analysis platform
๐ Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- CycloneDX Community: https://cyclonedx.org/
Made with โค๏ธ for Software Supply Chain Security
Learn more about Target Frameworks and .NET Standard.
-
.NETStandard 2.0
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Initial release:
- Automatic SBOM generation during build
- Support for dotnet build and dotnet pack
- Configurable output format (JSON/XML)
- Integration with CycloneDX .NET tool