From a0af51a9b80c2b8c93a4f2fd8589a569e8b30507 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Mon, 4 Aug 2025 16:22:24 -0400 Subject: [PATCH 01/14] GODRIVER-3599 Add task script to generate CycloneDX SBOM The GODRIVER SBOM (sbom.json) does not contain the direct and transitive dependencies defined in go.mod. Added code to generate a CycloneDX SBOM in order to better meet NITA Minimum Elements for Software Bill of Materials, OWASP Software Component Verification Standard (SCVS) Level 1, as well as include the necessary component identifiers for vulnerability discovery and VEX responses. Added a task, etc/script, and pre-commit hook for generating a CycloneDX SBOM using a pinned version of the cyclonedx-gomod tool. The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. The task (generate-sbom) is added to the default tasks and will run only when go.mod is newer than sbom.cdx.json. The pre-commit hook (sbom-currency) ensures that if go.mod is staged for commit, that an updated sbom.json is also staged. Future TODO: Add libmongocrypt as an optional component once the libmongocrypt SBOM is updated with newer automation --- .evergreen/config.yml | 8 + .pre-commit-config.yaml | 7 + Taskfile.yml | 13 +- etc/generate-sbom.sh | 32 ++++ sbom.json | 387 ++++++++++++++++++++++++++++++++++++++-- 5 files changed, 436 insertions(+), 11 deletions(-) create mode 100755 etc/generate-sbom.sh diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 2a7778d026..4a7ab2d10b 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -643,6 +643,14 @@ tasks: binary: bash args: [*task-runner, govulncheck] + - name: generate-sbom + tags: ["ssdlc"] + commands: + - command: subprocess.exec + params: + binary: bash + args: [*task-runner, generate-sbom] + - name: pull-request-helpers allowed_requesters: ["patch", "github_pr"] commands: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 27f3bd3147..62a1a625c7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -71,3 +71,10 @@ repos: language: system types: [go] entry: etc/check_license.sh + + - id: sbom-currency + name: sbom-currency + language: system + types: [json] + require_serial: true + entry: etc/generate-sbom.sh -c diff --git a/Taskfile.yml b/Taskfile.yml index a4c6f405bf..9f0074424d 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -11,7 +11,7 @@ tasks: ### Utility tasks. ### default: - deps: [build, check-license, check-fmt, check-modules, lint, test-short] + deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom] add-license: bash etc/check_license.sh -a @@ -87,6 +87,17 @@ tasks: govulncheck: bash etc/govulncheck.sh + generate-sbom: + desc: Generate a CycloneDX SBOM + summary: | + Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand + The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. + Task will run only when go.mod is newer than sbom.cdx.json. + method: timestamp + sources: [go.mod] + generates: [sbom.json] + cmd: bash etc/generate-sbom.sh + update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES ### Local testing tasks. ### diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh new file mode 100755 index 0000000000..ef13f378c2 --- /dev/null +++ b/etc/generate-sbom.sh @@ -0,0 +1,32 @@ +#!/usr/bin/env bash +set -e + +CHECK_CURRENCY="false" + +# Options are: +# -c : check currency of staged sbom.json versus go.mod. +while getopts "c" opt; do + case $opt in + c) + CHECK_CURRENCY="true" + ;; + *) + echo "usage: $0 [-c]" >&2 + echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2 + exit 1 + ;; + esac +done +#shift $((OPTIND - 1)) + +if ! $CHECK_CURRENCY; then + # The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. + # TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation + + ## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. + ## When resolved, bump version and replace with commented line below. + # GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . + GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.9.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json +elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then + echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1 +fi diff --git a/sbom.json b/sbom.json index 3f3df0c7cc..149c64e914 100644 --- a/sbom.json +++ b/sbom.json @@ -1,11 +1,378 @@ { - "metadata": { - "timestamp": "2024-05-02T17:36:29.429171+00:00" - }, - "components": [], - "serialNumber": "urn:uuid:06a59521-ad52-420b-aee6-7d9ed15e1fd9", - "version": 1, - "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", - "bomFormat": "CycloneDX", - "specVersion": "1.5" - } \ No newline at end of file + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:03582aab-e289-4eb8-9a85-eebdc4b8bf8a", + "version": 1, + "metadata": { + "timestamp": "2025-08-04T16:09:43-04:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-gomod", + "version": "v1.9.0", + "hashes": [ + { + "alg": "MD5", + "content": "56b744e437c1ba4bb7f443b5846a21d2" + }, + { + "alg": "SHA-1", + "content": "10ec58662be68ba3dfba7b2488d6585632f0a5c0" + }, + { + "alg": "SHA-256", + "content": "0102cf3082192b20c8e8c99c12ad54808eb0dbeb6627ea8ea5e2df117732f134" + }, + { + "alg": "SHA-384", + "content": "1e2c8756c2d4facfd910c938f68b5635626413a56b2aeefe0c6b8e79182ec0974242c3a38fcee85ccb3e227aa4adfbce" + }, + { + "alg": "SHA-512", + "content": "afffbed84e1bbc5320974be54df7bf58165ef40c4ba6d87f02494bdf2b6f19a1e3ccdc873dcd993c00eab29920ee94d8c6ee5f3fb09d4915b33e276260f8661a" + } + ], + "externalReferences": [ + { + "url": "https://github.com/CycloneDX/cyclonedx-gomod", + "type": "vcs" + }, + { + "url": "https://cyclonedx.org", + "type": "website" + } + ] + } + ], + "component": { + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce?type=module", + "type": "library", + "name": "go.mongodb.org/mongo-driver/v2", + "version": "v2.2.3-0.20250605220432-a0f897bda6ce", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce" + } + }, + "components": [ + { + "bom-ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", + "type": "library", + "name": "github.com/davecgh/go-spew", + "version": "v1.1.1", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "be3f63feed5baa7bc211f24ec1486d94e011aacdfeae41d8635de36164d4f7b7" + } + ], + "licenses": [ + { + "license": { + "id": "0BSD" + } + } + ], + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "externalReferences": [ + { + "url": "https://github.com/davecgh/go-spew", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/golang/snappy@v1.0.0?type=module", + "type": "library", + "name": "github.com/golang/snappy", + "version": "v1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "3b2eb4ec65571eced1b5b820b4f067af64660c0ac8b0079f0f0beb756bd1846b" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-3-Clause" + } + } + ], + "purl": "pkg:golang/github.com/golang/snappy@v1.0.0", + "externalReferences": [ + { + "url": "https://github.com/golang/snappy", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module", + "type": "library", + "name": "github.com/klauspost/compress", + "version": "v1.16.7", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "da693730f18dccacb112b030f186a885887af7ea5ae2c210482d1f3c608547d2" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/klauspost/compress@v1.16.7", + "externalReferences": [ + { + "url": "https://github.com/klauspost/compress", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module", + "type": "library", + "name": "github.com/xdg-go/pbkdf2", + "version": "v1.0.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "4aeec33eee3cc173300b76ececc08d1becf816173212ecf9765bdc85bab40747" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/pbkdf2", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "type": "library", + "name": "github.com/xdg-go/scram", + "version": "v1.1.2", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "1475f92390788b884a455441085471ab589045e8fb58ede1841b897fe514c926" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/scram@v1.1.2", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/scram", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "type": "library", + "name": "github.com/xdg-go/stringprep", + "version": "v1.0.4", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "5cb23f360dced40b73ab4a01b374d69bee5956092ad9aa9d96f3fd26da19e9cf" + } + ], + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "purl": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4", + "externalReferences": [ + { + "url": "https://github.com/xdg-go/stringprep", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "type": "library", + "name": "github.com/youmark/pkcs8", + "version": "v0.0.0-20240726163527-a2c0da244d78", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "8a5415d61cf38aef8b2ccdf3513274b6b473b5fc208ea2a705636d49191b9b03" + } + ], + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "purl": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78", + "externalReferences": [ + { + "url": "https://github.com/youmark/pkcs8", + "type": "vcs" + } + ] + }, + { + "bom-ref": "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "type": "library", + "name": "golang.org/x/crypto", + "version": "v0.33.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "20e04fb24922e8bcac8b4968f6a42f6f1890f85bec082fd858e79c087022c6eb" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/crypto@v0.33.0" + }, + { + "bom-ref": "pkg:golang/golang.org/x/sync@v0.11.0?type=module", + "type": "library", + "name": "golang.org/x/sync", + "version": "v0.11.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "186cfcf9740fe05bd34eb8d93f334a4cc16d4971fcd110331bee608453e02bdc" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/sync@v0.11.0" + }, + { + "bom-ref": "pkg:golang/golang.org/x/text@v0.22.0?type=module", + "type": "library", + "name": "golang.org/x/text", + "version": "v0.22.0", + "scope": "required", + "hashes": [ + { + "alg": "SHA-256", + "content": "6e87eaee6dff1c016f6c5e758f3dd0f702e0de392f48fba266efe90f55f082d3" + } + ], + "licenses": [ + { + "license": { + "id": "BSD-Source-Code" + } + } + ], + "purl": "pkg:golang/golang.org/x/text@v0.22.0" + } + ], + "dependencies": [ + { + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce?type=module", + "dependsOn": [ + "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", + "pkg:golang/github.com/golang/snappy@v1.0.0?type=module", + "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module", + "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + ] + }, + { + "ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module" + }, + { + "ref": "pkg:golang/github.com/golang/snappy@v1.0.0?type=module" + }, + { + "ref": "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module" + }, + { + "ref": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module" + }, + { + "ref": "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "dependsOn": [ + "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module", + "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module" + ] + }, + { + "ref": "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/text@v0.22.0?type=module" + ] + }, + { + "ref": "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/crypto@v0.33.0?type=module" + ] + }, + { + "ref": "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/text@v0.22.0?type=module" + ] + }, + { + "ref": "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + }, + { + "ref": "pkg:golang/golang.org/x/text@v0.22.0?type=module", + "dependsOn": [ + "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + ] + } + ] +} From 4e522154723f1e9bda3f0a69da73ec6e27b28c51 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Thu, 14 Aug 2025 23:05:05 +0100 Subject: [PATCH 02/14] Update .evergreen/config.yml Co-authored-by: Preston Vasquez --- .evergreen/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 4a7ab2d10b..8032b61299 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -644,7 +644,7 @@ tasks: args: [*task-runner, govulncheck] - name: generate-sbom - tags: ["ssdlc"] + tags: ["ssdlc", "static-analysis"] commands: - command: subprocess.exec params: From 8d5d80f7134741616a84e5dbd9a3c4b83a062d0e Mon Sep 17 00:00:00 2001 From: Matt Dale <9760375+matthewdale@users.noreply.github.com> Date: Thu, 4 Dec 2025 18:34:39 -0800 Subject: [PATCH 03/14] Use correct file for pre-commit and correct comment in Taskfile. --- .pre-commit-config.yaml | 2 +- Taskfile.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1ba432aa53..cb34e7a31c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -78,6 +78,6 @@ repos: - id: sbom-currency name: sbom-currency language: system - types: [json] + files: ^(go\.mod)$ require_serial: true entry: etc/generate-sbom.sh -c diff --git a/Taskfile.yml b/Taskfile.yml index 4cc6fe4f76..fa489e810b 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -92,7 +92,7 @@ tasks: summary: | Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. - Task will run only when go.mod is newer than sbom.cdx.json. + Task will run only when go.mod is newer than sbom.json. method: timestamp sources: [go.mod] generates: [sbom.json] From 3aa5972cf673fad25596f115b0d34b4386c6daec Mon Sep 17 00:00:00 2001 From: Matt Dale <9760375+matthewdale@users.noreply.github.com> Date: Thu, 4 Dec 2025 18:42:44 -0800 Subject: [PATCH 04/14] Add updated SBOM file. --- sbom.json | 49 +++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/sbom.json b/sbom.json index 149c64e914..dccf370247 100644 --- a/sbom.json +++ b/sbom.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:03582aab-e289-4eb8-9a85-eebdc4b8bf8a", + "serialNumber": "urn:uuid:e425de21-e2e7-462f-9e9e-8717ba68514e", "version": 1, "metadata": { - "timestamp": "2025-08-04T16:09:43-04:00", + "timestamp": "2025-12-04T18:42:32-08:00", "tools": [ { "vendor": "CycloneDX", @@ -14,23 +14,23 @@ "hashes": [ { "alg": "MD5", - "content": "56b744e437c1ba4bb7f443b5846a21d2" + "content": "a87d4648b958d7e04c61971d2df2b020" }, { "alg": "SHA-1", - "content": "10ec58662be68ba3dfba7b2488d6585632f0a5c0" + "content": "b742b751dba5c90d13996a46302a7605142f5e54" }, { "alg": "SHA-256", - "content": "0102cf3082192b20c8e8c99c12ad54808eb0dbeb6627ea8ea5e2df117732f134" + "content": "2e1cba54adc4999b6e023f937d9e7d809a49d3f1fe928e44915d7930e26787e7" }, { "alg": "SHA-384", - "content": "1e2c8756c2d4facfd910c938f68b5635626413a56b2aeefe0c6b8e79182ec0974242c3a38fcee85ccb3e227aa4adfbce" + "content": "75c49bc565c88d862b55d6c0bef098b1a7d4d9b12ed248157079385931652b7e8df0d8e93f8355f075c3cbadb9039f45" }, { "alg": "SHA-512", - "content": "afffbed84e1bbc5320974be54df7bf58165ef40c4ba6d87f02494bdf2b6f19a1e3ccdc873dcd993c00eab29920ee94d8c6ee5f3fb09d4915b33e276260f8661a" + "content": "c543586507ca06db1d728cc1daaf09f6ce18e6ba0b6d77f80c05b87c5bb4a9c5065ddc51637efe69dea6c0f6f9e9a8fd3bb5cb873369b9d414d6eb97b4fe2023" } ], "externalReferences": [ @@ -46,10 +46,10 @@ } ], "component": { - "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce?type=module", + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f?type=module", "type": "library", "name": "go.mongodb.org/mongo-driver/v2", - "version": "v2.2.3-0.20250605220432-a0f897bda6ce", + "version": "v2.4.1-0.20251028034235-9bd07db1ed8f", "licenses": [ { "license": { @@ -57,7 +57,7 @@ } } ], - "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce" + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f" } }, "components": [ @@ -116,15 +116,15 @@ ] }, { - "bom-ref": "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module", + "bom-ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", "type": "library", "name": "github.com/klauspost/compress", - "version": "v1.16.7", + "version": "v1.17.6", "scope": "required", "hashes": [ { "alg": "SHA-256", - "content": "da693730f18dccacb112b030f186a885887af7ea5ae2c210482d1f3c608547d2" + "content": "eb47aad84fe395fc105edbd911e0546000ecf81c0a056511218f868f67911a32" } ], "licenses": [ @@ -134,7 +134,7 @@ } } ], - "purl": "pkg:golang/github.com/klauspost/compress@v1.16.7", + "purl": "pkg:golang/github.com/klauspost/compress@v1.17.6", "externalReferences": [ { "url": "https://github.com/klauspost/compress", @@ -170,15 +170,15 @@ ] }, { - "bom-ref": "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "bom-ref": "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", "type": "library", "name": "github.com/xdg-go/scram", - "version": "v1.1.2", + "version": "v1.2.0", "scope": "required", "hashes": [ { "alg": "SHA-256", - "content": "1475f92390788b884a455441085471ab589045e8fb58ede1841b897fe514c926" + "content": "6d8285d801301b9aea77506e993e20027bf053f33d9c1a76a534b1799c3b5afb" } ], "licenses": [ @@ -188,7 +188,7 @@ } } ], - "purl": "pkg:golang/github.com/xdg-go/scram@v1.1.2", + "purl": "pkg:golang/github.com/xdg-go/scram@v1.2.0", "externalReferences": [ { "url": "https://github.com/xdg-go/scram", @@ -316,12 +316,12 @@ ], "dependencies": [ { - "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.2.3-0.20250605220432-a0f897bda6ce?type=module", + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f?type=module", "dependsOn": [ "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", "pkg:golang/github.com/golang/snappy@v1.0.0?type=module", - "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module", - "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", + "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", @@ -335,16 +335,17 @@ "ref": "pkg:golang/github.com/golang/snappy@v1.0.0?type=module" }, { - "ref": "pkg:golang/github.com/klauspost/compress@v1.16.7?type=module" + "ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module" }, { "ref": "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module" }, { - "ref": "pkg:golang/github.com/xdg-go/scram@v1.1.2?type=module", + "ref": "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", "dependsOn": [ "pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0?type=module", - "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module" + "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", + "pkg:golang/golang.org/x/text@v0.22.0?type=module" ] }, { From be7bf18647b1e2982c45c822df5e986de5b114ee Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 18:32:17 -0400 Subject: [PATCH 05/14] Apply yamlfmt formatting --- .evergreen/config.yml | 4 +--- .github/workflows/sbom.yml | 15 +-------------- Taskfile.yml | 2 -- 3 files changed, 2 insertions(+), 19 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index c1457ffaca..23fe25560c 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -550,7 +550,6 @@ tasks: params: binary: bash args: [*task-runner, govulncheck] - - name: upload-sbom tags: ["ssdlc"] allowed_requesters: ["commit"] @@ -560,7 +559,7 @@ tasks: - command: expansions.update params: updates: - - { key: DOCKER_CONFIG, value: "${workdir}/.docker" } + - {key: DOCKER_CONFIG, value: "${workdir}/.docker"} - command: ec2.assume_role display_name: Assume ECR readonly IAM role params: @@ -628,7 +627,6 @@ tasks: local_file: src/go.mongodb.org/mongo-driver/diff.txt permissions: public-read remote_file: mongo-go-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt - - name: pull-request-helpers allowed_requesters: ["patch", "github_pr"] commands: diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 56d400cee6..516c383d33 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -1,9 +1,7 @@ name: Generate SBOM - # Generates sbom.json using cyclonedx-gomod and opens a PR if it has changed. # Triggered when go.mod changes on master, or manually. # Internal documentation: go/sbom-scope - on: workflow_dispatch: {} push: @@ -11,57 +9,46 @@ on: - master paths: - go.mod - permissions: contents: write pull-requests: write - jobs: sbom: name: Generate SBOM and Create PR runs-on: ubuntu-latest - concurrency: group: sbom-${{ github.ref }} cancel-in-progress: false - steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: go.mod - - name: Stash existing SBOM run: | # Strip nondeterministic fields before diffing jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.existing.json - - name: Generate SBOM run: bash etc/generate-sbom.sh - - name: Download CycloneDX CLI run: | curl -L -s -o ${{ runner.temp }}/cyclonedx \ "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.32.0/cyclonedx-linux-x64" echo "454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1 ${{ runner.temp }}/cyclonedx" | sha256sum --check chmod +x ${{ runner.temp }}/cyclonedx - - name: Validate SBOM run: ${{ runner.temp }}/cyclonedx validate --input-file sbom.json --fail-on-errors - - name: Check for SBOM changes id: sbom_diff run: | jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.generated.json RESULT=$(diff --brief ${{ runner.temp }}/sbom.existing.json ${{ runner.temp }}/sbom.generated.json || true) echo "result=$RESULT" | tee -a $GITHUB_OUTPUT - - name: Open Pull Request if SBOM has changed if: steps.sbom_diff.outputs.result - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 + uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 with: add-paths: sbom.json branch: auto-update-sbom-${{ github.ref_name }} diff --git a/Taskfile.yml b/Taskfile.yml index 055fb5163b..c1378faf1d 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -60,7 +60,6 @@ tasks: - GOOS=linux GOARCH=ppc64le etc/golangci-lint.sh - GOOS=linux GOARCH=s390x etc/golangci-lint.sh govulncheck: bash etc/govulncheck.sh - generate-sbom: desc: Generate a CycloneDX SBOM summary: | @@ -71,7 +70,6 @@ tasks: sources: [go.mod] generates: [sbom.json] cmd: bash etc/generate-sbom.sh - update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES ### Local testing tasks. ### test: go test ${BUILD_TAGS} -timeout {{.TEST_TIMEOUT}}s -p 1 ./... From 332ea9da94d2aa55f9f53326b2dbb21cb49e71d4 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 18:46:14 -0400 Subject: [PATCH 06/14] Add libmongocrypt as optional component to SBOM Derives the version from etc/install-libmongocrypt.sh and injects the component into sbom.json after cyclonedx-gomod generation, including the dependency relationship on the main module. --- etc/generate-sbom.sh | 29 +++++++++++++- sbom.json | 94 +++++++++++++++++++++++--------------------- 2 files changed, 78 insertions(+), 45 deletions(-) diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh index 69b9f5f1b0..022892234f 100755 --- a/etc/generate-sbom.sh +++ b/etc/generate-sbom.sh @@ -21,12 +21,39 @@ done if ! $CHECK_CURRENCY; then # The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. - # TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation ## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. ## When resolved, bump version and replace with commented line below. # GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json + + # Derive the libmongocrypt version from the install script and inject it as an optional component. + SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) + LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" + + jq --arg version "$LIBMONGOCRYPT_VERSION" --arg purl "$LIBMONGOCRYPT_PURL" ' + .metadata.component."bom-ref" as $main_ref | + .components += [{ + "type": "library", + "bom-ref": $purl, + "supplier": {"name": "MongoDB, Inc.", "url": ["https://mongodb.com"]}, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "libmongocrypt", + "version": $version, + "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "optional", + "licenses": [{"license": {"id": "Apache-2.0"}}], + "copyright": "Copyright 2019-present MongoDB, Inc.", + "cpe": ("cpe:2.3:a:mongodb:libmongocrypt:" + $version + ":*:*:*:*:*:*:*"), + "purl": $purl, + "externalReferences": [{"url": "https://github.com/mongodb/libmongocrypt.git", "type": "distribution"}] + }] | + (.dependencies[] | select(.ref == $main_ref) | .dependsOn) += [$purl] | + .dependencies += [{"ref": $purl, "dependsOn": []}] + ' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json + elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1 fi diff --git a/sbom.json b/sbom.json index dccf370247..e9037e612c 100644 --- a/sbom.json +++ b/sbom.json @@ -2,35 +2,35 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:e425de21-e2e7-462f-9e9e-8717ba68514e", + "serialNumber": "urn:uuid:6a83c52b-4231-49e8-9eee-ee711d247b2d", "version": 1, "metadata": { - "timestamp": "2025-12-04T18:42:32-08:00", + "timestamp": "2026-06-09T18:45:53-04:00", "tools": [ { "vendor": "CycloneDX", "name": "cyclonedx-gomod", - "version": "v1.9.0", + "version": "v1.10.0", "hashes": [ { "alg": "MD5", - "content": "a87d4648b958d7e04c61971d2df2b020" + "content": "1ddd6c22ff742805b4e9b3d4e5e278dd" }, { "alg": "SHA-1", - "content": "b742b751dba5c90d13996a46302a7605142f5e54" + "content": "4aacbda15585b9e08ac96932e57713c313ae7eb9" }, { "alg": "SHA-256", - "content": "2e1cba54adc4999b6e023f937d9e7d809a49d3f1fe928e44915d7930e26787e7" + "content": "e9f54943f02770bb1c5438b15e66912b11caf93cf77e029011a6639cd6d5d73d" }, { "alg": "SHA-384", - "content": "75c49bc565c88d862b55d6c0bef098b1a7d4d9b12ed248157079385931652b7e8df0d8e93f8355f075c3cbadb9039f45" + "content": "598061ab44a6035242616e046b4a26bcf54ef34e914fd033381e89006ab54c05456cb3e16ff80735801af0257c609094" }, { "alg": "SHA-512", - "content": "c543586507ca06db1d728cc1daaf09f6ce18e6ba0b6d77f80c05b87c5bb4a9c5065ddc51637efe69dea6c0f6f9e9a8fd3bb5cb873369b9d414d6eb97b4fe2023" + "content": "f805f6cf6d42214e856edafc307b618069390246e2d0e2808fb61ff3f39ae374c1240db6762478c3e12b094328cfd9a0356aa64a4f802afb6aa0ff0ff8d7ca97" } ], "externalReferences": [ @@ -46,10 +46,10 @@ } ], "component": { - "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f?type=module", + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", "type": "library", "name": "go.mongodb.org/mongo-driver/v2", - "version": "v2.4.1-0.20251028034235-9bd07db1ed8f", + "version": "v2.6.1-0.20260427225553-fd85a834c40e", "licenses": [ { "license": { @@ -57,7 +57,7 @@ } } ], - "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f" + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e" } }, "components": [ @@ -88,33 +88,6 @@ } ] }, - { - "bom-ref": "pkg:golang/github.com/golang/snappy@v1.0.0?type=module", - "type": "library", - "name": "github.com/golang/snappy", - "version": "v1.0.0", - "scope": "required", - "hashes": [ - { - "alg": "SHA-256", - "content": "3b2eb4ec65571eced1b5b820b4f067af64660c0ac8b0079f0f0beb756bd1846b" - } - ], - "licenses": [ - { - "license": { - "id": "BSD-3-Clause" - } - } - ], - "purl": "pkg:golang/github.com/golang/snappy@v1.0.0", - "externalReferences": [ - { - "url": "https://github.com/golang/snappy", - "type": "vcs" - } - ] - }, { "bom-ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", "type": "library", @@ -312,28 +285,57 @@ } ], "purl": "pkg:golang/golang.org/x/text@v0.22.0" + }, + { + "type": "library", + "bom-ref": "pkg:github/mongodb/libmongocrypt@1.15.1", + "supplier": { + "name": "MongoDB, Inc.", + "url": [ + "https://mongodb.com" + ] + }, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "libmongocrypt", + "version": "1.15.1", + "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "optional", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "copyright": "Copyright 2019-present MongoDB, Inc.", + "cpe": "cpe:2.3:a:mongodb:libmongocrypt:1.15.1:*:*:*:*:*:*:*", + "purl": "pkg:github/mongodb/libmongocrypt@1.15.1", + "externalReferences": [ + { + "url": "https://github.com/mongodb/libmongocrypt.git", + "type": "distribution" + } + ] } ], "dependencies": [ { - "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.4.1-0.20251028034235-9bd07db1ed8f?type=module", + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", "dependsOn": [ "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", - "pkg:golang/github.com/golang/snappy@v1.0.0?type=module", "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", "pkg:golang/github.com/xdg-go/scram@v1.2.0?type=module", "pkg:golang/github.com/xdg-go/stringprep@v1.0.4?type=module", "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", - "pkg:golang/golang.org/x/sync@v0.11.0?type=module" + "pkg:golang/golang.org/x/sync@v0.11.0?type=module", + "pkg:github/mongodb/libmongocrypt@1.15.1" ] }, { "ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module" }, - { - "ref": "pkg:golang/github.com/golang/snappy@v1.0.0?type=module" - }, { "ref": "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module" }, @@ -374,6 +376,10 @@ "dependsOn": [ "pkg:golang/golang.org/x/sync@v0.11.0?type=module" ] + }, + { + "ref": "pkg:github/mongodb/libmongocrypt@1.15.1", + "dependsOn": [] } ] } From 248537cce691fd05dfc9c59a6dc9136056ae20af Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 22:53:18 -0400 Subject: [PATCH 07/14] Address code review feedback on generate-sbom.sh and sbom workflow - Use set -eo pipefail to catch pipeline failures in generate-sbom.sh - Replace curl -L -s with curl -fsSL for clearer HTTP error reporting - Remove stale CHECK_CURRENCY/-c scaffolding (pre-commit hook removed) --- .github/workflows/sbom.yml | 2 +- etc/generate-sbom.sh | 85 ++++++++++++++------------------------ sbom.json | 4 +- 3 files changed, 34 insertions(+), 57 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 516c383d33..79adc67856 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -34,7 +34,7 @@ jobs: run: bash etc/generate-sbom.sh - name: Download CycloneDX CLI run: | - curl -L -s -o ${{ runner.temp }}/cyclonedx \ + curl -fsSL -o ${{ runner.temp }}/cyclonedx \ "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.32.0/cyclonedx-linux-x64" echo "454879e6a4a405c8a13bff49b8982adcb0596f3019b26b0811c66e4d7f0783e1 ${{ runner.temp }}/cyclonedx" | sha256sum --check chmod +x ${{ runner.temp }}/cyclonedx diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh index 022892234f..c8809a2a78 100755 --- a/etc/generate-sbom.sh +++ b/etc/generate-sbom.sh @@ -1,59 +1,36 @@ #!/usr/bin/env bash -set -e +set -eo pipefail -CHECK_CURRENCY="false" +# The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. -# Options are: -# -c : check currency of staged sbom.json versus go.mod. -while getopts "c" opt; do - case $opt in - c) - CHECK_CURRENCY="true" - ;; - *) - echo "usage: $0 [-c]" >&2 - echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2 - exit 1 - ;; - esac -done -#shift $((OPTIND - 1)) +## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. +## When resolved, bump version and replace with commented line below. +# GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . +GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json -if ! $CHECK_CURRENCY; then - # The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. +# Derive the libmongocrypt version from the install script and inject it as an optional component. +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) +LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" - ## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. - ## When resolved, bump version and replace with commented line below. - # GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . - GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json - - # Derive the libmongocrypt version from the install script and inject it as an optional component. - SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) - LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" - - jq --arg version "$LIBMONGOCRYPT_VERSION" --arg purl "$LIBMONGOCRYPT_PURL" ' - .metadata.component."bom-ref" as $main_ref | - .components += [{ - "type": "library", - "bom-ref": $purl, - "supplier": {"name": "MongoDB, Inc.", "url": ["https://mongodb.com"]}, - "author": "MongoDB, Inc.", - "group": "mongodb", - "name": "libmongocrypt", - "version": $version, - "description": "Required C library for Client Side and Queryable Encryption in MongoDB", - "scope": "optional", - "licenses": [{"license": {"id": "Apache-2.0"}}], - "copyright": "Copyright 2019-present MongoDB, Inc.", - "cpe": ("cpe:2.3:a:mongodb:libmongocrypt:" + $version + ":*:*:*:*:*:*:*"), - "purl": $purl, - "externalReferences": [{"url": "https://github.com/mongodb/libmongocrypt.git", "type": "distribution"}] - }] | - (.dependencies[] | select(.ref == $main_ref) | .dependsOn) += [$purl] | - .dependencies += [{"ref": $purl, "dependsOn": []}] - ' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json - -elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then - echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1 -fi +jq --arg version "$LIBMONGOCRYPT_VERSION" --arg purl "$LIBMONGOCRYPT_PURL" ' + .metadata.component."bom-ref" as $main_ref | + .components += [{ + "type": "library", + "bom-ref": $purl, + "supplier": {"name": "MongoDB, Inc.", "url": ["https://mongodb.com"]}, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "libmongocrypt", + "version": $version, + "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "optional", + "licenses": [{"license": {"id": "Apache-2.0"}}], + "copyright": "Copyright 2019-present MongoDB, Inc.", + "cpe": ("cpe:2.3:a:mongodb:libmongocrypt:" + $version + ":*:*:*:*:*:*:*"), + "purl": $purl, + "externalReferences": [{"url": "https://github.com/mongodb/libmongocrypt.git", "type": "distribution"}] + }] | + (.dependencies[] | select(.ref == $main_ref) | .dependsOn) += [$purl] | + .dependencies += [{"ref": $purl, "dependsOn": []}] +' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json diff --git a/sbom.json b/sbom.json index e9037e612c..f1c8a2a6b3 100644 --- a/sbom.json +++ b/sbom.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:6a83c52b-4231-49e8-9eee-ee711d247b2d", + "serialNumber": "urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171", "version": 1, "metadata": { - "timestamp": "2026-06-09T18:45:53-04:00", + "timestamp": "2026-06-09T22:53:12-04:00", "tools": [ { "vendor": "CycloneDX", From ec3acc841c7d246134a1476c155d2962933a6cbb Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 23:07:41 -0400 Subject: [PATCH 08/14] Improve SBOM generation and address Copilot review feedback - Use cyclonedx-gomod -serial, -std=true, -short-purls=true flags; -short-purls replaces the jq PURL-stripping workaround - Hardcode serialNumber; increment .version only on meaningful content change - Workflow diff strips only .metadata.timestamp (not .version) - Add AWS_SESSION_TOKEN to etc/sbom.sh and Evergreen upload-sbom task - Drop -it from podman run in etc/sbom.sh - Add go.sum and etc/install-libmongocrypt.sh to Taskfile generate-sbom sources --- .evergreen/config.yml | 1 + .github/workflows/sbom.yml | 4 ++-- Taskfile.yml | 2 +- etc/generate-sbom.sh | 32 ++++++++++++++++++++++++-------- etc/sbom.sh | 4 +++- sbom.json | 16 ++++++++++++++-- 6 files changed, 45 insertions(+), 14 deletions(-) diff --git a/.evergreen/config.yml b/.evergreen/config.yml index 23fe25560c..d105fc5aa7 100644 --- a/.evergreen/config.yml +++ b/.evergreen/config.yml @@ -592,6 +592,7 @@ tasks: - DOCKER_CONFIG - AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN args: - etc/sbom.sh - command: s3.put diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 79adc67856..cb6a342f23 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -29,7 +29,7 @@ jobs: - name: Stash existing SBOM run: | # Strip nondeterministic fields before diffing - jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.existing.json + jq 'del(.metadata.timestamp)' sbom.json > ${{ runner.temp }}/sbom.existing.json - name: Generate SBOM run: bash etc/generate-sbom.sh - name: Download CycloneDX CLI @@ -43,7 +43,7 @@ jobs: - name: Check for SBOM changes id: sbom_diff run: | - jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.generated.json + jq 'del(.metadata.timestamp)' sbom.json > ${{ runner.temp }}/sbom.generated.json RESULT=$(diff --brief ${{ runner.temp }}/sbom.existing.json ${{ runner.temp }}/sbom.generated.json || true) echo "result=$RESULT" | tee -a $GITHUB_OUTPUT - name: Open Pull Request if SBOM has changed diff --git a/Taskfile.yml b/Taskfile.yml index c1378faf1d..72843b4fa1 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -67,7 +67,7 @@ tasks: The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages. Task will run only when go.mod is newer than sbom.json. method: timestamp - sources: [go.mod] + sources: [go.mod, go.sum, etc/install-libmongocrypt.sh] generates: [sbom.json] cmd: bash etc/generate-sbom.sh update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh index c8809a2a78..9958f18098 100755 --- a/etc/generate-sbom.sh +++ b/etc/generate-sbom.sh @@ -1,15 +1,16 @@ #!/usr/bin/env bash set -eo pipefail -# The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code. +SERIAL_NUMBER="urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662. -## When resolved, bump version and replace with commented line below. -# GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json . -GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json +# Generate the base SBOM. -short-purls strips ?type=module query strings from PURLs, +# resolving https://github.com/CycloneDX/cyclonedx-gomod/issues/662. +GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10.0 \ + mod -type library -licenses -assert-licenses -output-version 1.5 -json \ + -serial "$SERIAL_NUMBER" -std=true -short-purls=true . > sbom.tmp.json -# Derive the libmongocrypt version from the install script and inject it as an optional component. -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +# Inject libmongocrypt as an optional component. LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" @@ -33,4 +34,19 @@ jq --arg version "$LIBMONGOCRYPT_VERSION" --arg purl "$LIBMONGOCRYPT_PURL" ' }] | (.dependencies[] | select(.ref == $main_ref) | .dependsOn) += [$purl] | .dependencies += [{"ref": $purl, "dependsOn": []}] -' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json +' sbom.tmp.json > sbom.new.json +rm sbom.tmp.json + +# Increment .version only when meaningful content has changed. +CURRENT_VERSION=$(jq -r '.version // 0' sbom.json 2>/dev/null || echo 0) +NEW_CONTENT=$(jq -S 'del(.version, .metadata.timestamp)' sbom.new.json) +OLD_CONTENT=$(jq -S 'del(.version, .metadata.timestamp)' sbom.json 2>/dev/null || echo '{}') + +if [ "$NEW_CONTENT" = "$OLD_CONTENT" ]; then + NEW_VERSION=$CURRENT_VERSION +else + NEW_VERSION=$((CURRENT_VERSION + 1)) +fi + +jq --argjson v "$NEW_VERSION" '.version = $v' sbom.new.json > sbom.json +rm sbom.new.json diff --git a/etc/sbom.sh b/etc/sbom.sh index d1bb95f0bf..c8b38a8d66 100755 --- a/etc/sbom.sh +++ b/etc/sbom.sh @@ -7,6 +7,7 @@ set -o pipefail : "${DOCKER_CONFIG:?}" : "${AWS_ACCESS_KEY_ID:?}" : "${AWS_SECRET_ACCESS_KEY:?}" +: "${AWS_SESSION_TOKEN:?}" command -v podman >/dev/null || { echo "missing required program podman" 1>&2 @@ -33,7 +34,8 @@ silkbomb_augment_flags=( --no-update-sbom-version ) -podman run -it --rm -v "$(pwd):/pwd" --env 'AWS_ACCESS_KEY_ID' --env 'AWS_SECRET_ACCESS_KEY' \ +podman run --rm -v "$(pwd):/pwd" \ + --env 'AWS_ACCESS_KEY_ID' --env 'AWS_SECRET_ACCESS_KEY' --env 'AWS_SESSION_TOKEN' \ "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}" [[ -f ./augmented.sbom.json.new ]] || { diff --git a/sbom.json b/sbom.json index f1c8a2a6b3..fef257f9aa 100644 --- a/sbom.json +++ b/sbom.json @@ -3,9 +3,9 @@ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171", - "version": 1, + "version": 2, "metadata": { - "timestamp": "2026-06-09T22:53:12-04:00", + "timestamp": "2026-06-09T23:07:32-04:00", "tools": [ { "vendor": "CycloneDX", @@ -286,6 +286,14 @@ ], "purl": "pkg:golang/golang.org/x/text@v0.22.0" }, + { + "bom-ref": "pkg:golang/std@go1.26.3?type=module", + "type": "library", + "name": "std", + "version": "go1.26.3", + "scope": "required", + "purl": "pkg:golang/std@go1.26.3" + }, { "type": "library", "bom-ref": "pkg:github/mongodb/libmongocrypt@1.15.1", @@ -330,6 +338,7 @@ "pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78?type=module", "pkg:golang/golang.org/x/crypto@v0.33.0?type=module", "pkg:golang/golang.org/x/sync@v0.11.0?type=module", + "pkg:golang/std@go1.26.3?type=module", "pkg:github/mongodb/libmongocrypt@1.15.1" ] }, @@ -377,6 +386,9 @@ "pkg:golang/golang.org/x/sync@v0.11.0?type=module" ] }, + { + "ref": "pkg:golang/std@go1.26.3?type=module" + }, { "ref": "pkg:github/mongodb/libmongocrypt@1.15.1", "dependsOn": [] From 717200dd349447160824c5740bf651afd6db81b2 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 23:09:10 -0400 Subject: [PATCH 09/14] Strip .version from workflow SBOM diff --- .github/workflows/sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index cb6a342f23..79adc67856 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -29,7 +29,7 @@ jobs: - name: Stash existing SBOM run: | # Strip nondeterministic fields before diffing - jq 'del(.metadata.timestamp)' sbom.json > ${{ runner.temp }}/sbom.existing.json + jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.existing.json - name: Generate SBOM run: bash etc/generate-sbom.sh - name: Download CycloneDX CLI @@ -43,7 +43,7 @@ jobs: - name: Check for SBOM changes id: sbom_diff run: | - jq 'del(.metadata.timestamp)' sbom.json > ${{ runner.temp }}/sbom.generated.json + jq 'del(.metadata.timestamp, .version)' sbom.json > ${{ runner.temp }}/sbom.generated.json RESULT=$(diff --brief ${{ runner.temp }}/sbom.existing.json ${{ runner.temp }}/sbom.generated.json || true) echo "result=$RESULT" | tee -a $GITHUB_OUTPUT - name: Open Pull Request if SBOM has changed From c9c732b0ef25be0c10ddd24c4aa1af2c43b7191c Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 23:21:48 -0400 Subject: [PATCH 10/14] Add go.sum to SBOM workflow paths trigger --- .github/workflows/sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 79adc67856..f628c5bbfe 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -9,6 +9,7 @@ on: - master paths: - go.mod + - go.sum permissions: contents: write pull-requests: write From dc9a947744bd1d304c1eaafb571d9f5ea3d8bcce Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 23:23:10 -0400 Subject: [PATCH 11/14] Add etc/install-libmongocrypt.sh to SBOM workflow paths trigger --- .github/workflows/sbom.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index f628c5bbfe..e3b51b2da7 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -10,6 +10,7 @@ on: paths: - go.mod - go.sum + - etc/install-libmongocrypt.sh permissions: contents: write pull-requests: write From e8daade727c2b3a3d95dfe72ba7a62820525373b Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Tue, 9 Jun 2026 23:29:59 -0400 Subject: [PATCH 12/14] Improve SBOM PR description and add SBOM section to CONTRIBUTING.md - Expand automated PR body to describe what changed and why - Add SBOM section to CONTRIBUTING.md explaining the automated workflow --- .github/workflows/sbom.yml | 10 +++++++++- docs/CONTRIBUTING.md | 12 ++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index e3b51b2da7..5b9ff5e95f 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -61,7 +61,15 @@ jobs: body: | ## Automated SBOM Update - This PR was automatically generated because `go.mod` changed. + This PR was automatically generated because a change to `go.mod`, `go.sum`, or + `etc/install-libmongocrypt.sh` was merged into `${{ github.ref_name }}`. + + `sbom.json` has been regenerated to reflect the current module dependency graph + and `libmongocrypt` version. The SBOM serial number is stable; the `.version` + field has been incremented to reflect this update. + + Once merged, an Evergreen CI task will upload the updated SBOM to the internal + tracking system. ### Triggered by - Commit: ${{ github.sha }} diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 26f76fb3fe..8f09636102 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -361,6 +361,18 @@ using enterprise auth, run: TOPOLOGY=sharded_cluster task run-docker -- evg-test-enterprise-auth ``` +## Software Bill of Materials (SBOM) + +The repository maintains a CycloneDX SBOM at `sbom.json` in the repository root. It captures the full module dependency graph along with `libmongocrypt` as an optional component. + +**You do not need to update `sbom.json` manually.** When a pull request that changes `go.mod`, `go.sum`, or `etc/install-libmongocrypt.sh` is merged into `master`, the "Generate SBOM" GitHub Actions workflow will automatically regenerate `sbom.json` and open a follow-up pull request with the updated file. Simply review and merge that PR. + +To regenerate the SBOM locally (e.g. to preview changes), run: + +```bash +task generate-sbom +``` + ## Talk To Us If you want to work on the driver, write documentation, or have questions/complaints, please reach out to us either via [MongoDB Community Forums](https://www.mongodb.com/community/forums/tag/go-driver) or by creating a Question issue in [Jira](https://jira.mongodb.org/secure/CreateIssue!default.jspa). From 556bd8ed160b8941edaabde7c2c1f765cb33ea89 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Wed, 10 Jun 2026 13:05:03 -0400 Subject: [PATCH 13/14] GODRIVER-3599: Normalize SBOM main component version to latest release tag cyclonedx-gomod auto-detects a pseudo-version from the current branch commit, which changes on every commit and is meaningless outside the branch. Use git describe --tags --abbrev=0 to pin to the latest release tag (currently v2.6.0) so the SBOM reflects the actual module version. --- etc/generate-sbom.sh | 19 +++++++++++++++++++ sbom.json | 12 ++++++------ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh index 9958f18098..4761c35706 100755 --- a/etc/generate-sbom.sh +++ b/etc/generate-sbom.sh @@ -10,6 +10,25 @@ GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10 mod -type library -licenses -assert-licenses -output-version 1.5 -json \ -serial "$SERIAL_NUMBER" -std=true -short-purls=true . > sbom.tmp.json +# Normalize main component version to the latest release tag so the SBOM does not +# carry a pseudo-version derived from the current branch's commit hash. +MODULE_VERSION=$(git describe --tags --abbrev=0) +OLD_REF=$(jq -r '.metadata.component."bom-ref"' sbom.tmp.json) +MODULE_PATH=$(jq -r '.metadata.component.purl' sbom.tmp.json | cut -d'@' -f1 | sed 's|^pkg:golang/||') +NEW_PURL="pkg:golang/${MODULE_PATH}@${MODULE_VERSION}" +NEW_REF="${NEW_PURL}?type=module" + +jq --arg old_ref "$OLD_REF" \ + --arg new_ref "$NEW_REF" \ + --arg new_purl "$NEW_PURL" \ + --arg version "$MODULE_VERSION" \ + '.metadata.component.version = $version | + .metadata.component."bom-ref" = $new_ref | + .metadata.component.purl = $new_purl | + .dependencies |= map(if .ref == $old_ref then .ref = $new_ref else . end)' \ + sbom.tmp.json > sbom.tmp2.json +mv sbom.tmp2.json sbom.tmp.json + # Inject libmongocrypt as an optional component. LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" diff --git a/sbom.json b/sbom.json index fef257f9aa..78cc45ca41 100644 --- a/sbom.json +++ b/sbom.json @@ -3,9 +3,9 @@ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171", - "version": 2, + "version": 3, "metadata": { - "timestamp": "2026-06-09T23:07:32-04:00", + "timestamp": "2026-06-10T13:04:52-04:00", "tools": [ { "vendor": "CycloneDX", @@ -46,10 +46,10 @@ } ], "component": { - "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0?type=module", "type": "library", "name": "go.mongodb.org/mongo-driver/v2", - "version": "v2.6.1-0.20260427225553-fd85a834c40e", + "version": "v2.6.0", "licenses": [ { "license": { @@ -57,7 +57,7 @@ } } ], - "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e" + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0" } }, "components": [ @@ -329,7 +329,7 @@ ], "dependencies": [ { - "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0?type=module", "dependsOn": [ "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module", From 6153ece07d6357e868287c370f444e679bb107f0 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Wed, 10 Jun 2026 13:10:06 -0400 Subject: [PATCH 14/14] Revert "GODRIVER-3599: Normalize SBOM main component version to latest release tag" This reverts commit 556bd8ed160b8941edaabde7c2c1f765cb33ea89. --- etc/generate-sbom.sh | 19 ------------------- sbom.json | 12 ++++++------ 2 files changed, 6 insertions(+), 25 deletions(-) diff --git a/etc/generate-sbom.sh b/etc/generate-sbom.sh index 4761c35706..9958f18098 100755 --- a/etc/generate-sbom.sh +++ b/etc/generate-sbom.sh @@ -10,25 +10,6 @@ GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.10 mod -type library -licenses -assert-licenses -output-version 1.5 -json \ -serial "$SERIAL_NUMBER" -std=true -short-purls=true . > sbom.tmp.json -# Normalize main component version to the latest release tag so the SBOM does not -# carry a pseudo-version derived from the current branch's commit hash. -MODULE_VERSION=$(git describe --tags --abbrev=0) -OLD_REF=$(jq -r '.metadata.component."bom-ref"' sbom.tmp.json) -MODULE_PATH=$(jq -r '.metadata.component.purl' sbom.tmp.json | cut -d'@' -f1 | sed 's|^pkg:golang/||') -NEW_PURL="pkg:golang/${MODULE_PATH}@${MODULE_VERSION}" -NEW_REF="${NEW_PURL}?type=module" - -jq --arg old_ref "$OLD_REF" \ - --arg new_ref "$NEW_REF" \ - --arg new_purl "$NEW_PURL" \ - --arg version "$MODULE_VERSION" \ - '.metadata.component.version = $version | - .metadata.component."bom-ref" = $new_ref | - .metadata.component.purl = $new_purl | - .dependencies |= map(if .ref == $old_ref then .ref = $new_ref else . end)' \ - sbom.tmp.json > sbom.tmp2.json -mv sbom.tmp2.json sbom.tmp.json - # Inject libmongocrypt as an optional component. LIBMONGOCRYPT_VERSION=$(grep 'LIBMONGOCRYPT_TAG=' "${SCRIPT_DIR}/install-libmongocrypt.sh" | head -1 | cut -d'"' -f2) LIBMONGOCRYPT_PURL="pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" diff --git a/sbom.json b/sbom.json index 78cc45ca41..fef257f9aa 100644 --- a/sbom.json +++ b/sbom.json @@ -3,9 +3,9 @@ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:b7adcdf8-bafc-43c5-a529-a73130697171", - "version": 3, + "version": 2, "metadata": { - "timestamp": "2026-06-10T13:04:52-04:00", + "timestamp": "2026-06-09T23:07:32-04:00", "tools": [ { "vendor": "CycloneDX", @@ -46,10 +46,10 @@ } ], "component": { - "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0?type=module", + "bom-ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", "type": "library", "name": "go.mongodb.org/mongo-driver/v2", - "version": "v2.6.0", + "version": "v2.6.1-0.20260427225553-fd85a834c40e", "licenses": [ { "license": { @@ -57,7 +57,7 @@ } } ], - "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0" + "purl": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e" } }, "components": [ @@ -329,7 +329,7 @@ ], "dependencies": [ { - "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.0?type=module", + "ref": "pkg:golang/go.mongodb.org/mongo-driver/v2@v2.6.1-0.20260427225553-fd85a834c40e?type=module", "dependsOn": [ "pkg:golang/github.com/davecgh/go-spew@v1.1.1?type=module", "pkg:golang/github.com/klauspost/compress@v1.17.6?type=module",