From 509ecb10507cb5ccfbd7e0003f7c838dea07d85c Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 09:53:39 -0800 Subject: [PATCH] Enable SBOM generation for Windows Terminal (#11908) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Microsoft will be providing a Software Bill of Materials for our products. This onboards the Windows Terminal product to the common engineering system task that can scavenge for this information within our build project (already recorded for internal compliance reasons) and present it in a machine-readable interchange format. See also: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/ This does not yet include packaging and distributing the SBOM with our final packages. We are waiting for that tooling to come online for MSIX. Guidance is "Coming Soon™️." ## References - https://github.com/microsoft/dropvalidator/issues/216 - `cgmanifest.json` are not being pulled in yet, but I've been told internally this will fix it. I will double-check when I hear back on this issue. ## PR Checklist * [x] Closes #11810 * [x] I work here * [x] I ran it and I see the manifest generated. --- build/pipelines/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 5c2ac1c1e6..220c76da23 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -237,6 +237,10 @@ jobs: TargetFolder: $(Build.ArtifactStagingDirectory)/appx OverWrite: true flattenFolders: true + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generate SBOM manifest' + inputs: + BuildDropPath: '$(System.ArtifactsDirectory)/appx' - task: PublishBuildArtifacts@1 displayName: Publish Artifact (appx) inputs:
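Review bot: `BuildDropPath` in the added `Generate SBOM manifest` step is `'$(System.ArtifactsDirectory)/appx'`, but the copy step directly above stages its output in `$(Build.ArtifactStagingDirectory)/appx`. The SBOM should describe exactly the folder that the following `PublishBuildArtifacts@1` step ships, so please use the same variable in both places, or add a YAML comment stating that the two resolve to the same directory on this agent. As written, if the two variables point to different directories, the manifest would be generated over a different or empty folder and nothing in this job would flag it. The commit message also notes that `cgmanifest.json` is not being picked up yet; a short comment on the task linking that open issue would help the next reader know the generated manifest is expected to be incomplete for now.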