Skip to content

GODRIVER-3599 Add task and script to generate CycloneDX SBOM #2154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

GODRIVER-3599 Add task and script to generate CycloneDX SBOM #2154

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a0af51a
GODRIVER-3599 Add task script to generate CycloneDX SBOM
jasonhills-mongodb Aug 4, 2025
4e52215
Update .evergreen/config.yml
jasonhills-mongodb Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .evergreen/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -643,6 +643,14 @@ tasks:
binary: bash
args: [*task-runner, govulncheck]

- name: generate-sbom
tags: ["ssdlc", "static-analysis"]
commands:
- command: subprocess.exec
params:
binary: bash
args: [*task-runner, generate-sbom]

- name: pull-request-helpers
allowed_requesters: ["patch", "github_pr"]
commands:
Expand Down
7 changes: 7 additions & 0 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,3 +71,10 @@ repos:
language: system
types: [go]
entry: etc/check_license.sh

- id: sbom-currency
name: sbom-currency
language: system
types: [json]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This hook won't run if a commit changes go.mod. Is that intentional?

Copy link
Author

@jasonhills-mongodb jasonhills-mongodb Aug 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, thanks for the catch. Accidental undo before commit. Corrected to files: ^(go\.mod)$.

require_serial: true
entry: etc/generate-sbom.sh -c
13 changes: 12 additions & 1 deletion Taskfile.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ tasks:

### Utility tasks. ###
default:
deps: [build, check-license, check-fmt, check-modules, lint, test-short]
deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom]

add-license: bash etc/check_license.sh -a

Expand Down Expand Up @@ -87,6 +87,17 @@ tasks:

govulncheck: bash etc/govulncheck.sh

generate-sbom:
desc: Generate a CycloneDX SBOM
summary: |
Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand
The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
Task will run only when go.mod is newer than sbom.cdx.json.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be sbom.json and not sbom.cdx.json?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, good catch. That is a typo leftover from when I was naming the file sbom.cdx.json. Will fix.

method: timestamp
sources: [go.mod]
generates: [sbom.json]
cmd: bash etc/generate-sbom.sh

update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES

### Local testing tasks. ###
Expand Down
32 changes: 32 additions & 0 deletions etc/generate-sbom.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
#!/usr/bin/env bash
set -e

CHECK_CURRENCY="false"

# Options are:
# -c : check currency of staged sbom.json versus go.mod.
while getopts "c" opt; do
case $opt in
c)
CHECK_CURRENCY="true"
;;
*)
echo "usage: $0 [-c]" >&2
echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2
exit 1
;;
esac
done
#shift $((OPTIND - 1))

if ! $CHECK_CURRENCY; then
Copy link
Member

@prestonvasquez prestonvasquez Aug 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this script fail under certain conditions? For example, if it's being (1) called from the Evergreen CI and (2) calling results in a change to sbom.json? In such cases, I would expect the "Static Analysis" task to fail.

Running directly:

EXPECT_ERROR=1 bash etc/generate-sbon.sh # -> if sbom.json updates, exit 1

In the associated task:

  - name: generate-sbom
    tags: ["ssdlc", "static-analysis"]
    commands:
      - command: subprocess.exec
        params:
          binary: bash
          env:
            EXPECT_ERROR: 1
          args: [*task-runner, generate-sbom]

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. The expected workflow is that upon changing the go.mod file the contributor will also commit an updated sbom.json, which is enforced with the pre-commit check. But, this is not guaranteed and if the go.mod is newer than sbom.json in Evergreen CI, that indicates that the repository files are out-of-sync and the Evergreen "static-analysis" task should fail. I will account for this and strengthen the check with a schema validation step.

# The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
# TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need a followup GODRIVER ticket?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just went ahead and added the libmongocrypt component rather then leaving it as a TODO.


## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662.
## When resolved, bump version and replace with commented line below.
# GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json .
GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected] mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json
elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then
echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1
fi
Loading