SERVER-111072 Auto-generated SBOM files [master] (#49906)

Co-authored-by: Jason Hills <jason.hills@mongodb.com>
GitOrigin-RevId: 20870d19d52b8d61564555df2204419dfd496a23
mongo-pr-bot[bot] 2026-03-23 18:19:08 +00:00 committed by MongoDB Bot
parent 75959b89b0
commit 5ce24b8805
5 changed files with 213 additions and 23 deletions


@ -60,6 +60,7 @@ endor_components_rename = [
["pkg:c/git.openldap.org/openldap/openldap", "pkg:generic/openldap/openldap"],
["pkg:generic/gitlab.gnome.org/gnome/libxml2", "pkg:generic/gnome/libxml2"],
["pkg:generic/gitlab.com/bzip2/bzip2", "pkg:github/libarchive/bzip2"],
["pkg:generic/gitlab.com/federicomenaquintero/bzip2", "pkg:github/libarchive/bzip2"],
]
# ################ Version Transformation ################
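Review bot: Two distinct upstream identifiers, `pkg:generic/gitlab.com/bzip2/bzip2` and `pkg:generic/gitlab.com/federicomenaquintero/bzip2`, are now both collapsed onto `pkg:github/libarchive/bzip2`, and nothing in the list says why that GitHub mirror rather than the sourceware.org origin named as supplier in sbom.json is the canonical purl. Since the purl is presumably what downstream tooling keys component and advisory lookups on, a short comment above these entries would help, e.g. `# Both GitLab mirrors of bzip2 are folded into the libarchive GitHub purl so that one component record is emitted`. The `endor_components_rename` list begins before this hunk.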


@ -350,7 +350,7 @@ def main() -> None:
"--target",
help="Target for generated SBOM. Commit: results from running/completed PR scan, Branch: results from latest monitoring scan, Project: results from latest monitoring scan of the 'default' branch (default: commit)",
choices=["commit", "branch", "project"],
default="commit",
default="project",
type=str,
)
endor.add_argument(
@ -792,7 +792,7 @@ def main() -> None:
)
)
logger.warning(
"VERSION MISMATCH: %s: Endor version %s does not match import script version %s. 'priority_version_source' from metadata: %s",
"VERSION MISMATCH: %s: Endor version %s; Import script version %s. 'priority_version_source' from metadata: %s",
component_key,
versions["endor"],
versions["import_script"],
@ -950,11 +950,18 @@ def main() -> None:
"LICENSES: %s does not have a 'licenses' field. Adding empty list to component.",
endor_components[component]["bom-ref"],
)
add_component_property(endor_components[component], "internal:as-is_component", "true")
meta_bom["components"].append(endor_components[component])
meta_bom["dependencies"].append(
{"ref": endor_components[component]["bom-ref"], "dependsOn": []}
meta_bom["dependencies"].extend(
[
d
for d in endor_bom["dependencies"]
if d.get("ref") == endor_components[component]["bom-ref"]
]
)
logger.warning("SBOM AS-IS COMPONENT: Added %s", component)
if component.startswith(("pkg:github/", "pkg:generic/")):
logger.warning("SBOM AS-IS COMPONENT: Added %s", component)
# endregion Parse unmatched Endor Labs components
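Review bot: In the as-is branch, what appears to replace the unconditional `{"ref": ..., "dependsOn": []}` append with an `extend` over `endor_bom["dependencies"]` means a component for which Endor has no dependency entry now gets no entry in `meta_bom["dependencies"]` at all, and a matching Endor entry may carry `dependsOn` refs that were never added to `meta_bom["components"]`, so the resulting graph can have missing or dangling nodes. Consider keeping the empty entry as a fallback, e.g. `matched = [d for d in endor_bom["dependencies"] if d.get("ref") == ref]` then `meta_bom["dependencies"].extend(matched or [{"ref": ref, "dependsOn": []}])`, and filtering each `dependsOn` list against the refs actually emitted into the meta BOM. Separately, in the `--target` hunk of this section the default becomes `"project"` while the help string still ends with `(default: commit)`, so `--help` now misdescribes the behavior. `main()` begins and ends outside these hunks.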


@ -2038,6 +2038,10 @@
{
"name": "import_script_path",
"value": "src/third_party/json-c/scripts/import.sh"
},
{
"name": "internal:generate_sbom:priority_version_source",
"value": "import_script"
}
]
},
@ -2212,6 +2216,10 @@
{
"name": "import_script_path",
"value": "src/third_party/bzip2/scripts/import.sh"
},
{
"name": "internal:generate_sbom:priority_version_source",
"value": "import_script"
}
]
},


@ -113,6 +113,10 @@ def convert_sbom_to_public(sbom_dict: dict):
occurence.get("location", "").startswith("src/third_party/private")
for occurence in c.get("evidence", {}).get("occurrences", [])
)
or any(
property.get("name", "") == "internal:as-is_component"
for property in c.get("properties", [])
)
]
# Remove internal components and any dependencies on them from the SBOM
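Review bot: The new `any(...)` clause on `internal:as-is_component` tests only the property name, while the generator in this same commit writes the property with value `"true"`, so a component carrying the property with any other value is also stripped from the public SBOM; if the value is meant to matter, compare it too: `prop.get("name") == "internal:as-is_component" and prop.get("value") == "true"`. The loop variable `property` also shadows the builtin of that name; `prop` reads better and avoids the lint warning. Because this list decides what the published SBOM omits, a log line naming each component dropped here would make the filter's effect auditable, assuming the module already has a logger in scope. `convert_sbom_to_public` starts before this hunk and its body continues after it.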

206
sbom.json

@ -3,14 +3,22 @@
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:71d980f0-95c5-4dfa-8987-307eb8880ce2",
"version": 5,
"version": 6,
"metadata": {
"timestamp": "2026-03-17T06:09:16Z",
"timestamp": "2026-03-23T17:40:57Z",
"lifecycles": [
{
"phase": "pre-build"
}
],
"tools": {
"services": [
{
"name": "Endor Labs Inc",
"version": "v1.7.870"
}
]
},
"component": {
"type": "application",
"bom-ref": "pkg:github/mongodb/mongo@master",
@ -58,14 +66,6 @@
"url": [
"https://mongodb.com"
]
},
"tools": {
"services": [
{
"name": "Endor Labs Inc",
"version": "v1.7.870"
}
]
}
},
"components": [
@ -1433,6 +1433,54 @@
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/json-c/json-c@0.17",
"supplier": {
"name": "json-c project",
"url": [
"https://github.com/json-c/json-c"
]
},
"author": "Eric Haszlakiewicz",
"group": "json-c",
"name": "json-c",
"version": "0.17",
"description": "A JSON implementation in C.",
"scope": "required",
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright (c) 2009-2012 Eric Haszlakiewicz; Copyright (c) 2004, 2005 Metaparadigm Pte Ltd",
"purl": "pkg:github/json-c/json-c@0.17",
"externalReferences": [
{
"url": "https://github.com/json-c/json-c",
"type": "distribution"
}
],
"evidence": {
"occurrences": [
{
"location": "src/third_party/json-c"
}
]
},
"properties": [
{
"name": "emits_persisted_data",
"value": "false"
},
{
"name": "import_script_path",
"value": "src/third_party/json-c/scripts/import.sh"
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
@ -1515,6 +1563,54 @@
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/libarchive/bzip2@bzip2-1.0.8",
"supplier": {
"name": "bzip2 project",
"url": [
"https://sourceware.org/bzip2/"
]
},
"author": "Julian Seward",
"group": "libarchive",
"name": "bzip2",
"version": "1.0.8",
"description": "A high-quality data compression program and library.",
"scope": "required",
"licenses": [
{
"license": {
"id": "bzip2-1.0.6"
}
}
],
"copyright": "Copyright (C) 1996-2010 Julian Seward <jseward@acm.org>; Copyright (C) 2019-2020 Federico Mena Quintero <federico@gnome.org>; Copyright (C) 2021 Micah Snyder.",
"purl": "pkg:github/libarchive/bzip2@bzip2-1.0.8",
"externalReferences": [
{
"url": "https://github.com/libarchive/bzip2",
"type": "distribution"
}
],
"evidence": {
"occurrences": [
{
"location": "src/third_party/bzip2"
}
]
},
"properties": [
{
"name": "emits_persisted_data",
"value": "false"
},
{
"name": "import_script_path",
"value": "src/third_party/bzip2/scripts/import.sh"
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/libtom/libtomcrypt@v1.18.2",
@ -1615,7 +1711,7 @@
},
{
"type": "library",
"bom-ref": "pkg:github/madler/zlib@1.3",
"bom-ref": "pkg:github/madler/zlib@1.3.2",
"supplier": {
"name": "zlib",
"url": [
@ -1625,7 +1721,7 @@
"author": "Jean-loup Gailly, Mark Adler",
"group": "madler",
"name": "zlib",
"version": "1.3",
"version": "1.3.2",
"description": "zlib is a general purpose data compression library.",
"scope": "required",
"licenses": [
@ -1636,8 +1732,8 @@
}
],
"copyright": "Copyright \u00a9 1995-2024 Jean-loup Gailly and Mark Adler.",
"cpe": "cpe:2.3:a:zlib:zlib:1.3:*:*:*:*:*:*:*",
"purl": "pkg:github/madler/zlib@1.3",
"cpe": "cpe:2.3:a:zlib:zlib:1.3.2:*:*:*:*:*:*:*",
"purl": "pkg:github/madler/zlib@1.3.2",
"externalReferences": [
{
"url": "https://zlib.net/fossils/",
@ -2033,6 +2129,64 @@
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/rnpgp/rnp@v0.18.1",
"supplier": {
"name": "Ribose Group Inc.",
"url": [
"https://www.rnpgp.org/"
]
},
"author": "Ribose Group Inc.",
"group": "rnpgp",
"name": "rnp",
"version": "0.18.1",
"description": "A high performance C++ OpenPGP library, fully compliant to RFC 4880.",
"scope": "required",
"licenses": [
{
"license": {
"id": "BSD-2-Clause"
}
},
{
"license": {
"id": "Apache-2.0"
}
},
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright (c) 2017-2024, Ribose Inc. All rights reserved.",
"purl": "pkg:github/rnpgp/rnp@v0.18.1",
"externalReferences": [
{
"url": "https://github.com/rnpgp/rnp",
"type": "distribution"
}
],
"evidence": {
"occurrences": [
{
"location": "src/third_party/rnp"
}
]
},
"properties": [
{
"name": "emits_persisted_data",
"value": "false"
},
{
"name": "import_script_path",
"value": "src/third_party/rnp/scripts/import.sh"
}
]
},
{
"type": "library",
"bom-ref": "pkg:github/roaringbitmap/croaring@v3.0.1",
@ -2512,6 +2666,10 @@
"ref": "pkg:github/jeremy-rifkin/cpptrace@v1.0.3",
"dependsOn": []
},
{
"ref": "pkg:github/json-c/json-c@0.17",
"dependsOn": []
},
{
"ref": "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
"dependsOn": []
@ -2520,6 +2678,10 @@
"ref": "pkg:github/jupp0r/prometheus-cpp@v1.2.2",
"dependsOn": []
},
{
"ref": "pkg:github/libarchive/bzip2@bzip2-1.0.8",
"dependsOn": []
},
{
"ref": "pkg:github/libtom/libtomcrypt@v1.18.2",
"dependsOn": []
@ -2529,7 +2691,7 @@
"dependsOn": []
},
{
"ref": "pkg:github/madler/zlib@1.3",
"ref": "pkg:github/madler/zlib@1.3.2",
"dependsOn": []
},
{
@ -2539,7 +2701,7 @@
{
"ref": "pkg:github/mongodb/mongo-c-driver@1.28.1",
"dependsOn": [
"pkg:github/madler/zlib@1.3"
"pkg:github/madler/zlib@1.3.2"
]
},
{
@ -2577,7 +2739,7 @@
"pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0",
"pkg:github/libtom/libtomcrypt@v1.18.2",
"pkg:github/libunwind/libunwind@v1.8.1",
"pkg:github/madler/zlib@1.3",
"pkg:github/madler/zlib@1.3.2",
"pkg:github/mongodb/libmongocrypt@1.15.0",
"pkg:github/nlohmann/json@v3.11.3",
"pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc",
@ -2585,6 +2747,7 @@
"pkg:github/open-telemetry/opentelemetry-proto@1.3.2",
"pkg:github/pcre2project/pcre2@pcre2-10.40",
"pkg:github/protocolbuffers/protobuf@v6.31.1",
"pkg:github/rnpgp/rnp@v0.18.1",
"pkg:github/roaringbitmap/croaring@v3.0.1",
"pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408",
"pkg:github/snowballstem/snowball@1.0.0",
@ -2619,6 +2782,13 @@
"ref": "pkg:github/protocolbuffers/protobuf@v6.31.1",
"dependsOn": []
},
{
"ref": "pkg:github/rnpgp/rnp@v0.18.1",
"dependsOn": [
"pkg:github/json-c/json-c@0.17",
"pkg:github/libarchive/bzip2@bzip2-1.0.8"
]
},
{
"ref": "pkg:github/roaringbitmap/croaring@v3.0.1",
"dependsOn": []
@ -2652,4 +2822,4 @@
"dependsOn": []
}
]
}
}