From 748367cd28f47fc6bfbdb39d8e25aeacf65d8054 Mon Sep 17 00:00:00 2001
From: Jason Hills
Date: Mon, 7 Jul 2025 12:52:04 -0400
Subject: [PATCH 1/2] GODRIVER-3599: Add task script to generate CycloneDX SBOM

Added a `task` and `etc` bash script to generate a build lifecycle CycloneDX SBOM using a pinned version of the `cyclonedx-gomod` tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. The task will run only when go.mod is newer than sbom.cdx.json.

The file is saved as sbom.cdx.json (as opposed to the current sbom.json) which is the preferred file extension for CycloneDX files.

There is not yet any code to commit the new SBOM to the repo. This is to allow for evaluation of the new SBOM first without interfering with the current workflow to upload the static sbom.json file to Kondukto.

TODOs:
- Once the SBOM generation process has been approved, the GitHub Action in `mongodb-labs/drivers-github-tools` can be called with the updated SBOM file name.
- Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation `task generate-sbom`
---
 .evergreen/config.yml | 8 ++++++++
 Taskfile.yml | 13 +++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/.evergreen/config.yml b/.evergreen/config.yml
index 05832906d1..ab8d4414c9 100644
--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -647,6 +647,14 @@ tasks:
           binary: bash
           args: [*task-runner, check-fmt, check-license, check-modules, lint]
 
+  - name: generate-sbom
+    tags: ["ssdlc"]
+    commands:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args: [*task-runner, generate-sbom]
+
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:
diff --git a/Taskfile.yml b/Taskfile.yml
index 3473cb4981..ac4bd7c0ef 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
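Review bot: The new `generate-sbom` Evergreen task runs the generator but nothing in the hunk attaches or uploads `sbom.cdx.json`, so a CI run leaves no artifact to inspect even though evaluating the SBOM before committing it is the stated purpose. A follow-up step after the `subprocess.exec` command, e.g. `- command: attach.artifacts` with `files: [sbom.cdx.json]`, would make each run's output reviewable; whether any build variant actually schedules the `ssdlc` tag is outside this hunk. Because the generator is fetched by `go run …@version` when the task executes, the integrity checking it gets is decided by the runner's GOPROXY/GOSUMDB/GONOSUMDB environment rather than by anything here, so it is worth confirming the Evergreen hosts do not disable the checksum database for `github.com/CycloneDX`.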
@@ -85,6 +85,19 @@ tasks:
   update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 
+  generate-sbom:
+    desc: Generate a CycloneDX SBOM
+    summary: |
+      The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
+      The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
+      Task will run only when go.mod is newer than sbom.cdx.json.
+      TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
+    method: timestamp
+    sources: [go.mod]
+    generates: [sbom.cdx.json]
+    cmd: |
+      GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.9.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.cdx.json .
+
   ### Local testing tasks. ###
   test: go test ${BUILD_TAGS} -timeout {{.TEST_TIMEOUT}}s -p 1 ./...

From b30df0578246a536c64c766ca8ccb3f0788a21e1 Mon Sep 17 00:00:00 2001
From: Jason Hills
Date: Mon, 7 Jul 2025 12:58:18 -0400
Subject: [PATCH 2/2] Create etc/generate-sbom.sh

---
 etc/generate-sbom.sh | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 etc/generate-sbom.sh

diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh
new file mode 100644
index 0000000000..9b00941586
--- /dev/null
+++ b/etc/generate-sbom.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eux
+
+task generate-sbom
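Review bot: The `cmd` line pins the generator only by tag (`…/cyclonedx-gomod@v1.9.0`); `go run pkg@version` resolves that tool and its transitive modules through GOPROXY at execution time and does not consult this repository's go.sum, so no hash of the tool that produces the SBOM is ever committed and integrity rests entirely on the checksum database being enabled on the runner. Recording it as a module dependency instead (the go.mod `tool` directive if this module's Go version permits it, otherwise a small tools module with its own go.sum) would commit the tool's checksum next to the SBOM it generates. Separately, `method: timestamp` with `sources: [go.mod]` skips regeneration when go.sum or the pinned tool version changes, and on a fresh CI checkout mtimes reflect checkout time rather than edit time, so the comparison is not meaningful there; `method: checksum` with `sources: [go.mod, go.sum, Taskfile.yml]` would track the inputs that actually determine the output. The `summary` text's claim that GOWORK=off excludes test code is only partly what the flag does (it ignores go.work, so workspace-only modules such as examples drop out; test-only dependencies are excluded by `cyclonedx-gomod mod` defaulting to no `-test`), which is worth stating precisely since this text documents the SBOM's scope.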
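Review bot: Nothing in either patch invokes `etc/generate-sbom.sh`: the Evergreen task in the first patch calls `generate-sbom` through `*task-runner` directly, and this script additionally requires a `task` binary on `PATH`, which the alias presumably avoids. Either point the Evergreen task at the script (`args: [etc/generate-sbom.sh]` under `binary: bash`) so there is one entry point, or drop the script so the two invocation paths cannot drift. If it stays, note it is created as `100644` with no execute bit, which only matters if it is meant to be run directly rather than via `bash`; `set -eux` is fine here since no secrets are passed on the command line that `-x` would echo.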