mongo-go-driver - PR #2154: GODRIVER-3599 Add task and script to generate CycloneDX SBOM

XMLWordPrintableJSON

    • Type: Task
    • Resolution: Duplicate
    • Priority: Unknown
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
    • None
    • None
    • None
    • None
    • None
    • None

      jasonhills-mongodb has created PR #2154: GODRIVER-3599 Add task and script to generate CycloneDX SBOM in mongo-go-driver

      Issue Text:
      GODRIVER-3599

        1. Summary
          Added a task, etc/script, and pre-commit hook for generating a CycloneDX SBOM using a pinned version of the `cyclonedx-gomod` tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages (i.e., only components used at runtime).

      The task (`generate-sbom`) is added to the default tasks and will run only when `go.mod` is newer than `sbom.json`.

      The pre-commit hook (`sbom-currency`) ensures that if `go.mod` is staged for commit, that an updated `sbom.json` is also staged.

      Future TODO: Add `libmongocrypt` as an optional component once the `libmongocrypt` SBOM is updated with newer automation

        1. Background & Motivation
          The GODRIVER SBOM (`sbom.json`) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses.

            Assignee:
            Unassigned
            Reporter:
            TPM Jira Automations Bot
            None
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: