microsoft · baronfel · Sep 26, 2024 · Oct 1, 2024 · Feb 16, 2025 · Feb 16, 2025
@@ -27,6 +27,7 @@
   </PropertyGroup>
 
   <ItemGroup Label="Package References">
+    <PackageReference Include="Microsoft.Extensions.Options" />
     <PackageReference Include="Microsoft.VisualStudio.Threading.Analyzers" PrivateAssets="all"/>
     <PackageReference Include="MinVer" PrivateAssets="all"/>
     <PackageReference Include="StyleCop.Analyzers" PrivateAssets="all"/>

@@ -27,6 +27,8 @@
     <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" />
+    <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
+    <PackageVersion Include="Microsoft.Extensions.Primitives" Version="8.0.0" />
     <PackageVersion Include="Microsoft.IO.Redist" Version="6.1.0" />
     <PackageVersion Include="Microsoft.VisualStudio.Threading.Analyzers" Version="17.12.19" />
     <PackageVersion Include="MinVer" Version="6.0.0" />

@@ -4,36 +4,19 @@ steps:
     inputs:
       useGlobalJson: true
 
-  - task: DotNetCoreCLI@2
+  - pwsh: dotnet restore --configfile nuget.config
     displayName: 'Restore solution'
-    inputs:
-      command: restore
-      feedsToUse: config
-      nugetConfigPath: nuget.config
-      verbosityRestore: Normal
 
-  - task: DotNetCoreCLI@2
+  - pwsh: dotnet build --configuration $(BuildConfiguration) --no-restore
     displayName: Build
-    inputs:
-      arguments: '-c $(BuildConfiguration)'
 
-  - task: DotNetCoreCLI@2
+  - pwsh: dotnet test --no-build --configuration $(BuildConfiguration) -- --report-trx --results-directory $(Agent.TempDirectory) --coverage --coverage-output $(Agent.TempDirectory)/coverage.cobertura.xml --coverage-output-format cobertura
     displayName: Run unit tests (with coverage on Windows)
     condition: eq(variables['Agent.OS'], 'Windows_NT')
-    inputs:
-      command: 'test'
-      nobuild: true
-      configuration: '$(BuildConfiguration)'
-      arguments: '-- --report-trx --results-directory $(Agent.TempDirectory) --coverage --coverage-output $(Agent.TempDirectory)/coverage.cobertura.xml --coverage-output-format cobertura'
 
-  - task: DotNetCoreCLI@2
+  - pwsh: dotnet test --no-build --configuration $(BuildConfiguration) -- --report-trx --results-directory $(Agent.TempDirectory)
     displayName: Run unit tests (without coverage on non-Windows)
     condition: ne(variables['Agent.OS'], 'Windows_NT')
-    inputs:
-      command: 'test'
-      nobuild: true
-      configuration: '$(BuildConfiguration)'
-      arguments: '-- --report-trx --results-directory $(Agent.TempDirectory)'
 
   # While DotNetCoreCLI docs say that it publishes both TRX and coverage, it doesn't actually publish coverage.
   # https://github.com/microsoft/azure-pipelines-tasks/issues/18254

@@ -11,6 +11,8 @@
     <PackageReference Include="Microsoft.ComponentDetection.Contracts" />
     <PackageReference Include="Newtonsoft.Json" />
     <PackageReference Include="packageurl-dotnet" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Primitives" />
   </ItemGroup>
 
   <ItemGroup>

@@ -17,6 +17,7 @@
 using Microsoft.Sbom.Api.Utils;
 using Microsoft.Sbom.Common;
 using Microsoft.Sbom.Common.Config;
+using Microsoft.Sbom.Contracts;
 using Microsoft.Sbom.Extensions;
 using Constants = Microsoft.Sbom.Api.Utils.Constants;
 using ILogger = Serilog.ILogger;
@@ -34,6 +35,7 @@ public abstract class ComponentDetectionBaseWalker
     private readonly ISbomConfigProvider sbomConfigs;
     private readonly IFileSystemUtils fileSystemUtils;
     private readonly ILicenseInformationFetcher licenseInformationFetcher;
+    private readonly RuntimeConfiguration? runtimeConfiguration;
     private readonly IPackageDetailsFactory packageDetailsFactory;
 
     public ConcurrentDictionary<string, string> LicenseDictionary = new ConcurrentDictionary<string, string>();
@@ -48,7 +50,8 @@ public ComponentDetectionBaseWalker(
         ISbomConfigProvider sbomConfigs,
         IFileSystemUtils fileSystemUtils,
         IPackageDetailsFactory packageDetailsFactory,
-        ILicenseInformationFetcher licenseInformationFetcher)
+        ILicenseInformationFetcher licenseInformationFetcher,
+        RuntimeConfiguration? runtimeConfiguration)
     {
         this.log = log ?? throw new ArgumentNullException(nameof(log));
         this.componentDetector = componentDetector ?? throw new ArgumentNullException(nameof(componentDetector));
@@ -57,6 +60,7 @@ public ComponentDetectionBaseWalker(
         this.fileSystemUtils = fileSystemUtils ?? throw new ArgumentNullException(nameof(fileSystemUtils));
         this.packageDetailsFactory = packageDetailsFactory ?? throw new ArgumentNullException(nameof(packageDetailsFactory));
         this.licenseInformationFetcher = licenseInformationFetcher ?? throw new ArgumentNullException(nameof(licenseInformationFetcher));
+        this.runtimeConfiguration = runtimeConfiguration;
     }
 
     public (ChannelReader<ScannedComponent> output, ChannelReader<ComponentDetectorException> error) GetComponents(string buildComponentDirPath)
@@ -112,6 +116,10 @@ async Task Scan(string path)
             var cmdLineParams = configuration.ToComponentDetectorCommandLineParams(cliArgumentBuilder);
 
             var scanSettings = cliArgumentBuilder.BuildScanSettingsFromParsedArgs(cmdLineParams);
+            if (runtimeConfiguration != null)
+            {
+                scanSettings.NoSummary = runtimeConfiguration.NoComponentGovernanceSummary;
+            }
 
             var scanResult = await componentDetector.ScanAsync(scanSettings);
 

@@ -9,6 +9,7 @@
 using Microsoft.Sbom.Api.Utils;
 using Microsoft.Sbom.Common;
 using Microsoft.Sbom.Common.Config;
+using Microsoft.Sbom.Contracts;
 using Microsoft.Sbom.Extensions;
 using ILogger = Serilog.ILogger;
 
@@ -19,8 +20,8 @@ namespace Microsoft.Sbom.Api.Executors;
 /// </summary>
 public class PackagesWalker : ComponentDetectionBaseWalker
 {
-    public PackagesWalker(ILogger log, ComponentDetectorCachedExecutor componentDetector, IConfiguration configuration, ISbomConfigProvider sbomConfigs, IFileSystemUtils fileSystemUtils, IPackageDetailsFactory packageDetailsFactory, ILicenseInformationFetcher licenseInformationFetcher)
-        : base(log, componentDetector, configuration, sbomConfigs, fileSystemUtils, packageDetailsFactory, licenseInformationFetcher)
+    public PackagesWalker(ILogger log, ComponentDetectorCachedExecutor componentDetector, IConfiguration configuration, ISbomConfigProvider sbomConfigs, IFileSystemUtils fileSystemUtils, IPackageDetailsFactory packageDetailsFactory, ILicenseInformationFetcher licenseInformationFetcher, RuntimeConfiguration runtimeConfiguration = null)
+        : base(log, componentDetector, configuration, sbomConfigs, fileSystemUtils, packageDetailsFactory, licenseInformationFetcher, runtimeConfiguration)
     {
     }
 

@@ -9,6 +9,7 @@
 using Microsoft.Sbom.Api.Utils;
 using Microsoft.Sbom.Common;
 using Microsoft.Sbom.Common.Config;
+using Microsoft.Sbom.Contracts;
 using Microsoft.Sbom.Extensions;
 using ILogger = Serilog.ILogger;
 
@@ -19,8 +20,8 @@ namespace Microsoft.Sbom.Api.Executors;
 /// </summary>
 public class SbomComponentsWalker : ComponentDetectionBaseWalker
 {
-    public SbomComponentsWalker(ILogger log, ComponentDetectorCachedExecutor componentDetector, IConfiguration configuration, ISbomConfigProvider sbomConfigs, IFileSystemUtils fileSystemUtils, IPackageDetailsFactory packageDetailsFactory, ILicenseInformationFetcher licenseInformationFetcher)
-        : base(log, componentDetector, configuration, sbomConfigs, fileSystemUtils, packageDetailsFactory, licenseInformationFetcher)
+    public SbomComponentsWalker(ILogger log, ComponentDetectorCachedExecutor componentDetector, IConfiguration configuration, ISbomConfigProvider sbomConfigs, IFileSystemUtils fileSystemUtils, IPackageDetailsFactory packageDetailsFactory, ILicenseInformationFetcher licenseInformationFetcher, RuntimeConfiguration runtimeConfiguration = null)
+        : base(log, componentDetector, configuration, sbomConfigs, fileSystemUtils, packageDetailsFactory, licenseInformationFetcher, runtimeConfiguration)
     {
     }
 

@@ -23,17 +23,11 @@
         <PackageReference Include="Serilog.Extensions.Hosting" />
         <PackageReference Include="Serilog.Sinks.Console" />
         <PackageReference Include="Spectre.Console.Cli" />
-        <PackageReference Include="System.IO.FileSystem.AccessControl" />
         <PackageReference Include="System.Private.Uri" />
         <PackageReference Include="System.Threading.Channels" />
         <PackageReference Include="System.Threading.Tasks.Extensions" />
     </ItemGroup>
 
-    <ItemGroup>
-        <!-- Pinned assemblies for transitive dependencies -->
-        <PackageReference Include="System.Net.Http" />                     <!-- Used by ComponentDetection -->
-    </ItemGroup>
-
     <ItemGroup>
         <AssemblyAttribute Include="System.Runtime.CompilerServices.InternalsVisibleToAttribute">
             <_Parameter1>$(AssemblyName).Tests, PublicKey=$(StrongNameSigningPublicKey)</_Parameter1>

@@ -170,7 +170,7 @@ public virtual async Task<bool> RunAsync()
                     recorder.RecordTotalErrors(validErrors.ToList());
                 }
 
-               // Delete the generated _manifest folder if generation failed.
+                // Delete the generated _manifest folder if generation failed.
                 if (deleteSbomDir || validErrors.Any())
                 {
                     DeleteManifestFolder(sbomDir);
@@ -293,7 +293,7 @@ private void RemoveExistingManifestDirectory()
                         $"overwrite this folder.");
                 }
 
-                log.Warning(
+                log.Information(
                     $"Deleting pre-existing folder {rootManifestFolderPath} as {Constants.DeleteManifestDirBoolVariableName}" +
                     $" is 'true'.");
                 fileSystemUtils.DeleteDir(rootManifestFolderPath, true);

@@ -9,7 +9,6 @@
   <ItemGroup>
     <PackageReference Include="Serilog" />
     <PackageReference Include="Serilog.Sinks.Console" />
-    <PackageReference Include="System.IO.FileSystem.AccessControl" />
     <PackageReference Include="System.Private.Uri" />
   </ItemGroup>
 

@@ -50,6 +50,11 @@ public class RuntimeConfiguration
     /// </summary>
     public bool FollowSymlinks { get; set; } = true;
 
+    /// <summary>
+    /// Gets or sets a value indicating whether if set to true, we will not print a summary of the component governance to stdout.
+    /// </summary>
+    public bool NoComponentGovernanceSummary { get; set; } = false;
+
     /// <summary>
     /// Gets or sets a value of additional arguments for the component detector.
     /// <para>

@@ -46,6 +46,14 @@ namespace Microsoft.Sbom.Extensions.DependencyInjection;
 
 public static class ServiceCollectionExtensions
 {
+    /// <summary>
+    /// Initializes the services required to use the SBOM Tool using a default <see cref="InputConfiguration"/> and <see cref="LogEventLevel"/>.
+    /// </summary>
+    /// <param name="services">The services to which registrations are added.</param>
+    /// <param name="inputConfiguration">The default configuration to use, which will be registered as a singleton and will overwrite the currently-set <see cref="Configuration"/>.</param>
+    /// <param name="logLevel">The log verbosity level with which to use for the minimal logger used for internal services. These services require an <see cref="ILogger"/> but may themselves be used to <strong>initialize</strong> an <see cref="ILogger"/>, so need separate configuration.</param>
+    /// <remarks>The <see cref="InputConfiguration"/> is registered as a singleton in the container, and the <paramref name="logLevel"/> is used to create a default logger for internal utility classes, irrespective of any other <see cref="ILogger"/> registered in the container. This method does not register an instance of <see cref="ILogger"/>, however one is required for the system to function. Callers need to provide their own implementation.</remarks>
+    /// <returns></returns>
     public static IServiceCollection AddSbomConfiguration(this IServiceCollection services, InputConfiguration inputConfiguration, LogEventLevel logLevel = LogEventLevel.Information)
     {
         ArgumentNullException.ThrowIfNull(inputConfiguration);
@@ -59,16 +67,17 @@ public static IServiceCollection AddSbomConfiguration(this IServiceCollection se
         return services;
     }
 
+    /// <summary>
+    /// Initializes the services required to use the SBOM Tool using a default <see cref="LogEventLevel"/>.
+    /// </summary>
+    /// <param name="services">The services to which registrations are added.</param>
+    /// <param name="logLevel">The log verbosity level with which to use for the minimal logger used for internal services. These services require an <see cref="ILogger"/> but may themselves be used to <strong>initialize</strong> an <see cref="ILogger"/>, so need separate configuration.</param>
+    /// <remarks>This method does not register an instance of <see cref="ILogger"/>, however one is required for the system to function. Callers need to provide their own implementation.</remarks>
     public static IServiceCollection AddSbomTool(this IServiceCollection services, LogEventLevel logLevel = LogEventLevel.Information)
     {
         services
             .AddSingleton<IConfiguration, Configuration>()
-            .AddTransient(_ => FileSystemUtilsProvider.CreateInstance(CreateLogger(logLevel)))
-            .AddTransient(x =>
-            {
-                logLevel = x.GetService<InputConfiguration>()?.Verbosity?.Value ?? logLevel;
-                return Log.Logger = CreateLogger(logLevel);
-            })
+            .AddTransient(x => FileSystemUtilsProvider.CreateInstance(CreateLogger(logLevel)))
             .AddTransient<IWorkflow<SbomParserBasedValidationWorkflow>, SbomParserBasedValidationWorkflow>()
             .AddTransient<IWorkflow<SbomGenerationWorkflow>, SbomGenerationWorkflow>()
             .AddTransient<IWorkflow<SbomConsolidationWorkflow>, SbomConsolidationWorkflow>()
@@ -126,7 +135,8 @@ public static IServiceCollection AddSbomTool(this IServiceCollection services, L
             .AddSingleton<IFileTypeUtils, FileTypeUtils>()
             .AddSingleton<ISignValidationProvider, SignValidationProvider>()
             .AddSingleton<IManifestParserProvider, ManifestParserProvider>()
-            .AddSingleton(x => {
+            .AddSingleton(x =>
+            {
                 var comparer = x.GetRequiredService<IOSUtils>().GetFileSystemStringComparer();
                 return new FileHashesDictionary(new ConcurrentDictionary<string, FileHashes>(comparer));
             })
@@ -181,6 +191,11 @@ public static IServiceCollection AddSbomTool(this IServiceCollection services, L
         return services;
     }
 
+    /// <summary>
+    /// This method integrates Serilog into the <see cref="Microsoft.Extensions.Logging"/> infrastructure.
+    /// </summary>
+    /// <param name="services"></param>
+    /// <returns></returns>
     public static IServiceCollection ConfigureLoggingProviders(this IServiceCollection services)
     {
         var providers = new LoggerProviderCollection();
@@ -201,7 +216,13 @@ public static IServiceCollection ConfigureLoggingProviders(this IServiceCollecti
         return services;
     }
 
-    private static ILogger CreateLogger(LogEventLevel logLevel)
+    /// <summary>
+    /// Creates a logger with the specified <paramref name="logLevel"/> that writes to a file and optionally to stderr.
+    /// This logger converts all errors from ComponentDetection assemblies to warnings, and does not write tabular output to stdout/stderr, only the configured file.
+    /// </summary>
+    /// <param name="logLevel"></param>
+    /// <returns></returns>
+    public static ILogger CreateLogger(LogEventLevel logLevel = LogEventLevel.Information)
     {
         return new RemapComponentDetectionErrorsToWarningsLogger(
             new LoggerConfiguration()