SERVER-111072 Auto-generated SBOM files [master] (#54314)

Co-authored-by: mongo-pr-bot[bot] <230616009+mongo-pr-bot[bot]@users.noreply.github.com> Co-authored-by: Jason Hills <jason.hills@mongodb.com> GitOrigin-RevId: b8ba75da724800391249ed4266928c96bd537875
2026-05-22 12:38:16 -05:00 · 2026-05-22 12:38:16 -05:00 · 650d9f458c
commit 650d9f458c
parent dcefbaa865
7 changed files with 96 additions and 15 deletions
--- a/buildscripts/sbom/generate_sbom.py
+++ b/buildscripts/sbom/generate_sbom.py
@ -553,12 +553,6 @@ def main() -> None:
        component = endor_bom["components"][i]
        removed = False
        for remove in endor_components_remove:
-            if "components" in endor_bom["metadata"]["component"]:
-                endor_bom["metadata"]["component"]["components"] = [
-                    c
-                    for c in endor_bom["metadata"]["component"]["components"]
-                    if not c.get("bom-ref", "").startswith(remove)
-                ]
            if component["bom-ref"].startswith(remove):
                logger.info("ENDOR SBOM PRE-PROCESS: removing %s", component["bom-ref"])
                del endor_bom["components"][i]
--- a/buildscripts/sbom/metadata.cdx.json
+++ b/buildscripts/sbom/metadata.cdx.json
@ -25,6 +25,21 @@
      "group": "mongodb",
      "name": "mongodb/mongo",
      "version": "{{VERSION}}",
+      "description": "The MongoDB Database",
+      "licenses": [
+        {
+          "license": {
+            "id": "SSPL-1.0",
+            "url": "https://www.mongodb.com/legal/licensing/community-edition"
+          }
+        },
+        {
+          "license": {
+            "name": "MongoDB Enterprise Advanced License",
+            "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
+          }
+        }
+      ],
      "cpe": "cpe:2.3:a:mongodb:mongodb:{{VERSION}}:*:*:*:*:*:*:*",
      "purl": "pkg:github/mongodb/mongo@{{VERSION}}",
      "externalReferences": [
--- a/buildscripts/sbom/sbom_utils.py
+++ b/buildscripts/sbom/sbom_utils.py
@ -141,8 +141,12 @@ def check_components_and_dependencies(sbom: dict, label: str = "") -> None:
 def reconcile_dependency_refs(sbom: dict) -> None:
    """Add stub dependency entries for missing component refs; remove and warn about orphaned refs."""
    component_refs = {c["bom-ref"] for c in sbom.get("components", [])}
-    if primary_ref := sbom.get("metadata", {}).get("component", {}).get("bom-ref"):
+    meta_component = sbom.get("metadata", {}).get("component", {})
+    if primary_ref := meta_component.get("bom-ref"):
        component_refs.add(primary_ref)
+    for sub in meta_component.get("components", []):
+        if sub_ref := sub.get("bom-ref"):
+            component_refs.add(sub_ref)
    dependency_refs = {d["ref"] for d in sbom.get("dependencies", [])}

    missing = component_refs - dependency_refs
--- a/buildscripts/sbom_linter.py
+++ b/buildscripts/sbom_linter.py
@ -129,13 +129,14 @@ def validate_license(component: dict, error_manager: ErrorManager) -> None:

        if not valid_license:
            licensing_validate = get_spdx_licensing().validate(expression, validate=True)
-            # ExpressionInfo(
-            #   original_expression='',
-            #   normalized_expression='',
-            #   errors=[],
-            #   invalid_symbols=[]
-            # )
-            valid_license = not licensing_validate.errors or not licensing_validate.invalid_symbols
+            # LicenseRef- prefixed identifiers are valid per the SPDX/CycloneDX spec for custom
+            # or proprietary licenses not in the SPDX catalog; exclude them before checking.
+            non_licenseref_invalid = [
+                s
+                for s in licensing_validate.invalid_symbols
+                if not str(s).lower().startswith("licenseref-")
+            ]
+            valid_license = not licensing_validate.errors or not non_licenseref_invalid
            if not valid_license:
                error_manager.append_full_error_message(licensing_validate)
                return
--- a/buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_licenseref.json
@ -0,0 +1,44 @@
+{
+  "properties": [
+    {
+      "name": "comment",
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+    }
+  ],
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "version": 1,
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+      "supplier": {
+        "name": "Austin Appleby"
+      },
+      "author": "Austin Appleby",
+      "group": "aappleby",
+      "name": "MurmurHash3",
+      "version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+      "licenses": [
+        {
+          "expression": "LicenseRef-custom-proprietary"
+        }
+      ],
+      "purl": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
+      "properties": [
+        {
+          "name": "internal:team_responsible",
+          "value": "Storage Execution"
+        }
+      ],
+      "evidence": {
+        "occurrences": [
+          {
+            "location": "src/third_party/murmurhash3"
+          }
+        ]
+      },
+      "scope": "required"
+    }
+  ]
+}
--- a/buildscripts/tests/sbom_linter/test_sbom.py
+++ b/buildscripts/tests/sbom_linter/test_sbom.py
@ -142,6 +142,14 @@ class TestSbom(unittest.TestCase):
            error_manager.print_errors()
        self.assertTrue(error_manager.zero_error())

+    def test_licenseref_license(self):
+        test_file = os.path.join(self.input_dir, "sbom_licenseref.json")
+        third_party_libs = {"murmurhash3"}
+        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
+        if not error_manager.zero_error():
+            error_manager.print_errors()
+        self.assertTrue(error_manager.zero_error())
+

 if __name__ == "__main__":
    unittest.main()
--- a/sbom.json
+++ b/sbom.json
@ -25,6 +25,21 @@
      "group": "mongodb",
      "name": "mongodb/mongo",
      "version": "master",
+      "description": "The MongoDB Database",
+      "licenses": [
+        {
+          "license": {
+            "id": "SSPL-1.0",
+            "url": "https://www.mongodb.com/legal/licensing/community-edition"
+          }
+        },
+        {
+          "license": {
+            "name": "MongoDB Enterprise Advanced License",
+            "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced"
+          }
+        }
+      ],
      "cpe": "cpe:2.3:a:mongodb:mongodb:master:*:*:*:*:*:*:*",
      "purl": "pkg:github/mongodb/mongo@master",
      "externalReferences": [
@ -63,7 +78,7 @@
      "services": [
        {
          "name": "Endor Labs Inc",
-          "version": "v1.7.968"
+          "version": "v1.7.973"
        }
      ]
    }