GODRIVER-3599 Add task script to generate CycloneDX SBOM

jasonhills-mongodb · jasonhills-mongodb · commit 2ca839d63655 · 2025-08-04T16:22:24.000-04:00
The GODRIVER SBOM (sbom.json) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses.

Added a task, etc/script, and pre-commit hook for generating a CycloneDX SBOM using a pinned version of the cyclonedx-gomod tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.

The task (generate-sbom) is added to the default tasks and will run only when go.mod is newer than sbom.cdx.json.

The pre-commit hook (sbom-currency) ensures that if go.mod is staged for commit, that an updated sbom.json is also staged.

Future TODO: Add libmongocrypt as an optional component once the libmongocrypt SBOM is updated with newer automation
diff --git a/.evergreen/config.yml b/.evergreen/config.yml
@@ -665,6 +665,14 @@ tasks:
           binary: bash
           args: [*task-runner, govulncheck]
 
+  - name: generate-sbom
+    tags: ["ssdlc"]
+    commands:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args: [*task-runner, generate-sbom]
+
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -71,3 +71,10 @@ repos:
     language: system
     types: [go]
     entry: etc/check_license.sh
+
+  - id: sbom-currency
+    name: sbom-currency
+    language: system
+    types: [json]
+    require_serial: true
+    entry: etc/generate-sbom.sh -c
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -11,7 +11,7 @@ tasks:
 
   ### Utility tasks. ###
   default: 
-    deps: [build, check-license, check-fmt, check-modules, lint, test-short]
+    deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom]
 
   add-license: bash etc/check_license.sh -a
 
@@ -87,6 +87,17 @@ tasks:
 
   govulncheck: bash etc/govulncheck.sh
 
+  generate-sbom:
+    desc: Generate a CycloneDX SBOM
+    summary: |
+      Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand
+      The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
+      Task will run only when go.mod is newer than sbom.cdx.json.
+    method: timestamp
+    sources: [go.mod]
+    generates: [sbom.json]
+    cmd: bash etc/generate-sbom.sh
+
   update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 
   ### Local testing tasks. ###
diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -e
+
+CHECK_CURRENCY="false"
+
+# Options are:
+# -c : check currency of staged sbom.json versus go.mod.
+while getopts "c" opt; do
+    case $opt in
+        c)
+            CHECK_CURRENCY="true"
+            ;;
+        *)
+            echo "usage: $0 [-c]" >&2
+            echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2
+            exit 1
+            ;;
+    esac
+done
+#shift $((OPTIND - 1))
+
+if  ! $CHECK_CURRENCY; then
+    # The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
+    # TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
+
+    ## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662.
+    ## When resolved, bump version and replace with commented line below.
+    # GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json .
+    GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.9.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json
+elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then
+    echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1
+fi
diff --git a/sbom.json b/sbom.json
