ScanManifest_(timestamp).json file collision

Open AArnott opened this issue 2 years ago • 1 comments

The Microsoft.ManifestTool tool generates a temporary file in a shared directory, with apparently nothing but a timestamp to make it unique. But when msbuild builds a multi-targeting project, both projects may invoke the tool concurrently, and the timestamp can actually collide:

image

This breaks the build. Please add more entropy to the filename, or allow a command line switch to specify a directory that is safely isolated from concurrent builds, and I'll happily provide that location.

AArnott, Feb 06 '24 03:02

@AArnott The name and path of that file are determined by the Component Detection library, and can be changed by passing "--ManifestFile <new file path>" to AdditionalComponentDetectorArgs (the -cd flag if running on command-line).

pownkel, Feb 15 '24 19:02
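
The workaround from the reply, as an added example that is not part of the thread or the sbom-tool project: each build invocation creates its own directory with `mktemp -d` and passes a path inside it via `--ManifestFile`, so concurrent builds cannot pick the same file. The function names, the `sbom-scan.` prefix and the second-resolution timestamp format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-invocation ManifestFile paths for concurrent builds.

# Naming scheme the issue describes: timestamp only, in a shared directory.
# (Exact timestamp format is an assumption; second resolution is used here.)
timestamp_manifest_path() {
    shared_dir=$1
    printf '%s/ScanManifest_%s.json\n' "$shared_dir" "$(date +%Y%m%d%H%M%S)"
}

# Isolated alternative: mktemp -d atomically creates a new directory with a
# random suffix and owner-only permissions, so two concurrent callers can
# never be handed the same location.
isolated_manifest_path() {
    base_dir=${1:-${TMPDIR:-/tmp}}
    dir=$(mktemp -d "$base_dir/sbom-scan.XXXXXXXX") || return 1
    printf '%s/ScanManifest.json\n' "$dir"
}

# Value for AdditionalComponentDetectorArgs (-cd), as described in the reply.
cd_args_for() {
    printf '%s %s\n' '--ManifestFile' "$1"
}

# Start N callers at once and report how many distinct paths they produced.
count_distinct() {
    generator=$1; n=$2; base=$3
    out=$(mktemp) || return 1
    i=0
    while [ "$i" -lt "$n" ]; do
        "$generator" "$base" >> "$out" &   # each caller runs concurrently
        i=$((i + 1))
    done
    wait
    sort -u "$out" | wc -l | tr -d ' '
    rm -f "$out"
}

# Usage in a build step (other sbom-tool arguments elided):
#   manifest=$(isolated_manifest_path) || exit 1
#   sbom-tool generate ... -cd "$(cd_args_for "$manifest")"
#   rm -rf "$(dirname "$manifest")"
```

Running `count_distinct` with both generators shows the difference: the timestamp scheme yields fewer distinct paths than callers, while the `mktemp -d` scheme yields one per caller.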