Skip to content

GODRIVER-3599 Add task and script to generate CycloneDX SBOM#2154

Open
jasonhills-mongodb wants to merge 19 commits into
mongodb:masterfrom
jasonhills-mongodb:GODRIVER-3599/sbom_generation_using_cyclonedx-gomod
Open

GODRIVER-3599 Add task and script to generate CycloneDX SBOM#2154
jasonhills-mongodb wants to merge 19 commits into
mongodb:masterfrom
jasonhills-mongodb:GODRIVER-3599/sbom_generation_using_cyclonedx-gomod

Conversation

@jasonhills-mongodb

@jasonhills-mongodb jasonhills-mongodb commented Aug 4, 2025

Copy link
Copy Markdown

GODRIVER-3599

Background & Motivation

The GODRIVER SBOM (sbom.json) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses.

Summary

Implements a two-stage CI pipeline for SBOM generation and upload, and adds libmongocrypt as an optional SBOM component.

GitHub Actions (.github/workflows/sbom.yml): triggers on push to master when go.mod, go.sum, or etc/install-libmongocrypt.sh changes, or via workflow_dispatch. Generates sbom.json with cyclonedx-gomod v1.10.0, validates it with CycloneDX CLI v0.32.0 (hash-verified download), and opens a follow-up PR with the updated file only if substantive content has changed (timestamps and version excluded from diff).

Evergreen (generate-sbom + upload-sbom tasks, sbom build variant): generate-sbom runs in the static-analysis build variant on every commit with EXPECT_ERROR=1 — it fails if sbom.json is out of date, catching cases where a developer merged a go.mod change without running task generate-sbom. upload-sbom triggers only when sbom.json changes on master (via paths: on the build variant); it uses ec2.assume_role + silkbomb to augment and upload the SBOM to the Dependency-Track backend. Evergreen is used for the upload because GitHub Actions does not have IP access to the Dependency-Track backend. Comparison artifacts (old/new/diff) are uploaded to S3.

libmongocrypt is injected as an optional component after SBOM generation: the version is derived from etc/install-libmongocrypt.sh and the component plus its dependency relationship are added via jq.

Files changed

File Change
.github/workflows/sbom.yml New — generates SBOM on go.mod changes and opens a PR
etc/generate-sbom.sh New — generates CycloneDX SBOM with cyclonedx-gomod v1.10.0, injects libmongocrypt; fails with EXPECT_ERROR=1 if sbom.json is stale
etc/sbom.sh New — silkbomb augment/upload script for Evergreen
.evergreen/config.yml Add generate-sbom task (static-analysis tag, EXPECT_ERROR=1) and upload-sbom task + sbom build variant; docker instead of podman
Taskfile.yml Add generate-sbom task for local developer use
docs/CONTRIBUTING.md Add SBOM section documenting the automated workflow and local task
sbom.json Regenerated with libmongocrypt as optional component

@mongodb-drivers-pr-bot

Copy link
Copy Markdown
Contributor

API Change Report

No changes found!

The GODRIVER SBOM (sbom.json) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses.

Added a task, etc/script, and pre-commit hook for generating a CycloneDX SBOM using a pinned version of the cyclonedx-gomod tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.

The task (generate-sbom) is added to the default tasks and will run only when go.mod is newer than sbom.cdx.json.

The pre-commit hook (sbom-currency) ensures that if go.mod is staged for commit, that an updated sbom.json is also staged.

Future TODO: Add libmongocrypt as an optional component once the libmongocrypt SBOM is updated with newer automation
@jasonhills-mongodb jasonhills-mongodb force-pushed the GODRIVER-3599/sbom_generation_using_cyclonedx-gomod branch from 7c63b31 to a0af51a Compare August 5, 2025 22:41
@jasonhills-mongodb jasonhills-mongodb marked this pull request as ready for review August 5, 2025 22:41
@jasonhills-mongodb jasonhills-mongodb requested a review from a team as a code owner August 5, 2025 22:41
@prestonvasquez prestonvasquez added the review-priority-low Low Priority PR for Review: within 3 business days label Aug 14, 2025
Comment thread .pre-commit-config.yaml Outdated
Comment thread Taskfile.yml Outdated
Comment thread etc/generate-sbom.sh Outdated
Comment thread .evergreen/config.yml
Co-authored-by: Preston Vasquez <prestonvasquez@icloud.com>
@github-actions github-actions Bot added the review-priority-normal Medium Priority PR for Review: within 1 business day label Aug 14, 2025
@prestonvasquez prestonvasquez removed the review-priority-low Low Priority PR for Review: within 3 business days label Aug 15, 2025
Comment thread etc/generate-sbom.sh Outdated
@mongodb-drivers-pr-bot

mongodb-drivers-pr-bot Bot commented Dec 5, 2025

Copy link
Copy Markdown
Contributor

🧪 Performance Results

Commit SHA: e1810f1

The following benchmark tests for version 6a32e3d89ddf40000726ce4e had statistically significant changes (i.e., |z-score| > 1.96):

Benchmark Measurement % Change Patch Value Stable Region H-Score Z-Score
BenchmarkMultiInsertSmallDocument total_mem_allocs -18.4721 2207725.0000 Avg: 2707936.5000
Med: 2707936.5000
Stdev: 96222.3837
0.9320 -5.1985
BenchmarkMultiInsertSmallDocument total_time_seconds -15.3859 1.0203 Avg: 1.2058
Med: 1.2058
Stdev: 0.0533
0.8984 -3.4808
BenchmarkMultiInsertSmallDocument total_bytes_allocated -12.6299 443808312.0000 Avg: 507963740.0000
Med: 507963740.0000
Stdev: 12328440.6711
0.9321 -5.2039
BenchmarkLargeDocInsertOne total_mem_allocs -12.5701 425980.0000 Avg: 487224.3529
Med: 490380.0000
Stdev: 14249.4877
0.8689 -4.2980
BenchmarkLargeDocInsertOne total_bytes_allocated -12.4956 33156360.0000 Avg: 37891098.6667
Med: 38137288.0000
Stdev: 1100888.8545
0.8690 -4.3008
BenchmarkLargeDocInsertOne total_time_seconds -11.6983 1.0443 Avg: 1.1827
Med: 1.1825
Stdev: 0.0239
0.9065 -5.7878
BenchmarkBSONFullDocumentEncoding ops_per_second_max -3.6486 46063.8445 Avg: 47808.1960
Med: 47728.1405
Stdev: 625.7677
0.8120 -2.7875
BenchmarkBSONFullDocumentEncoding ops_per_second_med -3.0335 45075.5015 Avg: 46485.6222
Med: 46461.9245
Stdev: 695.7282
0.7329 -2.0268
BenchmarkBSONFlatDocumentDecoding total_time_seconds 1.8498 1.2145 Avg: 1.1925
Med: 1.1928
Stdev: 0.0062
0.8506 3.5702

For a comprehensive view of all microbenchmark results for this PR's commit, please check out the Evergreen perf task for this patch.

@alcaeus alcaeus marked this pull request as draft February 17, 2026 18:59
@dariakp dariakp added ci/cd and removed enhancement labels Mar 9, 2026
…edx-gomod

Resolves merge conflicts and redesigns SBOM automation:
- Add GitHub Actions workflow to generate sbom.json and open a PR when go.mod changes
- Add Evergreen upload-sbom task + build variant (paths: sbom.json) to upload via silkbomb
- Add etc/sbom.sh for silkbomb augment invocation
- Remove sbom-currency pre-commit hook (CI now owns generation)
- Remove generate-sbom from Taskfile default deps
- Update cyclonedx-gomod to v1.10.0 and cyclonedx-cli to v0.32.0
Derives the version from etc/install-libmongocrypt.sh and injects the
component into sbom.json after cyclonedx-gomod generation, including
the dependency relationship on the main module.
@jasonhills-mongodb jasonhills-mongodb marked this pull request as ready for review June 9, 2026 22:48
Copilot AI review requested due to automatic review settings June 9, 2026 22:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds tooling and CI automation to generate, validate, and upload a CycloneDX SBOM for the Go driver, including Evergreen integration and a GitHub Actions workflow to auto-open SBOM update PRs.

Changes:

  • Generate sbom.json via cyclonedx-gomod and inject libmongocrypt as an optional component.
  • Add GitHub Actions workflow to regenerate/validate SBOM on go.mod changes and open PRs when it differs.
  • Add Evergreen task and helper script to upload/compare augmented SBOMs via Silkbomb.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
sbom.json Replaces placeholder SBOM with a populated CycloneDX 1.5 SBOM including dependencies and libmongocrypt.
etc/sbom.sh Adds Silkbomb-based augmented SBOM generation/comparison logic for CI uploads.
etc/generate-sbom.sh Adds a generator script using cyclonedx-gomod plus post-processing with jq.
Taskfile.yml Adds a generate-sbom task to produce sbom.json based on timestamps.
.github/workflows/sbom.yml Adds workflow to regenerate/validate SBOM and open PRs automatically.
.evergreen/config.yml Adds upload-sbom task and an sbom buildvariant to run it on sbom.json changes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/sbom.yml
Comment thread .github/workflows/sbom.yml
Comment thread etc/generate-sbom.sh Outdated
Comment thread etc/generate-sbom.sh Outdated
Comment thread Taskfile.yml
Comment thread etc/sbom.sh Outdated
Comment thread .evergreen/config.yml
Comment thread etc/sbom.sh
Comment thread etc/sbom.sh
Comment thread etc/sbom.sh Outdated
- Use set -eo pipefail to catch pipeline failures in generate-sbom.sh
- Replace curl -L -s with curl -fsSL for clearer HTTP error reporting
- Remove stale CHECK_CURRENCY/-c scaffolding (pre-commit hook removed)
- Use cyclonedx-gomod -serial, -std=true, -short-purls=true flags;
  -short-purls replaces the jq PURL-stripping workaround
- Hardcode serialNumber; increment .version only on meaningful content change
- Workflow diff strips only .metadata.timestamp (not .version)
- Add AWS_SESSION_TOKEN to etc/sbom.sh and Evergreen upload-sbom task
- Drop -it from podman run in etc/sbom.sh
- Add go.sum and etc/install-libmongocrypt.sh to Taskfile generate-sbom sources
- Expand automated PR body to describe what changed and why
- Add SBOM section to CONTRIBUTING.md explaining the automated workflow
@github-actions github-actions Bot added the documentation Pull requests that update documentation or examples label Jun 10, 2026
…e tag

cyclonedx-gomod auto-detects a pseudo-version from the current branch
commit, which changes on every commit and is meaningless outside the
branch. Use git describe --tags --abbrev=0 to pin to the latest release
tag (currently v2.6.0) so the SBOM reflects the actual module version.
Comment thread etc/sbom.sh

silkbomb="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0"

podman pull "${silkbomb:?}"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocking] Is there a reason we use podman over docker? Docker is preferred by the team. If it needs to be agnostic, we should make this an env variable. E.g.

Comment thread etc/generate-sbom.sh
@@ -0,0 +1,52 @@
#!/usr/bin/env bash

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocking] CycloneDX notes that you can use as a library ( > v1.2.0). We should opt for this to avoid a CLI dependency in local dev and VM CI and convert etc/generate-sbom.sh to a go script at internal/cmd/generate-sbom/. Despite being more LoC, it's easier for the team to read, update, and bump.

Here is a gist: https://gist.github.com/prestonvasquez/04a194f2f0aff1ba010754e5e9057eb5

Typically, we would defer this work to a followup ticket, but I'm concerned that we could easily miss something with a de facto re-write. Let me know if this would work better if we wrote the Go code and you reviewed for correctness.

Comment thread etc/sbom.sh
@@ -0,0 +1,59 @@
#!/usr/bin/env bash

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[blocking] Same with generate-sbom.sh, this could be a Go script that leverages the docker API. Here is a gist: https://gist.github.com/prestonvasquez/7d83b6bd919fbcb133bcbcc053e4a2ed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci/cd documentation Pull requests that update documentation or examples review-priority-normal Medium Priority PR for Review: within 1 business day

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants