-
Type:
Task
-
Resolution: Duplicate
-
Priority:
Unknown
-
None
-
Affects Version/s: None
-
Component/s: None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
jasonhills-mongodb has created PR #2154: GODRIVER-3599 Add task and script to generate CycloneDX SBOM in mongo-go-driver
Issue Text:
GODRIVER-3599
-
- Summary
Added a task, etc/script, and pre-commit hook for generating a CycloneDX SBOM using a pinned version of the `cyclonedx-gomod` tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages (i.e., only components used at runtime).
- Summary
The task (`generate-sbom`) is added to the default tasks and will run only when `go.mod` is newer than `sbom.json`.
The pre-commit hook (`sbom-currency`) ensures that if `go.mod` is staged for commit, that an updated `sbom.json` is also staged.
Future TODO: Add `libmongocrypt` as an optional component once the `libmongocrypt` SBOM is updated with newer automation
-
- Background & Motivation
The GODRIVER SBOM (`sbom.json`) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses.
- Background & Motivation
- duplicates
-
GODRIVER-3599 Automate SBOM generation using CycloneDX tools for Client Libraries
-
- In Code Review
-