[2023-03-28]: Dependency graph produces SBOMs (#35427)

Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Courtney Claessens <courtneycl@github.com>
mc 2023-03-28 19:51:09 +02:00 committed by GitHub
Parent 7ecafa279d
Commit 891fbaec49
No known key found for this signature
GPG key ID: 4AEE18F83AFDEB23
11 changed files: 60 additions and 3 deletions


@ -58,6 +58,8 @@ The dependency graph allows you to explore the ecosystems and packages that your
You can find the dependency graph on the **Insights** tab for your repository. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
{% ifversion dependency-graph-sbom-export %}{% data reusables.dependency-graph.sbom-export %}{% endif %}
{% ifversion security-overview-displayed-alerts %}
### Security overview


@ -94,6 +94,7 @@ includeGuides:
- /code-security/dependabot/dependabot-alerts/viewing-and-updating-dependabot-alerts
- /code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review
- /code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
- /code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository
- /code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
- /code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository
---


@ -45,7 +45,7 @@ You can secure the code you depend on by creating a vulnerability management pro
### Automatic inventory generation
As a first step, you want to make a complete inventory of your dependencies. The dependency graph for a repository shows you dependencies for supported ecosystems. If you check in your dependencies, or use other ecosystems, you will need to supplement this with data from 3rd party tools or by listing dependencies manually. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."
As a first step, you want to make a complete inventory of your dependencies. The dependency graph for a repository shows you dependencies for supported ecosystems. If you check in your dependencies, or use other ecosystems, you will need to supplement this with data from 3rd party tools or by listing dependencies manually.{% ifversion dependency-graph-sbom-export %} {% data reusables.dependency-graph.sbom-export %}{% else %} For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."{% endif %}
### Automatic detection of vulnerabilities in dependencies
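Review bot: the new `{% ifversion dependency-graph-sbom-export %}` branch replaces, rather than supplements, the pointer to the dependency-graph article, so readers on versions that have SBOM export lose the "For more information, see about-the-dependency-graph" link that only the `{% else %}` branch keeps, while the reusable they get instead links solely to the SBOM export article. Keep the dependency-graph link unconditional and add the reusable inside the conditional, e.g. `...listing dependencies manually. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph)."{% ifversion dependency-graph-sbom-export %} {% data reusables.dependency-graph.sbom-export %}{% endif %}`. While touching this line, "3rd party tools" should be "third-party tools".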


@ -59,7 +59,8 @@ To generate the dependency graph, {% data variables.product.company_short %} loo
- The dependency graph includes information on your _direct_ dependencies and _transitive_ dependencies.
- The dependency graph is automatically updated when you push a commit to {% data variables.product.company_short %} that changes or adds a supported manifest or lock file to the default branch, and when anyone pushes a change to the repository of one of your dependencies.
- You can see the dependency graph by opening the repository's main page on {% data variables.product.product_name %}, and navigating to the **Insights** tab.
- You can see the dependency graph by opening the repository's main page on {% data variables.product.product_name %}, and navigating to the **Insights** tab.{% ifversion dependency-graph-sbom-export %}
- {% data reusables.dependency-graph.sbom-export %}{% endif %}
{% ifversion dependency-submission-api %}
{% data reusables.dependency-submission.dependency-submission-link %}


@ -30,6 +30,8 @@ When you push a commit to {% data variables.product.product_name %} that changes
When you create a pull request containing changes to dependencies that targets the default branch, {% data variables.product.prodname_dotcom %} uses the dependency graph to add dependency reviews to the pull request. These indicate whether the dependencies contain vulnerabilities and, if so, the version of the dependency in which the vulnerability was fixed. For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)."
{% ifversion dependency-graph-sbom-export %}{% data reusables.dependency-graph.sbom-export %}{% endif %}
## Dependency graph availability
{% ifversion fpt or ghec %}


@ -0,0 +1,30 @@
---
title: Exporting a software bill of materials for your repository
intro: You can export a software bill of materials or SBOM for your repository from the dependency graph. SBOMs allow transparency into your open source usage and help expose supply chain vulnerabilities, reducing supply chain risks.
versions:
feature: dependency-graph-sbom-export
permissions: 'Anyone can export the dependency graph of a repository as a software bill of materials. The SBOM export will contain a list of the dependencies that are used in the repository.'
type: how_to
topics:
- Dependency graph
- Dependencies
- Repositories
shortTitle: Export dependencies as SBOM
---
## About the dependency graph and SBOM exports
{% data reusables.dependabot.about-the-dependency-graph %}
You can export the current state of the dependency graph for your repository as a Software Bill of Materials (SBOM) using the industry standard [SPDX](https://spdx.github.io/spdx-spec/v2.3/) format.
{% data reusables.dependency-graph.sbom-intro %}
If your company provides software to the US federal government per [Executive Order 14028](https://www.gsa.gov/technology/technology-products-services/it-security/executive-order-14028-improving-the-nations-cybersecurity), you will need to provide an SBOM for your product. You can also use SBOMs as part of your audit process and use them to comply with regulatory and legal requirements.
## Exporting a software bill of material for your repository from the UI
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.accessing-repository-graphs %}
1. In the left sidebar, click **Dependency graph**.
1. On the top right side of the **Dependencies** tab, click **Export SBOM** to generate an SBOM file for download from your browser.
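Review bot: the `permissions` front matter states "Anyone can export the dependency graph of a repository", which contradicts the reusable added in this same commit ("If you have at least read access to the repository, you can export...") and is not true for private repositories; suggest "Anyone with read access to the repository can export the dependency graph as a software bill of materials." Two smaller points: the section heading "Exporting a software bill of material for your repository from the UI" should say "bill of materials" to match the title, and since the page documents only the UI path, either drop "from the UI" or add a pointer to the {% data variables.product.prodname_actions %}-based alternative described in using-the-dependency-submission-api so the qualifier has something to contrast with.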


@ -14,6 +14,7 @@ children:
- /about-supply-chain-security
- /about-the-dependency-graph
- /configuring-the-dependency-graph
- /exporting-a-software-bill-of-materials-for-your-repository
- /using-the-dependency-submission-api
- /about-dependency-review
- /configuring-dependency-review


@ -93,7 +93,15 @@ Alternatively, you can write your own action to submit dependencies for your pro
## Generating and submitting a software bill of materials (SBOM)
You can use {% data variables.product.prodname_actions %} to generate a software bill of materials (SBOM), a formal, machine-readable inventory of your dependencies and associated information. The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)."
{% data reusables.dependency-graph.sbom-intro %}
{% ifversion dependency-graph-sbom-export %}
To generate an SBOM, you can use:
- the {% data variables.product.prodname_dotcom %} user interface. For more information about how to export an SBOM for a repository using information from the dependency graph, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)."
- {% data variables.product.prodname_actions %}. The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)."
{% else %}
You can use {% data variables.product.prodname_actions %} to generate an SBOM. The following actions will generate an SBOM for your repository and attach it as a workflow artifact which you can download and use in other applications. For more information about downloading workflow artifacts, see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)."
{% endif %}
Action | Details | <nobr>Maintained by {% data variables.product.prodname_dotcom %}</nobr>
--- | --- | ---
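Review bot: both branches of the new `{% ifversion dependency-graph-sbom-export %}` block repeat the same two sentences ("The following actions will generate an SBOM for your repository and attach it as a workflow artifact... see "[AUTOTITLE](/actions/managing-workflow-runs/downloading-workflow-artifacts)."), so any later wording change has to be made twice and the two copies will drift. Keep only what differs inside the conditional (the "To generate an SBOM, you can use:" lead-in and the UI bullet) and place the shared "The following actions will generate an SBOM..." sentence once after `{% endif %}`, immediately before the table.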


@ -0,0 +1,5 @@
# Reference: Issue #9146 - Dependency graph produces SBOMs - [GA]
versions:
fpt: '*'
ghec: '*'
ghes: '>3.8'


@ -0,0 +1 @@
If you have at least read access to the repository, you can export the dependency graph for the repository as an SPDX-compatible, Software Bill of Materials (SBOM). For more information, see "[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)."
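Review bot: stray comma and inconsistent capitalisation in "an SPDX-compatible, Software Bill of Materials (SBOM)"; the new article's title and intro use lowercase "software bill of materials", so this should read "an SPDX-compatible software bill of materials (SBOM)". Since this reusable is pulled into four pages by this commit, fixing it here fixes all of them.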


@ -0,0 +1,6 @@
An SBOM is a formal, machine-readable inventory of a project's dependencies and associated information (such as {%ifversion ghes %}versions and package identifiers{%else %}versions, package identifiers, and licenses{% endif %}). SBOMs help reduced supply chain risks by:
- providing transparency about the dependencies used by your repository
- allowing vulnerabilities to be identified early in the process
- providing insights in the license compliance, security, or quality issues that may exist in your codebase
- enabling you to better comply with various data protection standards
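Review bot: the first sentence correctly versions the GHES definition to leave out licenses ("versions and package identifiers" only), but the third bullet "providing insights in the license compliance, security, or quality issues" is unconditional, so GHES readers are told the SBOM gives license insight that the same paragraph says it does not contain; wrap the license mention in the same `{% ifversion ghes %}` switch. Also fix "help reduced supply chain risks" to "help reduce supply chain risks" and "insights in the license compliance" to "insights into the license compliance"; "early in the process" would be clearer as "early in the development process".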