mongodb/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SERVER-111072 Auto-generated SBOM files [master] (#54314)

Browse Source 
Co-authored-by: mongo-pr-bot[bot] <230616009+mongo-pr-bot[bot]@users.noreply.github.com>
Co-authored-by: Jason Hills <jason.hills@mongodb.com>
GitOrigin-RevId: b8ba75da724800391249ed4266928c96bd537875
This commit is contained in:
mongo-pr-bot[bot] 2026-05-22 12:38:16 -05:00 committed by MongoDB Bot
parent dcefbaa865
commit 650d9f458c
7 changed files with 96 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
buildscripts/sbom/generate_sbom.py
View File

@ -553,12 +553,6 @@ def main() -> None:
component = endor_bom["components"][i] component = endor_bom["components"][i]
removed = False removed = False
for remove in endor_components_remove: for remove in endor_components_remove:
if "components" in endor_bom["metadata"]["component"]:
endor_bom["metadata"]["component"]["components"] = [
c
for c in endor_bom["metadata"]["component"]["components"]
if not c.get("bom-ref", "").startswith(remove)
]
if component["bom-ref"].startswith(remove): if component["bom-ref"].startswith(remove):
logger.info("ENDOR SBOM PRE-PROCESS: removing %s", component["bom-ref"]) logger.info("ENDOR SBOM PRE-PROCESS: removing %s", component["bom-ref"])
del endor_bom["components"][i] del endor_bom["components"][i]

15
buildscripts/sbom/metadata.cdx.json
View File

@ -25,6 +25,21 @@
"group": "mongodb", "group": "mongodb",
"name": "mongodb/mongo", "name": "mongodb/mongo",
"version": "{{VERSION}}", "version": "{{VERSION}}",
"description": "The MongoDB Database",
"licenses": [
{
"license": {
"id": "SSPL-1.0",
"url": "https://www.mongodb.com/legal/licensing/community-edition"
}
},
{
"license": {
"name": "MongoDB Enterprise Advanced License",
"url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
}
}
],
"cpe": "cpe:2.3:a:mongodb:mongodb:{{VERSION}}:*:*:*:*:*:*:*", "cpe": "cpe:2.3:a:mongodb:mongodb:{{VERSION}}:*:*:*:*:*:*:*",
"purl": "pkg:github/mongodb/mongo@{{VERSION}}", "purl": "pkg:github/mongodb/mongo@{{VERSION}}",
"externalReferences": [ "externalReferences": [

6
buildscripts/sbom/sbom_utils.py
View File

@ -141,8 +141,12 @@ def check_components_and_dependencies(sbom: dict, label: str = "") -> None:
def reconcile_dependency_refs(sbom: dict) -> None: def reconcile_dependency_refs(sbom: dict) -> None:
"""Add stub dependency entries for missing component refs; remove and warn about orphaned refs.""" """Add stub dependency entries for missing component refs; remove and warn about orphaned refs."""
component_refs = {c["bom-ref"] for c in sbom.get("components", [])} component_refs = {c["bom-ref"] for c in sbom.get("components", [])}
if primary_ref := sbom.get("metadata", {}).get("component", {}).get("bom-ref"): meta_component = sbom.get("metadata", {}).get("component", {})
if primary_ref := meta_component.get("bom-ref"):
component_refs.add(primary_ref) component_refs.add(primary_ref)
for sub in meta_component.get("components", []):
if sub_ref := sub.get("bom-ref"):
component_refs.add(sub_ref)
dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])} dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])}
missing = component_refs - dependency_refs missing = component_refs - dependency_refs

15
buildscripts/sbom_linter.py
View File

@ -129,13 +129,14 @@ def validate_license(component: dict, error_manager: ErrorManager) -> None:
if not valid_license: if not valid_license:
licensing_validate = get_spdx_licensing().validate(expression, validate=True) licensing_validate = get_spdx_licensing().validate(expression, validate=True)
# ExpressionInfo( # LicenseRef- prefixed identifiers are valid per the SPDX/CycloneDX spec for custom
# original_expression='', # or proprietary licenses not in the SPDX catalog; exclude them before checking.
# normalized_expression='', non_licenseref_invalid = [
# errors=[], s
# invalid_symbols=[] for s in licensing_validate.invalid_symbols
# ) if not str(s).lower().startswith("licenseref-")
valid_license = not licensing_validate.errors or not licensing_validate.invalid_symbols ]
valid_license = not licensing_validate.errors or not non_licenseref_invalid
if not valid_license: if not valid_license:
error_manager.append_full_error_message(licensing_validate) error_manager.append_full_error_message(licensing_validate)
return return

44
buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json Normal file
View File

@ -0,0 +1,44 @@
{
"properties": [
{
"name": "comment",
"value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
}
],
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{
"type": "library",
"bom-ref": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"supplier": {
"name": "Austin Appleby"
},
"author": "Austin Appleby",
"group": "aappleby",
"name": "MurmurHash3",
"version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"licenses": [
{
"expression": "LicenseRef-custom-proprietary"
}
],
"purl": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
"properties": [
{
"name": "internal:team_responsible",
"value": "Storage Execution"
}
],
"evidence": {
"occurrences": [
{
"location": "src/third_party/murmurhash3"
}
]
},
"scope": "required"
}
]
}

8
buildscripts/tests/sbom_linter/test_sbom.py
View File

@ -142,6 +142,14 @@ class TestSbom(unittest.TestCase):
error_manager.print_errors() error_manager.print_errors()
self.assertTrue(error_manager.zero_error()) self.assertTrue(error_manager.zero_error())
def test_licenseref_license(self):
test_file = os.path.join(self.input_dir, "sbom_licenseref.json")
third_party_libs = {"murmurhash3"}
error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
if not error_manager.zero_error():
error_manager.print_errors()
self.assertTrue(error_manager.zero_error())
if __name__ == "__main__": if __name__ == "__main__":
unittest.main() unittest.main()

17
sbom.json
View File

@ -25,6 +25,21 @@
"group": "mongodb", "group": "mongodb",
"name": "mongodb/mongo", "name": "mongodb/mongo",
"version": "master", "version": "master",
"description": "The MongoDB Database",
"licenses": [
{
"license": {
"id": "SSPL-1.0",
"url": "https://www.mongodb.com/legal/licensing/community-edition"
}
},
{
"license": {
"name": "MongoDB Enterprise Advanced License",
"url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
}
}
],
"cpe": "cpe:2.3:a:mongodb:mongodb:master:*:*:*:*:*:*:*", "cpe": "cpe:2.3:a:mongodb:mongodb:master:*:*:*:*:*:*:*",
"purl": "pkg:github/mongodb/mongo@master", "purl": "pkg:github/mongodb/mongo@master",
"externalReferences": [ "externalReferences": [
@ -63,7 +78,7 @@
"services": [ "services": [
{ {
"name": "Endor Labs Inc", "name": "Endor Labs Inc",
"version": "v1.7.968" "version": "v1.7.973"
} }
] ]
} }