Tamp.Sbom
1.13.0
Prefix Reserved
dotnet add package Tamp.Sbom --version 1.13.0
NuGet\Install-Package Tamp.Sbom -Version 1.13.0
<PackageReference Include="Tamp.Sbom" Version="1.13.0" />
<PackageVersion Include="Tamp.Sbom" Version="1.13.0" />
<PackageReference Include="Tamp.Sbom" />
paket add Tamp.Sbom --version 1.13.0
#r "nuget: Tamp.Sbom, 1.13.0"
#:package Tamp.Sbom@1.13.0
#addin nuget:?package=Tamp.Sbom&version=1.13.0
#tool nuget:?package=Tamp.Sbom&version=1.13.0
Tamp's CycloneDX SBOM contract package: typed records (CycloneDxBom, Component, Vulnerability with inline VEX, Dependency, ...) plus load/write helpers and the ISbomSource/ISbomSink interfaces. Producers (Tamp.CycloneDx, Tamp.Syft) emit CycloneDxBom; sinks (Tamp.DependencyTrack) consume it. Chosen over SPDX for inline VEX support.
| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 is compatible. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net10.0
  - Microsoft.Extensions.FileSystemGlobbing (>= 9.0.0)
  - Tamp.Core (>= 1.13.0)
- net8.0
  - Microsoft.Extensions.FileSystemGlobbing (>= 9.0.0)
  - Tamp.Core (>= 1.13.0)
- net9.0
  - Microsoft.Extensions.FileSystemGlobbing (>= 9.0.0)
  - Tamp.Core (>= 1.13.0)
NuGet packages (3)
Showing the top 3 NuGet packages that depend on Tamp.Sbom:
| Package | Downloads |
|---|---|
| Tamp.Security.Pipeline: Tamp meta-package — one PackageReference, one base-class inheritance, get the whole Wave 1+2 security chain: CycloneDX SBOM → SAST (OpenGrep + Roslyn) → SCA (osv-scanner + Dependency-Track) → Trivy secrets+misconfig → DefectDojo reimport. Adopters override `SecurityProductName` + `SecuritySolutionPath` and run `tamp Security`. DT and DD legs are env-var-gated; producer half runs unconditionally. .NET-focused for v0 — non-.NET adopters override Sbom to use Tamp.Syft instead. | |
| Tamp.DependencyTrack.V1: Tamp REST client for OWASP Dependency-Track v4.x (API v1). Upload CycloneDX BOMs, poll the asynchronous analysis to completion, export findings in raw FPF JSON for downstream passthrough to DefectDojo. Uses Tamp.Sbom for typed BOM input and Tamp.Core's Polling.Until for the analysis-complete wait. | |
| Tamp.Ingest.V1: Typed C# client + DTOs for the tamp-ingest-v1 egress contract — the canonical wire shape any Tamp.Security.Pipeline-driven build pushes to a compliant dashboard / defect tracker / evidence vault. First server-side consumer: tamp.findings. Wraps the seven ingest endpoints (SBOM / provenance / findings / coverage / test results / scan runs / vulnerabilities) as Async methods on TampIngestClient (derived from Tamp.Http.TampApiClient). Hierarchy tuple (Client → Project → Component → ComponentVersion + Flavor / Branch / PullRequestRef) modelled as the IngestBuildContext record. | |
GitHub repositories
This package is not used by any popular GitHub repositories.