- BuildMaster
- Getting Started with BuildMaster
- Builds and Continuous Integration
- What is a "Build" in BuildMaster?
- Git and Source Control
- Git Pipelines and Workflows
- Build Scripts & Templates
- Packages & Dependencies
- Build Artifacts
- Automated Testing & Verification
- Deployment & Continuous Delivery
- What is a “Pipeline” in BuildMaster?
- CI Server (Jenkins, TeamCity, etc.) Integration
- Deployment Scripts & Templates
- Automatic Checks & Approval Gates
- Manual Deployment Steps and Tasks
- Databases
- Configuration Files
- Rollbacks
- Advanced CD Patterns
- Applications & Releases
- Connecting to your Servers with BuildMaster
- Scripting in BuildMaster
- Configuring for Your Team
- Docker/Containers
- Development Platforms
- Deployment Targets
- Tools & Service Integrations
- Reference
- BuildMaster API Endpoints & Methods
- Extending BuildMaster
- Built-in Functions & Variables
- Applications
- Builds
- Configuration Files
- Containers
- Credentials
- Databases
- Deployables
- Environments
- Executions
- Files
- General
- JSON
- Linux
- Lists
- Maps
- Math
- Nuget
- Packages
- Pipelines
- PowerShell
- Python
- Releases
- Servers
- Strings
- XML
- Built-in Operations
- Batch
- BuildMaster
- Configuration Files
- Databases
- DotNet
- Files
- Firewall
- General
- Apply-Template
- Attach Package
- Build
- Checkout-Code
- Close-Issue
- Concatenate-Files
- Copy-Files
- Create-Directory
- Create-File
- Create-Issue
- Create-Issue
- Create-IssueComment
- Create-Package
- Create-ZipFile
- Delete-Files
- Download-Asset
- Download-Http
- Ensure-Directory
- Ensure-File
- Ensure-HostsEntry
- Ensure-Metadata
- Ensure-Milestone
- Ensure-Package
- Ensure-Release
- Ensure-Tag
- Exec
- Execute Python Script
- Execute VSTest Tests
- Get-Http
- Install-Package
- OSCall
- OSExec
- Post-Http
- Push-PackageFile
- PYCall
- PYEnsure
- Query-Package
- Remediate-Drift
- Rename-File
- Repackage
- Replace-Text
- Send-Email
- Set-FileAttributes
- Set-Variable
- SHEnsure
- Sleep
- Transfer-Files
- Transition-Issues
- Upload-Assets
- Upload-Http
- Upload-ReleaseAssets
- Git
- IIS
- Nuget
- PowerShell
- ProGet
- Python
- Registry
- Servers
- Services
- Shell
- Windows
- Administration
- Installation & Upgrading
- ProGet
- Getting Started with ProGet
- Packages: Managing & Tracking
- Feeds Types & Third-Party Packages
- What is a "Feed" in ProGet?
- What is a "Connector" in ProGet?
- NuGet (.NET)
- Universal Feeds & Packages
- PowerShell
- Chocolatey (Windows/Machine)
- RubyGems (ruby)
- Visual Studio Extension (.vsix)
- Maven (Java)
- npm (Node.js)
- Bower (JavaScript)
- Debian (Apt)
- Helm (Kubernetes)
- PyPI (Python)
- Conda (Python)
- RPM (Yum)
- Alpine (APK)
- CRAN (R)
- pub (Dart/Flutter)
- Cargo (Rust)
- Terraform Modules
- Conan (C++)
- Composer (PHP)
- Other Feed Types
- Asset Directories & File Storage
- Docker and Containers
- Replication & Feed Mirroring
- Software Composition Analysis (SCA)
- Security and Access Controls
- Cloud Storage (Amazon S3, Azure Blob)
- Administration
- Installation & Upgrading
- API Endpoints & Methods
- Otter
- Getting Started with Otter
- Orchestration & Server Automation
- Connecting to your Servers with Otter
- Collecting & Verifying Configuration
- Drift Remediation / Configuration as Code
- Scripting in Otter
- Configuring for Your Team
- Installation & Upgrading
- Administration & Maintenance
- Reference
- Otter API Reference
- OtterScript Reference
- Built-in Functions & Variables
- Executions
- Files
- General
- JSON
- Linux
- Lists
- Maps
- Math
- PowerShell
- Python
- Servers
- Strings
- XML
- Built-in Operations
- Batch
- Docker
- DotNet
- Files
- Firewall
- General
- Apply-Template
- Collect Debian Packages
- Collect RPM Packages
- Collect-InstalledPackages
- Concatenate-Files
- Copy-Files
- Create-Directory
- Create-File
- Create-Package
- Create-ZipFile
- Delete-Files
- Download-Asset
- Download-Http
- Ensure-Directory
- Ensure-File
- Ensure-HostsEntry
- Ensure-Metadata
- Ensure-Package
- Exec
- Execute Python Script
- Get-Http
- Install-Package
- OSCall
- OSExec
- Post-Http
- Push-PackageFile
- PYCall
- PYEnsure
- Query-Package
- Remediate-Drift
- Rename-File
- Repackage
- Replace-Text
- Send-Email
- Set-FileAttributes
- Set-Variable
- SHEnsure
- Sleep
- Transfer-Files
- Upload-Assets
- Upload-Http
- IIS
- Otter
- PowerShell
- ProGet
- Python
- Registry
- Servers
- Services
- Shell
- Windows
- Installation & Maintenance
- Windows (Inedo Hub)
- What is the Inedo Hub?
- Configuring & Maintaining Inedo Products
- Offline Installation (no Internet access)
- HOWTO: Install on Windows
- HOWTO: Upgrade or Downgrade with the Inedo Hub
- HOWTO: Install Pre-release Product Versions
- HOWTO: Configure Your Inedo Product to Run As a Windows Domain Account
- Silent/Automated Installation Guide
- Legacy (Traditional) Installer
- Linux (Docker)
- Manual Installation
- High Availability & Load Balancing
- LDAP/AD Integration
- IIS & Web Hosting on Windows
- Logging & Analytics
- SAML Authentication
- Upgrading your Inedo Product
- Managing Agents and Servers
- Backing Up & Restoring
- Installation Configuration Files
- SQL Server & Inedo Products
- Windows (Inedo Hub)
- Inedo Agent
- What is the Inedo Agent?
- Installation & Upgrading
- Downloads & Release Notes
- Maintenance & Configuration
- Internal Architecture
- MyInedo
- OtterScript (Execution Engine)
- Reference
- OtterScript
- Inedo Execution Engine
- Operations & Functions
- Text Templating
- Resource Pools
- Runtime Variables
- Advanced Scenarios & Features
- Statements and Blocks
- Romp (Discontinued)
- Using Romp
- Installing, Configuring, and Maintaining
- Romp CLI Reference
- Package Layout
- Downloads & Source Code
- Extensibility
- Inedo SDK
SBOM Importing & Exporting
ProGet's Software Composition Analysis (SCA) can leverage Software Bill of Materials (SBOM) documents that identify the open-source and third-party software components (i.e. packages) that your applications use.
This article will explain what an SBOM document is, and how importing and exporting these documents work in ProGet.
What is a "Software Bill of Materials" (SBOM)?
A "Software Bill of Materials" (SBOM) is a document that lists all of all the open-source and third-party components (i.e. library packages) that are used in a software application. This component list includes specific package versions and their license agreements, as well as any known vulnerabilities in the components.
ProGet uses the OWASP CycloneDX Specification for SBOM documents. This specification also followed by the US Federal Government, and meets several SBOM-related governance requirements, including Executive Order 14028 (also known as "SBOMs for National Security).
To learn more about the technical details of SBOM documents and different specifications, see the US government's SBOM Research List.
Importing SBOM Documents
You can import SBOM documents for a release from the web UI, or using the SCA API.
Behind the scenes, this is how pgscan
functions (i.e. it generates a document and the imports it). But you may wish to import SBOM documents if you're already using a tool like CycloneDX in your CI/CD pipeline.
When importing an SBOM document, ProGet will:
- Create a Project (based on
Metadata.Component.Version
name), if it doesn't already exist - Create a Release (based on
Metadata.Component.Version
), in the project if it doesn't already exist - Add Packages to the Release (based on
Components
) - Store the SBOM document on the Release
- Analyze the Release for Issues
Importing Third-Party SBOM Files
ProGet is designed to help you track your own applications, built with components (packages) that your store/cache in feeds. It was not designed to track third-party software that you do not build in-house.
For example, if you were to import an SBOM imported SBOM documents for applications provided to you by a vendor, you would likely end up with a lot of "Missing Package" issues. Those missing packages also wouldn't be scanned for vulnerabilities or license issues.
If you need to track SBOM documents for third-party applications that you do not build, consider a tool like Dependency-Track
Exporting SBOM Documents
You can export an SBOM document for a release from the web UI, or using the SCA API. This may be required by internal or external auditors, customers, or other users of your software.
When exporting an SBOM document, ProGet will merge metadata from the information stored in ProGet (such as the project name, release number, package licenses, etc.) as well as any additional component metadata found in the imported SBOM documents.
This merging functionality may be particularly useful if you're required to maintain metadata fields such as Author, Copyright, Pedigree, Publisher, ReleaseNotes, etc., that an automated tool like pgscan
cannot generate.