Uploaded image for project: 'Java Driver'
  1. Java Driver
  2. JAVA-5430

Integrate with Silk and generate SBOM documents for releases

    • Type: Icon: Task Task
    • Resolution: Won't Do
    • Priority: Icon: Unknown Unknown
    • None
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Hide

      DRIVERS-2893:
      Drivers MUST generate Software Bill of Materials (SBOM) Lite documents for releases and provide those to Silk, which is a tool DevProd is using for vulnerability tracking. If a driver bundles no dependencies, the SBOM Lite will be empty. See SBOMs: SBOM Lites and Augmented SBOMs in the Centralized Vulnerability Management README for a description of SBOM formats.

      Drivers MUST maintain SBOM Lite documents in their git repositories.

      Drivers with bundled dependencies MUST integrate with a supported tool (e.g. Snyk) that can perform vulnerability scanning and feed results into Silk for SBOM generation. If Snyk is used, drivers SHOULD NOT rely on it to infer dependencies, as it is prone to false-positives and version inaccuracies.

      Drivers MUST publish Augmented SBOM documents (produced by Silk processing SBOM Lite documents) alongside releases.

      Note: For purposes of reporting and vulnerability tracking, third-party dependencies only refers to bundled dependencies that ship with a driver. It does not include any dependencies that may be installed by a package manager.

      Show
      DRIVERS-2893 : Drivers MUST generate Software Bill of Materials (SBOM) Lite documents for releases and provide those to Silk, which is a tool DevProd is using for vulnerability tracking. If a driver bundles no dependencies, the SBOM Lite will be empty. See SBOMs: SBOM Lites and Augmented SBOMs in the Centralized Vulnerability Management README for a description of SBOM formats. Drivers MUST maintain SBOM Lite documents in their git repositories. Drivers with bundled dependencies MUST integrate with a supported tool (e.g. Snyk) that can perform vulnerability scanning and feed results into Silk for SBOM generation. If Snyk is used, drivers SHOULD NOT rely on it to infer dependencies, as it is prone to false-positives and version inaccuracies. Drivers MUST publish Augmented SBOM documents (produced by Silk processing SBOM Lite documents) alongside releases. Note: For purposes of reporting and vulnerability tracking, third-party dependencies only refers to bundled dependencies that ship with a driver. It does not include any dependencies that may be installed by a package manager.
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      This ticket was split from DRIVERS-2893, please see that ticket for a detailed description.

            Assignee:
            valentin.kovalenko@mongodb.com Valentin Kavalenka
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: