GODRIVER-3599: Add task script to generate CycloneDX SBOM #2119

Open

wants to merge 2 commits into base: master

Conversation

jasonhills-mongodb
Added a `task` and `etc` bash script to generate a build lifecycle
CycloneDX SBOM using a pinned version of the `cyclonedx-gomod` tool. The
SBOM includes the aggregate of modules required by packages in the
mongo-go-driver library, excluding examples, tests and test packages.

The task will run only when go.mod is newer than sbom.cdx.json.

The file is saved as sbom.cdx.json (as opposed to the current sbom.json)
which is the preferred file extension for CycloneDX files. There is not
yet any code to commit the new SBOM to the repo. This is to allow for
evaluation of the new SBOM first without interfering with the current
workflow to upload the static sbom.json file to Kondukto.

TODOs:

  • Once the SBOM generation process has been approved, the GitHub Action
    in mongodb-labs/drivers-github-tools can be called with the updated
    SBOM file name.
  • Add libmongocrypt as an optional component via a merge once the
    libmongocrypt SBOM is updated with newer automation

task generate-sbom
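The gate the description sets out (a pinned `cyclonedx-gomod` run that happens only when go.mod is newer than sbom.cdx.json), as an added POSIX shell example that is not the PR's own `etc` script. The tool version, the script name `generate-sbom.sh`, and the `mod -json -output` invocation are assumptions, and it does not reproduce the PR's exclusion of examples and test packages.

```shell
#!/usr/bin/env sh
# Added example, not the PR's etc/ script: regenerate the CycloneDX SBOM with a
# pinned cyclonedx-gomod only when go.mod is newer than the existing sbom.cdx.json.
set -eu

# Placeholder pin; replace with the vetted release the project standardises on.
CYCLONEDX_GOMOD_VERSION="${CYCLONEDX_GOMOD_VERSION:-vX.Y.Z}"
GOMOD="${GOMOD:-go.mod}"
SBOM="${SBOM:-sbom.cdx.json}"

# Exit 0 (stale) when the SBOM is missing or go.mod has a newer mtime than it.
# Caveat: git checkout does not preserve mtimes, so on a fresh clone both files
# carry the checkout time and this comparison cannot detect a stale SBOM; CI
# should regenerate unconditionally rather than rely on this gate.
sbom_is_stale() {
    gomod="$1"
    sbom="$2"
    [ -e "$sbom" ] || return 0
    [ "$gomod" -nt "$sbom" ]
}

# Build-lifecycle SBOM of the module graph (assumed invocation: the tool's `mod`
# subcommand with JSON output; the `-test` flag that would add test dependencies
# is deliberately left off).
generate_sbom() {
    go run "github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@${CYCLONEDX_GOMOD_VERSION}" \
        mod -json -output "$SBOM"
}

main() {
    if sbom_is_stale "$GOMOD" "$SBOM"; then
        generate_sbom
        echo "wrote $SBOM" >&2
    else
        echo "$SBOM is newer than $GOMOD; nothing to do" >&2
    fi
}

# Only run when executed directly under the assumed name etc/generate-sbom.sh,
# so the functions can be sourced and checked in isolation.
case "${0##*/}" in generate-sbom.sh) main "$@" ;; esac
```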
@jasonhills-mongodb jasonhills-mongodb requested a review from a team as a code owner July 7, 2025 16:59
@mongodb-drivers-pr-bot mongodb-drivers-pr-bot bot added the priority-3-low Low Priority PR for Review label Jul 7, 2025

API Change Report

No changes found!

@alcaeus alcaeus requested review from alcaeus and removed request for zhouselena July 8, 2025 18:15