SERVER-111072 Auto-generated SBOM files [master] (#53579)

Co-authored-by: Jason Hills <jason.hills@mongodb.com>
Co-authored-by: mongo-pr-bot[bot] <230616009+mongo-pr-bot[bot]@users.noreply.github.com>
GitOrigin-RevId: 43e342269a65eb9e1996148037204906c760f1f7
This commit is contained in:
mongo-pr-bot[bot] 2026-05-14 10:09:18 -04:00 committed by MongoDB Bot
parent 4ecfef6a14
commit 46c3673973
4 changed files with 118 additions and 310 deletions


@ -35,6 +35,7 @@ from buildscripts.sbom.sbom_utils import (
check_metadata_sbom,
convert_sbom_to_public,
read_sbom_json_file,
reconcile_dependency_refs,
remove_sbom_component,
sbom_components_to_dict,
set_component_version,
@ -587,7 +588,17 @@ def main() -> None:
# add_component_property(component, "Endor Labs purl", component["purl"])
component["purl"] = component["purl"].replace(old, new)
logger.info("Endor Labs SBOM pre-processed with %s components", len(endor_bom["components"]))
logger.info(
"Endor Labs SBOM pre-processed with %s components and %s dependencies",
len(endor_bom["components"]),
len(endor_bom.get("dependencies", [])),
)
reconcile_dependency_refs(endor_bom)
logger.info(
"Endor Labs SBOM with %s components and %s dependencies after reconciling dependency refs",
len(endor_bom["components"]),
len(endor_bom.get("dependencies", [])),
)
# endregion Pre-process Endor Labs SBOM
@ -597,6 +608,17 @@ def main() -> None:
if os.path.exists(sbom_metadata_path):
meta_bom = read_sbom_json_file(sbom_metadata_path)
logger.info(
"METADATA: pre-processed with %s components and %s dependencies",
len(meta_bom["components"]),
len(meta_bom.get("dependencies", [])),
)
reconcile_dependency_refs(meta_bom)
logger.info(
"METADATA: %s components and %s dependencies after reconciling dependency refs",
len(meta_bom["components"]),
len(meta_bom.get("dependencies", [])),
)
check_components_and_dependencies(meta_bom, sbom_metadata_path)
else:
logger.error("No SBOM metadata file at '%s'. This is fatal.", sbom_metadata_path)
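Review bot: `check_components_and_dependencies(meta_bom, sbom_metadata_path)` at the end of this hunk now runs after `reconcile_dependency_refs(meta_bom)`, which has just forced the component and dependency ref sets into correspondence, so the check can no longer report anything and the "component missing from the graph" case is only visible at debug level inside reconcile. Call the check before the reconcile (or have reconcile log the set it stubs at warning level) so the mismatch remains in the build log, and the same applies to the Endor Labs hunk above, which reconciles with no check at all. It is also worth a comment next to each call, e.g. `# NOTE: stubs with "dependsOn": [] assert the component has no dependencies; CycloneDX reads a component absent from the graph as "dependencies unknown"`, because the reconcile turns an unknown into a positive claim in the published SBOM — presumably intended, but not obvious to a reader. main() starts and continues outside the hunk.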


@ -3452,42 +3452,6 @@
}
],
"dependencies": [
{
"ref": "pkg:deb/debian/firefox-esr@{{VERSION}}-1?arch=source",
"dependsOn": []
},
{
"ref": "pkg:generic/gnome/libxml2@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:generic/intel/IntelRDFPMathLib@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:generic/unicode-org/unicode@8.0.0",
"dependsOn": []
},
{
"ref": "pkg:generic/valgrind/valgrind@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"dependsOn": []
},
{
"ref": "pkg:github/abseil/abseil-cpp@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3",
"dependsOn": []
},
{
"ref": "pkg:github/apache/arrow-nanoarrow@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/apache/arrow@{{VERSION}}",
"dependsOn": [
@ -3497,152 +3461,12 @@
"pkg:github/xtensor-stack/xsimd@{{VERSION}}"
]
},
{
"ref": "pkg:github/apache/avro@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/apache/iceberg-cpp@{{VERSION}}",
"dependsOn": [
"pkg:github/apache/arrow-nanoarrow@{{VERSION}}"
]
},
{
"ref": "pkg:github/arximboldi/immer@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/aws/aws-sdk-cpp@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/azure/azure-sdk-for-cpp@azure-storage-blobs_{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/boostorg/boost@boost-{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/c-ares/c-ares@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/chriskohlhoff/asio@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/confluentinc/librdkafka@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/davea42/libdwarf-code@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/dcleblanc/safeint@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/derickr/timelib@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/facebook/folly@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/facebook/zstd@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/fmtlib/fmt@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/benchmark@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/flatbuffers@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/fuzztest@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/googletest@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/re2@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/s2geometry@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/snappy@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/google/tcmalloc@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/gperftools/gperftools@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/grpc/grpc@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/jbeder/yaml-cpp@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/jeremy-rifkin/cpptrace@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/json-c/json-c@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
"dependsOn": []
},
{
"ref": "pkg:github/jupp0r/prometheus-cpp@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/libarchive/bzip2@bzip2-{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/libtom/libtomcrypt@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/libunwind/libunwind@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/madler/zlib@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/mongodb/libmongocrypt@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/mongodb/mongo-c-driver@{{VERSION}}",
"dependsOn": [
@ -3719,76 +3543,12 @@
"pkg:pypi/ocspresponder@0.5.0"
]
},
{
"ref": "pkg:github/nlohmann/json@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc",
"dependsOn": []
},
{
"ref": "pkg:github/open-telemetry/opentelemetry-cpp@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/open-telemetry/opentelemetry-proto@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/pcre2project/pcre2@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/protocolbuffers/protobuf@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/rnpgp/rnp@{{VERSION}}",
"dependsOn": [
"pkg:github/json-c/json-c@{{VERSION}}",
"pkg:github/libarchive/bzip2@bzip2-{{VERSION}}"
]
},
{
"ref": "pkg:github/roaringbitmap/croaring@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408",
"dependsOn": []
},
{
"ref": "pkg:github/snowballstem/snowball@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/tencent/rapidjson@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/unicode-org/icu@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/veorq/siphash@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/wiredtiger/wiredtiger@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:github/xtensor-stack/xsimd@{{VERSION}}",
"dependsOn": []
},
{
"ref": "pkg:pypi/ocspbuilder@0.10.2",
"dependsOn": []
},
{
"ref": "pkg:pypi/ocspresponder@0.5.0",
"dependsOn": []
}
]
}


@ -117,6 +117,8 @@ def check_components_and_dependencies(sbom: dict, label: str = "") -> None:
"""Warn if .components[].bom-ref and .dependencies[].ref are not in one-to-one correspondence."""
prefix = f"{label}: " if label else ""
component_refs = {c["bom-ref"] for c in sbom.get("components", [])}
if primary_ref := sbom.get("metadata", {}).get("component", {}).get("bom-ref"):
component_refs.add(primary_ref)
dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])}
in_components_not_deps = component_refs - dependency_refs
@ -136,6 +138,30 @@ def check_components_and_dependencies(sbom: dict, label: str = "") -> None:
)
def reconcile_dependency_refs(sbom: dict) -> None:
"""Add stub dependency entries for missing component refs; remove and warn about orphaned refs."""
component_refs = {c["bom-ref"] for c in sbom.get("components", [])}
if primary_ref := sbom.get("metadata", {}).get("component", {}).get("bom-ref"):
component_refs.add(primary_ref)
dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])}
missing = component_refs - dependency_refs
if missing:
if "dependencies" not in sbom:
sbom["dependencies"] = []
for ref in sorted(missing):
sbom["dependencies"].append({"ref": ref, "dependsOn": []})
logger.debug("reconcile_dependency_refs: added missing dependency ref '%s'", ref)
orphaned = dependency_refs - component_refs
if orphaned:
logger.warning(
"COMPONENTS/DEPENDENCIES MISMATCH: removing orphaned dependency refs with no matching component: %s",
sorted(orphaned),
)
sbom["dependencies"] = [d for d in sbom["dependencies"] if d["ref"] not in orphaned]
def convert_sbom_to_public(sbom_dict: dict):
"""Remove internal-only properties and components from SBOM"""
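Review bot: The orphan pruning at `sbom["dependencies"] = [d for d in sbom["dependencies"] if d["ref"] not in orphaned]` only removes top-level entries; a ref that was just dropped can still be listed inside another entry's `dependsOn`, and a `dependsOn` target that never had a top-level entry is not checked at all, so the emitted graph can still point at components that are not in `components`. Collect the `dependsOn` targets in the same pass and prune or warn about them alongside the orphans, as sketched below. The added stubs are logged at debug while the removals are a warning; both rewrite the dependency graph, so a single warning carrying `len(missing)` would keep the fabrication visible in the log. The three lines building `component_refs` (including the primary `bom-ref`) are duplicated from `check_components_and_dependencies`; a small `_component_refs(sbom)` helper would keep the two definitions of "known component" in step.
```python
    # … unchanged: component_refs / dependency_refs / missing-stub insertion …
    orphaned = dependency_refs - component_refs
    dangling = {
        r
        for d in sbom.get("dependencies", [])
        for r in d.get("dependsOn", [])
        if r not in component_refs
    }
    if orphaned or dangling:
        logger.warning(
            "COMPONENTS/DEPENDENCIES MISMATCH: removing orphaned dependency refs with no matching component: %s",
            sorted(orphaned | dangling),
        )
        sbom["dependencies"] = [d for d in sbom["dependencies"] if d["ref"] not in orphaned]
        for d in sbom["dependencies"]:
            if "dependsOn" in d:
                d["dependsOn"] = [r for r in d["dependsOn"] if r in component_refs]
```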

sbom.json

@ -63,7 +63,7 @@
"services": [
{
"name": "Endor Labs Inc",
"version": "v1.7.957"
"version": "v1.7.968"
}
]
}
@ -2562,6 +2562,73 @@
}
],
"dependencies": [
{
"ref": "pkg:github/mongodb/mongo-c-driver@1.28.1",
"dependsOn": [
"pkg:github/madler/zlib@1.3.2"
]
},
{
"ref": "pkg:github/mongodb/mongo@master",
"dependsOn": [
"pkg:deb/debian/firefox-esr@140.9.0esr-1?arch=source",
"pkg:generic/intel/IntelRDFPMathLib@2.0.1",
"pkg:generic/unicode-org/unicode@8.0.0",
"pkg:generic/valgrind/valgrind@093bef43d69236287ccc748591c9560a71181b0a",
"pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"pkg:github/abseil/abseil-cpp@20250512.1",
"pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3",
"pkg:github/arximboldi/immer@v0.9.1",
"pkg:github/boostorg/boost@boost-1.88.0",
"pkg:github/c-ares/c-ares@cares-1_27_0",
"pkg:github/chriskohlhoff/asio@asio-1-34-2",
"pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-2.1.28",
"pkg:github/davea42/libdwarf-code@libdwarf-2.1.0",
"pkg:github/dcleblanc/safeint@3.0.28a",
"pkg:github/derickr/timelib@2022.13",
"pkg:github/facebook/folly@v2025.04.21.00",
"pkg:github/facebook/zstd@v1.5.5",
"pkg:github/fmtlib/fmt@11.2.0",
"pkg:github/google/benchmark@v1.5.2",
"pkg:github/google/fuzztest@2025-07-28",
"pkg:github/google/googletest@v1.17.0",
"pkg:github/google/re2@2025-08-05",
"pkg:github/google/s2geometry@a25c502bda9d7e0274b9e2b7825fbddf13cc0306",
"pkg:github/google/snappy@1.1.10",
"pkg:github/google/tcmalloc@f3b20f9a07e175c5d897df7b49d9830d4efa6110",
"pkg:github/gperftools/gperftools@2.9.1",
"pkg:github/grpc/grpc@v1.74.1",
"pkg:github/jbeder/yaml-cpp@yaml-cpp-0.6.3",
"pkg:github/jeremy-rifkin/cpptrace@v1.0.3",
"pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
"pkg:github/libtom/libtomcrypt@v1.18.2",
"pkg:github/libunwind/libunwind@v1.8.1",
"pkg:github/madler/zlib@1.3.2",
"pkg:github/mongodb/libmongocrypt@1.17.0",
"pkg:github/nlohmann/json@v3.11.3",
"pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc",
"pkg:github/open-telemetry/opentelemetry-cpp@v1.24.0",
"pkg:github/open-telemetry/opentelemetry-proto@1.3.2",
"pkg:github/pcre2project/pcre2@pcre2-10.40",
"pkg:github/protocolbuffers/protobuf@v6.31.1",
"pkg:github/rnpgp/rnp@v0.18.1",
"pkg:github/roaringbitmap/croaring@v3.0.1",
"pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408",
"pkg:github/snowballstem/snowball@1.0.0",
"pkg:github/unicode-org/icu@icu-release-57-1",
"pkg:github/veorq/siphash@32d067603b93b47828700880649198e0bfbbcffa",
"pkg:github/wiredtiger/wiredtiger@12.0.0",
"pkg:pypi/ocspbuilder@0.10.2",
"pkg:pypi/ocspresponder@0.5.0"
]
},
{
"ref": "pkg:github/rnpgp/rnp@v0.18.1",
"dependsOn": [
"pkg:github/json-c/json-c@0.17",
"pkg:github/libarchive/bzip2@bzip2-1.0.8"
]
},
{
"ref": "pkg:deb/debian/firefox-esr@140.9.0esr-1?arch=source",
"dependsOn": []
@ -2710,66 +2777,6 @@
"ref": "pkg:github/mongodb/libmongocrypt@1.17.0",
"dependsOn": []
},
{
"ref": "pkg:github/mongodb/mongo-c-driver@1.28.1",
"dependsOn": [
"pkg:github/madler/zlib@1.3.2"
]
},
{
"ref": "pkg:github/mongodb/mongo@master",
"dependsOn": [
"pkg:deb/debian/firefox-esr@140.9.0esr-1?arch=source",
"pkg:generic/intel/IntelRDFPMathLib@2.0.1",
"pkg:generic/unicode-org/unicode@8.0.0",
"pkg:generic/valgrind/valgrind@093bef43d69236287ccc748591c9560a71181b0a",
"pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"pkg:github/abseil/abseil-cpp@20250512.1",
"pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3",
"pkg:github/arximboldi/immer@v0.9.1",
"pkg:github/boostorg/boost@boost-1.88.0",
"pkg:github/c-ares/c-ares@cares-1_27_0",
"pkg:github/chriskohlhoff/asio@asio-1-34-2",
"pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-2.1.28",
"pkg:github/davea42/libdwarf-code@libdwarf-2.1.0",
"pkg:github/dcleblanc/safeint@3.0.28a",
"pkg:github/derickr/timelib@2022.13",
"pkg:github/facebook/folly@v2025.04.21.00",
"pkg:github/facebook/zstd@v1.5.5",
"pkg:github/fmtlib/fmt@11.2.0",
"pkg:github/google/benchmark@v1.5.2",
"pkg:github/google/fuzztest@2025-07-28",
"pkg:github/google/googletest@v1.17.0",
"pkg:github/google/re2@2025-08-05",
"pkg:github/google/s2geometry@a25c502bda9d7e0274b9e2b7825fbddf13cc0306",
"pkg:github/google/snappy@1.1.10",
"pkg:github/google/tcmalloc@f3b20f9a07e175c5d897df7b49d9830d4efa6110",
"pkg:github/gperftools/gperftools@2.9.1",
"pkg:github/grpc/grpc@v1.74.1",
"pkg:github/jbeder/yaml-cpp@yaml-cpp-0.6.3",
"pkg:github/jeremy-rifkin/cpptrace@v1.0.3",
"pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
"pkg:github/libtom/libtomcrypt@v1.18.2",
"pkg:github/libunwind/libunwind@v1.8.1",
"pkg:github/madler/zlib@1.3.2",
"pkg:github/mongodb/libmongocrypt@1.17.0",
"pkg:github/nlohmann/json@v3.11.3",
"pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc",
"pkg:github/open-telemetry/opentelemetry-cpp@v1.24.0",
"pkg:github/open-telemetry/opentelemetry-proto@1.3.2",
"pkg:github/pcre2project/pcre2@pcre2-10.40",
"pkg:github/protocolbuffers/protobuf@v6.31.1",
"pkg:github/rnpgp/rnp@v0.18.1",
"pkg:github/roaringbitmap/croaring@v3.0.1",
"pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408",
"pkg:github/snowballstem/snowball@1.0.0",
"pkg:github/unicode-org/icu@icu-release-57-1",
"pkg:github/veorq/siphash@32d067603b93b47828700880649198e0bfbbcffa",
"pkg:github/wiredtiger/wiredtiger@12.0.0",
"pkg:pypi/ocspbuilder@0.10.2",
"pkg:pypi/ocspresponder@0.5.0"
]
},
{
"ref": "pkg:github/nlohmann/json@v3.11.3",
"dependsOn": []
@ -2794,13 +2801,6 @@
"ref": "pkg:github/protocolbuffers/protobuf@v6.31.1",
"dependsOn": []
},
{
"ref": "pkg:github/rnpgp/rnp@v0.18.1",
"dependsOn": [
"pkg:github/json-c/json-c@0.17",
"pkg:github/libarchive/bzip2@bzip2-1.0.8"
]
},
{
"ref": "pkg:github/roaringbitmap/croaring@v3.0.1",
"dependsOn": []
@ -2834,4 +2834,4 @@
"dependsOn": []
}
]
}
}