Merge branch 'main' into dependabot/nuget/AutoMapper-13.0.1

.editorconfig

@@ -496,14 +496,31 @@ dotnet_diagnostic.CA1863.severity = none
 # https://github.com/DotNetAnalyzers/StyleCopAnalyzers
 ##########################################
 
+# SA1005: Single line comments should begin with single space
+dotnet_diagnostic.SA1005.severity = none
+
+# SA1515: Single-line comment should be preceded by blank line
+dotnet_diagnostic.SA1515.severity = none
+
+# SA1512: Single-line comments should not be followed by blank line
+dotnet_diagnostic.SA1512.severity = none
+
+# https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1116.md
+# SA1116: The parameters should begin on the line after the declaration, whenever the parameter span across multiple lines 
+dotnet_diagnostic.SA1116.severity = suggestion
+
+# https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1010.md
+# SA1010: Opening square brackets should not be preceded by a space
+dotnet_diagnostic.SA1010.severity = suggestion
+
+# https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1024.md
+# SA1024: Colon should be followed by a space
+dotnet_diagnostic.SA1024.severity = suggestion
+
 # https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1101.md
 # SA1101: Prefix local calls with this
 dotnet_diagnostic.SA1101.severity = suggestion
 
-# https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1124.md
-# SA1124: Do not use regions
-dotnet_diagnostic.SA1124.severity = suggestion
-
 # https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA1200.md
 # SA1200: Using directive should appear within a namespace declaration
 dotnet_diagnostic.SA1200.severity = suggestion
@@ -1098,4 +1115,4 @@ dotnet_diagnostic.VSTHRD111.severity = suggestion
 
 # https://github.com/microsoft/vs-threading/blob/main/doc/analyzers/VSTHRD200.md
 # VSTHRD200: Use Async suffix for async methods
-dotnet_diagnostic.VSTHRD200.severity = suggestion
+dotnet_diagnostic.VSTHRD200.severity = suggestion

.github/workflows/build.yml

@@ -28,17 +28,21 @@ jobs:
         MINVERBUILDMETADATA: build.${{github.run_number}}
 
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
+        with:
+          dotnet-version: |
+            6.0.x
+            8.0.x
 
       - name: Run tests
         run: dotnet test --collect:"XPlat Code Coverage"
 
       - name: Upload code coverage
-        uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044  # v4.0.1
+        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673  # v4.5.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -23,15 +23,15 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
       with:
         languages: csharp
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/autobuild@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+      uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12

.github/workflows/gen-docs.yml

@@ -16,10 +16,10 @@ jobs:
   gen-docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
 
       - name: Generate docs
         run: |

Directory.Packages.props

@@ -7,7 +7,7 @@
         </PackageVersion>
     </ItemDefinitionGroup>
     <PropertyGroup>
-        <ComponentDetectionPackageVersion>4.2.2</ComponentDetectionPackageVersion>
+        <ComponentDetectionPackageVersion>4.8.9</ComponentDetectionPackageVersion>
     </PropertyGroup>
     <ItemGroup>
         <PackageVersion Include="AutoMapper" Version="13.0.1" />
@@ -32,8 +32,8 @@
         <PackageVersion Include="Mono.Posix.NETStandard" Version="1.0.0" Condition="'$(TargetFramework)' == 'net6.0'"/>
         <PackageVersion Include="Moq" Version="4.17.2" />
         <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
-        <PackageVersion Include="NuGet.Configuration" Version="6.9.1" />
-        <PackageVersion Include="NuGet.Frameworks" Version="6.9.1" />
+        <PackageVersion Include="NuGet.Configuration" Version="6.10.1" />
+        <PackageVersion Include="NuGet.Frameworks" Version="6.10.1" />
         <PackageVersion Include="packageurl-dotnet" Version="1.1.0" />
         <PackageVersion Include="PowerArgs" Version="3.6.0" />
         <PackageVersion Include="Scrutor" Version="4.2.0" />
@@ -50,7 +50,7 @@
         <PackageVersion Include="System.Private.Uri" Version="4.3.2" />
         <PackageVersion Include="System.Reactive" Version="5.0.0" />
         <PackageVersion Include="System.Runtime.Loader" Version="4.3.0" />
-        <PackageVersion Include="System.Text.Json" Version="7.0.3" />
+        <PackageVersion Include="System.Text.Json" Version="8.0.4" />
         <PackageVersion Include="System.Threading.Channels" Version="6.0.0" />
         <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="4.11.1" />
         <PackageVersion Include="System.Threading.Tasks.Extensions" Version="4.5.4" />

Microsoft.Sbom.sln

@@ -47,6 +47,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.DotNetTool",
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.DependencyInjection", "src\Microsoft.Sbom.Extensions.DependencyInjection\Microsoft.Sbom.Extensions.DependencyInjection.csproj", "{2EB7C6CC-5E40-4DAF-AF8B-D69736B601D9}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Extensions.DependencyInjection.Tests", "test\Microsoft.Sbom.Extensions.DependencyInjection.Tests\Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj", "{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Sbom.Tool.Tests", "test\Microsoft.Sbom.Tool.Tests\Microsoft.Sbom.Tool.Tests.csproj", "{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -101,6 +105,14 @@ Global
 		{2EB7C6CC-5E40-4DAF-AF8B-D69736B601D9}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{2EB7C6CC-5E40-4DAF-AF8B-D69736B601D9}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{2EB7C6CC-5E40-4DAF-AF8B-D69736B601D9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EE4E2E03-7B4C-46E5-B9D2-89E84A18D787}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FC5A9799-7C44-4BFA-BA22-55DCAF1A1B9F}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

README.md

@@ -35,9 +35,6 @@ winget install Microsoft.SbomTool
 
 ##### Homebrew
 
-> [!NOTE]
-> This Formulae requires the `x86_64` architecture, ARM is not supported at this time. For details see [#223](https://github.com/microsoft/sbom-tool/issues/223).
-
 ```bash
 brew install sbom-tool
 ```
@@ -113,11 +110,25 @@ sbom-tool validate -b <drop path> -o <output path> -mi SPDX:2.2
 This sample command provides the minimum mandatory arguments required to validate an SBOM:
      `-b` should be the path same path used to generate the SBOM file.
      In this scenario, the tool will default to searching for an SBOM at the `<drop path>\_manifest\spdx_2.2\manifest.spdx.json` path. 
-     `-o` is the output path where the tool should write the results to.
+     `-o` is the output path, including file name, where the tool should write the results to.
      `-mi` is the ManifestInfo, which provides the user's desired name and version of the manifest format.
 
 Currently only SPDX2.2 is supported.
 
+### SBOM Redact
+
+Use the tool to redact any references to files from a given SBOM or set of SBOMs with either of the following commands:
+
+```
+sbom-tool redact -sd <directory containing SBOMs to redact> -o <output path>
+```
+
+```
+sbom-tool redact -sp <path to the SBOM to redact> -o <output path>
+```
+
+This command will generate a mirrored set of SBOMs in the output directory, but with the file references removed. Note that the SBOM directory and output path arguments can not reference the same directory and the output path should point to an existing, empty directory.
+
 ## Integrating SBOM tool to your CI/CD pipelines.
 
 You can follow these guides to integrate the SBOM tool into your CI/CD pipelines 

docs/sbom-tool-arguments.md

@@ -81,5 +81,19 @@ Actions
     FollowSymlinks (-F)                       If set to false, we will not follow symlinks while traversing the build drop folder. Default is set to 'true'.
     ManifestInfo (-mi)                        A list of the name and version of the manifest format that we are using.
 
+  Redact -options - Redact file information from given SBOM(s).
+
+    Option            Description
+    SbomPath (-sp)    The file path of the SBOM to redact.
+    SbomDir (-sd)     The directory containing the sbom(s) to redact.
+    OutputPath (-o)   Gets or sets the directory where the redacted SBOM file(s) will be generated.
+    Verbosity (-V)    Display this amount of detail in the logging output.
+                      Verbose
+                      Debug
+                      Information
+                      Warning
+                      Error
+                      Fatal
+
   Version  - Displays the version of the tool being used. Can be used as '--version'
 ```

docs/setting-up-github-actions.md

@@ -82,8 +82,6 @@ Since the sbom tool will place the final SBOM file in the build drop folder (`bu
 
 This line of code produces a SBOM file with the same information as the GitHub Action.
 
-## The information being conveyed in this sentence needs clarification.  What is the reader  learn from "With the above our SBOM has the same retention as the build artifacts for the GitHub Action."
-
 ## Further reading
 
 If the organization or team stores the SBOM in a centrally-controlled repository, use the `-manifestDirPath` parameter to specify the intended folder location for the SBOM output file.