microsoft · JoseRenan · Aug 21, 2025 · Jul 29, 2025 · Jul 29, 2025 · Aug 5, 2025
@@ -46,6 +46,10 @@ protected BaseManifestConfigHandler(
 
     protected string BsiFilePath => fileSystemUtils.JoinPaths(SbomDirPath, Constants.BsiFileName);
 
+    protected string BsiCoseFilePath => fileSystemUtils.JoinPaths(SbomDirPath, Constants.BsiCoseFileName);
+
+    protected string ManifestCoseFilePath => fileSystemUtils.JoinPaths(SbomDirPath, Constants.ManifestCoseFileName);
+
     protected IMetadataBuilder MetadataBuilder => metadataBuilderFactory.Get(ManifestInfo);
 
     protected ISbomConfig CreateSbomConfig()
@@ -57,6 +61,8 @@ protected ISbomConfig CreateSbomConfig()
             ManifestJsonFilePath = SbomFilePath,
             CatalogFilePath = CatalogFilePath,
             BsiFilePath = BsiFilePath,
+            BsiCoseFilePath = BsiCoseFilePath,
+            ManifestCoseFilePath = ManifestCoseFilePath,
             ManifestJsonFileSha256FilePath = ManifestJsonSha256FilePath,
             MetadataBuilder = MetadataBuilder,
             Recorder = new SbomPackageDetailsRecorder()

@@ -50,6 +50,16 @@ public SbomConfig(IFileSystemUtils fileSystemUtils)
     /// </summary>
     public string BsiFilePath { get; set; }
 
+    /// <summary>
+    /// Gets or sets the absolute path of the build session information COSE file.
+    /// </summary>
+    public string BsiCoseFilePath { get; set; }
+
+    /// <summary>
+    /// Gets or sets the absolute path of the manifest COSE file.
+    /// </summary>
+    public string ManifestCoseFilePath { get; set; }
+
     /// <summary>
     /// Gets or sets derived manifestInfo or from configurations.
     /// </summary>

@@ -26,6 +26,8 @@ public ISbomConfig Get(
         string manifestFileSha256HashPath,
         string catalogFilePath,
         string bsiFilePath,
+        string bsiCoseFilePath,
+        string manifestCoseFilePath,
         ISbomPackageDetailsRecorder recorder,
         IMetadataBuilder metadataBuilder)
     {
@@ -35,6 +37,8 @@ public ISbomConfig Get(
             ManifestJsonDirPath = manifestDirPath,
             ManifestJsonFilePath = manifestFilePath,
             BsiFilePath = bsiFilePath,
+            BsiCoseFilePath = bsiCoseFilePath,
+            ManifestCoseFilePath = manifestCoseFilePath,
             CatalogFilePath = catalogFilePath,
             ManifestJsonFileSha256FilePath = manifestFileSha256HashPath,
             MetadataBuilder = metadataBuilder,
@@ -52,6 +56,8 @@ public ISbomConfig Get(
         var shaFilePath = $"{sbomFilePath}.sha256";
         var catFilePath = fileSystemUtils.JoinPaths(sbomDirPath, Constants.CatalogFileName);
         var bsiFilePath = fileSystemUtils.JoinPaths(sbomDirPath, Constants.BsiFileName);
+        var bsiCoseFilePath = fileSystemUtils.JoinPaths(sbomDirPath, Constants.BsiCoseFileName);
+        var manifestCoseFilePath = fileSystemUtils.JoinPaths(sbomDirPath, Constants.ManifestCoseFileName);
         if (!fileSystemUtils.FileExists(shaFilePath) && !fileSystemUtils.FileExists(catFilePath) && !fileSystemUtils.FileExists(bsiFilePath))
         {
             // This is likely a CloudBuild SBOM, adjust paths accordingly
@@ -66,6 +72,8 @@ public ISbomConfig Get(
             shaFilePath,
             catFilePath,
             bsiFilePath,
+            bsiCoseFilePath,
+            manifestCoseFilePath,
             new SbomPackageDetailsRecorder(),
             metadataBuilderFactory.Get(manifestInfo));
     }

@@ -70,6 +70,8 @@ public static class Constants
     public const string DefaultRootElement = "SPDXRef-Document";
     public const string CatalogFileName = "manifest.cat";
     public const string BsiFileName = "bsi.json";
+    public const string BsiCoseFileName = "bsi.cose";
+    public const string ManifestCoseFileName = "manifest.spdx.cose";
     public const string DeleteManifestDirBoolVariableName = "DeleteManifestDirIfPresent";
     public const string RootPackageIdValue = "SPDXRef-RootPackage";
 

@@ -21,6 +21,8 @@ public ISbomConfig Get(
         string manifestFileSha256HashPath,
         string catalogFilePath,
         string bsiFilePath,
+        string bsiCoseFilePath,
+        string manifestCoseFilePath,
         ISbomPackageDetailsRecorder recorder,
         IMetadataBuilder metadataBuilder);
 

@@ -37,6 +37,16 @@ public interface ISbomConfig : IDisposable, IAsyncDisposable
     /// </summary>
     public string BsiFilePath { get; set; }
 
+    /// <summary>
+    /// Gets or sets the absolute path of the build session information COSE file.
+    /// </summary>
+    public string BsiCoseFilePath { get; set; }
+
+    /// <summary>
+    /// Gets or sets the absolute path of the manifest COSE file.
+    /// </summary>
+    public string ManifestCoseFilePath { get; set; }
+
     /// <summary>
     /// Gets or sets derived manifestInfo or from configurations.
     /// </summary>

@@ -24,6 +24,8 @@ public class SbomConfigFactoryTests
     private string cbCatFilePathStub = "cloud-build-cat-file-path";
     private string bsiFilePathStub = "bsi-file-path";
     private string cbBsiFilePathStub = "cloud-build-bsi-file-path";
+    private string bsiCoseFilePathStub = "bsi-cose-file-path";
+    private string manifestCoseFilePathStub = "manifest-cose-file-path";
     private ManifestInfo manifestInfoStub = Api.Utils.Constants.SPDX30ManifestInfo;
     private string manifestInfoStringStub = "spdx_3.0";
     private string manifestFileNameStub = "manifest.spdx.json";
@@ -85,6 +87,12 @@ public void Get_ReturnsCorrectConfig_AdoStyleSbom()
         fileSystemUtilsMock
             .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.BsiFileName))
             .Returns(bsiFilePathStub);
+        fileSystemUtilsMock
+            .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.BsiCoseFileName))
+            .Returns(bsiCoseFilePathStub);
+        fileSystemUtilsMock
+            .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.ManifestCoseFileName))
+            .Returns(manifestCoseFilePathStub);
         fileSystemUtilsMock
             .Setup(m => m.FileExists($"{sbomFilePathStub}.sha256"))
             .Returns(true);
@@ -114,6 +122,12 @@ public void Get_ReturnsCorrectConfig_CloudBuildStyleSbom()
         fileSystemUtilsMock
             .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.BsiFileName))
             .Returns(bsiFilePathStub);
+        fileSystemUtilsMock
+            .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.BsiCoseFileName))
+            .Returns(bsiCoseFilePathStub);
+        fileSystemUtilsMock
+            .Setup(m => m.JoinPaths(spdxDirPathStub, Api.Utils.Constants.ManifestCoseFileName))
+            .Returns(manifestCoseFilePathStub);
         fileSystemUtilsMock
             .Setup(m => m.FileExists($"{sbomFilePathStub}.sha256"))
             .Returns(false);

@@ -220,6 +220,8 @@ private class PinnedISbomConfig : ISbomConfig
         public string ManifestJsonFileSha256FilePath { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public string CatalogFilePath { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public string BsiFilePath { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
+        public string BsiCoseFilePath { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
+        public string ManifestCoseFilePath { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public ManifestInfo ManifestInfo { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }
         public IMetadataBuilder MetadataBuilder { get => throw new NotImplementedException(); set => throw new NotImplementedException(); }