diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 4b3459bac..d105fc5aa 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -550,6 +550,84 @@ tasks: params: binary: bash args: [*task-runner, govulncheck] + - name: upload-sbom + tags: ["ssdlc"] + allowed_requesters: ["commit"] + exec_timeout_secs: 600 + commands: + - func: setup-system + - command: expansions.update + params: + updates: + - {key: DOCKER_CONFIG, value: "${workdir}/.docker"} + - command: ec2.assume_role + display_name: Assume ECR readonly IAM role + params: + role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro + - command: subprocess.exec + type: setup + display_name: Log in to ECR + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + - DOCKER_CONFIG + args: + - -c + - aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com + - command: ec2.assume_role + display_name: Assume Silkbomb IAM role + params: + role_arn: arn:aws:iam::901841024863:role/silkbomb + - command: subprocess.exec + type: test + display_name: Upload SBOM via Silkbomb + params: + binary: bash + working_dir: src/go.mongodb.org/mongo-driver + include_expansions_in_env: + - branch_name + - DOCKER_CONFIG + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - etc/sbom.sh + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Old) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: src/go.mongodb.org/mongo-driver/old.json + permissions: public-read + remote_file: mongo-go-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (New) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: src/go.mongodb.org/mongo-driver/new.json + permissions: public-read + remote_file: mongo-go-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Diff) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: src/go.mongodb.org/mongo-driver/diff.txt + permissions: public-read + remote_file: mongo-go-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt - name: pull-request-helpers allowed_requesters: ["patch", "github_pr"] commands: @@ -2100,3 +2178,13 @@ buildvariants: - name: testazureoidc_task_group - name: testgcpoidc_task_group - name: testk8soidc_task_group + - name: sbom + display_name: "SBOM" + allowed_requesters: ["commit"] + stepback: false + paths: + - sbom.json + run_on: + - rhel8.7-small + tasks: + - name: upload-sbom diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 000000000..5b9ff5e95 --- /dev/null +++ b/.github/workflows/sbom.yml @@ -0,0 +1,76 @@ +name: Generate SBOM +# Generates sbom.json using cyclonedx-gomod and opens a PR if it has changed. +# Triggered when go.mod changes on master, or manually. +# Internal documentation: go/sbom-scope +on: + workflow_dispatch: {} + push: + branches: + - master + paths: + - go.mod + - go.sum + - etc/install-libmongocrypt.sh +permissions: + contents: write + pull-requests: write +jobs: + sbom: + name: Generate SBOM and Create PR + runs-on: ubuntu-latest + concurrency: + group: sbom-${{ github.ref }} + cancel-in-progress: false + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + - name: Stash existing SBOM + run: | + # Strip nondeterministic fields before diffing + jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.existing.json + - name: Generate SBOM + run: bash etc/generate-sbom.sh + - name: Download CycloneDX CLI + run: | + curl -fsSL -o ${{ runner.temp }}/cyclonedx \ + "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.32.0/cyclonedx-linux-x64" + echo "454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1 ${{ runner.temp }}/cyclonedx" | sha256sum --check + chmod +x ${{ runner.temp }}/cyclonedx + - name: Validate SBOM + run: ${{ runner.temp }}/cyclonedx validate --input-file sbom.json --fail-on-errors + - name: Check for SBOM changes + id: sbom_diff + run: | + jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.generated.json + RESULT=$(diff --brief ${{ runner.temp }}/sbom.existing.json ${{ runner.temp }}/sbom.generated.json || true) + echo "result=$RESULT" | tee -a $GITHUB_OUTPUT + - name: Open Pull Request if SBOM has changed + if: steps.sbom_diff.outputs.result + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 + with: + add-paths: sbom.json + branch: auto-update-sbom-${{ github.ref_name }} + commit-message: "chore: Update SBOM after dependency changes" + delete-branch: true + labels: sbom + title: "Automation: Update SBOM [${{ github.ref_name }}]" + body: | + ## Automated SBOM Update + + This PR was automatically generated because a change to `go.mod`, `go.sum`, or + `etc/install-libmongocrypt.sh` was merged into `${{ github.ref_name }}`. + + `sbom.json` has been regenerated to reflect the current module dependency graph + and `libmongocrypt` version. The SBOM serial number is stable; the `.version` + field has been incremented to reflect this update. + + Once merged, an Evergreen CI task will upload the updated SBOM to the internal + tracking system. + + ### Triggered by + - Commit: ${{ github.sha }} + - Workflow run: [${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) diff --git a/Taskfile.yml b/Taskfile.yml index 17fff5874..a1c8184d6 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -60,6 +60,16 @@ tasks: - GOOS=linux GOARCH=ppc64le etc/golangci-lint.sh - GOOS=linux GOARCH=s390x etc/golangci-lint.sh govulncheck: bash etc/govulncheck.sh + generate-sbom: + desc: Generate a CycloneDX SBOM + summary: | + Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand + The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. + Task will run only when go.mod is newer than sbom.json. + method: timestamp + sources: [go.mod, go.sum, etc/install-libmongocrypt.sh] + generates: [sbom.json] + cmd: bash etc/generate-sbom.sh update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES ### Local testing tasks. ### test: go test ${BUILD_TAGS} -timeout {{.TEST_TIMEOUT}}s -p 1 ./... diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 6164c4e58..708f0c71e 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -412,6 +412,18 @@ using enterprise auth, run: TOPOLOGY=sharded_cluster task run-docker -- evg-test-enterprise-auth ``` +## Software Bill of Materials (SBOM) + +The repository maintains a CycloneDX SBOM at `sbom.json` in the repository root. It captures the full module dependency graph along with `libmongocrypt` as an optional component. + +**You do not need to update `sbom.json` manually.** When a pull request that changes `go.mod`, `go.sum`, or `etc/install-libmongocrypt.sh` is merged into `master`, the "Generate SBOM" GitHub Actions workflow will automatically regenerate `sbom.json` and open a follow-up pull request with the updated file. Simply review and merge that PR. + +To regenerate the SBOM locally (e.g. to preview changes), run: + +```bash +task generate-sbom +``` + ## Talk To Us If you want to work on the driver, write documentation, or have questions/complaints, please reach out to us either via [MongoDB Community Forums](https://www.mongodb.com/community/forums/tag/go-driver) or by creating a Question issue in [Jira](https://jira.mongodb.org/secure/CreateIssue!default.jspa). diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh new file mode 100755 index 000000000..9958f1809 --- /dev/null +++ b/etc/generate-sbom.sh @@ -0,0 +1,52 @@ +#!/usr/bin/env bash +set -eo pipefail + +SERIAL_NUMBER="urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +# Generate the base SBOM. -short-purls strips ?type=module query strings from PURLs, +# resolving https://github.com/CycloneDX/cyclonedx-gomod/issues/662. +GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 \ + mod -type library -licenses -assert-licenses -output-version 1.5 -json \ + -serial "$SERIAL_NUMBER" -std=true -short-purls=true . > sbom.tmp.json + +# Inject libmongocrypt as an optional component. +LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) +LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" + +jq --arg version "$LIBMONGOCRYPT_VERSION" --arg purl "$LIBMONGOCRYPT_PURL" ' + .metadata.component."bom-ref" as $main_ref | + .components += [{ + "type": "library", + "bom-ref": $purl, + "supplier": {"name": "MongoDB, Inc.", "url": ["https://mongodb.com"]}, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "libmongocrypt", + "version": $version, + "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "optional", + "licenses": [{"license": {"id": "Apache-2.0"}}], + "copyright": "Copyright 2019-present MongoDB, Inc.", + "cpe": ("cpe:2.3:a:mongodb:libmongocrypt:" + $version + ":*:*:*:*:*:*:*"), + "purl": $purl, + "externalReferences": [{"url": "https://github.com/mongodb/libmongocrypt.git", "type": "distribution"}] + }] | + (.dependencies[] | select(.ref == $main_ref) | .dependsOn) += [$purl] | + .dependencies += [{"ref": $purl, "dependsOn": []}] +' sbom.tmp.json > sbom.new.json +rm sbom.tmp.json + +# Increment .version only when meaningful content has changed. +CURRENT_VERSION=$(jq -r '.version // 0' sbom.json 2>/dev/null || echo 0) +NEW_CONTENT=$(jq -S 'del(.version, .metadata.timestamp)' sbom.new.json) +OLD_CONTENT=$(jq -S 'del(.version, .metadata.timestamp)' sbom.json 2>/dev/null || echo '{}') + +if [ "$NEW_CONTENT" = "$OLD_CONTENT" ]; then + NEW_VERSION=$CURRENT_VERSION +else + NEW_VERSION=$((CURRENT_VERSION + 1)) +fi + +jq --argjson v "$NEW_VERSION" '.version = $v' sbom.new.json > sbom.json +rm sbom.new.json diff --git a/etc/sbom.sh b/etc/sbom.sh new file mode 100755 index 000000000..c8b38a8d6 --- /dev/null +++ b/etc/sbom.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +set -o errexit +set -o pipefail + +: "${branch_name:?}" +: "${DOCKER_CONFIG:?}" +: "${AWS_ACCESS_KEY_ID:?}" +: "${AWS_SECRET_ACCESS_KEY:?}" +: "${AWS_SESSION_TOKEN:?}" + +command -v podman >/dev/null || { + echo "missing required program podman" 1>&2 + exit 1 +} + +command -v jq >/dev/null || { + echo "missing required program jq" 1>&2 + exit 1 +} + +silkbomb="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0" + +podman pull "${silkbomb:?}" + +silkbomb_augment_flags=( + --repo mongodb/mongo-go-driver + --branch "${branch_name:?}" + --sbom-in /pwd/sbom.json + --sbom-out /pwd/augmented.sbom.json.new + + # Any notable updates to the Augmented SBOM version should be done manually after careful inspection. + # Otherwise, it should be equal to the existing SBOM version. + --no-update-sbom-version +) + +podman run --rm -v "$(pwd):/pwd" \ + --env 'AWS_ACCESS_KEY_ID' --env 'AWS_SECRET_ACCESS_KEY' --env 'AWS_SESSION_TOKEN' \ + "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}" + +[[ -f ./augmented.sbom.json.new ]] || { + echo "failed to download Augmented SBOM" 1>&2 + exit 1 +} + +echo "Comparing Augmented SBOM..." + +jq -S 'del(.metadata.timestamp)' ./augmented.sbom.json >|old.json +jq -S 'del(.metadata.timestamp)' ./augmented.sbom.json.new >|new.json + +if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then + declare status + status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' + curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true +fi + +cat diff.txt + +echo "Comparing Augmented SBOM... done." diff --git a/sbom.json b/sbom.json index 3f3df0c7c..fef257f9a 100644 --- a/sbom.json +++ b/sbom.json @@ -1,11 +1,397 @@ { - "metadata": { - "timestamp": "2024-05-02T17:36:29.429171+00:00" - }, - "components": [], - "serialNumber": "urn:uuid:06a59521-ad52-420b-aee6-7d9ed15e1fd9", - "version": 1, - "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", - "bomFormat": "CycloneDX", - "specVersion": "1.5" - } \ No newline at end of file + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171", + "version": 2, + "metadata": { + "timestamp": "2026-06-09T23:07:32-04:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-gomod", + "version": "v1.10.0", + "hashes": [ + { + "alg": "MD5", + "content": "1ddd6c22ff742805b4e9b3d4e5e278dd" + }, + { + "alg": "SHA-1", + "content": "4aacbda15585b9e08ac96932e57713c313ae7eb9" + }, + { + "alg": "SHA-256", + "content": "e9f54943f02770bb1c5438b15e66912b11caf93cf77e029011a6639cd6d5d73d" + }, + { + "alg": "SHA-384", + "content": "598061ab44a6035242616e046b4a26bcf54ef34e914fd033381e89006ab54c05456cb3e16ff80735801af0257c609094" + }, + { + "alg": "SHA-512", + "content": "f805f6cf6d42214e856edafc307b618069390246e2d0e2808fb61ff3f39ae374c1240db6762478c3e12b094328cfd9a0356aa64a4f802afb6aa0ff0ff8d7ca97" + } + ], + "externalReferences": [ + { + "url": "https://github.com/CycloneDX/cyclonedx-gomod", + "type": "vcs" + }, + { + "url": "https://cyclonedx.org", + "type": "website" + } + ] + } + ], + "component": { + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", + "type": "library", + "name": "go.mongodb.org/mongo-driver/v2", + "version": "v2.6.1-0.20260427225553-fd85a834c40e", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e" + } + }, + "components": [ + { + "bom-ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", + "type": "library", + "name": "github.com/davecgh/go-spew", + "version": "v1.1.1", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "be3f63feed5baa7bc211f24ec1486d94e011aacdfeae41d8635de36164d4f7b7" + } + ], + "licenses": [ + { + "license": { + "id": "0BSD" + } + } + ], + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "externalReferences": [ + { + "url": "https://github.com/davecgh/go-spew", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", + "type": "library", + "name": "github.com/klauspost/compress", + "version": "v1.17.6", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "eb47aad84fe395fc105edbd911e0546000ecf81c0a056511218f868f67911a32" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/klauspost/compress@v1.17.6", + "externalReferences": [ + { + "url": "https://github.com/klauspost/compress", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module", + "type": "library", + "name": "github.com/xdg-go/pbkdf2", + "version": "v1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "4aeec33eee3cc173300b76ececc08d1becf816173212ecf9765bdc85bab40747" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/pbkdf2", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", + "type": "library", + "name": "github.com/xdg-go/scram", + "version": "v1.2.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "6d8285d801301b9aea77506e993e20027bf053f33d9c1a76a534b1799c3b5afb" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/scram@v1.2.0", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/scram", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "type": "library", + "name": "github.com/xdg-go/stringprep", + "version": "v1.0.4", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "5cb23f360dced40b73ab4a01b374d69bee5956092ad9aa9d96f3fd26da19e9cf" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/stringprep", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "type": "library", + "name": "github.com/youmark/pkcs8", + "version": "v0.0.0-20240726163527-a2c0da244d78", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "8a5415d61cf38aef8b2ccdf3513274b6b473b5fc208ea2a705636d49191b9b03" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "purl": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78", + "externalReferences": [ + { + "url": "https://github.com/youmark/pkcs8", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "type": "library", + "name": "golang.org/x/crypto", + "version": "v0.33.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "20e04fb24922e8bcac8b4968f6a42f6f1890f85bec082fd858e79c087022c6eb" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/crypto@v0.33.0" + }, + { + "bom-ref": "pkg:golang/golang.org/x/sync@v0.11.0?type=module", + "type": "library", + "name": "golang.org/x/sync", + "version": "v0.11.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "186cfcf9740fe05bd34eb8d93f334a4cc16d4971fcd110331bee608453e02bdc" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/sync@v0.11.0" + }, + { + "bom-ref": "pkg:golang/golang.org/x/text@v0.22.0?type=module", + "type": "library", + "name": "golang.org/x/text", + "version": "v0.22.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "6e87eaee6dff1c016f6c5e758f3dd0f702e0de392f48fba266efe90f55f082d3" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/text@v0.22.0" + }, + { + "bom-ref": "pkg:golang/std@go1.26.3?type=module", + "type": "library", + "name": "std", + "version": "go1.26.3", + "scope": "required", + "purl": "pkg:golang/std@go1.26.3" + }, + { + "type": "library", + "bom-ref": "pkg:github/mongodb/libmongocrypt@1.15.1", + "supplier": { + "name": "MongoDB, Inc.", + "url": [ + "https://mongodb.com" + ] + }, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "libmongocrypt", + "version": "1.15.1", + "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "optional", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "copyright": "Copyright 2019-present MongoDB, Inc.", + "cpe": "cpe:2.3:a:mongodb:libmongocrypt:1.15.1:*:*:*:*:*:*:*", + "purl": "pkg:github/mongodb/libmongocrypt@1.15.1", + "externalReferences": [ + { + "url": "https://github.com/mongodb/libmongocrypt.git", + "type": "distribution" + } + ] + } + ], + "dependencies": [ + { + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", + "dependsOn": [ + "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", + "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", + "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", + "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "pkg:golang/golang.org/x/sync@v0.11.0?type=module", + "pkg:golang/std@go1.26.3?type=module", + "pkg:github/mongodb/libmongocrypt@1.15.1" + ] + }, + { + "ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module" + }, + { + "ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module" + }, + { + "ref": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module" + }, + { + "ref": "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", + "dependsOn": [ + "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module", + "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "pkg:golang/golang.org/x/text@v0.22.0?type=module" + ] + }, + { + "ref": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/text@v0.22.0?type=module" + ] + }, + { + "ref": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/crypto@v0.33.0?type=module" + ] + }, + { + "ref": "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/text@v0.22.0?type=module" + ] + }, + { + "ref": "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + }, + { + "ref": "pkg:golang/golang.org/x/text@v0.22.0?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + ] + }, + { + "ref": "pkg:golang/std@go1.26.3?type=module" + }, + { + "ref": "pkg:github/mongodb/libmongocrypt@1.15.1", + "dependsOn": [] + } + ] +}