GODRIVER-3599 Add task and script to generate CycloneDX SBOM #2154
base: master
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,7 +11,7 @@ tasks: | |
|
||
### Utility tasks. ### | ||
default: | ||
deps: [build, check-license, check-fmt, check-modules, lint, test-short] | ||
deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom] | ||
|
||
add-license: bash etc/check_license.sh -a | ||
|
||
|
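Review bot: adding generate-sbom to the `default` deps on the `deps:` line of this hunk makes a plain no-argument `task` run depend on regenerating the SBOM, which per the new etc/generate-sbom.sh means a `go run github.com/CycloneDX/cyclonedx-gomod/...@<pinned version>` module fetch plus a `jq` binary on the PATH; consider leaving it out of `default` (keeping it for the CI static-analysis path) or documenting the jq and network requirement next to the other utility tasks so a fresh clone does not fail on `task` for lack of jq.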
@@ -87,6 +87,17 @@ tasks: | |
|
||
govulncheck: bash etc/govulncheck.sh | ||
|
||
generate-sbom: | ||
desc: Generate a CycloneDX SBOM | ||
summary: | | ||
Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand | ||
The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. | ||
Task will run only when go.mod is newer than sbom.cdx.json. | ||
Review comment: Should this be sbom.json and not sbom.cdx.json?
Reply: Yes, good catch. That is a typo leftover from when I was naming the file.
||
method: timestamp | ||
sources: [go.mod] | ||
generates: [sbom.json] | ||
cmd: bash etc/generate-sbom.sh | ||
|
||
update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES | ||
|
||
### Local testing tasks. ### | ||
|
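Review bot: the `sources: [go.mod]` / `method: timestamp` pair under generate-sbom only re-runs the script when go.mod is newer than sbom.json, so a change to etc/generate-sbom.sh itself (for example bumping the pinned cyclonedx-gomod version or changing the jq filter) or to go.sum leaves a stale sbom.json in place; suggest `sources: [go.mod, go.sum, etc/generate-sbom.sh]`. The `summary:` text also still names sbom.cdx.json while `generates:` says sbom.json.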
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
#!/usr/bin/env bash | ||
set -e | ||
|
||
CHECK_CURRENCY="false" | ||
|
||
# Options are: | ||
# -c : check currency of staged sbom.json versus go.mod. | ||
while getopts "c" opt; do | ||
case $opt in | ||
c) | ||
CHECK_CURRENCY="true" | ||
;; | ||
*) | ||
echo "usage: $0 [-c]" >&2 | ||
echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2 | ||
exit 1 | ||
;; | ||
esac | ||
done | ||
#shift $((OPTIND - 1)) | ||
|
||
if ! $CHECK_CURRENCY; then | ||
Review comment: Should this script fail under certain conditions? For example, if it's being (1) called from the Evergreen CI and (2) calling results in a change to sbom.json? In such cases, I would expect the "Static Analysis" task to fail.

Running directly:

    EXPECT_ERROR=1 bash etc/generate-sbom.sh # -> if sbom.json updates, exit 1

In the associated task:

    - name: generate-sbom
      tags: ["ssdlc", "static-analysis"]
      commands:
        - command: subprocess.exec
          params:
            binary: bash
            env:
              EXPECT_ERROR: 1
            args: [*task-runner, generate-sbom]
||
# The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. | ||
# TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation | ||
Review comment: Does this need a follow-up GODRIVER ticket?
||
|
||
## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. | ||
## When resolved, bump version and replace with commented line below. | ||
# GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . | ||
GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected] mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json | ||
elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then | ||
echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1 | ||
fi |
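Review bot: `set -e` does not cover the pipeline on the `GOWORK=off go run ... | jq ... | jq ... > sbom.json` line, so if cyclonedx-gomod fails (module fetch error, unresolvable dependency) the exit status is that of the final jq, the script exits 0, and an empty or truncated sbom.json is written where it can be staged and shipped as the SBOM; add `set -o pipefail` (or `set -euo pipefail`) at the top and write to a temporary file that is only moved over sbom.json when the pipeline succeeds. Smaller points in the same hunk: `if ! $CHECK_CURRENCY` executes the variable's value as a command, where `[[ "$CHECK_CURRENCY" != "true" ]]` says what is meant; and the `-c` branch compares staged go.mod against staged sbom.json but ignores go.sum, so consider including go.sum in the `git diff --name-only --cached` check.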
Review comment: This hook won't run if a commit changes go.mod. Is that intentional?