Automate SBOM generation using CycloneDX tools for Client Libraries


    • Type: Task
    • Resolution: Unresolved
    • Priority: Minor - P4
    • Affects Version/s: None
    • Component/s: None

      DRIVERS-3214:
      Summary of necessary driver changes

      • Automated generation of a CycloneDX SBOM that includes all required and optional runtime components.
    • Go Drivers
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Summary

      A recent evaluation (as of Jun 6, 2025) of SBOM coverage indicates that some client libraries (.NET, Node, Python, Go, PHP, Ruby, Rust, Java) have static SBOMs with no components defined. Our client libraries generally do not bundle third-party dependencies; instead, end users install any dependencies through the ecosystem's package manager.

      Motivation

      As we seek to improve the coverage of our third-party vulnerability management, we'd like to raise the bar for how SBOMs are generated, to increase transparency and enable proactive vulnerability analysis. As a result, R&D Security recommends that we revise the previously accepted approach of SBOMs including bundled dependencies only (approach #1, approved in 2024 under the scope "SSDLC Policy Conformance for Client Libs") and instead pursue approach #2 (full runtime dependencies).

      R&D Security seeks to be in alignment with the NTIA Minimum Elements for a Software Bill of Materials and the OWASP Software Component Verification Standard (SCVS). Both publications emphasize that all components used in the creation of software are to be documented in an SBOM, including ecosystem-based dependencies, as a best practice.

      Acceptance Criteria

      Automated generation of a CycloneDX SBOM that includes all required and optional runtime components.
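      As an added illustration (not code from this ticket or from any driver repository), the following Go program checks a CycloneDX JSON SBOM against the acceptance criterion above: it rejects the kind of static SBOM with no components that the evaluation found, counts required versus optional runtime components using the CycloneDX `scope` field, and requires a version and package URL on each component so a vulnerability scanner has something to match. The sample documents, component names and purls are constructed placeholders, and the field subset modelled is only what the check needs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Minimal subset of the CycloneDX JSON schema needed for this check.
type cdxBOM struct {
	BOMFormat   string         `json:"bomFormat"`
	SpecVersion string         `json:"specVersion"`
	Components  []cdxComponent `json:"components"`
}

type cdxComponent struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
	Scope   string `json:"scope"` // CycloneDX: "required", "optional" or "excluded"; absent means required
}

// Report summarises the runtime components found and any gaps a scanner would trip over.
type Report struct {
	Required int
	Optional int
	Problems []string
}

// CheckSBOM parses a CycloneDX JSON document and verifies that it lists
// runtime components, each with a version and a package URL. It returns a
// non-nil error when the SBOM would not support vulnerability matching.
func CheckSBOM(data []byte) (Report, error) {
	var b cdxBOM
	if err := json.Unmarshal(data, &b); err != nil {
		return Report{}, fmt.Errorf("parse: %w", err)
	}
	if b.BOMFormat != "CycloneDX" {
		return Report{}, fmt.Errorf("not a CycloneDX document (bomFormat=%q)", b.BOMFormat)
	}
	var r Report
	if len(b.Components) == 0 {
		// The gap the evaluation found: a static SBOM with no components at all.
		r.Problems = append(r.Problems, "SBOM declares no components")
		return r, errors.New("empty component list")
	}
	for _, c := range b.Components {
		switch c.Scope {
		case "", "required":
			r.Required++
		case "optional":
			r.Optional++
		case "excluded":
			continue // not shipped at runtime; nothing to match against
		default:
			r.Problems = append(r.Problems, fmt.Sprintf("%s: unknown scope %q", c.Name, c.Scope))
		}
		if c.Version == "" {
			r.Problems = append(r.Problems, fmt.Sprintf("%s: missing version", c.Name))
		}
		if c.PURL == "" {
			r.Problems = append(r.Problems, fmt.Sprintf("%s: missing purl", c.Name))
		}
	}
	if len(r.Problems) > 0 {
		return r, errors.New(strings.Join(r.Problems, "; "))
	}
	return r, nil
}

// Constructed sample documents (placeholder module names, not real driver SBOMs).
const PopulatedBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example.com/dep/a", "version": "v1.2.3",
     "purl": "pkg:golang/example.com/dep/a@v1.2.3", "scope": "required"},
    {"type": "library", "name": "example.com/dep/b", "version": "v0.9.0",
     "purl": "pkg:golang/example.com/dep/b@v0.9.0"},
    {"type": "library", "name": "example.com/dep/compress", "version": "v2.0.1",
     "purl": "pkg:golang/example.com/dep/compress@v2.0.1", "scope": "optional"}
  ]
}`

const EmptyBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}`

const MissingPurlBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [{"type": "library", "name": "example.com/dep/a", "version": "v1.2.3"}]}`

func main() {
	samples := map[string]string{"populated": PopulatedBOM, "empty": EmptyBOM, "missing-purl": MissingPurlBOM}
	for name, doc := range samples {
		r, err := CheckSBOM([]byte(doc))
		fmt.Printf("%-12s required=%d optional=%d err=%v\n", name, r.Required, r.Optional, err)
	}
}
```

      A check like this fits naturally as a CI gate after the SBOM is generated: the build fails if the document parses but carries no components, which is exactly the state the static SBOMs were in.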

              Assignee: Jason Hills
              Reporter: Jason Hills