DRIVERS-2893

Integrate with Silk and generate SBOM documents for releases

    • Type: Task
    • Resolution: Unresolved
    • Priority: Unknown
    • Component/s: Security
    • Labels: None
    • Needed - No Spec Changes

      Summary of necessary driver changes

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      Context for other referenced/linked tickets
      Key            Status/Resolution   FixVersion
      CDRIVER-5535   Scheduled
      CXX-3008       In Code Review
      CSHARP-5048    Scheduled
      GODRIVER-3187  Backlog
      JAVA-5430      Backlog
      NODE-6113      Backlog
      MOTOR-1302     Backlog
      PYTHON-4383    Backlog
      PHPLIB-1434    Investigating
      RUBY-3449      Backlog
      RUST-1919      Fixed               3.0.0
      PHPC-2384      Blocked
      PHPORM-185     Blocked

      Drivers MUST generate Software Bill of Materials (SBOM) Lite documents for releases and provide them to Silk, the tool DevProd uses for vulnerability tracking. If a driver bundles no dependencies, its SBOM Lite will be empty. See "SBOMs: SBOM Lites and Augmented SBOMs" in the Centralized Vulnerability Management README for a description of the SBOM formats.

      Drivers MUST maintain SBOM Lite documents in their git repositories.

      Drivers with bundled dependencies MUST integrate with a supported tool (e.g. Snyk) that can perform vulnerability scanning and feed results into Silk for SBOM generation. If Snyk is used, drivers SHOULD NOT rely on it to infer dependencies, as it is prone to false positives and version inaccuracies.

      Drivers MUST publish Augmented SBOM documents (produced by Silk processing SBOM Lite documents) alongside releases.

      Note: For purposes of reporting and vulnerability tracking, "third-party dependencies" refers only to bundled dependencies that ship with a driver. It does not include any dependencies that may be installed by a package manager.

            Assignee: Unassigned
            Reporter: jmikola@mongodb.com (Jeremy Mikola)