Generate sbom for arcade

[epananth]

To double check:

• The right tests are in and and the right validation has happened. Guidance: https://github.com/dotnet/core-eng/tree/master/Documentation/Validation

Generate sbom for arcade and repos using arcade

1. Repos using job.yml will not have to make any change on their end. They will just need an arcade update to generate sbom
2. Repos who do not use job.yml will have to import steps/template/generate-sbom.yml in their pipeline yml

[epananth]

Arcade test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1588768&view=logs&s=6884a131-87da-5381-61f3-d7acc3b91d76

[epananth]

Removed flag enableSbom as we need this in all repos

Sdk test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1588939&view=logs&j=fa59fe4e-195c-56fa-189b-58fd241f10dd

[epananth]

arcade test-> https://dev.azure.com/dnceng/internal/_build/results?buildId=1590521&view=results

sdk test-> https://dev.azure.com/dnceng/internal/_build/results?buildId=1590720&view=results

[riarenas]

Could you test this in a repo that has multiple build legs? Both arcade and SDK only have a windows leg.

[epananth]

arcade test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1604133&view=results

[epananth]

aspnetcore test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1604274&view=results

[riarenas]

Some comments.

Your aspnetcore test failed to generate all linux sboms due to execute permissions for the prep script. Does it still have the execute flag set in git?

EDIT: Also, I'd like us to keep trying to use a common variables template so that we don't have to copy the same defaults in 3 different templates, but if it's proving difficult it's fine as a followup PR.

[riarenas]

Wondering why you're using two conditions instead of adding the sbom parameter check to this one?

[epananth]

we do the same for microbuild, where we have enableMicrobuild in job.yml, so I used the same format... I will move it other condition

[riarenas]

Suggested change

	PackageVersion : $ {{ parameters.packageVersion}}
	PackageVersion : ${{ parameters.packageVersion}}

[epananth]

Updated this

[riarenas]

[nit] trailing space it looks like?

[riarenas]

Suggested change

	#Sbom related params
	# Sbom related params

Here and everywhere

[epananth]

added a space inbetween the comment and #

[riarenas]

Make sure to not check in this testing change.

[epananth]

removed this unwanted code

[riarenas]

The default is missing for the version.

[riarenas]

And for the BuildDropPath.

[epananth]

Added above params in generete-sbom.yml

[riarenas]

These scripts are still being called as if they were inline. You can take a look at how checked in scripts should be used with the tasks in a bunch of our other templates, such as:

arcade/eng/common/templates/job/publish-build-assets.yml

Lines 58 to 62 in c2af37f

	- task: PowerShell@2
	displayName: Enable cross-org NuGet feed authentication
	inputs:
	filePath: $(Build.SourcesDirectory)/eng/common/enable-cross-org-publishing.ps1
	arguments: -token $(dn-bot-all-orgs-artifact-feeds-rw)

[epananth]

Updated to use the task instead of inline script

[epananth]

aspnetcore test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1604274&view=results

Some comments.

Your aspnetcore test failed to generate all linux sboms due to execute permissions for the prep script. Does it still have the execute flag set in git?

EDIT: Also, I'd like us to keep trying to use a common variables template so that we don't have to copy the same defaults in 3 different templates, but if it's proving difficult it's fine as a followup PR.

I added the link, it was late at night and didn't stick around for the entire test. I did add the execute script before I ran it last night. That did not work, so I will have to add chmod back in the script.

I agree I need more time to test that template, I don't want to rush it.

[riarenas]

That did not work, so I will have to add chmod back in the script.

You mentioned you had a test where it had worked?

[riarenas]

I wonder if the Linux failure is related to my other comment of calling the task incorrectly?

[epananth]

I did a test in arcade, unfortunately that does not have a linux leg. So it not work.

[riarenas]

I just checked out this branch: https://dev.azure.com/dnceng/internal/_git/dotnet-aspnetcore?version=GBsbom

 git ls-files -s eng/common/generate-sbom-prep.sh
100644 d7d132c8d8fd8dfc081c9ea144baf11a621ac0c7 0       eng/common/generate-sbom-prep.sh

So the file is not marked as executable. Make sure to run the command I shared before and commit the file again.

[epananth]

Arcade test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1605919&view=logs&j=fa59fe4e-195c-56fa-189b-58fd241f10dd&t=fa59fe4e-195c-56fa-189b-58fd241f10dd

Aspnet core test -> https://dev.azure.com/dnceng/internal/_build/results?buildId=1605974&view=logs&j=4a1f0fe1-d87a-57fd-c29d-71ea15e38f30&t=dd5521f1-f2eb-55e5-cb58-87c5968347ac

[riarenas]

Assuming all tests work I think all I have remaining are nits.
Let's create a followup issue to make the templates source their default values from a common location though.

[riarenas]

Don't you need to pass -ManifestDirPath first so the script knows which parameter it is? or does this work because there's a single argument to the script?

[epananth]

this happened :(

I def want that approval pls !!!!

[ghost]

Hello @epananth!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

[mmitche]

WOOHOO!

[ericstj]

Nice! Trying this out in machinelearning now dotnet/machinelearning#6076.