8 changes: 8 additions & 0 deletions .evergreen/config.yml
@@ -643,6 +643,14 @@ tasks:
binary: bash
args: [*task-runner, govulncheck]

- name: generate-sbom
tags: ["ssdlc", "static-analysis"]
commands:
- command: subprocess.exec
params:
binary: bash
args: [*task-runner, generate-sbom]

- name: pull-request-helpers
allowed_requesters: ["patch", "github_pr"]
commands:
7 changes: 7 additions & 0 deletions .pre-commit-config.yaml
@@ -71,3 +71,10 @@ repos:
language: system
types: [go]
entry: etc/check_license.sh

- id: sbom-currency
name: sbom-currency
language: system
types: [json]
Member
This hook won't run if a commit changes go.mod. Is that intentional?

Author
@jasonhills-mongodb Aug 18, 2025
Nope, thanks for the catch. Accidental undo before commit. Corrected to files: ^(go\.mod)$.

require_serial: true
entry: etc/generate-sbom.sh -c
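Review bot: `types: [json]` restricts the sbom-currency hook to JSON files, so a commit that touches only go.mod never triggers it, which defeats the check (the reviewer's question above is a correctness issue). If the fix is `files: ^(go\.mod)$`, also drop `types: [json]`: pre-commit requires a file to match both the `files` regex and every listed type, and go.mod is not identified as json, so keeping both means the hook never runs. Note also that with `language: system` the matched filenames are appended to `entry: etc/generate-sbom.sh -c`; the script ignores positional arguments today, which is fine but deserves a comment.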
13 changes: 12 additions & 1 deletion Taskfile.yml
@@ -11,7 +11,7 @@ tasks:

### Utility tasks. ###
default:
deps: [build, check-license, check-fmt, check-modules, lint, test-short]
deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom]

add-license: bash etc/check_license.sh -a
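Review bot: adding generate-sbom to the `default` deps line means a plain `task` invocation can now reach the network, since the task shells out to `go run github.com/CycloneDX/cyclonedx-gomod/...@v1.9.0` and will download the module when it is not cached, whereas the other default deps are local checks. If the goal is only to keep sbom.json current on commit, the pre-commit hook already covers that; otherwise document that `default` needs module download access.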

@@ -87,6 +87,17 @@ tasks:

govulncheck: bash etc/govulncheck.sh

generate-sbom:
desc: Generate a CycloneDX SBOM
summary: |
Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand
The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
Task will run only when go.mod is newer than sbom.cdx.json.
Member
Should this be sbom.json and not sbom.cdx.json?

Author
Yes, good catch. That is a typo leftover from when I was naming the file sbom.cdx.json. Will fix.

method: timestamp
sources: [go.mod]
generates: [sbom.json]
cmd: bash etc/generate-sbom.sh

update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES

### Local testing tasks. ###
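Review bot: `method: timestamp` with `sources: [go.mod]` and `generates: [sbom.json]` decides whether to run by comparing file mtimes, and on a fresh CI clone both files receive checkout-time mtimes, so whether the Evergreen task regenerates anything (or is skipped as a no-op) is an accident of checkout order. Prefer `method: checksum` (Task's default), which keys on the content of go.mod, so a dependency change is what triggers regeneration regardless of mtimes. The summary text still names sbom.cdx.json while `generates` lists sbom.json, as already noted above.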
32 changes: 32 additions & 0 deletions etc/generate-sbom.sh
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
set -e

CHECK_CURRENCY="false"

# Options are:
# -c : check currency of staged sbom.json versus go.mod.
while getopts "c" opt; do
case $opt in
c)
CHECK_CURRENCY="true"
;;
*)
echo "usage: $0 [-c]" >&2
echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2
exit 1
;;
esac
done
#shift $((OPTIND - 1))

if ! $CHECK_CURRENCY; then
Member
@prestonvasquez Aug 15, 2025
Should this script fail under certain conditions? For example, if it's being (1) called from the Evergreen CI and (2) calling results in a change to sbom.json? In such cases, I would expect the "Static Analysis" task to fail.

Running directly:

EXPECT_ERROR=1 bash etc/generate-sbom.sh # -> if sbom.json updates, exit 1

In the associated task:

  - name: generate-sbom
    tags: ["ssdlc", "static-analysis"]
    commands:
      - command: subprocess.exec
        params:
          binary: bash
          env:
            EXPECT_ERROR: 1
          args: [*task-runner, generate-sbom]

Author
Good point. The expected workflow is that upon changing the go.mod file the contributor will also commit an updated sbom.json, which is enforced with the pre-commit check. But, this is not guaranteed and if the go.mod is newer than sbom.json in Evergreen CI, that indicates that the repository files are out-of-sync and the Evergreen "static-analysis" task should fail. I will account for this and strengthen the check with a schema validation step.

# The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
# TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
Member
Does this need a followup GODRIVER ticket?

Author
I just went ahead and added the libmongocrypt component rather than leaving it as a TODO.

## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662.
## When resolved, bump version and replace with commented line below.
# GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json .
GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected] mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json
elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then
echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1
fi
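Review bot: `set -e` does not cover the generation pipeline: if `go run ... cyclonedx-gomod` fails, the pipeline's status is that of the last `jq`, which exits 0 on empty input, so the script succeeds while `> sbom.json` has already truncated the committed file to empty output. Add `set -o pipefail` (`set -euo pipefail`) and write to a temporary file that is moved over sbom.json only on success. Two smaller points in the same hunk: `if ! $CHECK_CURRENCY; then` works only because the variable holds the name of the `true`/`false` commands, and `[[ "$CHECK_CURRENCY" == true ]]` says what is meant; and the `-c` branch inspects only the staged index (`git diff --cached`), which fits the pre-commit hook but cannot detect a stale sbom.json in CI, the case raised in the thread above.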
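The fail-in-CI behaviour discussed in the review thread above, as an added example that is not code from the PR: a currency check that regenerates into a temporary file and, when EXPECT_ERROR=1, exits non-zero instead of rewriting the committed file. The function name, the generator argument and the use of the EXPECT_ERROR variable from the comment are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the PR's etc/generate-sbom.sh): regenerate a derived file
# such as sbom.json without ever truncating the committed copy, and fail in CI
# mode instead of silently updating it. EXPECT_ERROR is taken from the thread.
set -eu

# check_generated_current GENERATOR TARGET
#   GENERATOR: a command or shell function that writes the artifact to stdout
#   TARGET:    the committed file to compare against (e.g. sbom.json)
# Returns 0 when TARGET is current (or was updated in local mode),
#         1 when TARGET is stale and EXPECT_ERROR=1 (CI mode),
#         2 when GENERATOR itself fails (TARGET is left untouched).
check_generated_current() {
    local generator="$1" target="$2" tmp
    tmp="$(mktemp)"
    # Generate into a temp file first so a failing generator cannot
    # leave an empty or partial TARGET behind.
    if ! "$generator" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        return 0
    fi
    if [ "${EXPECT_ERROR:-0}" = "1" ]; then
        # CI mode: report the drift and keep the committed file as-is.
        echo "$target is out of date; regenerate and commit it" >&2
        rm -f "$tmp"
        return 1
    fi
    # Local mode: adopt the regenerated content atomically.
    mv "$tmp" "$target"
    return 0
}
```

Wire the real generator in by passing a function that runs the SBOM tool, and set EXPECT_ERROR=1 only in the CI task definition.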