From c3e45333645ecb8e841065b8e47e803c5a7a59a6 Mon Sep 17 00:00:00 2001 From: Jason Hills Date: Thu, 5 Mar 2026 10:50:28 -0500 Subject: [PATCH] SERVER-116213, SERVER-117626, SERVER-117790: Enhance SBOM automation with private folder support, team automation and branch filtering (#48555) Co-authored-by: Mathias Stearn GitOrigin-RevId: 0ed281764f145dc335b24cc49112f018a921f94b --- OWNERS.yml | 2 +- README.third_party.md | 16 +- bazel/wrapper_hook/lint.py | 2 +- buildscripts/sbom/BUILD.bazel | 6 + buildscripts/sbom/config.py | 11 +- buildscripts/sbom/generate_sbom.py | 498 ++-- buildscripts/sbom/metadata.cdx.json | 2153 ++++++++++++----- buildscripts/sbom/sbom_files_pr.py | 136 +- buildscripts/sbom/sbom_utils.py | 261 ++ buildscripts/sbom_linter.py | 6 +- buildscripts/tests/test_generate_sbom.py | 24 +- buildscripts/util/co_jira_map.yml | 6 + buildscripts/util/codeowners_utils.py | 4 +- .../tasks/misc_tasks.yml | 5 +- .../tasks/release_tasks.yml | 4 +- .../variants/misc/misc.yml | 16 + .../variants/rhel/test_dev.yml | 13 - .../functions/upload_sbom_via_silkbomb.py | 27 +- sbom.json | 1557 ++++++------ src/third_party/OWNERS.yml | 3 - src/third_party/README.md | 89 +- 21 files changed, 2950 insertions(+), 1889 deletions(-) create mode 100644 buildscripts/sbom/sbom_utils.py diff --git a/OWNERS.yml b/OWNERS.yml index d74818cccdf..9f9822dca48 100644 --- a/OWNERS.yml +++ b/OWNERS.yml @@ -92,7 +92,7 @@ filters: - "README.third_party.md": approvers: - 10gen/code-review-team-ssdlc - - "sbom.json": + - "sbom.*": approvers: - 10gen/code-review-team-ssdlc - "MODULE.bazel*": diff --git a/README.third_party.md b/README.third_party.md index 52eb306c842..0d024c1f0fd 100644 --- a/README.third_party.md +++ b/README.third_party.md 
@@ -24,9 +24,7 @@ a notice will be included in | Name | License | Vendored Version | Emits persisted data | Distributed in Release Binaries | | ---------------------------------------------------- | ---------------------------------------------- | ---------------------------------------- | -------------------- | ------------------------------- | | [Abseil Common Libraries (C++)] | Apache-2.0 | 20250512.1 | | ✗ | -| [Apache Avro C++] | Apache-2.0 | 1.12.0 | | ✗ | | [Asio C++ Library] | BSL-1.0 | 1.34.2 | | ✗ | -| [AWS SDK for C++] | Apache-2.0 | 1.11.471 | | ✗ | | [benchmark] | Apache-2.0 | 1.5.2 | | | | [Boost C++ Libraries] | BSL-1.0 | 1.88.0 | | ✗ | | [c-ares] | MIT | 1.27.0 | | ✗ | @@ -35,17 +33,17 @@ a notice will be included in | [Cyrus SASL] | BSD-Attribution-HPND-disclaimer | 2.1.28 | | | | [fmt] | MIT | 11.2.0 | | ✗ | | [folly] | Apache-2.0 | 2023.12.25.00 | | ✗ | +| [fuzztest] | BSD-3-Clause, Apache-2.0, HPND | 2025-07-28 | | | | [googletest] | BSD-3-Clause | 1.17.0 | | | | [gperftools] | BSD-3-Clause | 2.9.1 | | ✗ | | [gRPC (C++)] | Apache-2.0 | 1.74.1 | | ✗ | | [ICU4C - International Components for Unicode C/C++] | Unicode-3.0 | 57.1 | ✗ | ✗ | -| [immer] | BSL-1.0 | 0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3 | | ✗ | +| [immer] | BSL-1.0 | 0.9.1 | | ✗ | | [Intel® Decimal Floating-Point Math Library] | BSD-3-Clause | 2.0.1 | | ✗ | | [JSON Schema Store] | Apache-2.0 | 6847cfc3a17a04a7664474212db50c627e1e3408 | | | | [JSON-Schema-Test-Suite] | MIT | 728066f9c5c258ba3b1804a22a5b998f2ec77ec0 | | | | [libdwarf] | LGPL-2.1-or-later, BSD-3-Clause, Public Domain | 2.1.0 | | | | [libmongocrypt] | Apache-2.0 | 1.15.0 | ✗ | ✗ | -| [librdkafka - The Apache Kafka C/C++ library] | BSD-2-Clause | 2.6.0 | | ✗ | | [LibTomCrypt] | Unlicense | 1.18.2 | ✗ | ✗ | | [libunwind] | MIT | 1.8.1 | | ✗ | | [linenoise] | BSD-2-Clause | 6cdc775807e57b2c3fd64bd207814f8ee1fe35f3 | | ✗ | 
@@ -57,12 +55,14 @@ a notice will be included in | [opentelemetry-cpp] | Apache-2.0 | 1.24.0 | ✗ | | | [opentelemetry-proto] | Apache-2.0 | 1.3.2 | ✗ | | | [PCRE2 - Perl-Compatible Regular Expressions] | BSD-3-Clause WITH PCRE2-exception | 10.40 | | ✗ | +| [Prometheus Client Library for Modern C++] | MIT | 1.2.2 | | | | [Protobuf] | BSD-3-Clause | 6.31.1 | | ✗ | | [pypi/ocspbuilder] | MIT | 0.10.2 | | | | [pypi/ocspresponder] | Apache-2.0 | 0.5.0 | | | | [re2] | BSD-3-Clause | 2025-08-05 | | ✗ | | [S2 Geometry Library] | Apache-2.0 | a25c502bda9d7e0274b9e2b7825fbddf13cc0306 | ✗ | ✗ | | [SafeInt] | MIT | 3.0.28a | | ✗ | +| [siphash] | CC0-1.0, MIT, Apache 2.0 with LLVM exception | eee7d0d84dc7731df2359b243aa5e75d85f6eaef | | ✗ | | [snappy] | BSD-3-Clause | 1.1.10 | ✗ | ✗ | | [Snowball Stemming Algorithms (libstemmer)] | BSD-3-Clause | 1.0.0 | ✗ | ✗ | | [tcmalloc] | Apache-2.0 | f3b20f9a07e175c5d897df7b49d9830d4efa6110 | | ✗ | @@ -73,11 +73,8 @@ a notice will be included in | [yaml-cpp] | MIT | 0.6.3 | | ✗ | | [zlib] | Zlib | 1.3.1 | ✗ | ✗ | | [Zstandard (zstd)] | BSD-3-Clause OR GPL-2.0-only | 1.5.5 | ✗ | ✗ | -| [siphash] | MIT | f26d35e964c6290ffe23d9043475ad3129f409e0 | | ✗ | -[AWS SDK for C++]: https://github.com/aws/aws-sdk-cpp.git [Abseil Common Libraries (C++)]: https://github.com/abseil/abseil-cpp.git -[Apache Avro C++]: https://github.com/apache/avro.git [Asio C++ Library]: https://github.com/chriskohlhoff/asio.git [Boost C++ Libraries]: https://github.com/boostorg/boost.git [CRoaring]: https://github.com/roaringbitmap/croaring.git 
@@ -91,6 +88,7 @@ a notice will be included in [Mozilla Firefox ESR]: https://github.com/mozilla-firefox/firefox.git [MurmurHash3]: https://github.com/aappleby/smhasher/blob/a6bd3ce/ [PCRE2 - Perl-Compatible Regular Expressions]: https://github.com/pcre2project/pcre2.git +[Prometheus Client Library for Modern C++]: https://github.com/jupp0r/prometheus-cpp.git [Protobuf]: https://github.com/protocolbuffers/protobuf.git [S2 Geometry Library]: https://github.com/google/s2geometry.git [SafeInt]: https://github.com/dcleblanc/safeint.git @@ -103,13 +101,13 @@ a notice will be included in [cpptrace]: https://github.com/jeremy-rifkin/cpptrace.git [fmt]: https://github.com/fmtlib/fmt.git [folly]: https://github.com/facebook/folly.git +[fuzztest]: https://github.com/google/fuzztest.git [gRPC (C++)]: https://github.com/grpc/grpc.git [googletest]: https://github.com/google/googletest.git [gperftools]: https://github.com/gperftools/gperftools.git [immer]: https://github.com/arximboldi/immer.git [libdwarf]: https://github.com/davea42/libdwarf-code.git [libmongocrypt]: https://github.com/mongodb/libmongocrypt.git -[librdkafka - The Apache Kafka C/C++ library]: https://github.com/confluentinc/librdkafka.git [libunwind]: https://github.com/libunwind/libunwind.git [linenoise]: https://github.com/antirez/linenoise [nlohmann/json]: https://github.com/nlohmann/json.git @@ -119,13 +117,13 @@ a notice will be included in [pypi/ocspbuilder]: https://pypi.org/project/ocspbuilder/ [pypi/ocspresponder]: https://pypi.org/project/ocspresponder/ [re2]: https://github.com/google/re2.git +[siphash]: https://github.com/veorq/siphash/ [snappy]: https://github.com/google/tcmalloc.git [tcmalloc]: https://github.com/google/tcmalloc.git [timelib]: https://github.com/derickr/timelib.git [valgrind.h]: https://sourceware.org/git/valgrind.git [yaml-cpp]: https://github.com/jbeder/yaml-cpp.git [zlib]: https://zlib.net/fossils/ -[siphash]: https://github.com/veorq/SipHash ## Dynamically Linked Libraries 
diff --git a/bazel/wrapper_hook/lint.py b/bazel/wrapper_hook/lint.py index 0b00524461b..1b56f4fc18b 100644 --- a/bazel/wrapper_hook/lint.py +++ b/bazel/wrapper_hook/lint.py @@ -434,7 +434,7 @@ def run_rules_lint(bazel_bin: str, args: list[str]): if file.endswith((SUPPORTED_EXTENSIONS)) ] - if lint_all or "sbom.json" in files_to_lint: + if lint_all or "sbom.private.json" in files_to_lint: lr.run_bazel("//buildscripts:sbom_linter") if lint_all or any(file.endswith((".h", ".cpp")) for file in files_to_lint): diff --git a/buildscripts/sbom/BUILD.bazel b/buildscripts/sbom/BUILD.bazel index d69badbff64..52936b518a8 100644 --- a/buildscripts/sbom/BUILD.bazel +++ b/buildscripts/sbom/BUILD.bazel @@ -27,3 +27,9 @@ py_binary( srcs = ["sbom_files_pr.py"], visibility = ["//visibility:public"], ) + +py_library( + name = "sbom_utils", + srcs = ["sbom_utils.py"], + visibility = ["//visibility:public"], +) diff --git a/buildscripts/sbom/config.py b/buildscripts/sbom/config.py index 4fc3aea90c2..8e80ad97a68 100644 --- a/buildscripts/sbom/config.py +++ b/buildscripts/sbom/config.py @@ -38,8 +38,10 @@ for component in components_remove: # List of folders in src/third_party to exclude from SBOM generation warnings third_party_folders_remove = [ - "scripts", - "boringssl_replacement", # this is an alias folder + "src/third_party/scripts", # this folder contains scripts related to the import process, but does not contain SBOM components itself + "src/third_party/private", # this is not a real third-party folder, but rather a place for MongoDB to store private forks of third-party code. The actual SBOM components in this folder are still included. + "src/third_party/boringssl_replacement", # this is an alias folder + "src/third_party/wasmtime", # currently no targets depend on this ] # ################ Component Renaming ################ 
@@ -49,14 +51,13 @@ third_party_folders_remove = [ # Valid: pkg:github/abseil/abseil-cpp@20250512.1 # Run string replacements to correct for this: endor_components_rename = [ - ["pkg:c/sourceware.org/git/valgrind", "pkg:generic/valgrind/valgrind"], ["pkg:generic/sourceware.org/git/valgrind", "pkg:generic/valgrind/valgrind"], ["pkg:generic/zlib", "pkg:github/madler/zlib"], ["pkg:generic/libstemmer", "pkg:github/snowballstem/snowball"], ["pkg:generic/intel-dfp-math", "pkg:generic/intel/IntelRDFPMathLib"], ["pkg:c/git.openldap.org/openldap/openldap", "pkg:generic/openldap/openldap"], - ["pkg:generic/github.com/", "pkg:github/"], - ["pkg:c/github.com/", "pkg:github/"], + ["pkg:generic/gitlab.gnome.org/gnome/libxml2", "pkg:generic/gnome/libxml2"], + ["pkg:generic/gitlab.com/bzip2/bzip2", "pkg:github/libarchive/bzip2"], ] # ################ Version Transformation ################ diff --git a/buildscripts/sbom/generate_sbom.py b/buildscripts/sbom/generate_sbom.py index 98a4c846be3..58eeb880df5 100755 --- a/buildscripts/sbom/generate_sbom.py +++ b/buildscripts/sbom/generate_sbom.py @@ -8,13 +8,11 @@ Invoke with ---help or -h for help message. """ import argparse -import json import logging import os import re import subprocess import sys -import urllib.parse import uuid from datetime import datetime, timezone from pathlib import Path @@ -29,6 +27,19 @@ from config import ( from endorctl_utils import EndorCtl from git import Commit, Repo +from buildscripts.sbom.sbom_utils import ( + add_component_property, + check_metadata_sbom, + convert_sbom_to_public, + read_sbom_json_file, + remove_sbom_component, + sbom_components_to_dict, + set_component_version, + set_dependency_version, + write_sbom_json_file, +) +from buildscripts.util.codeowners_utils import Owners + # region init 
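Review bot: The added `from buildscripts.sbom.sbom_utils import (` and `from buildscripts.util.codeowners_utils import Owners` use package-absolute paths, while the untouched lines directly above import modules from the same directory bare (`from config import (`, `from endorctl_utils import EndorCtl`). The two styles resolve under different `sys.path` setups: invoked as a script from `buildscripts/sbom/`, as the module docstring in the previous hunk suggests, the bare form works and the package form needs the repo root on the path, whereas under the bazel `py_binary` the opposite may hold. If the package layout permits, one form for all three local modules is easier to run, e.g. `from buildscripts.sbom.config import (` and `from buildscripts.sbom.endorctl_utils import EndorCtl`; otherwise a one-line note in the module docstring stating the required working directory or `PYTHONPATH` would save the next person a failed import.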
@@ -65,65 +76,6 @@ REGEX_GITHUB_URL = r"^(https://github.com/)([a-zA-Z0-9-]{1,39}/[a-zA-Z0-9-_.]{1, REGEX_RELEASE_BRANCH = r"^v\d\.\d$" REGEX_RELEASE_TAG = r"^r\d\.\d.\d(-\w*)?$" -# ################ PURL Validation ################ -REGEX_STR_PURL_OPTIONAL = ( # Optional Version (any chars except ? @ #) - r"(?:@[^?@#]*)?" - # Optional Qualifiers (any chars except @ #) - r"(?:\?[^@#]*)?" - # Optional Subpath (any chars) - r"(?:#.*)?$" -) - -REGEX_PURL = { - # deb PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/deb-definition.md - "deb": re.compile( - r"^pkg:deb/" # Scheme and type - # Namespace (organization/user), letters must be lowercase - r"(debian|ubuntu)+" - r"/" - r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name - ), - # Generic PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/generic-definition.md - "generic": re.compile( - r"^pkg:generic/" # Scheme and type - r"([a-zA-Z0-9._-]+/)?" # Optional namespace segment - r"[a-zA-Z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name (required) - ), - # GitHub PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/github-definition.md - "github": re.compile( - r"^pkg:github/" # Scheme and type - # Namespace (organization/user), letters must be lowercase - r"[a-z0-9-]+" - r"/" - r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name (repository) - ), - # PyPI PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md - "pypi": re.compile( - r"^pkg:pypi/" # Scheme and type - r"[a-z0-9_-]+" # Name, letters must be lowercase, dashes, underscore - + REGEX_STR_PURL_OPTIONAL - ), -} - - -# Metadata SBOM requirements -METADATA_FIELDS_REQUIRED = [ - "type", - "bom-ref", - "group", - "name", - "version", - "description", - "licenses", - "copyright", - "externalReferences", - "scope", -] -METADATA_FIELDS_ONE_OF = [ - ["author", "supplier"], - ["purl", "cpe"], -] - # endregion init 
@@ -146,7 +98,7 @@ class GitInfo: ).stdout.strip() ) self._repo = Repo(self.repo_root) - except Exception as e: + except (OSError, subprocess.CalledProcessError, AttributeError, TypeError) as e: logger.warning( "Unable to read git repo information. All necessary script arguments must be provided." ) @@ -168,7 +120,7 @@ class GitInfo: filtered_tags = [ tag for tag in self._repo.tags if re.fullmatch(REGEX_RELEASE_TAG, tag.name) ] - logging.info(f"GIT: Parsing {len(filtered_tags)} release tags for match to commit") + logging.info("GIT: Parsing %d release tags for match to commit", len(filtered_tags)) for tag in filtered_tags: if tag.commit == self.commit: release_tags.append(tag.name) @@ -176,10 +128,10 @@ class GitInfo: self.release_tag = release_tags[-1] else: self.release_tag = None - logging.debug(f"GitInfo->release_tag(): {self.release_tag}") + logging.debug("GitInfo->release_tag(): %s", self.release_tag) - logging.debug(f"GitInfo->__init__: {self}") - except Exception as e: + logging.debug("GitInfo->__init__: %s", self) + except (AttributeError, IndexError, ValueError, TypeError) as e: logger.warning("Unable to fully parse git info.") logger.warning(e) 
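Review bot: Narrowing the first `except` to `(OSError, subprocess.CalledProcessError, AttributeError, TypeError)` drops the case where `Repo(self.repo_root)` rejects the directory: GitPython raises `git.exc.InvalidGitRepositoryError`, which derives from `Exception` rather than `OSError`, so that failure would now propagate instead of producing the "Unable to read git repo information" warning the handler promises. Since the file already imports from `git`, adding `InvalidGitRepositoryError` to the tuple (via `from git.exc import InvalidGitRepositoryError`) keeps the degraded-mode behaviour. The same consideration applies to the third hunk on this line (`except (AttributeError, IndexError, ValueError, TypeError)`), where iterating `self._repo.tags` and reading `tag.commit` can surface `git.exc.GitCommandError`; whether that is reachable depends on the clone, so it is worth checking rather than assumed. The enclosing `GitInfo.__init__` starts and ends outside these hunks.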
@@ -232,76 +184,6 @@ def extract_repo_from_git_url(git_url: str) -> dict: } -def is_valid_purl(purl: str) -> bool: - """Validate a GitHub or Generic PURL""" - for purl_type, regex in REGEX_PURL.items(): - if regex.match(purl): - logger.debug(f"PURL: {purl} matched PURL type '{purl_type}' regex '{regex.pattern}'") - return True - return False - - -def sbom_components_to_dict(sbom: dict, with_version: bool = False) -> dict: - """Create a dict of SBOM components with a version-less PURL as the key""" - components = sbom["components"] - if with_version: - components_dict = { - urllib.parse.unquote(component["bom-ref"]): component for component in components - } - else: - components_dict = { - urllib.parse.unquote(component["bom-ref"]).split("@")[0]: component - for component in components - } - return components_dict - - -def check_metadata_sbom(meta_bom: dict) -> None: - """Run checks on SBOM component metadata for expected fields.""" - for component in meta_bom["components"]: - for field in METADATA_FIELDS_REQUIRED: - if field not in component: - logger.warning( - f"METADATA: '{component['bom-ref'] or component['name']} is missing required field '{field}'." - ) - for fields in METADATA_FIELDS_ONE_OF: - found = False - for field in fields: - found = found or field in component - if not found: - logger.warning( - f"METADATA: '{component['bom-ref'] or component['name']} is missing one of fields '{fields}'." 
- ) - - -def read_sbom_json_file(file_path: str) -> dict: - """Load a JSON SBOM file (schema is not validated)""" - try: - with open(file_path, "r", encoding="utf-8") as input_json: - sbom_json = input_json.read() - result = json.loads(sbom_json) - except Exception as e: - logger.error(f"Error loading SBOM file from {file_path}") - logger.error(e) - else: - logger.info(f"SBOM loaded from {file_path} with {len(result['components'])} components") - return result - - -def write_sbom_json_file(sbom_dict: dict, file_path: str) -> None: - """Save a JSON SBOM file (schema is not validated)""" - try: - file_path = os.path.abspath(file_path) - with open(file_path, "w", encoding="utf-8") as output_json: - formatted_sbom = json.dumps(sbom_dict, indent=2) + "\n" - output_json.write(formatted_sbom) - except Exception as e: - logger.error(f"Error writing SBOM file to {file_path}") - logger.error(e) - else: - logger.info(f"SBOM file saved to {file_path}") - - def write_list_to_text_file(str_list: list, file_path: str) -> None: """Save a list of strings to a text file""" try: 
@@ -309,79 +191,48 @@ def write_list_to_text_file(str_list: list, file_path: str) -> None: with open(file_path, "w", encoding="utf-8") as output_txt: for item in str_list: output_txt.write(f"{item}\n") - except Exception as e: - logger.error(f"Error writing text file to {file_path}") + except OSError as e: + logger.error("Error writing text file to %s", file_path) logger.error(e) else: - logger.info(f"Text file saved to {file_path}") + logger.info("Text file saved to %s", file_path) -def set_component_version( - component: dict, version: str, purl_version: str = None, cpe_version: str = None -) -> None: - """Update the appropriate version fields in a component from the metadata SBOM""" - if not purl_version: - purl_version = version +def get_subfolders_list(repo_root: str, base_folder_path: str = ".", subfolders=None) -> list: + """Get list of all directories in the specified path and subfolders""" - if not cpe_version: - cpe_version = version + if subfolders is None: + subfolders = set() + subfolders.add( + "" + ) # Ensure set includes blank to cover search of base folder without a subfolder + folders = [] - component["bom-ref"] = component["bom-ref"].replace("{{VERSION}}", purl_version) - component["version"] = component["version"].replace("{{VERSION}}", version) - if component.get("purl"): - component["purl"] = component["purl"].replace( - "{{VERSION}}", urllib.parse.quote(purl_version) - ) - if not is_valid_purl(component["purl"]): - logger.warning(f"PURL: Invalid PURL ({component['purl']})") - if component.get("cpe"): - component["cpe"] = component["cpe"].replace("{{VERSION}}", cpe_version) - - -def set_dependency_version(dependencies: list, meta_bom_ref: str, purl_version: str) -> None: - """Update the appropriate dependency version fields in the metadata SBOM""" - r = 0 - d = 0 - for dependency in dependencies: - if "{{VERSION}}" in dependency["ref"] and dependency["ref"] == meta_bom_ref: - dependency["ref"] = dependency["ref"].replace("{{VERSION}}", 
purl_version) - r += 1 - for i in range(len(dependency["dependsOn"])): - if dependency["dependsOn"][i] == meta_bom_ref: - dependency["dependsOn"][i] = dependency["dependsOn"][i].replace( - "{{VERSION}}", purl_version - ) - d += 1 - - logger.debug(f"set_dependency_version: '{meta_bom_ref}' updated {r} refs and {d} dependsOn") - - -def get_subfolders_dict(folder_path: str = ".") -> dict: - """Get list of all directories in the specified path""" - subfolders = [] try: - # Get all entries (files and directories) in the specified path - entries = os.listdir(folder_path) + for subfolder in subfolders: + folder_path = os.path.join(repo_root, base_folder_path, subfolder) + logger.info("Getting subfolders in: %s", folder_path) + # Get all entries (files and directories) in the specified path + folders.extend( + [ + os.path.join(base_folder_path, subfolder, item) + for item in os.listdir(folder_path) + ] + ) + logger.debug("Found folders: %s", folders) # Filter for directories - for entry in entries: - full_path = os.path.join(folder_path, entry) - if os.path.isdir(full_path): - subfolders.append(entry) + folders = [folder for folder in folders if os.path.isdir(folder)] + folders.sort() + return folders except FileNotFoundError: - logger.error(f"Error: Directory '{folder_path}' not found.") - except Exception as e: - logger.error(f"An error occurred: {e}") - - subfolders.sort() - return {key: 0 for key in subfolders} - - -def add_component_property(component: dict, name: str, value: str) -> None: - """Add a key/value to to 'properties' in SBOM component""" - if "properties" not in component: - component["properties"] = [] - component["properties"].append({"name": name, "value": value}) + logger.error("Error: Directory '%s' not found.", os.path.join(base_folder_path, subfolder)) + except (PermissionError, OSError) as e: + logger.error( + "An error occurred while accessing the directory '%s'.", + os.path.join(base_folder_path, subfolder), + ) + logger.error(e) def 
get_component_import_script_path(component: dict) -> str: @@ -420,13 +271,14 @@ def del_component_priority_version_source(component: dict) -> None: for i in range(len(component["properties"]) - 1, -1, -1): if component["properties"][i].get("name") == "generate_sbom:priority_version_source": logger.debug( - f"PRIORITY VERSION SOURCE: {component['bom-ref']}: Removing priority version source from SBOM metadata." + "PRIORITY VERSION SOURCE: %s: Removing priority version source from SBOM metadata.", + component["bom-ref"], ) del component["properties"][i] def get_version_from_import_script(file_path: str) -> str: - """A rudimentary parse of a shell script file to extract the static value defined for the VERSION variable""" + """A rudimentary parse of a shell or python script file to extract the static value defined for the VERSION variable""" try: with open(file_path, "r", encoding="utf-8") as file: for line in file: @@ -436,17 +288,38 @@ def get_version_from_import_script(file_path: str) -> str: r"\g", line.strip(), ) - except Exception as e: - logger.warning(f"Unable to load {file_path}") + elif line.strip().startswith("VERSION = "): + return re.sub( + r"^VERSION\s=\s(?P[\"']?)(?P\S+)(?P=quote).*$", + r"\g", + line.strip(), + ) + except OSError as e: + logger.warning("Unable to load %s", file_path) logger.warning(e) else: return None +def deduplicate_list_of_dicts(list_of_dicts): + """Deduplicate a list of dicts while preserving order. Dicts must be hashable (i.e., contain only hashable types)""" + seen = set() + unique_list = [] + for d in list_of_dicts: + # Convert dict items to frozenset for hashability + frozenset_items = frozenset(d.items()) + if frozenset_items not in seen: + seen.add(frozenset_items) + unique_list.append(d) + return unique_list + + # endregion functions and classes def main() -> None: + """Main function to generate SBOM""" + # region define args parser = argparse.ArgumentParser( 
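Review bot: In `get_subfolders_list`, the filter `folders = [folder for folder in folders if os.path.isdir(folder)]` tests paths of the form `src/third_party/<item>` relative to the current working directory, not to `repo_root`, even though the `os.listdir` just above was given `os.path.join(repo_root, base_folder_path, subfolder)`; run from any directory other than the repo root, every entry is dropped and the function returns an empty list. The check should read `if os.path.isdir(os.path.join(repo_root, folder))`. Separately, both `except` branches fall off the end and return `None`, whereas the replaced `get_subfolders_dict` always returned a dict; the caller in the `@@ -772,10 +672,26 @@` hunk does `dict.fromkeys(third_party_folders, 0)`, which raises `TypeError` on `None`, so a final `return []` after the handlers keeps the old contract. `except (PermissionError, OSError)` can also be just `except OSError`, since `PermissionError` is a subclass.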
@@ -508,14 +381,26 @@ def main() -> None: ) files.add_argument( "--sbom-in", - help="Input path for previous SBOM file (Default: './sbom.json')", + help="Input path for previous SBOM file (Default: './sbom.private.json')", + default="./sbom.private.json", + type=str, + ) + files.add_argument( + "--sbom-out-public", + help="Output path for public SBOM file (Default: './sbom.json')", default="./sbom.json", type=str, ) files.add_argument( - "--sbom-out", - help="Output path for SBOM file (Default: './sbom.json')", - default="./sbom.json", + "--sbom-out-internal", + help="Output path for internal SBOM file (Default: './sbom.private.json')", + default="./sbom.private.json", + type=str, + ) + parser.add_argument( + "--branch-filter", + help="Run only if Git repo branch matches regex (Default: '.*')", + default=".*", type=str, ) parser.add_argument( @@ -581,8 +466,16 @@ def main() -> None: ) git_info.branch = args.branch + # Check if branch matches the branch filter regex + if not re.fullmatch(args.branch_filter, git_info.branch): + print( + f"Branch '{git_info.branch}' does not match branch filter '{args.branch_filter}'. Terminating as successful." + ) + sys.exit(0) + # files - sbom_out_path = args.sbom_out + sbom_out_public_path = args.sbom_out_public + sbom_out_internal_path = args.sbom_out_internal sbom_in_path = args.sbom_in sbom_metadata_path = args.sbom_metadata save_warnings = args.save_warnings 
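Review bot: `re.fullmatch(args.branch_filter, git_info.branch)` in the second hunk raises `TypeError` if `git_info.branch` is `None`, which `GitInfo` permits: its constructor only warns when the repo cannot be read, and `git_info.branch = args.branch` on the preceding line may assign `None` when `--branch` is not passed (whether that assignment is guarded is outside the hunk). A guard such as `if not re.fullmatch(args.branch_filter, git_info.branch or ""):` keeps the early exit well-defined with the default `.*` filter, and the message would then fit the rest of `main()` better as `logger.info(...)` than `print(...)`. The enclosing `main()` starts and ends outside the hunk.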
@@ -668,15 +561,18 @@ def main() -> None: print_banner("Loading metadata SBOM and previous SBOM") - meta_bom = read_sbom_json_file(sbom_metadata_path) - if not meta_bom: - logger.error("No SBOM metadata. This is fatal.") + if os.path.exists(sbom_metadata_path): + meta_bom = read_sbom_json_file(sbom_metadata_path) + else: + logger.error("No SBOM metadata file at '%s'. This is fatal.", sbom_metadata_path) sys.exit(1) - prev_bom = read_sbom_json_file(sbom_in_path) - if not prev_bom: + if os.path.exists(sbom_in_path): + prev_bom = read_sbom_json_file(sbom_in_path) + else: logger.warning( - "Unable to load previous SBOM data. The new SBOM will be generated without any previous context. This is unexpected, but not fatal." + "PREVIOUS SBOM: No previous SBOM file at `%s`. The new SBOM will be generated without any previous context. This is unexpected, but not fatal.", + sbom_in_path, ) # Create empty prev_bom to avoid downstream processing errors prev_bom = { @@ -714,7 +610,10 @@ def main() -> None: # Attempt to determine the MongoDB Version being scanned logger.debug( - f"Available MongoDB version options, tag: {git_info.release_tag}, branch: {git_info.branch}, previous SBOM: {prev_bom['metadata']['component']['version']}" + "Available MongoDB version options, tag: %s, branch: %s, previous SBOM: %s", + git_info.release_tag, + git_info.branch, + prev_bom["metadata"]["component"]["version"], ) meta_bom_ref = meta_bom["metadata"]["component"]["bom-ref"] @@ -730,7 +629,7 @@ def main() -> None: version = git_info.release_tag[1:] # remove leading 'r' purl_version = git_info.release_tag cpe_version = version # without leading 'r' - logger.info(f"Using release_tag '{git_info.release_tag}' as MongoDB version") + logger.info("Using release_tag '%s' as MongoDB version", git_info.release_tag) # Release branch e.g., v7.0 or v8.2 elif target == "branch" and re.fullmatch(REGEX_RELEASE_BRANCH, git_info.branch): 
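Review bot: Replacing `if not meta_bom:` with an `os.path.exists(sbom_metadata_path)` check loses the guard against an unreadable or malformed file: the `read_sbom_json_file` this file used to define (removed in the `@@ -232,76 +184,6 @@` hunk) logged the error and returned `None`, and if the `sbom_utils` version keeps that contract, a present-but-invalid metadata file now continues into `meta_bom["metadata"]["component"]["bom-ref"]` and fails with a `TypeError` instead of the intended fatal message. Keeping the truthiness check after the read preserves the old behaviour: `meta_bom = read_sbom_json_file(sbom_metadata_path) if os.path.exists(sbom_metadata_path) else None` followed by `if not meta_bom:` with the existing `logger.error(...)` and `sys.exit(1)`. The same applies to the `prev_bom` branch below it, where the fallback to an empty `prev_bom` would be skipped for a corrupt `sbom.private.json`. `main()` starts and ends outside the hunk.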
@@ -738,7 +637,7 @@ def main() -> None: purl_version = git_info.branch # remove leading 'v', add wildcard. e.g. 8.2.* cpe_version = version[1:] + ".*" - logger.info(f"Using release branch '{git_info.branch}' as MongoDB version") + logger.info("Using release branch '%s' as MongoDB version", git_info.branch) # Previous SBOM app version, if all needed specifiers exist elif ( @@ -749,7 +648,7 @@ def main() -> None: version = prev_bom["metadata"]["component"]["version"] purl_version = prev_bom["metadata"]["component"]["purl"].split("@")[-1] cpe_version = prev_bom["metadata"]["component"]["cpe"].split(":")[5] - logger.info(f"Using previous SBOM version '{version}' as MongoDB version") + logger.info("Using previous SBOM version '%s' as MongoDB version", version) else: # Fall back to the version specified in the Endor SBOM @@ -758,7 +657,8 @@ def main() -> None: purl_version = version cpe_version = version logger.warning( - f"Using SBOM version '{version}' from Endor Labs scan. This is unlikely to be accurate and may specify a PR #." + "Using SBOM version '%s' from Endor Labs scan. This is unlikely to be accurate and may specify a PR #.", + version, ) # Set main component version 
@@ -772,10 +672,26 @@ def main() -> None: # region Parse metadata SBOM components - third_party_folders = get_subfolders_dict(git_info.repo_root.as_posix() + "/src/third_party") + third_party_folders = get_subfolders_list( + git_info.repo_root.as_posix(), "src/third_party", {"private"} + ) + logger.debug("Initial list of 'src/third_party' subfolders: %s", third_party_folders) + + # Convert to a dictionary to count instances folders found in SBOM locations + third_party_folders = dict.fromkeys(third_party_folders, 0) + # exclude folders specified in config.py for folder in third_party_folders_remove: - del third_party_folders[folder] + if folder in third_party_folders: + del third_party_folders[folder] + else: + logger.warning( + "THIRD_PARTY FOLDERS: folder '%s' specified for removal in config.py not found in 'src/third_party' folders list. Consider updating config.py.", + folder, + ) + + # Load codeowners data for later lookup + owners = Owners() for component in meta_bom["components"]: versions = { @@ -786,6 +702,8 @@ def main() -> None: } component_key = component["bom-ref"].split("@")[0] + if "properties" not in component: + component["properties"] = [] print_banner("Component: " + component_key) @@ -795,7 +713,9 @@ def main() -> None: if priority_version_source: versions["priority_version_source"] = priority_version_source logger.info( - f"PRIORITY VERSION SOURCE: {component_key}: Set priority version source to '{priority_version_source}'" + "PRIORITY VERSION SOURCE: %s: Set priority version source to '%s'", + component_key, + priority_version_source, ) del_component_priority_version_source(component) 
@@ -807,7 +727,9 @@ def main() -> None: component["properties"].extend(endor_component.get("properties", [])) versions["endor"] = endor_component.get("version") logger.debug( - f"VERSION ENDOR: {component_key}: Found version '{versions['endor']}' in Endor Labs results" + "VERSION ENDOR: %s: Found version '%s' in Endor Labs results", + component_key, + versions["endor"], ) ############## Import Script ############### @@ -821,11 +743,16 @@ def main() -> None: versions["import_script"] = versions["import_script"].replace("release-", "") if versions["import_script"]: logger.debug( - f"VERSION IMPORT SCRIPT: {component_key}: Found version '{versions['import_script']}' in import script '{import_script_path}'" + "VERSION IMPORT SCRIPT: %s: Found version '%s' in import script '%s'", + component_key, + versions["import_script"], + import_script_path, ) else: logger.debug( - f"VERSION IMPORT SCRIPT: {component_key}: Import script not found! '{import_script_path}'" + "VERSION IMPORT SCRIPT: %s: Import script not found! '%s'", + component_key, + import_script_path, ) ############## Metadata ############### @@ -833,7 +760,7 @@ def main() -> None: if "{{VERSION}}" not in component["version"]: versions["metadata"] = component.get("version") - logger.info(f"VERSIONS: {component_key}: " + str(versions)) + logger.info("VERSIONS: %s: %s", component_key, str(versions)) ############## Component Special Cases ############### process_component_special_cases( 
@@ -864,7 +791,11 @@ def main() -> None: ) ) logger.warning( - f"VERSION MISMATCH: {component_key}: Endor version {versions['endor']} does not match import script version {versions['import_script']}. 'priority_version_source' from metadata: {versions['priority_version_source']}" + "VERSION MISMATCH: %s: Endor version %s does not match import script version %s. 'priority_version_source' from metadata: %s", + component_key, + versions["endor"], + versions["import_script"], + versions["priority_version_source"], ) # For the standard workflow, we favor the pre-set priority version source, @@ -872,7 +803,9 @@ def main() -> None: if versions["priority_version_source"] and versions["priority_version_source"] in versions: version = versions[versions["priority_version_source"]] logger.info( - f"VERSION: {component_key}: Using priority_version_source '{priority_version_source}' from metadata file." + "VERSION: %s: Using priority_version_source '%s' from metadata file.", + component_key, + priority_version_source, ) else: version = versions["endor"] or versions["import_script"] or versions["metadata"] 
@@ -891,36 +824,91 @@ def main() -> None:
 set_dependency_version(meta_bom["dependencies"], meta_bom_ref, version)
- # check against third_party folders
+ # check against third_party folders and log codeowners if location is defined in evidence occurrences
 component_defines_location = False
 for occurrence in component.get("evidence", {}).get("occurrences", []):
 location = occurrence.get("location")
 if location:
 component_defines_location = True
+ # Look up the codeowner for the folder and add as a property
+ component_codeowners = owners.get_codeowners(location)
+ logger.debug(
+ "CODEOWNER: %s code owners for location %s are %s",
+ component_key,
+ location,
+ component_codeowners,
+ )
+ if not component_codeowners:
+ component_codeowners = ["unknown"]
+ logger.warning(
+ "CODEOWNER: %s could not determine code owners for location %s",
+ component_key,
+ location,
+ )
+ else:
+ for codeowner in component_codeowners:
+ try:
+ jira_teams = owners.get_jira_team_from_codeowner(codeowner)
+ except KeyError:
+ logger.warning(
+ "CODEOWNER: %s could not determine JIRA teams for codeowner %s. 
Mapping may be missing from buildscripts/util/co_jira_map.yml",
+ component_key,
+ codeowner,
+ )
+ jira_teams = [codeowner]
+ continue
+ for jira_team in jira_teams:
+ add_component_property(
+ component, "internal:team_responsible", jira_team
+ )
+ logger.info(
+ "CODEOWNER: %s code owner team determined to be %s based on location %s",
+ component_key,
+ jira_team,
+ location,
+ )
 if location.startswith("src/third_party/"):
- location = location.replace("src/third_party/", "")
 if location in third_party_folders:
 third_party_folders[location] += 1
 logger.debug(
- f"THIRD_PARTY FOLDER: {component_key} matched folder {location} specified in SBOM"
+ "THIRD_PARTY FOLDER: %s matched folder %s specified in SBOM",
+ component_key,
+ location,
+ )
+ elif os.path.isdir(git_info.repo_root.as_posix() + "/" + location):
+ logger.debug(
+ "THIRD_PARTY FOLDER: %s folder %s specified in SBOM exists",
+ component_key,
+ location,
 )
 else:
 logger.warning(
- f"THIRD_PARTY FOLDER: {component_key} lists third-party location folder as {location}, which does not exist!"
+ "THIRD_PARTY FOLDER: %s lists third-party location folder as %s, which does not exist!",
+ component_key,
+ location,
 )
 else:
 logger.warning(
- f"THIRD_PARTY FOLDER: {component_key} lists a location as '{location}'. Ideally, all third-party components are located under 'src/third_party/'."
+ "THIRD_PARTY FOLDER: %s lists a location as '%s'. Ideally, all third-party components are located under 'src/third_party/'.",
+ component_key,
+ location,
 )
 if not component_defines_location:
 logger.warning(
- f"THIRD_PARTY FOLDER: {component_key} does not define a location in '.evidence.occurrences[]'"
+ "THIRD_PARTY FOLDER: %s does not define a location in '.evidence.occurrences[]'",
+ component_key,
 )
+
+ # Deduplicate properties list
+ component["properties"] = deduplicate_list_of_dicts(component.get("properties", []))
+
 else:
 logger.warning(
- f"VERSION NOT FOUND: Could not find a version for {component_key}! 
Removing from SBOM. Component may need to be removed from the {sbom_metadata_path} file."
+ "VERSION NOT FOUND: Could not find version information for '%s'! Removing from SBOM. Component may need to be removed from the %s file.",
+ component_key,
+ sbom_metadata_path,
 )
- del component
+ remove_sbom_component(meta_bom, component_key)
 
 print_banner("Third Party Folders")
 third_party_folders_missed = {
@@ -928,8 +916,8 @@ def main() -> None:
 }
 if third_party_folders_missed:
 logger.warning(
- "THIRD_PARTY FOLDERS: 'src/third_party' folders not matched with a component: "
- + ",".join(third_party_folders_missed.keys())
+ "THIRD_PARTY FOLDERS: 'src/third_party' folders not matched with a component: %s",
+ ",".join(third_party_folders_missed.keys()),
 )
 else:
 logger.info(
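Review bot: Both ownership fallbacks in the `@@ -891,36 +824,91 @@` hunk are dead assignments: `component_codeowners = ["unknown"]` is set in the `if not component_codeowners:` branch whose `else:` loop is then skipped, and `jira_teams = [codeowner]` in the `except KeyError:` handler is followed immediately by `continue`, so neither value ever reaches `add_component_property`. A component whose owner or JIRA mapping cannot be resolved is therefore emitted with no `internal:team_responsible` property at all, and a consumer of the SBOM cannot tell "unowned" from "not yet processed". Writing the fallback explicitly, `add_component_property(component, "internal:team_responsible", "unknown")` in the first branch and `add_component_property(component, "internal:team_responsible", codeowner)` in place of `jira_teams = [codeowner]` in the handler, makes the warning and the data agree. Separately, `git_info.repo_root.as_posix() + "/" + location` can be `(git_info.repo_root / location).is_dir()` since `repo_root` is already a `Path`. `main()` starts before this hunk and continues after it.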
@@ -947,16 +935,25 @@ def main() -> None:
 print_banner("New Endor Labs components")
 if endor_components:
 logger.info(
- f"ENDOR SBOM: There are {len(endor_components)} unmatched components in the Endor Labs SBOM. Adding as-is. The applicable metadata should be added to the metadata SBOM for the next run."
+ "ENDOR SBOM: There are %d unmatched components in the Endor Labs SBOM. Adding as-is. The applicable metadata should be added to the metadata SBOM for the next run.",
+ len(endor_components),
 )
 for component in endor_components:
 # set scope to excluded by default until the component is evaluated
 endor_components[component]["scope"] = "excluded"
+
+ # Add blank object for missing fields to avoid issues for downstream processing expecting those fields to exist
+ if "licenses" not in endor_components[component]:
+ endor_components[component]["licenses"] = []
+ logger.warning(
+ "LICENSES: %s does not have a 'licenses' field. Adding empty list to component.",
+ endor_components[component]["bom-ref"],
+ )
 meta_bom["components"].append(endor_components[component])
 meta_bom["dependencies"].append(
 {"ref": endor_components[component]["bom-ref"], "dependsOn": []}
 )
- logger.info(f"SBOM AS-IS COMPONENT: Added {component}")
+ logger.warning("SBOM AS-IS COMPONENT: Added %s", component)
 
 
 # endregion Parse unmatched Endor Labs components
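Review bot: The loop in this hunk rebinds `component` to a dictionary key (a bom-ref string) after the earlier hunks used `component` for a component dict, and then indexes `endor_components[component]` five times in the new `licenses` guard and the existing appends. Iterating the items once, `for endor_ref, endor_comp in endor_components.items():`, and using `endor_comp["licenses"]`, `endor_comp["bom-ref"]` etc. removes the repeated lookups and the name reuse. `main()` starts before this hunk and continues after it.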
@@ -966,14 +963,17 @@ def main() -> None:
 sbom_app_version_changed = (
 prev_bom["metadata"]["component"]["version"] != meta_bom["metadata"]["component"]["version"]
 )
- logger.info(f"SUMMARY: MongoDB version changed: {sbom_app_version_changed}")
+ logger.info("SUMMARY: MongoDB version changed: %s", sbom_app_version_changed)
 
 # Have the components changed?
 prev_components = sbom_components_to_dict(prev_bom, with_version=True)
 meta_components = sbom_components_to_dict(meta_bom, with_version=True)
 sbom_components_changed = prev_components.keys() != meta_components.keys()
 logger.info(
- f"SBOM_DIFF: SBOM components changed (added, removed, or version): {sbom_components_changed}. Previous SBOM has {len(prev_components)} components; New SBOM has {len(meta_components)} components"
+ "SBOM_DIFF: SBOM components changed (added, removed, or version): %s. Previous SBOM has %d components; New SBOM has %d components",
+ sbom_components_changed,
+ len(prev_components),
+ len(meta_components),
 )
 
 # Components in prev SBOM but not in generated SBOM
@@ -982,16 +982,16 @@ def main() -> None:
 prev_components_diff = list(set(prev_components.keys()) - set(meta_components.keys()))
 if prev_components_diff:
 logger.info(
- "SBOM_DIFF: Components in previous SBOM and not in generated SBOM: "
- + ",".join(prev_components_diff)
+ "SBOM_DIFF: Components in previous SBOM and not in generated SBOM: %s",
+ ",".join(prev_components_diff),
 )
 
 # Components in generated SBOM but not in prev SBOM
 meta_components_diff = list(set(meta_components.keys()) - set(prev_components.keys()))
 if meta_components_diff:
 logger.info(
- "SBOM_DIFF: Components in generated SBOM and not in previous SBOM: "
- + ",".join(meta_components_diff)
+ "SBOM_DIFF: Components in generated SBOM and not in previous SBOM: %s",
+ ",".join(meta_components_diff),
 )
 
 # serialNumber https://cyclonedx.org/docs/1.5/json/#serialNumber
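Review bot: In the `@@ -982,16 +982,16 @@` hunk the two `SBOM_DIFF` component lists are built from `list(set(...) - set(...))`, so the joined output is in arbitrary set order and the same SBOM pair can log differently from run to run, which defeats comparing logs across runs the way the later `warnings.sort()` in this commit intends. Dict views already support set difference, so `prev_components_diff = sorted(prev_components.keys() - meta_components.keys())` and `meta_components_diff = sorted(meta_components.keys() - prev_components.keys())` give a stable, readable list without the extra copies. `main()` starts before this hunk and continues after it.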
@@ -1020,13 +1020,17 @@ def main() -> None:
 # metadata.tools https://cyclonedx.org/docs/1.5/json/#metadata_tools
 meta_bom["metadata"]["tools"] = endor_bom["metadata"]["tools"]
 
- write_sbom_json_file(meta_bom, sbom_out_path)
+ write_sbom_json_file(meta_bom, sbom_out_internal_path)
+
+ convert_sbom_to_public(meta_bom)
+ write_sbom_json_file(meta_bom, sbom_out_public_path)
 
 # Access the collected warnings
 print_banner("CONSOLIDATED WARNINGS")
 warnings = []
 for record in warning_handler.warnings:
 warnings.append("- " + record.getMessage())
+ warnings.sort()
 print("\n".join(warnings))
 
 
diff --git a/buildscripts/sbom/metadata.cdx.json b/buildscripts/sbom/metadata.cdx.json
index 4393e10def8..10f15b43a2f 100644
--- a/buildscripts/sbom/metadata.cdx.json
+++ b/buildscripts/sbom/metadata.cdx.json
@@ -5,7 +5,7 @@
 "serialNumber": "urn:uuid:a973a3fe-5abe-4432-91fa-cc30c1034545",
 "version": 1,
 "metadata": {
- "timestamp": "2025-10-16T16:23:07Z",
+ "timestamp": "2026-02-23T16:23:07Z",
 "lifecycles": [
 {
 "phase": "pre-build"
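Review bot: The public SBOM is written from the same `meta_bom` object that was just written to `sbom_out_internal_path`, and the return value of `convert_sbom_to_public(meta_bom)` is discarded, so the public file only omits the private-folder material if that helper strips it in place; nothing in this hunk shows that, and a helper that returns a new BOM would silently publish the internal one. Binding and writing the result makes the intent explicit either way: `public_bom = convert_sbom_to_public(meta_bom)` followed by `write_sbom_json_file(public_bom, sbom_out_public_path)`, with the helper returning the stripped BOM. A comment at the internal write noting that it must precede the conversion would also stop a later reorder from leaking the internal content. As a style point, the local `warnings` shadows the stdlib module name and the append loop is a comprehension (`sorted("- " + r.getMessage() for r in warning_handler.warnings)`). `main()` starts before this hunk.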
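Review bot: In the `@@ -5,7 +5,7 @@` hunk of metadata.cdx.json the `metadata.timestamp` is bumped by hand while `"version": 1` and the `serialNumber` are left unchanged, although this commit changes a large part of the document; CycloneDX recommends incrementing `version` whenever a BOM is modified. If the generator overwrites `serialNumber` and the timestamp in the emitted SBOM anyway (the `# serialNumber` comment in the Python hunk above suggests it does), a short note next to these fields saying they are template placeholders that the script replaces would save the next editor from bumping them by hand; otherwise `version` should go up with this change.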
@@ -29,27 +29,27 @@ "purl": "pkg:github/mongodb/mongo@{{VERSION}}", "externalReferences": [ { - "type": "license", "url": "https://raw.githubusercontent.com/mongodb/mongo/refs/heads/master/LICENSE-Community.txt", - "comment": "Server Side Public License 1.0" + "comment": "Server Side Public License 1.0", + "type": "license" }, { - "type": "website", "url": "https://www.mongodb.com/products/self-managed/community-edition", - "comment": "MongoDB Community Edition is self-managed and can be hosted locally or in the cloud." + "comment": "MongoDB Community Edition is self-managed and can be hosted locally or in the cloud.", + "type": "website" }, { - "type": "website", "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced", - "comment": "MongoDB Enterprise Advanced has powerful tools for automation, operations, and security in self-managed environments." + "comment": "MongoDB Enterprise Advanced has powerful tools for automation, operations, and security in self-managed environments.", + "type": "website" }, { - "type": "release-notes", - "url": "https://www.mongodb.com/docs/manual/release-notes/" + "url": "https://www.mongodb.com/docs/manual/release-notes/", + "type": "release-notes" }, { - "type": "vcs", - "url": "https://github.com/mongodb/mongo" + "url": "https://github.com/mongodb/mongo", + "type": "vcs" } ] }, @@ -75,6 +75,7 @@ "name": "Mozilla Firefox ESR", "version": "{{VERSION}}", "description": "The C++-only SpiderMonkey component of FireFox ESR used by MongoDB.", + "scope": "required", "licenses": [ { "license": { @@ -91,11 +92,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/mozjs" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -104,15 +108,60 @@ "name": "import_script_path", "value": "src/third_party/mozjs/get-sources.sh" } + ] + }, + { + "type": "library", + "bom-ref": "pkg:generic/gnome/libxml2@{{VERSION}}", + "supplier": { + "name": "GNOME Project", + "url": [ + "https://gitlab.gnome.org/GNOME/libxml2" + ] + }, + "author": "Daniel Veillard", + "group": "gnome", + "name": "libxml2", + "version": "{{VERSION}}", + "description": "libxml2 is an XML toolkit implemented in C, originally developed for the GNOME project. It provides a set of interfaces for parsing, modifying, and validating XML documents.", + "scope": "optional", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved. Copyright (C) The Libxml2 Contributors.", + "cpe": "cpe:2.3:a:xmlsoft:libxml2:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:generic/gnome/libxml2@{{VERSION}}", + "externalReferences": [ + { + "url": "https://gitlab.gnome.org/GNOME/libxml2.git", + "type": "distribution" + } ], "evidence": { "occurrences": [ { - "location": "src/third_party/mozjs" + "location": "src/third_party/private/libxml2" } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/libxml2/scripts/import.sh" + }, + { + "name": "generate_sbom:priority_version_source", + "value": "import_script" + } + ] }, { "type": "library", @@ -130,9 +179,10 @@ }, "author": "Marius Cornea", "group": "intel", - "name": "Intel® Decimal Floating-Point Math Library", + "name": "Intel\u00ae Decimal Floating-Point Math Library", "version": "{{VERSION}}", "description": "A a software implementation of the IEEE Standard 754-2019 Decimal Floating-Point Arithmetic specification.", + "scope": "required", "licenses": [ { "license": { 
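Review bot: The `@@ -130,9 +179,10 @@` hunk turns `"Intel® Decimal Floating-Point Math Library"` into `"Intel\u00ae ..."`, and the same escaping appears for `©`, `–`, `í` and `—` in later hunks of this file, which reads as the file having been round-tripped through a serializer with ASCII escaping. For a hand-maintained metadata file that is reviewed as text, that hides the actual characters from reviewers and means any future manual edit that pastes raw UTF-8 will churn the whole entry again. If a script normalizes this file, writing it with `json.dump(..., ensure_ascii=False, indent=2)` keeps the text as the authors wrote it while still producing canonical key order and indentation.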
@@ -144,18 +194,8 @@ "purl": "pkg:generic/intel/IntelRDFPMathLib@{{VERSION}}", "externalReferences": [ { - "type": "distribution", - "url": "https://www.netlib.org/misc/intel/" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" + "url": "https://www.netlib.org/misc/intel/", + "type": "distribution" } ], "evidence": { @@ -165,7 +205,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "data", @@ -181,6 +226,7 @@ "name": "Unicode Character Database", "version": "8.0.0", "description": "Unicode Data Files", + "scope": "required", "licenses": [ { "license": { @@ -188,7 +234,7 @@ } } ], - "copyright": "Copyright © 1991–2015 Unicode, Inc", + "copyright": "Copyright \u00a9 1991\u20132015 Unicode, Inc", "purl": "pkg:generic/unicode-org/unicode@8.0.0?repository_url=https%3A%2F%2Fwww.unicode.org%2FPublic%2F8.0.0%2F", "externalReferences": [ { @@ -196,16 +242,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], "evidence": { "occurrences": [ { @@ -213,7 +249,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] }, { "type": "library", @@ -223,6 +264,7 @@ "name": "valgrind.h", "version": "{{VERSION}}", "description": "This header file is part of Valgrind, a dynamic binary instrumentation framework.", + "scope": "required", "licenses": [ { "license": { @@ -238,16 +280,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
@@ -255,7 +287,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -265,6 +302,7 @@ "name": "MurmurHash3", "version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", "description": "MurmurHash is a non-cryptographic hash function suitable for general hash-based lookup.", + "scope": "required", "licenses": [ { "license": { @@ -280,16 +318,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -297,7 +325,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -313,6 +346,7 @@ "name": "Abseil Common Libraries (C++)", "version": "{{VERSION}}", "description": "Abseil is an open-source collection of C++ code (compliant to C++17) designed to augment the C++ standard library.", + "scope": "required", "licenses": [ { "license": { @@ -328,11 +362,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/abseil-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -341,15 +378,7 @@ "name": "import_script_path", "value": "src/third_party/abseil-cpp/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/abseil-cpp" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -359,6 +388,7 @@ "name": "linenoise", "version": "6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", "description": "A small self-contained alternative to readline and libedit", + "scope": "required", "licenses": [ { "license": { 
@@ -374,16 +404,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
@@ -394,7 +414,220 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/apache/arrow@{{VERSION}}", + "supplier": { + "name": "The Apache Software Foundation", + "url": [ + "https://apache.org/" + ] + }, + "group": "apache", + "name": "Apache Arrow", + "version": "{{VERSION}}", + "description": "Apache Arrow is a cross-language development platform for in-memory data. It specifies a standardized language-independent columnar memory format for flat and hierarchical data, organized for efficient analytic operations on modern hardware.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "BSD-2-Clause" + } + }, + { + "license": { + "id": "BSD-3-Clause" + } + }, + { + "license": { + "id": "BSL-1.0" + } + }, + { + "license": { + "id": "CC-BY-3.0" + } + }, + { + "license": { + "id": "CC0-1.0" + } + }, + { + "license": { + "id": "HPND" + } + }, + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "id": "OpenSSL" + } + }, + { + "license": { + "id": "WTFPL" + } + }, + { + "license": { + "id": "Zlib" + } + } + ], + "copyright": "Copyright 2016-2026 The Apache Software Foundation", + "cpe": "cpe:2.3:a:apache:arrow:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/apache/arrow@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/apache/arrow.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/arrow" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/arrow/scripts/getsources.py" + }, + { + "name": "generate_sbom:priority_version_source", + "value": "import_script" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/apache/avro@{{VERSION}}", + "supplier": { + "name": "The Apache 
Software Foundation", + "url": [ + "https://apache.org/" + ] + }, + "group": "apache", + "name": "Apache Avro", + "version": "{{VERSION}}", + "description": "Apache Avro is a data serialization system. This is the C++ implementation.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "FSFAP" + } + } + ], + "copyright": "Copyright 2010-2025 The Apache Software Foundation", + "cpe": "cpe:2.3:a:apache:avro:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/apache/avro@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/apache/avro.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/avro-cpp" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/avro-cpp/scripts/import.sh" + }, + { + "name": "generate_sbom:priority_version_source", + "value": "import_script" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/apache/thrift@{{VERSION}}", + "supplier": { + "name": "The Apache Software Foundation", + "url": [ + "https://apache.org/" + ] + }, + "group": "apache", + "name": "Apache Thrift", + "version": "{{VERSION}}", + "description": "Thrift is a lightweight, language-independent software stack for point-to-point RPC implementation.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "BSD-3-Clause" + } + } + ], + "copyright": "Copyright (C) 2006 - 2019, The Apache Software Foundation", + "cpe": "cpe:2.3:a:apache:thrift:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/apache/thrift@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/apache/thrift.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/arrow/dist/thrift" + } + ] + }, + "properties": [ + { + 
"name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -402,11 +635,12 @@ "supplier": { "name": "sinusoidal engineering" }, - "author": "Juanpe Bolívar", + "author": "Juanpe Bol\u00edvar", "group": "arximboldi", "name": "immer", "version": "{{VERSION}}", - "description": "Postmodern immutable and persistent data structures for C++ — value semantics at scale", + "description": "Postmodern immutable and persistent data structures for C++ \u2014 value semantics at scale", + "scope": "required", "licenses": [ { "license": { @@ -422,16 +656,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
@@ -439,7 +663,113 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/aws/aws-sdk-cpp@{{VERSION}}", + "supplier": { + "name": "Amazon Web Services", + "url": [ + "https://amazon.com/aws" + ] + }, + "author": "Amazon Web Services", + "group": "aws", + "name": "AWS SDK for C++", + "version": "{{VERSION}}", + "description": "The AWS SDK for C++ provides a C++ interface for Amazon Web Services.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "copyright": "Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.", + "cpe": "cpe:2.3:a:amazon:aws-sdk-cpp:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/aws/aws-sdk-cpp@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/aws/aws-sdk-cpp.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/aws-sdk" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/aws-sdk/scripts/getsources.sh" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/azure/azure-sdk-for-cpp@azure-storage-blobs_{{VERSION}}", + "supplier": { + "name": "Microsoft Corporation", + "url": [ + "https://azure.microsoft.com" + ] + }, + "author": "Microsoft Corporation", + "group": "azure", + "name": "Azure SDK for C++ - Storage Blobs", + "version": "{{VERSION}}", + "description": "Azure Storage Blobs client library for C++. This library provides functionality for uploading, downloading, and managing blobs in Azure Storage.", + "scope": "optional", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (c) Microsoft Corporation. 
All rights reserved.", + "purl": "pkg:github/azure/azure-sdk-for-cpp@azure-storage-blobs_{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/azure/azure-sdk-for-cpp.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/azure-sdk" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/azure-sdk/scripts/import.sh" + }, + { + "name": "generate_sbom:priority_version_source", + "value": "import_script" + } + ] }, { "type": "library", @@ -455,6 +785,7 @@ "name": "Boost C++ Libraries", "version": "{{VERSION}}", "description": "Super-project for modularized Boost. Boost is a repository of free, portable, peer-reviewed C++ libraries. It acts as a proving ground for new libraries, particularly those which work well with the ISO C++ Standard Library.", + "scope": "required", "licenses": [ { "license": { @@ -471,11 +802,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/boost" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -484,15 +818,7 @@ "name": "import_script_path", "value": "src/third_party/boost/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/boost" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -508,6 +834,7 @@ "name": "c-ares", "version": "{{VERSION}}", "description": "A C library for asynchronous DNS requests", + "scope": "required", "licenses": [ { "license": { 
@@ -524,11 +851,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/cares" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -537,15 +867,7 @@ "name": "import_script_path", "value": "src/third_party/cares/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/cares" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -555,6 +877,7 @@ "name": "Asio C++ Library", "version": "{{VERSION}}", "description": "Asio is a cross-platform C++ library for network and low-level I/O programming that provides developers with a consistent asynchronous model using a modern C++ approach.", + "scope": "required", "licenses": [ { "license": { @@ -562,7 +885,7 @@ } } ], - "copyright": "Copyright © 2003-2025 Christopher M. Kohlhoff", + "copyright": "Copyright \u00a9 2003-2025 Christopher M. Kohlhoff", "purl": "pkg:github/chriskohlhoff/asio@{{VERSION}}", "externalReferences": [ { @@ -570,20 +893,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/asio/scripts/import.sh" - } - ], "evidence": { "occurrences": [ { 
@@ -591,7 +900,62 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/asio/scripts/import.sh" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/confluentinc/librdkafka@{{VERSION}}", + "supplier": { + "name": "Confluent Inc." + }, + "author": "Magnus Edenhill", + "group": "confluentinc", + "name": "librdkafka - The Apache Kafka C/C++ library", + "version": "{{VERSION}}", + "description": "The Apache Kafka C/C++ library", + "scope": "required", + "licenses": [ + { + "license": { + "id": "BSD-2-Clause" + } + } + ], + "copyright": "Copyright (c) 2012-2022, Magnus Edenhill; 2023, Confluent Inc.", + "cpe": "cpe:2.3:a:confluent:librdkafka:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/confluentinc/librdkafka@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/confluentinc/librdkafka.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/librdkafka" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/private/librdkafka/scripts/librdkafka_get_sources.sh" + } + ] }, { "type": "library", @@ -608,6 +972,7 @@ "name": "Cyrus SASL", "version": "{{VERSION}}", "description": "Simple Authentication and Security Layer (SASL) is a specification that describes how authentication mechanisms can be plugged into an application protocol on the wire. Cyrus SASL is an implementation of SASL that makes it easy for application developers to integrate authentication mechanisms into their application in a generic way.", + "scope": "optional", "licenses": [ { "license": { 
@@ -624,16 +989,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -641,7 +996,12 @@ } ] }, - "scope": "optional" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -651,6 +1011,7 @@ "name": "libdwarf", "version": "{{VERSION}}", "description": "A library for reading DWARF2 and later DWARF data.", + "scope": "excluded", "licenses": [ { "license": { @@ -669,28 +1030,14 @@ } ], "copyright": "Copyright 2000,2004 Silicon Graphics, Inc.; Portions Copyright 2002-2010 Sun Microsystems, Inc.; Portions Copyright 2007-2025 David Anderson.; Portions Copyright 2008-2010 Arxan Technologies, Inc.; Portions Copyright 2010-2012 SN Systems Ltd.; Portions Copyright 2015,2020 Google, Inc.; All Rights Reserved.", - "purl": "pkg:github/davea42/libdwarf-code@{{VERSION}}", "cpe": "cpe:2.3:a:libdwarf_project:libdwarf:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/davea42/libdwarf-code@{{VERSION}}", "externalReferences": [ { "url": "https://github.com/davea42/libdwarf-code.git", "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/libdwarf/scripts/import.sh" - } - ], "evidence": { "occurrences": [ { @@ -698,7 +1045,16 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/libdwarf/scripts/import.sh" + } + ] }, { "type": "library", @@ -708,6 +1064,7 @@ "name": "SafeInt", "version": "{{VERSION}}", "description": "SafeInt is a class library for C++ that manages integer overflows.", + "scope": "required", "licenses": [ { "license": { 
@@ -723,11 +1080,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/SafeInt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -736,15 +1096,7 @@ "name": "import_script_path", "value": "src/third_party/SafeInt/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/SafeInt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -754,6 +1106,7 @@ "name": "timelib", "version": "{{VERSION}}", "description": "Timelib is a timezone and date/time library that can calculate local time, convert between timezones and parse textual descriptions of date/time information.", + "scope": "required", "licenses": [ { "license": { @@ -769,11 +1122,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/timelib" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" @@ -782,15 +1138,7 @@ "name": "import_script_path", "value": "src/third_party/timelib/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/timelib" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -806,6 +1154,7 @@ "name": "folly", "version": "{{VERSION}}", "description": "An open-source C++ library developed and used at Facebook.", + "scope": "required", "licenses": [ { "license": { 
@@ -818,22 +1167,8 @@ "purl": "pkg:github/facebook/folly@{{VERSION}}", "externalReferences": [ { - "type": "vcs", - "url": "https://github.com/facebook/folly.git" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/folly/scripts/import.sh" + "url": "https://github.com/facebook/folly.git", + "type": "vcs" } ], "evidence": { @@ -843,7 +1178,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/folly/scripts/import.sh" + } + ] }, { "type": "library", @@ -859,6 +1203,7 @@ "name": "Zstandard (zstd)", "version": "{{VERSION}}", "description": "Zstandard - Fast real-time compression algorithm", + "scope": "required", "licenses": [ { "expression": "BSD-3-Clause OR GPL-2.0-only" @@ -873,11 +1218,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/zstandard" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -886,15 +1234,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/zstandard_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/zstandard" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -910,6 +1250,7 @@ "name": "fmt", "version": "{{VERSION}}", "description": "A modern formatting library", + "scope": "required", "licenses": [ { "license": { @@ -926,11 +1267,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/fmt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -939,15 +1283,7 @@ "name": "import_script_path", "value": "src/third_party/fmt/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/fmt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -963,6 +1299,7 @@ "name": "benchmark", "version": "{{VERSION}}", "description": "A microbenchmark support library", + "scope": "excluded", "licenses": [ { "license": { @@ -978,11 +1315,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/benchmark" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -991,15 +1331,110 @@ "name": "import_script_path", "value": "src/third_party/benchmark/scripts/import.sh" } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/google/flatbuffers@{{VERSION}}", + "supplier": { + "name": "Google LLC", + "url": [ + "https://opensource.google/" + ] + }, + "group": "google.opensource", + "name": "github.com/google/flatbuffers", + "version": "{{VERSION}}", + "description": "FlatBuffers is a cross-platform serialization library", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache-2.0" + } + } + ], + "copyright": "Copyright 2014 Google Inc. All rights reserved.", + "cpe": "cpe:2.3:a:google:flatbuffers:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/google/flatbuffers@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/google/flatbuffers.git", + "type": "distribution" + } ], "evidence": { "occurrences": [ { - "location": "src/third_party/benchmark" + "location": "src/third_party/private/arrow/dist/flatbuffers" } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/google/fuzztest@{{VERSION}}", + "supplier": { + "name": "Google LLC", + "url": [ + "https://opensource.google/" + ] + }, + "author": "The Google Test and Google Mock Communities", + "group": "google.opensource", + "name": "fuzztest", + "version": "{{VERSION}}", + "description": "FuzzTest", + "scope": "excluded", + "licenses": [ + { + "license": { + "id": "BSD-3-Clause" + } + }, + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "HPND" + } + } + ], + "copyright": "Copyright 2008, Google Inc. 
All rights reserved.", + "cpe": "cpe:2.3:a:google:fuzztest:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/google/fuzztest@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/google/fuzztest.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/fuzztest" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/fuzztest/scripts/import.sh" + } + ] }, { "type": "library", @@ -1015,6 +1450,7 @@ "name": "googletest", "version": "{{VERSION}}", "description": "GoogleTest - Google Testing and Mocking Framework", + "scope": "excluded", "licenses": [ { "license": { @@ -1031,11 +1467,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/googletest" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Disaggregated Storage" - }, { "name": "emits_persisted_data", "value": "false" @@ -1044,15 +1483,7 @@ "name": "import_script_path", "value": "src/third_party/googletest/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/googletest" - } - ] - }, - "scope": "excluded" + ] }, { "type": "library", @@ -1068,6 +1499,7 @@ "name": "re2", "version": "{{VERSION}}", "description": "RE2 is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python. It is a C++ library.", + "scope": "required", "licenses": [ { "license": { @@ -1084,11 +1516,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/re2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
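Review bot: The `author` and `copyright` values on the new fuzztest component (`The Google Test and Google Mock Communities`, `Copyright 2008, Google Inc.`) read as if carried over from the googletest entry rather than taken from fuzztest's own LICENSE, and they should be confirmed against the vendored tree before this metadata feeds the published SBOM. The flatbuffers component is also named `github.com/google/flatbuffers` while every sibling uses the bare project name (`fuzztest`, `rapidjson`, `utf8proc`), so unless the automation keys on that form the field would better read `"name": "flatbuffers"`.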
@@ -1097,15 +1532,7 @@ "name": "import_script_path", "value": "src/third_party/re2/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/re2" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1121,6 +1548,7 @@ "name": "S2 Geometry Library", "version": "{{VERSION}}", "description": "Computational geometry and spatial indexing on the sphere", + "scope": "required", "licenses": [ { "license": { @@ -1136,16 +1564,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], "evidence": { "occurrences": [ { @@ -1153,7 +1571,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] }, { "type": "library", @@ -1169,6 +1592,7 @@ "name": "snappy", "version": "{{VERSION}}", "description": "A fast compressor/decompressor", + "scope": "required", "licenses": [ { "license": { @@ -1185,11 +1609,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/snappy" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1198,15 +1625,7 @@ "name": "import_script_path", "value": "src/third_party/snappy/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/snappy" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1222,6 +1641,7 @@ "name": "tcmalloc", "version": "{{VERSION}}", "description": "TCMalloc is Google's customized implementation of C's malloc() and C++'s operator new used for memory allocation within our C and C++ code. TCMalloc is a fast, multi-threaded malloc implementation.", + "scope": "required", "licenses": [ { "license": { 
@@ -1231,12 +1651,6 @@ ], "copyright": "Copyright 2024 The TCMalloc Authors", "purl": "pkg:github/google/tcmalloc@{{VERSION}}", - "externalReferences": [ - { - "url": "https://github.com/google/tcmalloc.git", - "type": "distribution" - } - ], "pedigree": { "descendants": [ { @@ -1256,18 +1670,10 @@ } ] }, - "properties": [ + "externalReferences": [ { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/tcmalloc/scripts/import.sh" + "url": "https://github.com/google/tcmalloc.git", + "type": "distribution" } ], "evidence": { @@ -1277,7 +1683,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/tcmalloc/scripts/import.sh" + } + ] }, { "type": "library", @@ -1293,6 +1708,7 @@ "name": "gperftools", "version": "{{VERSION}}", "description": "gperftools (originally Google Performance Tools) is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools.", + "scope": "required", "licenses": [ { "license": { @@ -1309,11 +1725,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/gperftools" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, { "name": "emits_persisted_data", "value": "false" @@ -1326,15 +1745,7 @@ "name": "generate_sbom:priority_version_source", "value": "import_script" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/gperftools" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
@@ -1350,6 +1761,7 @@ "name": "gRPC (C++)", "version": "{{VERSION}}", "description": "gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. gRPC enables client and server applications to communicate transparently, and simplifies the building of connected systems.", + "scope": "required", "licenses": [ { "license": { @@ -1366,11 +1778,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/grpc" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1379,15 +1794,7 @@ "name": "import_script_path", "value": "src/third_party/grpc/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/grpc" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1397,6 +1804,7 @@ "name": "yaml-cpp", "version": "{{VERSION}}", "description": "A YAML parser and emitter in C++", + "scope": "required", "licenses": [ { "license": { @@ -1413,11 +1821,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/yaml-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "false" @@ -1426,15 +1837,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/yaml-cpp_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/yaml-cpp" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1444,6 +1847,7 @@ "name": "cpptrace", "version": "{{VERSION}}", "description": "Simple, portable, and self-contained stacktrace library for C++11 and newer", + "scope": "excluded", "licenses": [ { "license": { 
@@ -1459,11 +1863,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/cpptrace" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1472,15 +1879,7 @@ "name": "import_script_path", "value": "src/third_party/cpptrace/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/cpptrace" - } - ] - }, - "scope": "excluded" + ] }, { "type": "library", @@ -1496,6 +1895,7 @@ "name": "JSON-Schema-Test-Suite", "version": "728066f9c5c258ba3b1804a22a5b998f2ec77ec0", "description": "A language agnostic test suite for the JSON Schema specifications", + "scope": "excluded", "licenses": [ { "license": { @@ -1511,16 +1911,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Optimization" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
@@ -1528,7 +1918,94 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/juliastrings/utf8proc@{{VERSION}}", + "author": "Jan Behrens", + "group": "juliastrings", + "name": "utf8proc", + "version": "{{VERSION}}", + "description": "A clean C library for processing UTF-8 Unicode data", + "scope": "required", + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "id": "Unicode-TOU", + "url": "https://www.unicode.org/copyright.html" + } + } + ], + "copyright": "Copyright \u00a9 2014-2021 by Steven G. Johnson, Jiahao Chen, Tony Kelman, Jonas Fonseca, and other contributors listed in the git history.", + "purl": "pkg:github/juliastrings/utf8proc@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/juliastrings/utf8proc.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/mongocxx/dist/mongoc/utf8proc" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/jupp0r/prometheus-cpp@{{VERSION}}", + "author": "Jupp Mueller, Gregor Jasny", + "group": "jupp0r", + "name": "Prometheus Client Library for Modern C++", + "version": "{{VERSION}}", + "description": "This library aims to enable Metrics-Driven Development for C++ services. 
It implements the Prometheus Data Model, a powerful abstraction on which to collect and expose metrics.", + "scope": "excluded", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (c) 2016-2021 Jupp Mueller, Copyright (c) 2017-2022 Gregor Jasny", + "purl": "pkg:github/jupp0r/prometheus-cpp@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/jupp0r/prometheus-cpp.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/prometheus-cpp" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -1544,6 +2021,7 @@ "name": "LibTomCrypt", "version": "{{VERSION}}", "description": "LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.", + "scope": "required", "licenses": [ { "license": { @@ -1560,11 +2038,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/tomcrypt-1.18.2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" @@ -1573,15 +2054,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/tomcrypt_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/tomcrypt-1.18.2" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
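Review bot: The utf8proc component lists `Unicode-TOU` as its second license; as far as I recall utf8proc's data tables are under the Unicode data-files license (SPDX `Unicode-DFS-2016`) rather than the website terms of use, so the identifier should be checked against the vendored LICENSE before it lands in the published SBOM. The attached url `https://www.unicode.org/copyright.html` does not disambiguate, since that page hosts both texts. If the data-files license is what the tree actually carries, the one-line change is `"id": "Unicode-DFS-2016"`.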
@@ -1597,6 +2070,7 @@ "name": "libunwind", "version": "{{VERSION}}", "description": "The primary goal of this project is to define a portable and efficient C programming interface (API) to determine the call-chain of a program. The API additionally provides the means to manipulate the preserved (callee-saved) state of each call-frame and to resume execution at any point in the call-chain (non-local goto). The API supports both local (same-process) and remote (across-process) operation.", + "scope": "required", "licenses": [ { "license": { @@ -1613,11 +2087,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/unwind" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1626,15 +2103,7 @@ "name": "import_script_path", "value": "src/third_party/unwind/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/unwind" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1650,6 +2119,7 @@ "name": "zlib", "version": "{{VERSION}}", "description": "zlib is a general purpose data compression library.", + "scope": "required", "licenses": [ { "license": { @@ -1657,7 +2127,7 @@ } } ], - "copyright": "Copyright © 1995-2024 Jean-loup Gailly and Mark Adler.", + "copyright": "Copyright \u00a9 1995-2024 Jean-loup Gailly and Mark Adler.", "cpe": "cpe:2.3:a:zlib:zlib:{{VERSION}}:*:*:*:*:*:*:*", "purl": "pkg:github/madler/zlib@{{VERSION}}", "externalReferences": [ @@ -1666,20 +2136,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, - { - "name": "emits_persisted_data", - "value": "true" - }, - { - "name": "import_script_path", - "value": "src/third_party/scripts/zlib_get_sources.sh" - } - ], "evidence": { "occurrences": [ { 
@@ -1687,7 +2143,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "import_script_path", + "value": "src/third_party/scripts/zlib_get_sources.sh" + } + ] }, { "type": "library", @@ -1703,6 +2168,7 @@ "name": "libmongocrypt", "version": "{{VERSION}}", "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "required", "licenses": [ { "license": { @@ -1719,11 +2185,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/libmongocrypt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" @@ -1732,15 +2201,7 @@ "name": "import_script_path", "value": "src/third_party/libmongocrypt/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/libmongocrypt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1754,8 +2215,9 @@ "author": "MongoDB, Inc.", "group": "mongodb", "name": "MongoDB C Driver", - "description": "The Official MongoDB driver for C language", "version": "{{VERSION}}", + "description": "The Official MongoDB driver for C language", + "scope": "required", "licenses": [ { "license": { @@ -1772,11 +2234,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/libbson" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" 
@@ -1785,15 +2250,52 @@ "name": "import_script_path", "value": "src/third_party/libbson/import.sh" } + ] + }, + { + "type": "application", + "bom-ref": "pkg:github/mongodb/mongo-cxx-driver@{{VERSION}}", + "supplier": { + "name": "MongoDB, Inc.", + "url": [ + "https://mongodb.com" + ] + }, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "mongo-cxx-driver", + "version": "{{VERSION}}", + "description": "C++ Driver for MongoDB", + "scope": "required", + "licenses": [ + { + "license": { + "name": "Apache-2.0" + } + } + ], + "copyright": "Copyright 2009-present MongoDB, Inc.", + "cpe": "cpe:2.3:a:mongodb:c++:{{VERSION}}:*:*:*:*:*:*:*", + "purl": "pkg:github/mongodb/mongo-cxx-driver@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/mongodb/mongo-cxx-driver", + "type": "vcs" + } ], "evidence": { "occurrences": [ { - "location": "src/third_party/libbson" + "location": "src/third_party/private/mongocxx" } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -1803,6 +2305,7 @@ "name": "nlohmann/json", "version": "{{VERSION}}", "description": "JSON for Modern C++", + "scope": "optional", "licenses": [ { "license": { @@ -1818,11 +2321,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/nlohmann-json" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1831,15 +2337,7 @@ "name": "import_script_path", "value": "src/third_party/nlohmann-json/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/nlohmann-json" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", 
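Review bot: The new mongo-cxx-driver component records Apache-2.0 under `license.name` rather than `license.id`; CycloneDX reserves `id` for SPDX identifiers, and every other Apache-2.0 entry on this page (flatbuffers, fuzztest) uses `"id": "Apache-2.0"`, so license-policy tooling that matches on `id` will miss this one — change it to `"id": "Apache-2.0"`. Two other fields look worth confirming: `"type": "application"` where every sibling vendored under `src/third_party` is `library`, and the CPE product token `c++` in `cpe:2.3:a:mongodb:c++:{{VERSION}}:*:*:*:*:*:*:*`, which does not correspond to any product name I know of in the NVD dictionary. A CPE that matches nothing silently drops the component from vulnerability correlation, which is the main security use of this file.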
@@ -1853,8 +2351,9 @@ "author": "OpenJS Foundation", "group": "nodejs", "name": "node", - "description": "A modified version of the GetStringWidth function from Node.js, originating from the https://github.com/joyent/node repository.", "version": "22.1.0", + "description": "A modified version of the GetStringWidth function from Node.js, originating from the https://github.com/joyent/node repository.", + "scope": "excluded", "licenses": [ { "license": { @@ -1870,12 +2369,6 @@ "type": "website" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - } - ], "evidence": { "occurrences": [ { @@ -1883,7 +2376,7 @@ } ] }, - "scope": "excluded" + "properties": [] }, { "type": "library", @@ -1899,6 +2392,7 @@ "name": "opentelemetry-cpp", "version": "{{VERSION}}", "description": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. As an industry-standard, OpenTelemetry is supported by more than 40 observability vendors, integrated by many libraries, services, and apps, and adopted by numerous end users.", + "scope": "optional", "licenses": [ { "license": { @@ -1914,11 +2408,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/opentelemetry-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1927,15 +2424,7 @@ "name": "import_script_path", "value": "src/third_party/opentelemetry-cpp/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/opentelemetry-cpp" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", 
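Review bot: The node component ends up with `"properties": []` in the third hunk on this line (`@@ -1883,7 +2376,7 @@`), which makes it the only component on this page without an `emits_persisted_data` value now that `internal:team_responsible` has been removed everywhere. If the consumer of this metadata (the linter or the generator) treats that property as mandatory, this entry will trip it; otherwise the empty array is noise. Either add `{"name": "emits_persisted_data", "value": "false"}` (the vendored code is a single string-width helper, per its description) or drop the empty `properties` key.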
@@ -1951,6 +2440,7 @@ "name": "opentelemetry-proto", "version": "{{VERSION}}", "description": "OpenTelemetry protocol (OTLP) specification and Protobuf definitions", + "scope": "optional", "licenses": [ { "license": { @@ -1966,11 +2456,14 @@ "type": "vcs" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/opentelemetry-proto" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1983,15 +2476,7 @@ "name": "generate_sbom:priority_version_source", "value": "import_script" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/opentelemetry-proto" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", @@ -2002,11 +2487,12 @@ "https://pcre2project.github.io/pcre2/" ] }, - "author": "Philip Hazel, Nicholas Wilson, Zoltán Herczeg", + "author": "Philip Hazel, Nicholas Wilson, Zolt\u00e1n Herczeg", "group": "pcre2", "name": "PCRE2 - Perl-Compatible Regular Expressions", "version": "{{VERSION}}", "description": "The PCRE2 library is a set of C functions that implement regular expression pattern matching.", + "scope": "required", "licenses": [ { "expression": "BSD-3-Clause WITH PCRE2-exception" @@ -2021,11 +2507,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/pcre2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" @@ -2034,15 +2523,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/pcre2_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/pcre2" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
@@ -2058,6 +2539,7 @@ "name": "Protobuf", "version": "{{VERSION}}", "description": "Protocol Buffers - Google's data interchange format", + "scope": "required", "licenses": [ { "license": { @@ -2074,11 +2556,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/protobuf" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -2091,15 +2576,7 @@ "name": "generate_sbom:priority_version_source", "value": "import_script" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/protobuf" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -2115,6 +2592,7 @@ "name": "CRoaring", "version": "{{VERSION}}", "description": "Roaring bitmaps in C (and C++), with SIMD (AVX2, AVX-512 and NEON) optimizations: used by Apache Doris, ClickHouse, and StarRocks. Roaring bitmaps are compressed bitmaps which tend to outperform conventional compressed bitmaps such as WAH, EWAH or Concise. In some instances, they can be hundreds of times faster and they often offer significantly better compression.", + "scope": "required", "licenses": [ { "expression": "Apache-2.0 OR MIT" @@ -2129,11 +2607,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/croaring" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" @@ -2142,15 +2623,7 @@ "name": "import_script_path", "value": "src/third_party/croaring/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/croaring" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
@@ -2166,6 +2639,7 @@ "name": "JSON Schema Store", "version": "6847cfc3a17a04a7664474212db50c627e1e3408", "description": "A collection of JSON schema files including full API", + "scope": "excluded", "licenses": [ { "license": { @@ -2181,16 +2655,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Optimization" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -2198,7 +2662,12 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -2214,6 +2683,7 @@ "name": "Snowball Stemming Algorithms (libstemmer)", "version": "{{VERSION}}", "description": "Snowball is a small string processing language for creating stemming algorithms for use in Information Retrieval, plus a collection of stemming algorithms implemented using it.", + "scope": "required", "licenses": [ { "license": { @@ -2229,11 +2699,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/libstemmer_c" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, { "name": "emits_persisted_data", "value": "true" 
@@ -2242,15 +2715,96 @@ "name": "import_script_path", "value": "src/third_party/libstemmer_c/scripts/import.sh" } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/tencent/rapidjson@{{VERSION}}", + "supplier": { + "name": "Tencent", + "url": [ + "https://opensource.tencent.com/" + ] + }, + "group": "tencent", + "name": "rapidjson", + "version": "{{VERSION}}", + "description": "A fast JSON parser/generator for C++ with both SAX/DOM style API", + "scope": "required", + "licenses": [ + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "id": "BSD-3-Clause" + } + }, + { + "license": { + "id": "JSON" + } + } + ], + "copyright": "Copyright (C) 2015 THL A29 Limited, a Tencent company, and Milo Yip.", + "purl": "pkg:github/tencent/rapidjson@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/tencent/rapidjson.git", + "type": "distribution" + }, + { + "url": "https://rapidjson.org/", + "type": "website" + } ], "evidence": { "occurrences": [ { - "location": "src/third_party/libstemmer_c" + "location": "src/third_party/private/arrow/dist/rapidjson" } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/troydhanson/uthash@{{VERSION}}", + "author": "Troy D. Hanson", + "group": "troydhanson", + "name": "uthash", + "version": "{{VERSION}}", + "description": "C macros for hash tables and more", + "scope": "required", + "licenses": [ + { + "license": { + "id": "BSD-1-Clause" + } + } + ], + "copyright": "Copyright (c) 2005-2025, Troy D. Hanson", + "purl": "pkg:github/troydhanson/uthash@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/troydhanson/uthash.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/mongocxx/dist/mongoc/uthash" + } + ] + } }, { "type": "library", 
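Review bot: The new uthash component has no `properties` block at all, so it carries no `emits_persisted_data` value while every other component added in this commit (rapidjson just above it, utf8proc, siphash, xsimd) does; if the linter treats the property as mandatory this entry fails, and if it does not, the omission reads as an unanswered question rather than a deliberate `false`. Adding `"properties": [{"name": "emits_persisted_data", "value": "false"}]` after the `evidence` block keeps it consistent, on the assumption that a header-only hash-table macro library persists nothing — plausible, but better stated explicitly.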
@@ -2266,6 +2820,7 @@ "name": "ICU4C - International Components for Unicode C/C++", "version": "{{VERSION}}", "description": "International Components for Unicode (ICU) is an open-source project of mature libraries for Unicode support, software internationalization, and software globalization. The C/C++ version, known as ICU4C, offers comprehensive functionalities for handling globalized applications.", + "scope": "required", "licenses": [ { "license": { @@ -2274,7 +2829,7 @@ } } ], - "copyright": "Copyright © 2016-2025 Unicode, Inc.", + "copyright": "Copyright \u00a9 2016-2025 Unicode, Inc.", "cpe": "cpe:2.3:a:icu-project:international_components_for_unicode:{{VERSION}}:*:*:*:*:c/c++:*:*", "purl": "pkg:github/unicode-org/icu@{{VERSION}}", "externalReferences": [ @@ -2283,20 +2838,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, - { - "name": "emits_persisted_data", - "value": "true" - }, - { - "name": "import_script_path", - "value": "src/third_party/scripts/icu_get_sources.sh" - } - ], "evidence": { "occurrences": [ { 
@@ -2304,7 +2845,64 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "import_script_path", + "value": "src/third_party/scripts/icu_get_sources.sh" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/veorq/siphash@{{VERSION}}", + "author": "Jean-Philippe Aumasson, Daniel J. Bernstein", + "group": "veorq", + "name": "siphash", + "version": "{{VERSION}}", + "description": "High-speed secure pseudorandom function for short messages", + "scope": "required", + "licenses": [ + { + "license": { + "id": "CC0-1.0" + } + }, + { + "license": { + "id": "MIT" + } + }, + { + "license": { + "name": "Apache 2.0 with LLVM exception" + } + } + ], + "copyright": "This code is copyright (c) 2014-2023 Jean-Philippe Aumasson, Daniel J. Bernstein.", + "purl": "pkg:github/veorq/siphash@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/veorq/siphash/", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/siphash" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "framework", @@ -2320,6 +2918,7 @@ "name": "WiredTiger", "version": "{{VERSION}}", "description": "WiredTiger is an high performance, scalable, production quality, NoSQL, Open Source extensible platform for data management.", + "scope": "required", "licenses": [ { "expression": "GPL-2.0-only OR GPL-3.0-only" @@ -2333,16 +2932,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Engines" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], "evidence": { "occurrences": [ { 
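Review bot: The third siphash license is recorded as the free-text `"name": "Apache 2.0 with LLVM exception"`, which SPDX can express exactly as `Apache-2.0 WITH LLVM-exception`; as a `name` it is opaque to any policy or compliance tool reading this SBOM. Because CycloneDX does not allow mixing `license` objects and an `expression` in one `licenses` array, and the three entries appear to be alternatives the licensee may choose between (presumed from upstream's triple licensing, worth confirming), the cleanest form is the single entry `{"expression": "CC0-1.0 OR MIT OR Apache-2.0 WITH LLVM-exception"}`, the same shape zstd and CRoaring use elsewhere on this page.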
@@ -2350,7 +2939,50 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/xtensor-stack/xsimd@{{VERSION}}", + "author": "Johan Mabille and Sylvain Corlay", + "group": "xtensor-stack", + "name": "xsimd", + "version": "{{VERSION}}", + "description": "C++ wrappers for SIMD intrinsics and parallelized, optimized mathematical functions (SSE, AVX, AVX512, NEON, SVE, WebAssembly, VSX, RISC-V))", + "scope": "required", + "licenses": [ + { + "license": { + "id": "BSD-3-Clause" + } + } + ], + "copyright": "Copyright 2016, Johan Mabille and Sylvain Corlay.", + "purl": "pkg:github/xtensor-stack/xsimd@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/xtensor-stack/xsimd.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/private/arrow/dist/rapidjson" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -2360,6 +2992,7 @@ "name": "pypi/ocspbuilder", "version": "0.10.2", "description": "Creates and signs online certificate status protocol (OCSP) requests and responses for X.509 certificates", + "scope": "excluded", "licenses": [ { "license": { @@ -2375,16 +3008,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -2392,7 +3015,12 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -2408,6 +3036,7 @@ "name": "pypi/ocspresponder", "version": "0.5.0", "description": "RFC 6960 compliant OCSP Responder framework written in Python 3.", + "scope": "excluded", "licenses": [ { "license": { 
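Review bot: The xsimd component's evidence location is `src/third_party/private/arrow/dist/rapidjson`, the same directory the rapidjson entry already claims in the hunk three lines up, so this looks like a copy-paste slip; since occurrences drive the private-folder matching this commit introduces, xsimd's files would be attributed to the wrong path or not found at all. It should point at xsimd's own vendored directory (presumably a sibling under `src/third_party/private/arrow/dist/`; confirm in the tree). The description also carries a doubled closing parenthesis in `RISC-V))`.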
@@ -2423,16 +3052,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
@@ -2440,64 +3059,175 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/libarchive/bzip2@bzip2-{{VERSION}}", + "supplier": { + "name": "bzip2 project", + "url": [ + "https://sourceware.org/bzip2/" + ] + }, + "author": "Julian Seward", + "group": "libarchive", + "name": "bzip2", + "version": "{{VERSION}}", + "description": "A high-quality data compression program and library.", + "licenses": [ + { + "license": { + "id": "bzip2-1.0.6" + } + } + ], + "copyright": "Copyright (C) 1996-2010 Julian Seward ; Copyright (C) 2019-2020 Federico Mena Quintero ; Copyright (C) 2021 Micah Snyder.", + "purl": "pkg:github/libarchive/bzip2@bzip2-{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/libarchive/bzip2", + "type": "distribution" + } + ], + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/bzip2/scripts/import.sh" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/bzip2" + } + ] + }, + "scope": "required" + }, + { + "type": "library", + "bom-ref": "pkg:github/json-c/json-c@{{VERSION}}", + "supplier": { + "name": "json-c project", + "url": [ + "https://github.com/json-c/json-c" + ] + }, + "author": "Eric Haszlakiewicz", + "group": "json-c", + "name": "json-c", + "version": "{{VERSION}}", + "description": "A JSON implementation in C.", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (c) 2009-2012 Eric Haszlakiewicz; Copyright (c) 2004, 2005 Metaparadigm Pte Ltd", + "purl": "pkg:github/json-c/json-c@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/json-c/json-c", + "type": "distribution" + } + ], + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": 
"src/third_party/json-c/scripts/import.sh" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/json-c" + } + ] + }, + "scope": "required" + }, + { + "type": "library", + "bom-ref": "pkg:github/rnpgp/rnp@{{VERSION}}", + "supplier": { + "name": "Ribose Group Inc.", + "url": [ + "https://www.rnpgp.org/" + ] + }, + "author": "Ribose Group Inc.", + "group": "rnpgp", + "name": "rnp", + "version": "{{VERSION}}", + "description": "A high performance C++ OpenPGP library, fully compliant to RFC 4880.", + "licenses": [ + { + "license": { + "id": "BSD-2-Clause" + } + }, + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (c) 2017-2024, Ribose Inc. All rights reserved.", + "purl": "pkg:github/rnpgp/rnp@{{VERSION}}", + "externalReferences": [ + { + "url": "https://github.com/rnpgp/rnp", + "type": "distribution" + } + ], + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/rnp/scripts/import.sh" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/rnp" + } + ] + }, + "scope": "required" } ], "dependencies": [ { - "ref": "pkg:github/mongodb/mongo@{{VERSION}}", - "dependsOn": [ - "pkg:github/abseil/abseil-cpp@{{VERSION}}", - "pkg:github/arximboldi/immer@{{VERSION}}", - "pkg:github/chriskohlhoff/asio@{{VERSION}}", - "pkg:github/google/benchmark@{{VERSION}}", - "pkg:github/boostorg/boost@boost-{{VERSION}}", - "pkg:github/c-ares/c-ares@{{VERSION}}", - "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-{{VERSION}}", - "pkg:github/dcleblanc/safeint@{{VERSION}}", - "pkg:github/derickr/timelib@{{VERSION}}", - "pkg:github/fmtlib/fmt@{{VERSION}}", - "pkg:github/facebook/folly@{{VERSION}}", - "pkg:github/google/re2@{{VERSION}}", - "pkg:github/google/s2geometry@{{VERSION}}", - "pkg:github/google/snappy@{{VERSION}}", - "pkg:github/google/googletest@{{VERSION}}", - 
"pkg:github/gperftools/gperftools@{{VERSION}}", - "pkg:github/grpc/grpc@{{VERSION}}", - "pkg:github/unicode-org/icu@{{VERSION}}", - "pkg:generic/intel/IntelRDFPMathLib@{{VERSION}}", - "pkg:github/jbeder/yaml-cpp@{{VERSION}}", - "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", - "pkg:github/mongodb/libmongocrypt@{{VERSION}}", - "pkg:github/libtom/libtomcrypt@{{VERSION}}", - "pkg:github/libunwind/libunwind@{{VERSION}}", - "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", - "pkg:github/mongodb/mongo-c-driver@{{VERSION}}", - "pkg:deb/debian/firefox-esr@{{VERSION}}-1?arch=source", - "pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc", - "pkg:pypi/ocspbuilder@0.10.2", - "pkg:pypi/ocspresponder@0.5.0", - "pkg:github/pcre2project/pcre2@{{VERSION}}", - "pkg:github/protocolbuffers/protobuf@{{VERSION}}", - "pkg:github/roaringbitmap/croaring@{{VERSION}}", - "pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408", - "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", - "pkg:github/snowballstem/snowball@{{VERSION}}", - "pkg:github/google/tcmalloc@{{VERSION}}", - "pkg:generic/unicode-org/unicode@8.0.0", - "pkg:generic/valgrind/valgrind@{{VERSION}}", - "pkg:github/madler/zlib@{{VERSION}}", - "pkg:github/facebook/zstd@{{VERSION}}", - "pkg:github/open-telemetry/opentelemetry-cpp@{{VERSION}}", - "pkg:github/open-telemetry/opentelemetry-proto@{{VERSION}}", - "pkg:github/nlohmann/json@{{VERSION}}", - "pkg:github/wiredtiger/wiredtiger@{{VERSION}}", - "pkg:github/davea42/libdwarf-code@{{VERSION}}", - "pkg:github/jeremy-rifkin/cpptrace@{{VERSION}}" - ] + "ref": "pkg:deb/debian/firefox-esr@{{VERSION}}-1?arch=source", + "dependsOn": [] }, { - "ref": "pkg:deb/debian/firefox-esr@{{VERSION}}-1?arch=source", + "ref": 
"pkg:generic/gnome/libxml2@{{VERSION}}", "dependsOn": [] }, { @@ -2524,10 +3254,31 @@ "ref": "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", "dependsOn": [] }, + { + "ref": "pkg:github/apache/arrow@{{VERSION}}", + "dependsOn": [ + "pkg:github/apache/thrift@{{VERSION}}", + "pkg:github/google/flatbuffers@{{VERSION}}", + "pkg:github/tencent/rapidjson@{{VERSION}}", + "pkg:github/xtensor-stack/xsimd@{{VERSION}}" + ] + }, + { + "ref": "pkg:github/apache/avro@{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/arximboldi/immer@{{VERSION}}", "dependsOn": [] }, + { + "ref": "pkg:github/aws/aws-sdk-cpp@{{VERSION}}", + "dependsOn": [] + }, + { + "ref": "pkg:github/azure/azure-sdk-for-cpp@azure-storage-blobs_{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/boostorg/boost@boost-{{VERSION}}", "dependsOn": [] @@ -2540,6 +3291,10 @@ "ref": "pkg:github/chriskohlhoff/asio@{{VERSION}}", "dependsOn": [] }, + { + "ref": "pkg:github/confluentinc/librdkafka@{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-{{VERSION}}", "dependsOn": [] @@ -2572,6 +3327,14 @@ "ref": "pkg:github/google/benchmark@{{VERSION}}", "dependsOn": [] }, + { + "ref": "pkg:github/google/flatbuffers@{{VERSION}}", + "dependsOn": [] + }, + { + "ref": "pkg:github/google/fuzztest@{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/google/googletest@{{VERSION}}", "dependsOn": [] @@ -2608,10 +3371,22 @@ "ref": "pkg:github/jeremy-rifkin/cpptrace@{{VERSION}}", "dependsOn": [] }, + { + "ref": "pkg:github/json-c/json-c@{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", "dependsOn": [] }, + { + "ref": "pkg:github/jupp0r/prometheus-cpp@{{VERSION}}", + "dependsOn": [] + }, + { + "ref": "pkg:github/libarchive/bzip2@bzip2-{{VERSION}}", + "dependsOn": [] + }, { "ref": "pkg:github/libtom/libtomcrypt@{{VERSION}}", "dependsOn": [] 
@@ -2630,7 +3405,78 @@ }, { "ref": "pkg:github/mongodb/mongo-c-driver@{{VERSION}}", - "dependsOn": [] + "dependsOn": [ + "pkg:github/madler/zlib@{{VERSION}}", + "pkg:github/juliastrings/utf8proc@{{VERSION}}", + "pkg:github/troydhanson/uthash@{{VERSION}}" + ] + }, + { + "ref": "pkg:github/mongodb/mongo-cxx-driver@{{VERSION}}", + "dependsOn": [ + "pkg:github/mongodb/mongo-c-driver@{{VERSION}}" + ] + }, + { + "ref": "pkg:github/mongodb/mongo@{{VERSION}}", + "dependsOn": [ + "pkg:deb/debian/firefox-esr@{{VERSION}}-1?arch=source", + "pkg:generic/gnome/libxml2@{{VERSION}}", + "pkg:generic/intel/IntelRDFPMathLib@{{VERSION}}", + "pkg:generic/unicode-org/unicode@8.0.0", + "pkg:generic/valgrind/valgrind@{{VERSION}}", + "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", + "pkg:github/abseil/abseil-cpp@{{VERSION}}", + "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", + "pkg:github/apache/arrow@{{VERSION}}", + "pkg:github/apache/avro@{{VERSION}}", + "pkg:github/arximboldi/immer@{{VERSION}}", + "pkg:github/aws/aws-sdk-cpp@{{VERSION}}", + "pkg:github/azure/azure-sdk-for-cpp@azure-storage-blobs_{{VERSION}}", + "pkg:github/boostorg/boost@boost-{{VERSION}}", + "pkg:github/c-ares/c-ares@{{VERSION}}", + "pkg:github/chriskohlhoff/asio@{{VERSION}}", + "pkg:github/confluentinc/librdkafka@{{VERSION}}", + "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-{{VERSION}}", + "pkg:github/davea42/libdwarf-code@{{VERSION}}", + "pkg:github/dcleblanc/safeint@{{VERSION}}", + "pkg:github/derickr/timelib@{{VERSION}}", + "pkg:github/facebook/folly@{{VERSION}}", + "pkg:github/facebook/zstd@{{VERSION}}", + "pkg:github/fmtlib/fmt@{{VERSION}}", + "pkg:github/google/benchmark@{{VERSION}}", + "pkg:github/google/fuzztest@{{VERSION}}", + "pkg:github/google/googletest@{{VERSION}}", + "pkg:github/google/re2@{{VERSION}}", + "pkg:github/google/s2geometry@{{VERSION}}", + "pkg:github/google/snappy@{{VERSION}}", + "pkg:github/google/tcmalloc@{{VERSION}}", + 
"pkg:github/gperftools/gperftools@{{VERSION}}", + "pkg:github/grpc/grpc@{{VERSION}}", + "pkg:github/jbeder/yaml-cpp@{{VERSION}}", + "pkg:github/jeremy-rifkin/cpptrace@{{VERSION}}", + "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", + "pkg:github/libtom/libtomcrypt@{{VERSION}}", + "pkg:github/libunwind/libunwind@{{VERSION}}", + "pkg:github/madler/zlib@{{VERSION}}", + "pkg:github/mongodb/libmongocrypt@{{VERSION}}", + "pkg:github/mongodb/mongo-cxx-driver@{{VERSION}}", + "pkg:github/nlohmann/json@{{VERSION}}", + "pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc", + "pkg:github/open-telemetry/opentelemetry-cpp@{{VERSION}}", + "pkg:github/open-telemetry/opentelemetry-proto@{{VERSION}}", + "pkg:github/pcre2project/pcre2@{{VERSION}}", + "pkg:github/protocolbuffers/protobuf@{{VERSION}}", + "pkg:github/rnpgp/rnp@{{VERSION}}", + "pkg:github/roaringbitmap/croaring@{{VERSION}}", + "pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408", + "pkg:github/snowballstem/snowball@{{VERSION}}", + "pkg:github/unicode-org/icu@{{VERSION}}", + "pkg:github/veorq/siphash@{{VERSION}}", + "pkg:github/wiredtiger/wiredtiger@{{VERSION}}", + "pkg:pypi/ocspbuilder@0.10.2", + "pkg:pypi/ocspresponder@0.5.0" + ] }, { "ref": "pkg:github/nlohmann/json@{{VERSION}}", @@ -2656,6 +3502,13 @@ "ref": "pkg:github/protocolbuffers/protobuf@{{VERSION}}", "dependsOn": [] }, + { + "ref": "pkg:github/rnpgp/rnp@{{VERSION}}", + "dependsOn": [ + "pkg:github/json-c/json-c@{{VERSION}}", + "pkg:github/libarchive/bzip2@bzip2-{{VERSION}}" + ] + }, { "ref": "pkg:github/roaringbitmap/croaring@{{VERSION}}", "dependsOn": [] 
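Review bot: `mongo-c-driver` now declares `dependsOn` `pkg:github/juliastrings/utf8proc@{{VERSION}}` and `pkg:github/troydhanson/uthash@{{VERSION}}`, but no `dependencies` entry for either ref appears where this alphabetically ordered list would place it (between `json-schema-org/...` and the added `jupp0r/prometheus-cpp` at `@@ -2608`, and between the added `tencent/rapidjson` and `unicode-org/icu` at `@@ -2668`); the same holds for `pkg:github/apache/thrift@{{VERSION}}` referenced by the new arrow entry at `@@ -2524`. CycloneDX requires every `dependsOn` ref to resolve to a `bom-ref` in the document, so unless these components and entries are defined elsewhere out of order, the generated SBOM will carry dangling refs and fail reference validation. Adding the matching component plus a `{ "ref": "...", "dependsOn": [] }` entry for each would close that.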
@@ -2668,14 +3521,26 @@
 "ref": "pkg:github/snowballstem/snowball@{{VERSION}}",
 "dependsOn": []
 },
+ {
+ "ref": "pkg:github/tencent/rapidjson@{{VERSION}}",
+ "dependsOn": []
+ },
 {
 "ref": "pkg:github/unicode-org/icu@{{VERSION}}",
 "dependsOn": []
 },
+ {
+ "ref": "pkg:github/veorq/siphash@{{VERSION}}",
+ "dependsOn": []
+ },
 {
 "ref": "pkg:github/wiredtiger/wiredtiger@{{VERSION}}",
 "dependsOn": []
 },
+ {
+ "ref": "pkg:github/xtensor-stack/xsimd@{{VERSION}}",
+ "dependsOn": []
+ },
 {
 "ref": "pkg:pypi/ocspbuilder@0.10.2",
 "dependsOn": []
diff --git a/buildscripts/sbom/sbom_files_pr.py b/buildscripts/sbom/sbom_files_pr.py
index ad645010e50..acc37076496 100644
--- a/buildscripts/sbom/sbom_files_pr.py
+++ b/buildscripts/sbom/sbom_files_pr.py
@@ -6,11 +6,19 @@ Script that opens a PR using a bot to update SBOM-related files.
 import argparse
 import os
 import re
+import sys
 import time
-from github import Commit, GithubException, GithubIntegration, GitRef, PullRequest, Repository
+from github import (
+ GithubException,
+ GithubIntegration,
+ GitRef,
+ InputGitTreeElement,
+ PullRequest,
+ Repository,
+)
-SBOM_FILES = ["sbom.json", "README.third_party.md"]
+SBOM_FILES = ["sbom.json", "sbom.private.json", "README.third_party.md"]
 def get_repository(github_owner, github_repo, app_id, _private_key) -> Repository.Repository:
@@ -39,16 +47,16 @@ def get_pull_request(branch_gitref: GitRef.GitRef) -> PullRequest.PullRequest |
 return None
-def create_branch(base_branch, new_branch) -> None:
+def create_branch(repository, base_branch, new_branch) -> None:
 """
 Create a new branch or get existing branch.
 """
 try:
 print(f"Attempting to create branch '{new_branch}' with base branch '{base_branch}'.")
 ref = f"refs/heads/{new_branch}"
- base_repo_branch = repo.get_branch(base_branch)
+ base_repo_branch = repository.get_branch(base_branch)
 sha = base_repo_branch.commit.sha
- repo.create_git_ref(ref=ref, sha=sha)
+ repository.create_git_ref(ref=ref, sha=sha)
 print(f"Created branch '{new_branch}', ref: {ref}, sha: {sha}")
 except GithubException as e:
 if e.status == 422:
@@ -57,25 +65,36 @@ def create_branch(base_branch, new_branch) -> None:
 raise
-def read_text_file(file_path: str) -> str:
+def read_text_file(path: str) -> str:
 """Read a text file and return as string"""
 try:
- with open(file_path, "r", encoding="utf-8") as file:
+ with open(path, "r", encoding="utf-8") as file:
 content = file.read()
 return content
 except FileNotFoundError:
- print(f"ERROR: The file '{file_path}' was not found.")
- return f"ERROR: The file '{file_path}' was not found."
- except Exception as e:
+ print(f"ERROR: The file '{path}' was not found.")
+ return f"ERROR: The file '{path}' was not found."
+ except (OSError, UnicodeDecodeError) as e:
 print(f"An error occurred: {e}")
+ return f"ERROR: An error occurred while reading '{path}': {e}"
 if __name__ == "__main__":
 parser = argparse.ArgumentParser(
- description="This script checks for changes to SBOM and related files and creats a PR if files have been updated.",
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter,
+ description=(
+ "This script checks for changes to SBOM and related files and creates a PR if "
+ "files have been updated."
+ ),
 )
 parser.add_argument("--github-owner", help="GitHub org/owner (e.g., 10gen).", type=str)
 parser.add_argument("--github-repo", help="GitHub repository name (e.g., mongo).", type=str)
+ parser.add_argument(
+ "--branch-filter",
+ help="Create a PR only if base branch matches regex.",
+ type=str,
+ default=".*",
+ )
 parser.add_argument("--base-branch", help="base branch to merge into.", type=str)
 parser.add_argument("--new-branch", help="New branch for the PR.", type=str)
 parser.add_argument("--pr-title", help="Title for the PR.", type=str)
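Review bot: `read_text_file` now returns an `ERROR: …` string on every failure path, so a missing or unreadable file is indistinguishable from a file whose content happens to be that text, and a caller that uses the return value as PR body (the call site is outside this hunk) would publish the error message in the PR. Letting the exception propagate, or returning `None` and having the caller decide, keeps the failure visible; if the string return is kept, the docstring should say so: `"""Read a text file and return it as a string; on failure print and return an 'ERROR: ...' string."""`. The narrowed `except (OSError, UnicodeDecodeError)` is an improvement; note that `FileNotFoundError` is already a subclass of `OSError`, so the first clause exists only to give a different message.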
@@ -98,9 +117,17 @@ if __name__ == "__main__":
 if not args.app_id or not args.private_key:
 parser.error(
- "Must define --app-id or env MONGO_PR_BOT_APP_ID and --private-key or env MONGO_PR_BOT_PRIVATE_KEY."
+ "Must define --app-id or env MONGO_PR_BOT_APP_ID and --private-key or env "
+ "MONGO_PR_BOT_PRIVATE_KEY."
 )
+ # Check if base branch matches the branch filter regex
+ if not re.fullmatch(args.branch_filter, args.base_branch):
+ print(
+ f"Base branch '{args.base_branch}' does not match branch filter '{args.branch_filter}'. Terminating as successful."
+ )
+ sys.exit(0)
+
 # Replace spaces with newline, if applicable
 private_key = (
 args.private_key[:31] + args.private_key[31:-29].replace(" ", "\n") + args.private_key[-29:]
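Review bot: `re.fullmatch(args.branch_filter, args.base_branch)` raises `TypeError` when `--base-branch` is omitted (the argument is declared without `required=True` or a default at `@@ -57`), and a malformed `--branch-filter` raises `re.error` with a traceback; `required=True` on `--base-branch` and `--new-branch`, plus wrapping the match in `try: ... except re.error as err: parser.error(f"invalid --branch-filter: {err}")`, would turn both into usage errors. The bigger hazard is an empty filter: if the task passes `--branch-filter=` (an unset expansion, say), the pattern matches no branch and the script prints "Terminating as successful" and exits 0, so a misconfiguration silently stops SBOM PRs with a green task. `if not args.branch_filter: parser.error("--branch-filter must not be empty")` before the match would surface that.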
@@ -109,17 +136,29 @@ if __name__ == "__main__":
 repo = get_repository(args.github_owner, args.github_repo, args.app_id, private_key)
 print("repo: ", repo)
- HAS_UPDATE = False
+ # Collect all changed files first so we can commit them in a single commit
+ changed_files: list[tuple[str, str]] = []
 for file_path in SBOM_FILES:
- original_file = repo.get_contents(file_path, ref=f"refs/heads/{args.base_branch}")
- print("original_file: ", original_file)
- original_content = original_file.decoded_content.decode()
+ print(f"Checking file '{file_path}' on '{args.base_branch}' for changes...")
+ # Try to get the existing file from the base branch; 404 means "new file"
+ try:
+ original_file = repo.get_contents(file_path, ref=f"refs/heads/{args.base_branch}")
+ print("original_file: ", original_file)
+ original_content = original_file.decoded_content.decode()
+ except GithubException as e:
+ if e.status in [403, 404]:
+ print(f"'{file_path}' does not exist on {args.base_branch}; treating as new file")
+ original_content = ""
+ else:
+ raise
+
 try:
 with open(file_path, "r", encoding="utf-8") as file:
 new_content = file.read()
 except FileNotFoundError:
 print("Error: file '%s' not found.", file_path)
+ continue
 # Compare content with removed Endor Labs version to avoid triggering a new SBOM on only that change
 PATTERN = r'{"name":"EndorLabsInc","version":".*"}'
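Review bot: Treating HTTP 403 like 404 (`if e.status in [403, 404]:`) conflates a permission or rate-limit failure with "file does not exist": if the app token cannot read the base branch, every file in `SBOM_FILES` is compared against `""`, reported as changed, and then committed from the local tree, overwriting whatever is on the bot branch. Only 404 should mean "new file" — `if e.status == 404:` — and 403 should fall through to `raise`, as the comment on the line above already says. The `continue` on a missing local file is right, but the `print("Error: file '%s' not found.", file_path)` it follows passes the path as a second positional argument to `print` instead of formatting it; `print(f"Error: file '{file_path}' not found.")` fixes that.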
@@ -128,37 +167,47 @@ if __name__ == "__main__":
 new_content_compare = re.sub(PATTERN, REPL, "".join(new_content.split()))
 if original_content_compare != new_content_compare:
- create_branch(args.base_branch, args.new_branch)
- original_file_new_branch = repo.get_contents(
- file_path, ref=f"refs/heads/{args.new_branch}"
+ print(f"Detected change in '{file_path}'")
+ changed_files.append((file_path, new_content))
+
+ if changed_files:
+ # Ensure the branch exists (create if needed)
+ create_branch(repo, args.base_branch, args.new_branch)
+
+ # Small delay to reduce chance of 409s immediately after branch creation
+ time.sleep(5)
+
+ # Base commit/tree on the current head of the PR branch
+ branch_ref = repo.get_branch(args.new_branch)
+ base_commit_sha = branch_ref.commit.sha
+ base_commit = repo.get_git_commit(base_commit_sha)
+ base_tree = repo.get_git_tree(base_commit_sha)
+
+ # Build tree elements for all changed files in one go
+ elements = [
+ InputGitTreeElement(
+ path=path,
+ mode="100644",
+ type="blob",
+ content=content,
 )
- print("original_file_new_branch: ", original_file_new_branch)
+ for path, content in changed_files
+ ]
- print("New file is different from original file.")
- print("repo.update_file:")
- print(f" message: Updating '{file_path}'")
- print(" path: ", file_path)
- print(" sha: ", original_file_new_branch.sha)
- print(" content:")
- print(new_content[:128])
- print("...[truncated]...")
- print(new_content[-128:])
- print(" branch: ", args.new_branch)
- time.sleep(10) # Wait to reduce chance of 409 errors
- update_file_result = repo.update_file(
- message=f"Updating '{file_path}'",
- path=file_path,
- sha=original_file_new_branch.sha,
- content=new_content,
- branch=args.new_branch,
- )
- print("update_file_result: ", update_file_result)
- commit: Commit = update_file_result.get("commit")
- print("commit: ", commit)
+ new_tree = repo.create_git_tree(elements, base_tree)
- HAS_UPDATE = True
+ commit_message = "Update SBOM-related files: " + ", ".join(
+ path for path, _ in changed_files
+ )
+ print("Creating single commit with message:", commit_message)
- if HAS_UPDATE:
+ new_commit = repo.create_git_commit(commit_message, new_tree, [base_commit])
+
+ # Move branch ref to new commit (single commit containing all file updates)
+ ref = repo.get_git_ref(f"heads/{args.new_branch}")
+ ref.edit(new_commit.sha)
+
+ if changed_files:
 # Get open PR or create new PR
 pull_requests = repo.get_pulls(
 state="open", head=f"{args.github_owner}:{args.new_branch}", base=args.base_branch
@@ -173,7 +222,6 @@ if __name__ == "__main__":
 print(f" head={args.new_branch}")
 print(f" base={args.base_branch}")
 print(f" body={pr_body}")
-
 pull_request = repo.create_pull(
 title=args.pr_title,
 head=args.new_branch,
diff --git a/buildscripts/sbom/sbom_utils.py b/buildscripts/sbom/sbom_utils.py
new file mode 100644
index 00000000000..379104dcd17
--- /dev/null
+++ b/buildscripts/sbom/sbom_utils.py
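Review bot: `base_tree = repo.get_git_tree(base_commit_sha)` hands a commit SHA to the trees endpoint; GitHub resolves that in practice, but `base_commit.tree` (the `GitTree` already attached to the commit fetched on the line above) is the unambiguous value and saves an API call: `new_tree = repo.create_git_tree(elements, base_commit.tree)`. The "changed" decision is made against `base_branch` while the commit is built on `new_branch`'s current head, so on a rerun where the bot branch already carries the same content an identical commit is still pushed; `if new_tree.sha == base_commit.tree.sha:` before `create_git_commit` would skip the no-op. The unconditional `time.sleep(5)` also runs when `create_branch` found the branch already present and could be confined to the creation path. The second `if changed_files:` is redundant when it sits at the same level as the first (indentation is not recoverable here) and could fold into it.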
@@ -0,0 +1,261 @@
+#!/usr/bin/env python3
+"""
+Utility functions for processing CycloneDX SBOMs
+
+"""
+
+import json
+import logging
+import os
+import re
+import urllib.parse
+
+logger = logging.getLogger("generate_sbom")
+logger.setLevel(logging.NOTSET)
+
+# ################ PURL Validation ################
+REGEX_STR_PURL_OPTIONAL = ( # Optional Version (any chars except ? @ #)
+ r"(?:@[^?@#]*)?"
+ # Optional Qualifiers (any chars except @ #)
+ r"(?:\?[^@#]*)?"
+ # Optional Subpath (any chars)
+ r"(?:#.*)?$"
+)
+
+REGEX_PURL = {
+ # deb PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/deb-definition.md
+ "deb": re.compile(
+ r"^pkg:deb/" # Scheme and type
+ # Namespace (organization/user), letters must be lowercase
+ r"(debian|ubuntu)+"
+ r"/"
+ r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name
+ ),
+ # Generic PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/generic-definition.md
+ "generic": re.compile(
+ r"^pkg:generic/" # Scheme and type
+ r"([a-zA-Z0-9._-]+/)?" # Optional namespace segment
+ r"[a-zA-Z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name (required)
+ ),
+ # GitHub PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/github-definition.md
+ "github": re.compile(
+ r"^pkg:github/" # Scheme and type
+ # Namespace (organization/user), letters must be lowercase
+ r"[a-z0-9-]+"
+ r"/"
+ r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL # Name (repository)
+ ),
+ # PyPI PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md
+ "pypi": re.compile(
+ r"^pkg:pypi/" # Scheme and type
+ r"[a-z0-9_-]+" # Name, letters must be lowercase, dashes, underscore
+ + REGEX_STR_PURL_OPTIONAL
+ ),
+}
+
+# Metadata SBOM requirements
+METADATA_FIELDS_REQUIRED = [
+ "type",
+ "bom-ref",
+ "group",
+ "name",
+ "version",
+ "description",
+ "licenses",
+ "copyright",
+ "externalReferences",
+ "scope",
+]
+METADATA_FIELDS_ONE_OF = [
+ ["author", "supplier"],
+ ["purl", "cpe"],
+]
+
+
+def add_component_property(component: dict, name: str, value: str) -> None:
+ """Add a key/value to to 'properties' in SBOM component"""
+ if "properties" not in component:
+ component["properties"] = []
+ component["properties"].append({"name": name, "value": value})
+
+
+def check_metadata_sbom(meta_bom: dict) -> None:
+ """Run checks on SBOM component metadata for expected fields."""
+ for component in meta_bom["components"]:
+ for field in METADATA_FIELDS_REQUIRED:
+ if field not in component:
+ logger.warning(
+ "METADATA: %s is missing required field '%s'.",
+ (component.get("bom-ref") or component.get("name")),
+ field,
+ )
+ for fields in METADATA_FIELDS_ONE_OF:
+ found = False
+ for field in fields:
+ found = found or field in component
+ if not found:
+ logger.warning(
+ "METADATA: %s is missing one of fields '%s'.",
+ (component.get("bom-ref") or component.get("name")),
+ fields,
+ )
+
+
+def convert_sbom_to_public(sbom_dict: dict):
+ """Remove internal-only properties and components from SBOM"""
+
+ original_components_len = len(sbom_dict["components"])
+ # Identify internal components based on evidence occurrence in internal folders
+ internal_components = [
+ c["bom-ref"]
+ for c in sbom_dict["components"]
+ if any(
+ occurence.get("location", "").startswith("src/third_party/private")
+ for occurence in c.get("evidence", {}).get("occurrences", [])
+ )
+ ]
+
+ # Remove internal components and any dependencies on them from the SBOM
+ sbom_dict["components"] = [
+ c for c in sbom_dict["components"] if c["bom-ref"] not in internal_components
+ ]
+ sbom_dict["dependencies"] = [
+ d for d in sbom_dict["dependencies"] if d["ref"] not in internal_components
+ ]
+ for dependency in sbom_dict["dependencies"]:
+ dependency["dependsOn"] = [
+ d for d in dependency["dependsOn"] if d not in internal_components
+ ]
+ logger.info(
+ "PUBLIC SBOM: Removed %d internal components",
+ original_components_len - len(sbom_dict["components"]),
+ )
+ # Remove internal proerties from public components
+ original_properties_len = sum(len(c.get("properties", [])) for c in sbom_dict["components"])
+ for component in sbom_dict["components"]:
+ component["properties"] = [
+ p
+ for p in component.get("properties", [])
+ if not p.get("name", "").startswith("internal:")
+ ]
+ logger.info(
+ "PUBLIC SBOM: Removed %d internal properties from public components",
+ original_properties_len
+ - sum(len(c.get("properties", [])) for c in sbom_dict["components"]),
+ )
+
+
+def is_valid_purl(purl: str) -> bool:
+ """Validate a GitHub or Generic PURL"""
+ for purl_type, regex in REGEX_PURL.items():
+ if regex.match(purl):
+ logger.debug(
+ "PURL: %s matched PURL type '%s' regex '%s'", purl, purl_type, regex.pattern
+ )
+ return True
+ return False
+
+
+def read_sbom_json_file(file_path: str) -> dict:
+ """Load a JSON SBOM file (schema is not validated)"""
+ try:
+ with open(file_path, "r", encoding="utf-8") as input_json:
+ sbom_json = input_json.read()
+ result = json.loads(sbom_json)
+ logger.info("SBOM loaded from %s with %d components", file_path, len(result["components"]))
+ return result
+ except OSError as e:
+ logger.error("Error loading SBOM file from %s", file_path)
+ logger.error(e)
+ except json.JSONDecodeError as e:
+ logger.error("Error decoding JSON SBOM file from %s", file_path)
+ logger.error(e)
+
+
+def remove_sbom_component(sbom_dict: dict, component_key: str) -> None:
+ """Remove a component from the SBOM by its bom-ref key"""
+ sbom_dict["components"] = [
+ c for c in sbom_dict["components"] if not c["bom-ref"].startswith(component_key)
+ ]
+ sbom_dict["dependencies"] = [
+ d for d in sbom_dict["dependencies"] if not d["ref"].startswith(component_key)
+ ]
+ for dependency in sbom_dict["dependencies"]:
+ dependency["dependsOn"] = [
+ d for d in dependency["dependsOn"] if not d.startswith(component_key)
+ ]
+ logger.debug("Removed component '%s' from SBOM", component_key)
+
+
+def set_component_version(
+ component: dict, version: str, purl_version: str = None, cpe_version: str = None
+) -> None:
+ """Update the appropriate version fields in a component from the metadata SBOM"""
+ if not purl_version:
+ purl_version = version
+
+ if not cpe_version:
+ cpe_version = version
+
+ component["bom-ref"] = component["bom-ref"].replace("{{VERSION}}", purl_version)
+ component["version"] = component["version"].replace("{{VERSION}}", version)
+ if component.get("purl"):
+ component["purl"] = component["purl"].replace(
+ "{{VERSION}}", urllib.parse.quote(purl_version)
+ )
+ if not is_valid_purl(component["purl"]):
+ logger.warning("PURL: Invalid PURL (%s)", component["purl"])
+ if component.get("cpe"):
+ component["cpe"] = component["cpe"].replace("{{VERSION}}", cpe_version)
+
+
+def set_dependency_version(dependencies: list, meta_bom_ref: str, purl_version: str) -> None:
+ """Update the appropriate dependency version fields from the metadata SBOM"""
+ r = 0
+ d = 0
+ for dependency in dependencies:
+ if "{{VERSION}}" in dependency["ref"] and dependency["ref"] == meta_bom_ref:
+ dependency["ref"] = dependency["ref"].replace("{{VERSION}}", purl_version)
+ r += 1
+ for i in range(len(dependency["dependsOn"])):
+ if dependency["dependsOn"][i] == meta_bom_ref:
+ dependency["dependsOn"][i] = dependency["dependsOn"][i].replace(
+ "{{VERSION}}", purl_version
+ )
+ d += 1
+
+ logger.debug(
+ "set_dependency_version: '%s' updated %d refs and %d dependsOn", meta_bom_ref, r, d
+ )
+
+
+def sbom_components_to_dict(sbom: dict, with_version: bool = False) -> dict:
+ """Create a dict of SBOM components with a version-less PURL as the key"""
+ components = sbom["components"]
+ if with_version:
+ components_dict = {
+ urllib.parse.unquote(component["bom-ref"]): component for component in components
+ }
+ else:
+ components_dict = {
+ urllib.parse.unquote(component["bom-ref"]).split("@")[0]: component
+ for component in components
+ }
+ return components_dict
+
+
+def write_sbom_json_file(sbom_dict: dict, file_path: str) -> None:
+ """Save a JSON SBOM file (schema is not validated)"""
+ try:
+ file_path = os.path.abspath(file_path)
+ with open(file_path, "w", encoding="utf-8") as output_json:
+ formatted_sbom = json.dumps(sbom_dict, indent=2) + "\n"
+ output_json.write(formatted_sbom)
+ except OSError as e:
+ logger.error("Error writing SBOM file to %s", file_path)
+ logger.error(e)
+ except TypeError as e:
+ logger.error("Error serializing SBOM to JSON for file %s", file_path)
+ logger.error(e)
+ else:
+ logger.info("SBOM file saved to %s", file_path)
diff --git a/buildscripts/sbom_linter.py b/buildscripts/sbom_linter.py
index 891283b62f3..a27a9347a8e 100644
--- a/buildscripts/sbom_linter.py
+++ b/buildscripts/sbom_linter.py
@@ -290,11 +292,13 @@ def main() -> int:
 help="Whether to apply formatting to the output file.",
 )
 parser.add_argument(
- "--input-file", default="sbom.json", help="The input CycloneDX file to format and lint."
+ "--input-file",
+ default="sbom.private.json",
+ help="The input CycloneDX file to format and lint.",
 )
 parser.add_argument(
 "--output-file",
- default="sbom.json",
+ default="sbom.private.json",
 help="The file to output to when formatting is specified.",
 )
 args = parser.parse_args()
diff --git a/buildscripts/tests/test_generate_sbom.py b/buildscripts/tests/test_generate_sbom.py
index d6d17e4f687..0af868d5d64 100644
--- a/buildscripts/tests/test_generate_sbom.py
+++ b/buildscripts/tests/test_generate_sbom.py
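Review bot: The `deb` PURL pattern uses `r"(debian|ubuntu)+"`, so the quantifier accepts namespaces such as `debianubuntu` or `ubuntudebian`; the intended alternation is `r"(debian|ubuntu)"`, and a test for the rejected form would pin it. `read_sbom_json_file` is annotated `-> dict` but returns `None` on `OSError`/`JSONDecodeError` after logging, so callers fail later on `None["components"]` far from the cause; re-raising after the log (or `-> dict | None` with callers checking) keeps the failure at its origin, and `len(result["components"])` on the success path also raises `KeyError` for a BOM without a `components` array. In `convert_sbom_to_public`, `internal_components` is a list used for `not in` lookups inside three comprehensions, and `startswith("src/third_party/private")` also matches a sibling directory whose name merely begins with `private`; building it as a set and testing the prefix `"src/third_party/private/"` with the trailing slash fixes both. `remove_sbom_component` matches by `startswith(component_key)`, which also removes any component whose `bom-ref` is a longer string beginning with the key; if callers pass version-less refs, matching `component_key + "@"` (or exact equality) is safer. The `is_valid_purl` docstring ("Validate a GitHub or Generic PURL") no longer matches the table, which also covers `deb` and `pypi`, and the comments spell "occurence" and "proerties".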
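Review bot: With both defaults switched to `sbom.private.json`, an invocation without `--input-file` no longer touches `sbom.json`; if the CI lint step relies on the defaults (not visible here), the public SBOM goes unlinted and unformatted from now on. Saying in the help text that the public file must be passed explicitly — `help="The input CycloneDX file to format and lint (pass sbom.json to lint the public SBOM)."` — or linting both files in the task would make that explicit.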
@@ -9,16 +9,16 @@ import os
 import sys
 import unittest
-sys.path.append("buildscripts/sbom")
-
 from buildscripts.sbom.config import get_semver_from_release_version, regex_semver
 from buildscripts.sbom.endorctl_utils import EndorCtl
-from buildscripts.sbom.generate_sbom import is_valid_purl
+from buildscripts.sbom.sbom_utils import is_valid_purl
 logging.basicConfig(level=logging.INFO, stream=sys.stdout)
 class TestEndorctl(unittest.TestCase):
+ """Test cases for the EndorCtl class."""
+
 def test_endorctl_init(self):
 """Tests the Endorctl constructor."""
 e = EndorCtl(namespace="mongodb.10gen", retry_limit=1, sleep_duration=5)
@@ -38,6 +38,12 @@ class TestEndorctl(unittest.TestCase):
 class TestConfigRegex(unittest.TestCase):
+ """Test suite for configuration regex patterns and PURL validation.
+
+ This test class validates regex patterns used for semantic versioning,
+ version extraction from release strings, and Package URL (PURL) validation.
+ """
+
 def test_semver_regex(self):
 """Tests the regex_semver."""
@@ -180,10 +186,9 @@ class TestConfigRegex(unittest.TestCase):
 self.assertFalse(is_valid_purl(purl), f"Expected '{purl}' to be invalid")
-__unittest = True
-
-
 class TestMetadataFile(unittest.TestCase):
+ """Unit tests for SBOM metadata file validation and version tag consistency."""
+
 TEST_DIR = os.path.join("buildscripts", "sbom")
 VERSION_TAG = "{{VERSION}}"
@@ -194,6 +199,13 @@ class TestMetadataFile(unittest.TestCase):
 return json.loads(sbom_json)
 def test_metadata_sbom_version_tags(self):
+ """Test that SBOM metadata components have consistent version tags.
+
+ Verifies that each component in the metadata SBOM file contains required fields
+ (bom-ref and version) plus at least one of purl or cpe. Additionally ensures that
+ the VERSION_TAG is either present in all component properties or absent from all,
+ maintaining consistency across bom-ref, version, purl, and cpe fields.
+ """
 sbom_metadata_file = os.path.join(self.TEST_DIR, "metadata.cdx.json")
 print(sbom_metadata_file)
 meta_bom = self.read_sbom_json_file(sbom_metadata_file)
diff --git a/buildscripts/util/co_jira_map.yml b/buildscripts/util/co_jira_map.yml
index d378f50640f..8be0419c4b6 100644
--- a/buildscripts/util/co_jira_map.yml
+++ b/buildscripts/util/co_jira_map.yml
@@ -8,6 +8,8 @@
 - Services & Integrations
 10gen/performance:
 - Product Performance
+10gen/platsec-server:
+ - Product Security
 10gen/query:
 - Query Execution
 - Query Integration
@@ -32,6 +34,8 @@
 - Query Optimization
 10gen/server-catalog-and-routing:
 - Catalog And Routing
+10gen/server-catalog-and-routing-shard-catalog:
+ - Catalog And Routing
 10gen/server-cluster-scalability:
 - Cluster Scalability
 10gen/server-networking-and-observability:
@@ -60,5 +64,7 @@
 - Storage Execution
 10gen/server-workload-resilience:
 - Workload Execution
+10gen/storage-engines:
+ - Storage Engines
 10gen/streams-engine:
 - Atlas Streams
diff --git a/buildscripts/util/codeowners_utils.py b/buildscripts/util/codeowners_utils.py
index a2f62b7713c..542542a09df 100644
--- a/buildscripts/util/codeowners_utils.py
+++ b/buildscripts/util/codeowners_utils.py
@@ -19,7 +19,9 @@ def process_owners(cur_dir: str) -> tuple[dict[re.Pattern, list[str]], bool]: contents = yaml.safe_load(f) assert "version" in contents, f"Version not found in {owners_file_path}" - assert contents["version"] == "1.0.0", f"Invalid version in {owners_file_path}" + assert ( + contents["version"] == "1.0.0" or contents["version"] == "2.0.0" + ), f"Invalid version in {owners_file_path}" assert "filters" in contents no_parent_owners = False diff --git a/etc/evergreen_yml_components/tasks/misc_tasks.yml b/etc/evergreen_yml_components/tasks/misc_tasks.yml index b3d37346cff..fbde0b941df 100644 --- a/etc/evergreen_yml_components/tasks/misc_tasks.yml +++ b/etc/evergreen_yml_components/tasks/misc_tasks.yml @@ -2029,6 +2029,7 @@ tasks: - "buildscripts/sbom/generate_sbom.py" - "--project=https://github.com/10gen/mongo.git" - "--target=branch" + - "--branch-filter=${BRANCH_FILTER}" - "--branch=${branch_name}" - "--endorctl-path=${workdir}/endorctl" - "--config-path=${workdir}/.endorctl" @@ -2053,6 +2054,7 @@ tasks: - "buildscripts/sbom/sbom_files_pr.py" - "--github-owner=${github_org}" - "--github-repo=${github_repo}" + - "--branch-filter=${BRANCH_FILTER}" - "--base-branch=${branch_name}" - "--new-branch=SERVER-111072/sbom_update_${branch_name}" - "--pr-title=SERVER-111072 Auto-generated SBOM files [${branch_name}]" @@ -2103,6 +2105,7 @@ tasks: - "--run" env: REQUESTER: ${requester} + BRANCH_FILTER: ${BRANCH_FILTER} BRANCH_NAME: ${branch_name} GITHUB_ORG: ${github_org} GITHUB_REPO: ${github_repo} @@ -2110,7 +2113,7 @@ tasks: CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 CONTAINER_ENV_FILES: ${workdir}/silkbomb.env WORKING_DIR: ${workdir} - SBOM_REPO_PATH: sbom.json + SBOM_REPO_PATH: ${SBOM_REPO_PATH} LOCAL_REPO_PATH: src - name: check_for_noexcept diff --git a/etc/evergreen_yml_components/tasks/release_tasks.yml b/etc/evergreen_yml_components/tasks/release_tasks.yml index 9030822df51..1ae5124efb2 100644 
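Review bot: The widened assert in process_owners now accepts a "2.0.0" OWNERS file, but nothing else in the hunk changes how the contents are interpreted, so a 2.0.0 file is processed with the 1.0.0 rules; if the 2.0.0 schema differs in any way that matters here (not visible in this hunk), that should be handled or at least documented next to the check. Stylistically the two-way comparison reads better as a membership test: `assert contents["version"] in ("1.0.0", "2.0.0"), f"Invalid version in {owners_file_path}"`. Keep in mind that assert-based validation is stripped under `python -O`, which is pre-existing but worth knowing for a check that gates code-ownership data. process_owners starts and ends outside this hunk.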
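Review bot: `--branch-filter=${BRANCH_FILTER}` in the two task hunks and `BRANCH_FILTER: ${BRANCH_FILTER}` / `SBOM_REPO_PATH: ${SBOM_REPO_PATH}` in the env block expand to empty strings on any variant that does not define those expansions, and in this commit only the misc.yml variants set them. An empty filter then either fails the required option or, if the option is parsed as the empty pattern, matches no branch so the task exits successfully without doing anything, which hides a misconfiguration rather than surfacing it; an empty SBOM_REPO_PATH likewise points the upload at no file. If Evergreen's `${NAME|default}` expansion syntax is acceptable in this project, giving these a default (or asserting non-empty in the scripts) would make the failure loud.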
--- a/etc/evergreen_yml_components/tasks/release_tasks.yml +++ b/etc/evergreen_yml_components/tasks/release_tasks.yml @@ -108,10 +108,10 @@ tasks: CONTAINER_ENV_FILES: ${workdir}/silkbomb.env CONTAINER_VOLUMES: -v ${workdir}:/workdir CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 - SBOM_REPO_PATH: sbom.json + SBOM_REPO_PATH: sbom.private.json SBOM_OUT_PATH: ${workdir}/sbom-with-vex-${branch_name}.json SILKBOMB_COMMAND: augment - SILKBOMB_ARGS: --sbom-in /workdir/src/sbom.json --sbom-out /workdir/src/sbom-with-vex-${branch_name}.json --repo ${github_org}/${github_repo} --branch ${branch_name} + SILKBOMB_ARGS: --sbom-in /workdir/src/sbom.private.json --sbom-out /workdir/src/sbom-with-vex-${branch_name}.json --repo ${github_org}/${github_repo} --branch ${branch_name} - command: subprocess.exec display_name: Upload SBOM to Google Drive" params: diff --git a/etc/evergreen_yml_components/variants/misc/misc.yml b/etc/evergreen_yml_components/variants/misc/misc.yml index fae2f9ee8db..9f1ed75ef91 100644 --- a/etc/evergreen_yml_components/variants/misc/misc.yml +++ b/etc/evergreen_yml_components/variants/misc/misc.yml @@ -119,6 +119,22 @@ buildvariants: run_on: rhel92-small expansions: ENDOR_NAMESPACE: mongodb.10gen + BRANCH_FILTER: master|v[0-9]+\.[0-9]+-staging stepback: false tasks: - name: update_sbom + + - name: upload-sbom-if-changed + display_name: "Upload SBOM if changed" + allowed_requesters: ["commit"] + expansions: + BRANCH_FILTER: master|v[0-9]+\.[0-9]+-staging + SBOM_REPO_PATH: &sbom_file sbom.private.json + paths: + - *sbom_file + tags: ["assigned_to_jira_team_platsec_ssdlc"] + run_on: + - rhel8.8-small + stepback: false + tasks: + - name: upload_sbom_via_silkbomb_if_changed diff --git a/etc/evergreen_yml_components/variants/rhel/test_dev.yml b/etc/evergreen_yml_components/variants/rhel/test_dev.yml index 4d196725b43..1bba4db2e6c 100644 --- a/etc/evergreen_yml_components/variants/rhel/test_dev.yml 
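Review bot: The branch regex `master|v[0-9]+\.[0-9]+-staging` is now written out verbatim in both variants' expansions in the misc.yml hunk, and `sbom.private.json` is likewise spelled out twice in the release_tasks hunk (SBOM_REPO_PATH and inside SILKBOMB_ARGS), so the copies can drift independently; the `&sbom_file` anchor already used in the new upload-sbom-if-changed variant shows the pattern that would keep each pair in lockstep. As an unquoted plain scalar the regex relies on YAML leaving `|`, `[` and `\.` untouched, which holds today but is fragile under edits; quoting it, `BRANCH_FILTER: 'master|v[0-9]+\.[0-9]+-staging'`, makes that explicit (single quotes do not process backslashes).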
+++ b/etc/evergreen_yml_components/variants/rhel/test_dev.yml @@ -376,16 +376,3 @@ buildvariants: - name: sharding_pqs_index_filters distros: - rhel8.8-medium - - - name: upload-sbom-if-changed - display_name: "Upload SBOM if changed" - allowed_requesters: ["commit"] - activate: true - paths: - - "sbom.json" - tags: ["assigned_to_jira_team_platsec_ssdlc"] - run_on: - - rhel8.8-small - stepback: false - tasks: - - name: upload_sbom_via_silkbomb_if_changed diff --git a/evergreen/functions/upload_sbom_via_silkbomb.py b/evergreen/functions/upload_sbom_via_silkbomb.py index 868d9f5d98a..0b686359a58 100644 --- a/evergreen/functions/upload_sbom_via_silkbomb.py +++ b/evergreen/functions/upload_sbom_via_silkbomb.py @@ -1,4 +1,5 @@ import pathlib +import re import subprocess import sys @@ -50,7 +51,7 @@ def upload_sbom_via_silkbomb( container_options = ["--pull=always", "--platform=linux/amd64", "--rm"] container_env_files = ["--env-file", str(creds_file_path.resolve())] container_volumes = ["-v", f"{workdir}:/workdir"] - silkbomb_command = "augment" # it augment first and uses upload command + silkbomb_command = "upload" silkbomb_args = [ "--sbom-in", f"/workdir/{local_repo_path}/{sbom_repo_path}", @@ -105,7 +106,7 @@ def upload_sbom_via_silkbomb( try: print(f"Running command: {' '.join(command)}") subprocess.run(command, check=True, text=True, capture_output=True, timeout=timeout_seconds) - print("Updated sbom.json file upload via Silkbomb successful!") + print("Updated SBOM file upload via Silkbomb successful!") except FileNotFoundError as e: print(f"Error: '{container_command}' command not found.") raise e 
@@ -135,6 +136,14 @@ def run( str, typer.Option(..., envvar="LOCAL_REPO_PATH", help="Path to the local git repository."), ], + branch_filter: Annotated[ + str, + typer.Option( + ..., + envvar="BRANCH_FILTER", + help=r"Upload SBOM only if branch_name matches regex. (e.g., 'master|v[0-9]+\.[0-9]+-staging').", + ), + ], branch_name: Annotated[ str, typer.Option(..., envvar="BRANCH_NAME", help="The head branch (e.g., the PR branch name)."), @@ -147,7 +156,7 @@ def run( envvar="SBOM_REPO_PATH", help="Path to the SBOM file to check and upload.", ), - ] = "sbom.json", + ] = "sbom.private.json", requester: Annotated[ str, typer.Option( @@ -181,13 +190,11 @@ def run( bool, typer.Option("--check-sbom-file-change", help="Check for changes to the SBOM file.") ] = False, ): - if requester != "commit" and not dry_run: - print(f"Skipping: Run can only be triggered for 'commit', but requester was '{requester}'.") - sys.exit(0) - - major_branches = ["v7.0", "v8.0", "v8.1", "master"] # Only major branches that MongoDB supports - if False and branch_name not in major_branches: - print(f"Skipping: Branch '{branch_name}' is not a major branch. Exiting.") + # Check if branch name matches the branch filter regex + if not re.fullmatch(branch_filter, branch_name): + print( + f"Branch '{branch_name}' does not match branch filter '{branch_filter}'. Terminating as successful." + ) sys.exit(0) repo_path = pathlib.Path(f"{workdir}/{local_repo_path}") diff --git a/sbom.json b/sbom.json index a700b63d388..7155022a559 100644 --- a/sbom.json +++ b/sbom.json @@ -2,10 +2,10 @@ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", - "serialNumber": "urn:uuid:a973a3fe-5abe-4432-91fa-cc30c1034545", - "version": 13, + "serialNumber": "urn:uuid:71d980f0-95c5-4dfa-8987-307eb8880ce2", + "version": 2, "metadata": { - "timestamp": "2026-01-20T18:10:03Z", + "timestamp": "2026-02-24T23:55:48Z", "lifecycles": [ { "phase": "pre-build" 
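Review bot: Removing the `requester != "commit"` guard drops the script-side check that the SBOM upload only runs on commit builds; the only remaining gate is the variant-level `allowed_requesters: ["commit"]` in misc.yml, so any other variant or a manual invocation with `--run` would push whatever SBOM is on the branch, and the still-accepted `requester` option is now unused. I would keep the check next to the new filter, `if requester != "commit" and not dry_run: print(f"Skipping: Run can only be triggered for 'commit', but requester was '{requester}'."); sys.exit(0)`, so the script does not depend solely on build-system configuration. `re.fullmatch(branch_filter, branch_name)` anchors the pattern correctly; a malformed BRANCH_FILTER raises re.error uncaught, which is an acceptable loud failure but could be mentioned in the option help. run() starts before this hunk and continues past it.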
@@ -29,27 +29,27 @@ "purl": "pkg:github/mongodb/mongo@master", "externalReferences": [ { - "type": "license", "url": "https://raw.githubusercontent.com/mongodb/mongo/refs/heads/master/LICENSE-Community.txt", - "comment": "Server Side Public License 1.0" + "comment": "Server Side Public License 1.0", + "type": "license" }, { - "type": "website", "url": "https://www.mongodb.com/products/self-managed/community-edition", - "comment": "MongoDB Community Edition is self-managed and can be hosted locally or in the cloud." + "comment": "MongoDB Community Edition is self-managed and can be hosted locally or in the cloud.", + "type": "website" }, { - "type": "website", "url": "https://www.mongodb.com/products/self-managed/enterprise-advanced", - "comment": "MongoDB Enterprise Advanced has powerful tools for automation, operations, and security in self-managed environments." + "comment": "MongoDB Enterprise Advanced has powerful tools for automation, operations, and security in self-managed environments.", + "type": "website" }, { - "type": "release-notes", - "url": "https://www.mongodb.com/docs/manual/release-notes/" + "url": "https://www.mongodb.com/docs/manual/release-notes/", + "type": "release-notes" }, { - "type": "vcs", - "url": "https://github.com/mongodb/mongo" + "url": "https://github.com/mongodb/mongo", + "type": "vcs" } ] }, @@ -63,7 +63,7 @@ "services": [ { "name": "Endor Labs Inc", - "version": "v1.7.769" + "version": "v1.7.846" } ] } @@ -83,6 +83,7 @@ "name": "Mozilla Firefox ESR", "version": "140.7.0esr", "description": "The C++-only SpiderMonkey component of FireFox ESR used by MongoDB.", + "scope": "required", "licenses": [ { "license": { @@ -99,11 +100,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/mozjs" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -112,15 +116,7 @@ "name": "import_script_path", "value": "src/third_party/mozjs/get-sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/mozjs" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -141,6 +137,7 @@ "name": "Intel\u00ae Decimal Floating-Point Math Library", "version": "2.0.1", "description": "A a software implementation of the IEEE Standard 754-2019 Decimal Floating-Point Arithmetic specification.", + "scope": "required", "licenses": [ { "license": { @@ -152,22 +149,8 @@ "purl": "pkg:generic/intel/IntelRDFPMathLib@2.0.1", "externalReferences": [ { - "type": "distribution", - "url": "https://www.netlib.org/misc/intel/" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "internal:endor_labs_bom-ref", - "value": "pkg:generic/intel-dfp-math@2.0.1?package-id=378bc021cd4ac04e&vcs_url=https%3A%2F%2Fwww.netlib.org%2Fmisc%2Fintel%2FIntelRDFPMathLib20U1.tar.gz" + "url": "https://www.netlib.org/misc/intel/", + "type": "distribution" } ], "evidence": { @@ -177,7 +160,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "data", @@ -193,6 +181,7 @@ "name": "Unicode Character Database", "version": "8.0.0", "description": "Unicode Data Files", + "scope": "required", "licenses": [ { "license": { @@ -208,16 +197,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], "evidence": { "occurrences": [ { @@ -225,7 +204,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] }, { "type": "library", 
@@ -235,6 +219,7 @@ "name": "valgrind.h", "version": "093bef43d69236287ccc748591c9560a71181b0a", "description": "This header file is part of Valgrind, a dynamic binary instrumentation framework.", + "scope": "required", "licenses": [ { "license": { @@ -250,20 +235,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "internal:endor_labs_bom-ref", - "value": "pkg:generic/sourceware.org/git/valgrind@093bef43d69236287ccc748591c9560a71181b0a?package-id=28ec2eb9a0f1cc16" - } - ], "evidence": { "occurrences": [ { @@ -271,7 +242,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -281,6 +257,7 @@ "name": "MurmurHash3", "version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", "description": "MurmurHash is a non-cryptographic hash function suitable for general hash-based lookup.", + "scope": "required", "licenses": [ { "license": { @@ -296,16 +273,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -313,7 +280,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -329,6 +301,7 @@ "name": "Abseil Common Libraries (C++)", "version": "20250512.1", "description": "Abseil is an open-source collection of C++ code (compliant to C++17) designed to augment the C++ standard library.", + "scope": "required", "licenses": [ { "license": { 
@@ -344,11 +317,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/abseil-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -357,15 +333,7 @@ "name": "import_script_path", "value": "src/third_party/abseil-cpp/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/abseil-cpp" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -375,6 +343,7 @@ "name": "linenoise", "version": "6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", "description": "A small self-contained alternative to readline and libedit", + "scope": "required", "licenses": [ { "license": { @@ -390,16 +359,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -410,19 +369,25 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", - "bom-ref": "pkg:github/arximboldi/immer@0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3", + "bom-ref": "pkg:github/arximboldi/immer@v0.9.1", "supplier": { "name": "sinusoidal engineering" }, "author": "Juanpe Bol\u00edvar", "group": "arximboldi", "name": "immer", - "version": "0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3", + "version": "0.9.1", "description": "Postmodern immutable and persistent data structures for C++ \u2014 value semantics at scale", + "scope": "required", "licenses": [ { "license": { 
@@ -431,23 +396,13 @@ } ], "copyright": "Copyright (C) 2016, 2017, 2018 Juan Pedro Bolivar Puente", - "purl": "pkg:github/arximboldi/immer@0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3", + "purl": "pkg:github/arximboldi/immer@v0.9.1", "externalReferences": [ { "url": "https://github.com/arximboldi/immer.git", "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Execution" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -455,7 +410,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -471,6 +431,7 @@ "name": "Boost C++ Libraries", "version": "1.88.0", "description": "Super-project for modularized Boost. Boost is a repository of free, portable, peer-reviewed C++ libraries. It acts as a proving ground for new libraries, particularly those which work well with the ISO C++ Standard Library.", + "scope": "required", "licenses": [ { "license": { @@ -487,11 +448,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/boost" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -500,15 +464,7 @@ "name": "import_script_path", "value": "src/third_party/boost/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/boost" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -524,6 +480,7 @@ "name": "c-ares", "version": "1.27.0", "description": "A C library for asynchronous DNS requests", + "scope": "required", "licenses": [ { "license": { 
@@ -540,11 +497,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/cares" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -553,15 +513,7 @@ "name": "import_script_path", "value": "src/third_party/cares/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/cares" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -571,6 +523,7 @@ "name": "Asio C++ Library", "version": "1.34.2", "description": "Asio is a cross-platform C++ library for network and low-level I/O programming that provides developers with a consistent asynchronous model using a modern C++ approach.", + "scope": "required", "licenses": [ { "license": { @@ -586,11 +539,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/asio" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -599,15 +555,7 @@ "name": "import_script_path", "value": "src/third_party/asio/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/asio" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -624,6 +572,7 @@ "name": "Cyrus SASL", "version": "2.1.28", "description": "Simple Authentication and Security Layer (SASL) is a specification that describes how authentication mechanisms can be plugged into an application protocol on the wire. Cyrus SASL is an implementation of SASL that makes it easy for application developers to integrate authentication mechanisms into their application in a generic way.", + "scope": "optional", "licenses": [ { "license": { 
@@ -640,16 +589,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Build" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -657,7 +596,12 @@ } ] }, - "scope": "optional" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", @@ -667,6 +611,7 @@ "name": "libdwarf", "version": "2.1.0", "description": "A library for reading DWARF2 and later DWARF data.", + "scope": "excluded", "licenses": [ { "license": { @@ -685,28 +630,14 @@ } ], "copyright": "Copyright 2000,2004 Silicon Graphics, Inc.; Portions Copyright 2002-2010 Sun Microsystems, Inc.; Portions Copyright 2007-2025 David Anderson.; Portions Copyright 2008-2010 Arxan Technologies, Inc.; Portions Copyright 2010-2012 SN Systems Ltd.; Portions Copyright 2015,2020 Google, Inc.; All Rights Reserved.", - "purl": "pkg:github/davea42/libdwarf-code@libdwarf-2.1.0", "cpe": "cpe:2.3:a:libdwarf_project:libdwarf:2.1.0:*:*:*:*:*:*:*", + "purl": "pkg:github/davea42/libdwarf-code@libdwarf-2.1.0", "externalReferences": [ { "url": "https://github.com/davea42/libdwarf-code.git", "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/libdwarf/scripts/import.sh" - } - ], "evidence": { "occurrences": [ { @@ -714,7 +645,16 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/libdwarf/scripts/import.sh" + } + ] }, { "type": "library", @@ -724,6 +664,7 @@ "name": "SafeInt", "version": "3.0.28a", "description": "SafeInt is a class library for C++ that manages integer overflows.", + "scope": "required", "licenses": [ { "license": { 
@@ -739,11 +680,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/SafeInt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -752,15 +696,7 @@ "name": "import_script_path", "value": "src/third_party/SafeInt/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/SafeInt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -770,6 +706,7 @@ "name": "timelib", "version": "2022.13", "description": "Timelib is a timezone and date/time library that can calculate local time, convert between timezones and parse textual descriptions of date/time information.", + "scope": "required", "licenses": [ { "license": { @@ -785,11 +722,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/timelib" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" @@ -798,15 +738,7 @@ "name": "import_script_path", "value": "src/third_party/timelib/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/timelib" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -822,6 +754,7 @@ "name": "folly", "version": "2023.12.25.00", "description": "An open-source C++ library developed and used at Facebook.", + "scope": "required", "licenses": [ { "license": { 
@@ -834,22 +767,8 @@ "purl": "pkg:github/facebook/folly@v2023.12.25.00", "externalReferences": [ { - "type": "vcs", - "url": "https://github.com/facebook/folly.git" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/folly/scripts/import.sh" + "url": "https://github.com/facebook/folly.git", + "type": "vcs" } ], "evidence": { @@ -859,7 +778,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/folly/scripts/import.sh" + } + ] }, { "type": "library", @@ -875,6 +803,7 @@ "name": "Zstandard (zstd)", "version": "1.5.5", "description": "Zstandard - Fast real-time compression algorithm", + "scope": "required", "licenses": [ { "expression": "BSD-3-Clause OR GPL-2.0-only" @@ -889,11 +818,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/zstandard" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -902,15 +834,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/zstandard_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/zstandard" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -926,6 +850,7 @@ "name": "fmt", "version": "11.2.0", "description": "A modern formatting library", + "scope": "required", "licenses": [ { "license": { @@ -942,11 +867,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/fmt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -955,15 +883,7 @@ "name": "import_script_path", "value": "src/third_party/fmt/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/fmt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -979,6 +899,7 @@ "name": "benchmark", "version": "1.5.2", "description": "A microbenchmark support library", + "scope": "excluded", "licenses": [ { "license": { @@ -994,11 +915,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/benchmark" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1007,15 +931,66 @@ "name": "import_script_path", "value": "src/third_party/benchmark/scripts/import.sh" } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/google/fuzztest@2025-07-28", + "supplier": { + "name": "Google LLC", + "url": [ + "https://opensource.google/" + ] + }, + "author": "The Google Test and Google Mock Communities", + "group": "google.opensource", + "name": "fuzztest", + "version": "2025-07-28", + "description": "FuzzTest", + "scope": "excluded", + "licenses": [ + { + "license": { + "id": "BSD-3-Clause" + } + }, + { + "license": { + "id": "Apache-2.0" + } + }, + { + "license": { + "id": "HPND" + } + } + ], + "copyright": "Copyright 2008, Google Inc. All rights reserved.", + "cpe": "cpe:2.3:a:google:fuzztest:2025-07-28:*:*:*:*:*:*:*", + "purl": "pkg:github/google/fuzztest@2025-07-28", + "externalReferences": [ + { + "url": "https://github.com/google/fuzztest.git", + "type": "distribution" + } ], "evidence": { "occurrences": [ { - "location": "src/third_party/benchmark" + "location": "src/third_party/fuzztest" } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/fuzztest/scripts/import.sh" + } + ] }, { "type": "library", 
@@ -1031,6 +1006,7 @@ "name": "googletest", "version": "1.17.0", "description": "GoogleTest - Google Testing and Mocking Framework", + "scope": "excluded", "licenses": [ { "license": { @@ -1047,11 +1023,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/googletest" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Disaggregated Storage" - }, { "name": "emits_persisted_data", "value": "false" @@ -1060,15 +1039,7 @@ "name": "import_script_path", "value": "src/third_party/googletest/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/googletest" - } - ] - }, - "scope": "excluded" + ] }, { "type": "library", @@ -1084,6 +1055,7 @@ "name": "re2", "version": "2025-08-05", "description": "RE2 is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python. It is a C++ library.", + "scope": "required", "licenses": [ { "license": { @@ -1100,11 +1072,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/re2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1113,15 +1088,7 @@ "name": "import_script_path", "value": "src/third_party/re2/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/re2" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1137,6 +1104,7 @@ "name": "S2 Geometry Library", "version": "a25c502bda9d7e0274b9e2b7825fbddf13cc0306", "description": "Computational geometry and spatial indexing on the sphere", + "scope": "required", "licenses": [ { "license": { 
@@ -1152,16 +1120,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], "evidence": { "occurrences": [ { @@ -1169,7 +1127,12 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] }, { "type": "library", @@ -1185,6 +1148,7 @@ "name": "snappy", "version": "1.1.10", "description": "A fast compressor/decompressor", + "scope": "required", "licenses": [ { "license": { @@ -1201,11 +1165,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/snappy" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1214,15 +1181,7 @@ "name": "import_script_path", "value": "src/third_party/snappy/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/snappy" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1238,6 +1197,7 @@ "name": "tcmalloc", "version": "f3b20f9a07e175c5d897df7b49d9830d4efa6110", "description": "TCMalloc is Google's customized implementation of C's malloc() and C++'s operator new used for memory allocation within our C and C++ code. TCMalloc is a fast, multi-threaded malloc implementation.", + "scope": "required", "licenses": [ { "license": { @@ -1247,12 +1207,6 @@ ], "copyright": "Copyright 2024 The TCMalloc Authors", "purl": "pkg:github/google/tcmalloc@f3b20f9a07e175c5d897df7b49d9830d4efa6110", - "externalReferences": [ - { - "url": "https://github.com/google/tcmalloc.git", - "type": "distribution" - } - ], "pedigree": { "descendants": [ { 
@@ -1272,18 +1226,10 @@ } ] }, - "properties": [ + "externalReferences": [ { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/tcmalloc/scripts/import.sh" + "url": "https://github.com/google/tcmalloc.git", + "type": "distribution" } ], "evidence": { @@ -1293,7 +1239,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "import_script_path", + "value": "src/third_party/tcmalloc/scripts/import.sh" + } + ] }, { "type": "library", @@ -1309,6 +1264,7 @@ "name": "gperftools", "version": "2.9.1", "description": "gperftools (originally Google Performance Tools) is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools.", + "scope": "required", "licenses": [ { "license": { @@ -1325,11 +1281,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/gperftools" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - }, { "name": "emits_persisted_data", "value": "false" @@ -1338,15 +1297,7 @@ "name": "import_script_path", "value": "src/third_party/gperftools/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/gperftools" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1362,6 +1313,7 @@ "name": "gRPC (C++)", "version": "1.74.1", "description": "gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. gRPC enables client and server applications to communicate transparently, and simplifies the building of connected systems.", + "scope": "required", "licenses": [ { "license": { 
@@ -1378,11 +1330,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/grpc" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -1391,15 +1346,7 @@ "name": "import_script_path", "value": "src/third_party/grpc/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/grpc" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1409,6 +1356,7 @@ "name": "yaml-cpp", "version": "0.6.3", "description": "A YAML parser and emitter in C++", + "scope": "required", "licenses": [ { "license": { @@ -1425,11 +1373,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/yaml-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "false" @@ -1438,15 +1389,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/yaml-cpp_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/yaml-cpp" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1456,6 +1399,7 @@ "name": "cpptrace", "version": "1.0.3", "description": "Simple, portable, and self-contained stacktrace library for C++11 and newer", + "scope": "excluded", "licenses": [ { "license": { @@ -1471,11 +1415,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/cpptrace" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -1484,15 +1431,7 @@ "name": "import_script_path", "value": "src/third_party/cpptrace/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/cpptrace" - } - ] - }, - "scope": "excluded" + ] }, { "type": "library", @@ -1508,6 +1447,7 @@ "name": "JSON-Schema-Test-Suite", "version": "728066f9c5c258ba3b1804a22a5b998f2ec77ec0", "description": "A language agnostic test suite for the JSON Schema specifications", + "scope": "excluded", "licenses": [ { "license": { @@ -1523,16 +1463,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Optimization" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -1540,7 +1470,50 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:github/jupp0r/prometheus-cpp@v1.2.2", + "author": "Jupp Mueller, Gregor Jasny", + "group": "jupp0r", + "name": "Prometheus Client Library for Modern C++", + "version": "1.2.2", + "description": "This library aims to enable Metrics-Driven Development for C++ services. It implements the Prometheus Data Model, a powerful abstraction on which to collect and expose metrics.", + "scope": "excluded", + "licenses": [ + { + "license": { + "id": "MIT" + } + } + ], + "copyright": "Copyright (c) 2016-2021 Jupp Mueller, Copyright (c) 2017-2022 Gregor Jasny", + "purl": "pkg:github/jupp0r/prometheus-cpp@v1.2.2", + "externalReferences": [ + { + "url": "https://github.com/jupp0r/prometheus-cpp.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/prometheus-cpp" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", 
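Review bot: The re-added prometheus-cpp component in the last hunk records version 1.2.2 with `"emits_persisted_data": "false"` and `"scope": "excluded"`, while the entry removed further down (hunk starting at -2046) recorded 1.3.0, `"true"` and `"optional"`; an SBOM that understates a vendored version or its persisted-data footprint weakens vulnerability matching against this component. If these values were produced by the generator rather than read from the library's import script, the `VERSION=` line in `src/third_party/prometheus-cpp/scripts/import.sh` (the path the old entry's `import_script_path` pointed at) should be checked against them before merge. The new entry also has no `import_script_path` property, which may mean the generator did not find that script for this folder.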
@@ -1556,6 +1529,7 @@ "name": "LibTomCrypt", "version": "1.18.2", "description": "LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.", + "scope": "required", "licenses": [ { "license": { @@ -1572,11 +1546,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/tomcrypt-1.18.2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" @@ -1585,15 +1562,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/tomcrypt_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/tomcrypt-1.18.2" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1609,6 +1578,7 @@ "name": "libunwind", "version": "1.8.1", "description": "The primary goal of this project is to define a portable and efficient C programming interface (API) to determine the call-chain of a program. The API additionally provides the means to manipulate the preserved (callee-saved) state of each call-frame and to resume execution at any point in the call-chain (non-local goto). The API supports both local (same-process) and remote (across-process) operation.", + "scope": "required", "licenses": [ { "license": { @@ -1625,11 +1595,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/unwind" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Programmability" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -1638,15 +1611,7 @@ "name": "import_script_path", "value": "src/third_party/unwind/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/unwind" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1662,6 +1627,7 @@ "name": "zlib", "version": "1.3.1", "description": "zlib is a general purpose data compression library.", + "scope": "required", "licenses": [ { "license": { @@ -1678,24 +1644,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, - { - "name": "emits_persisted_data", - "value": "true" - }, - { - "name": "import_script_path", - "value": "src/third_party/scripts/zlib_get_sources.sh" - }, - { - "name": "internal:endor_labs_bom-ref", - "value": "pkg:generic/zlib@1.3.1?package-id=c8022a0449368a5c&vcs_url=https%3A%2F%2Fzlib.net%2Ffossils%2Fzlib-1.3.1.tar.gz" - } - ], "evidence": { "occurrences": [ { @@ -1703,7 +1651,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "import_script_path", + "value": "src/third_party/scripts/zlib_get_sources.sh" + } + ] }, { "type": "library", @@ -1719,6 +1676,7 @@ "name": "libmongocrypt", "version": "1.15.0", "description": "Required C library for Client Side and Queryable Encryption in MongoDB", + "scope": "required", "licenses": [ { "license": { @@ -1735,11 +1693,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/libmongocrypt" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" @@ -1748,15 +1709,7 @@ "name": "import_script_path", "value": "src/third_party/libmongocrypt/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/libmongocrypt" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
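Review bot: The zlib entry drops its `internal:endor_labs_bom-ref` property, and the libstemmer entry in the hunk starting at -2288 loses the same property; that value appears to be what ties the CycloneDX component to the SCA tool's `package-id` for vulnerability correlation. If that correlation is now done outside the SBOM, a one-line note in the generator's documentation saying so would help; otherwise the property should survive regeneration rather than be silently removed.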
@@ -1770,8 +1723,9 @@ "author": "MongoDB, Inc.", "group": "mongodb", "name": "MongoDB C Driver", - "description": "The Official MongoDB driver for C language", "version": "1.28.1", + "description": "The Official MongoDB driver for C language", + "scope": "required", "licenses": [ { "license": { @@ -1788,11 +1742,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/libbson" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, { "name": "emits_persisted_data", "value": "true" @@ -1801,15 +1758,7 @@ "name": "import_script_path", "value": "src/third_party/libbson/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/libbson" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -1819,6 +1768,7 @@ "name": "nlohmann/json", "version": "3.11.3", "description": "JSON for Modern C++", + "scope": "optional", "licenses": [ { "license": { @@ -1834,11 +1784,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/nlohmann-json" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1847,15 +1800,7 @@ "name": "import_script_path", "value": "src/third_party/nlohmann-json/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/nlohmann-json" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", 
@@ -1869,8 +1814,9 @@ "author": "OpenJS Foundation", "group": "nodejs", "name": "node", - "description": "A modified version of the GetStringWidth function from Node.js, originating from the https://github.com/joyent/node repository.", "version": "22.1.0", + "description": "A modified version of the GetStringWidth function from Node.js, originating from the https://github.com/joyent/node repository.", + "scope": "excluded", "licenses": [ { "license": { @@ -1886,12 +1832,6 @@ "type": "website" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Workload Scheduling" - } - ], "evidence": { "occurrences": [ { @@ -1899,7 +1839,7 @@ } ] }, - "scope": "excluded" + "properties": [] }, { "type": "library", @@ -1915,6 +1855,7 @@ "name": "opentelemetry-cpp", "version": "1.24.0", "description": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. As an industry-standard, OpenTelemetry is supported by more than 40 observability vendors, integrated by many libraries, services, and apps, and adopted by numerous end users.", + "scope": "optional", "licenses": [ { "license": { @@ -1930,11 +1871,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/opentelemetry-cpp" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1943,15 +1887,7 @@ "name": "import_script_path", "value": "src/third_party/opentelemetry-cpp/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/opentelemetry-cpp" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", 
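Review bot: The node component now ends with `"properties": []`, making it the only component in these hunks without an `emits_persisted_data` property; every other entry carries one, and a consumer may treat the missing flag as unknown rather than as false. Consider emitting `{"name": "emits_persisted_data", "value": "false"}` here, or whatever value the vendored GetStringWidth snippet actually warrants, so the SBOM stays uniform.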
@@ -1967,6 +1903,7 @@ "name": "opentelemetry-proto", "version": "1.3.2", "description": "OpenTelemetry protocol (OTLP) specification and Protobuf definitions", + "scope": "optional", "licenses": [ { "license": { @@ -1982,11 +1919,14 @@ "type": "vcs" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/opentelemetry-proto" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "true" @@ -1995,15 +1935,7 @@ "name": "import_script_path", "value": "src/third_party/opentelemetry-proto/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/opentelemetry-proto" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", @@ -2019,6 +1951,7 @@ "name": "PCRE2 - Perl-Compatible Regular Expressions", "version": "10.40", "description": "The PCRE2 library is a set of C functions that implement regular expression pattern matching.", + "scope": "required", "licenses": [ { "expression": "BSD-3-Clause WITH PCRE2-exception" @@ -2033,11 +1966,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/pcre2" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" 
@@ -2046,66 +1982,7 @@ "name": "import_script_path", "value": "src/third_party/scripts/pcre2_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/pcre2" - } - ] - }, - "scope": "required" - }, - { - "type": "library", - "bom-ref": "pkg:github/jupp0r/prometheus-cpp@1.3.0", - "supplier": { - "name": "Prometheus", - "url": [ - "https://prometheus.io/" - ] - }, - "author": "Jupp Mueller", - "name": "prometheus-cpp", - "version": "1.3.0", - "description": "Prometheus client library for C++", - "licenses": [ - { - "license": { - "id": "MIT" - } - } - ], - "copyright": "Jupp Mueller, Gregor Jasny", - "purl": "pkg:github/jupp0r/prometheus-cpp@1.3.0", - "externalReferences": [ - { - "url": "https://github.com/jupp0r/prometheus-cpp", - "type": "vcs" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, - { - "name": "emits_persisted_data", - "value": "true" - }, - { - "name": "import_script_path", - "value": "src/third_party/prometheus-cpp/scripts/import.sh" - } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/prometheus-cpp" - } - ] - }, - "scope": "optional" + ] }, { "type": "library", @@ -2121,6 +1998,7 @@ "name": "Protobuf", "version": "6.31.1", "description": "Protocol Buffers - Google's data interchange format", + "scope": "required", "licenses": [ { "license": { @@ -2137,11 +2015,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/protobuf" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Networking & Observability" - }, { "name": "emits_persisted_data", "value": "false" @@ -2150,15 +2031,7 @@ "name": "import_script_path", "value": "src/third_party/protobuf/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/protobuf" - } - ] - }, - "scope": "required" + ] }, { "type": "library", 
@@ -2174,6 +2047,7 @@ "name": "CRoaring", "version": "3.0.1", "description": "Roaring bitmaps in C (and C++), with SIMD (AVX2, AVX-512 and NEON) optimizations: used by Apache Doris, ClickHouse, and StarRocks. Roaring bitmaps are compressed bitmaps which tend to outperform conventional compressed bitmaps such as WAH, EWAH or Concise. In some instances, they can be hundreds of times faster and they often offer significantly better compression.", + "scope": "required", "licenses": [ { "expression": "Apache-2.0 OR MIT" @@ -2188,11 +2062,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/croaring" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "false" @@ -2201,15 +2078,7 @@ "name": "import_script_path", "value": "src/third_party/croaring/scripts/import.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/croaring" - } - ] - }, - "scope": "required" + ] }, { "type": "library", @@ -2225,6 +2094,7 @@ "name": "JSON Schema Store", "version": "6847cfc3a17a04a7664474212db50c627e1e3408", "description": "A collection of JSON schema files including full API", + "scope": "excluded", "licenses": [ { "license": { @@ -2240,16 +2110,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Optimization" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { @@ -2257,7 +2117,12 @@ } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] }, { "type": "library", 
@@ -2273,6 +2138,7 @@ "name": "Snowball Stemming Algorithms (libstemmer)", "version": "1.0.0", "description": "Snowball is a small string processing language for creating stemming algorithms for use in Information Retrieval, plus a collection of stemming algorithms implemented using it.", + "scope": "required", "licenses": [ { "license": { @@ -2288,24 +2154,6 @@ "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Integration" - }, - { - "name": "emits_persisted_data", - "value": "true" - }, - { - "name": "import_script_path", - "value": "src/third_party/libstemmer_c/scripts/import.sh" - }, - { - "name": "internal:endor_labs_bom-ref", - "value": "pkg:generic/libstemmer@1.0.0?package-id=bf7f3ec34662591d&vcs_url=http%3A%2F%2Fsnowball.tartarus.org%2Fdist%2Flibstemmer_c.tgz" - } - ], "evidence": { "occurrences": [ { @@ -2313,7 +2161,16 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "import_script_path", + "value": "src/third_party/libstemmer_c/scripts/import.sh" + } + ] }, { "type": "library", @@ -2329,6 +2186,7 @@ "name": "ICU4C - International Components for Unicode C/C++", "version": "57.1", "description": "International Components for Unicode (ICU) is an open-source project of mature libraries for Unicode support, software internationalization, and software globalization. The C/C++ version, known as ICU4C, offers comprehensive functionalities for handling globalized applications.", + "scope": "required", "licenses": [ { "license": { @@ -2346,11 +2204,14 @@ "type": "distribution" } ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/icu4c-57.1" + } + ] + }, "properties": [ - { - "name": "internal:team_responsible", - "value": "Query Execution" - }, { "name": "emits_persisted_data", "value": "true" 
@@ -2359,160 +2220,17 @@ "name": "import_script_path", "value": "src/third_party/scripts/icu_get_sources.sh" } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/icu4c-57.1" - } - ] - }, - "scope": "required" - }, - { - "type": "framework", - "bom-ref": "pkg:github/wiredtiger/wiredtiger@12.0.0", - "supplier": { - "name": "MongoDB, Inc.", - "url": [ - "https://mongodb.com" - ] - }, - "author": "MongoDB, Inc.", - "group": "mongodb", - "name": "WiredTiger", - "version": "12.0.0", - "description": "WiredTiger is an high performance, scalable, production quality, NoSQL, Open Source extensible platform for data management.", - "licenses": [ - { - "expression": "GPL-2.0-only OR GPL-3.0-only" - } - ], - "copyright": "Copyright (c) 2014-present MongoDB, Inc., Copyright (c) 2008-2014 WiredTiger, Inc., All rights reserved.", - "purl": "pkg:github/wiredtiger/wiredtiger@12.0.0", - "externalReferences": [ - { - "url": "https://github.com/wiredtiger/wiredtiger.git", - "type": "distribution" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Storage Engines" - }, - { - "name": "emits_persisted_data", - "value": "true" - } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/wiredtiger" - } - ] - }, - "scope": "required" + ] }, { "type": "library", - "bom-ref": "pkg:pypi/ocspbuilder@0.10.2", - "author": "Will Bond", - "group": "wbond", - "name": "pypi/ocspbuilder", - "version": "0.10.2", - "description": "Creates and signs online certificate status protocol (OCSP) requests and responses for X.509 certificates", - "licenses": [ - { - "license": { - "id": "MIT" - } - } - ], - "copyright": "Copyright (c) 2015-2018 Will Bond ", - "purl": "pkg:pypi/ocspbuilder@0.10.2", - "externalReferences": [ - { - "url": "https://pypi.org/project/ocspbuilder/", - "type": "distribution" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, - { - "name": "emits_persisted_data", 
- "value": "false" - } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/mock_ocsp_responder" - } - ] - }, - "scope": "excluded" - }, - { - "type": "library", - "bom-ref": "pkg:pypi/ocspresponder@0.5.0", - "supplier": { - "name": "Threema GmbH", - "url": [ - "https://threema.ch/" - ] - }, - "author": "Threema GmbH", - "group": "threema-ch", - "name": "pypi/ocspresponder", - "version": "0.5.0", - "description": "RFC 6960 compliant OCSP Responder framework written in Python 3.", - "licenses": [ - { - "license": { - "id": "Apache-2.0" - } - } - ], - "copyright": "Copyright 2016 Threema GmbH", - "purl": "pkg:pypi/ocspresponder@0.5.0", - "externalReferences": [ - { - "url": "https://pypi.org/project/ocspresponder/", - "type": "distribution" - } - ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Server Security" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], - "evidence": { - "occurrences": [ - { - "location": "src/third_party/mock_ocsp_responder" - } - ] - }, - "scope": "excluded" - }, - { - "type": "library", - "bom-ref": "pkg:github/veorq/siphash@f26d35e964c6290ffe23d9043475ad3129f409e0", + "bom-ref": "pkg:github/veorq/siphash@eee7d0d84dc7731df2359b243aa5e75d85f6eaef", "author": "Jean-Philippe Aumasson, Daniel J. Bernstein", "group": "veorq", "name": "siphash", - "version": "f26d35e964c6290ffe23d9043475ad3129f409e0", + "version": "eee7d0d84dc7731df2359b243aa5e75d85f6eaef", "description": "High-speed secure pseudorandom function for short messages", + "scope": "required", "licenses": [ { "license": { 
@@ -2531,23 +2249,13 @@ } ], "copyright": "This code is copyright (c) 2014-2023 Jean-Philippe Aumasson, Daniel J. Bernstein.", - "purl": "pkg:github/veorq/siphash@f26d35e964c6290ffe23d9043475ad3129f409e0", + "purl": "pkg:github/veorq/siphash@eee7d0d84dc7731df2359b243aa5e75d85f6eaef", "externalReferences": [ { - "url": "https://github.com/veorq/siphash/blob/f26d35e/", + "url": "https://github.com/veorq/siphash/", "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Catalog and Routing" - }, - { - "name": "emits_persisted_data", - "value": "false" - } - ], "evidence": { "occurrences": [ { 
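Review bot: The siphash distribution URL changes from the commit-pinned `https://github.com/veorq/siphash/blob/f26d35e/` to the repository root, so the external reference no longer identifies the vendored revision on its own; the purl on the preceding line still pins the new commit, but an unpinned URL is less useful for provenance checks. Keeping the commit in the URL, e.g. `https://github.com/veorq/siphash/tree/eee7d0d84dc7731df2359b243aa5e75d85f6eaef/`, preserves that traceability at no cost.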
@@ -2555,121 +2263,139 @@ } ] }, - "scope": "required" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "framework", + "bom-ref": "pkg:github/wiredtiger/wiredtiger@12.0.0", + "supplier": { + "name": "MongoDB, Inc.", + "url": [ + "https://mongodb.com" + ] + }, + "author": "MongoDB, Inc.", + "group": "mongodb", + "name": "WiredTiger", + "version": "12.0.0", + "description": "WiredTiger is an high performance, scalable, production quality, NoSQL, Open Source extensible platform for data management.", + "scope": "required", + "licenses": [ + { + "expression": "GPL-2.0-only OR GPL-3.0-only" + } + ], + "copyright": "Copyright (c) 2014-present MongoDB, Inc., Copyright (c) 2008-2014 WiredTiger, Inc., All rights reserved.", + "purl": "pkg:github/wiredtiger/wiredtiger@12.0.0", + "externalReferences": [ + { + "url": "https://github.com/wiredtiger/wiredtiger.git", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/wiredtiger" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "true" + } + ] }, { "type": "library", - "bom-ref": "pkg:github/google/fuzztest@v2025.07.28", - "supplier": { - "name": "Google LLC", - "url": [ - "https://opensource.google/" - ] - }, - "author": "The Google Test and Google Mock Communities", - "group": "google.opensource", - "name": "fuzztest", - "version": "2025.07.28", - "description": "FuzzTest", + "bom-ref": "pkg:pypi/ocspbuilder@0.10.2", + "author": "Will Bond", + "group": "wbond", + "name": "pypi/ocspbuilder", + "version": "0.10.2", + "description": "Creates and signs online certificate status protocol (OCSP) requests and responses for X.509 certificates", + "scope": "excluded", "licenses": [ { "license": { - "id": "BSD-3-Clause" + "id": "MIT" } - }, + } + ], + "copyright": "Copyright (c) 2015-2018 Will Bond ", + "purl": "pkg:pypi/ocspbuilder@0.10.2", + "externalReferences": [ + { + "url": 
"https://pypi.org/project/ocspbuilder/", + "type": "distribution" + } + ], + "evidence": { + "occurrences": [ + { + "location": "src/third_party/mock_ocsp_responder" + } + ] + }, + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] + }, + { + "type": "library", + "bom-ref": "pkg:pypi/ocspresponder@0.5.0", + "supplier": { + "name": "Threema GmbH", + "url": [ + "https://threema.ch/" + ] + }, + "author": "Threema GmbH", + "group": "threema-ch", + "name": "pypi/ocspresponder", + "version": "0.5.0", + "description": "RFC 6960 compliant OCSP Responder framework written in Python 3.", + "scope": "excluded", + "licenses": [ { "license": { "id": "Apache-2.0" } } ], - "copyright": "Copyright 2008, Google Inc. All rights reserved.", - "cpe": "cpe:2.3:a:google:fuzztest:2025.07.28:*:*:*:*:*:*:*", - "purl": "pkg:github/google/fuzztest@v2025.07.28", + "copyright": "Copyright 2016 Threema GmbH", + "purl": "pkg:pypi/ocspresponder@0.5.0", "externalReferences": [ { - "url": "https://github.com/google/fuzztest.git", + "url": "https://pypi.org/project/ocspresponder/", "type": "distribution" } ], - "properties": [ - { - "name": "internal:team_responsible", - "value": "Product Security" - }, - { - "name": "emits_persisted_data", - "value": "false" - }, - { - "name": "import_script_path", - "value": "src/third_party/fuzztest/scripts/import.sh" - } - ], "evidence": { "occurrences": [ { - "location": "src/third_party/fuzztest" + "location": "src/third_party/mock_ocsp_responder" } ] }, - "scope": "excluded" + "properties": [ + { + "name": "emits_persisted_data", + "value": "false" + } + ] } ], "dependencies": [ - { - "ref": "pkg:github/mongodb/mongo@master", - "dependsOn": [ - "pkg:github/abseil/abseil-cpp@20250512.1", - "pkg:github/arximboldi/immer@0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3", - "pkg:github/chriskohlhoff/asio@asio-1-34-2", - "pkg:github/google/benchmark@v1.5.2", - "pkg:github/boostorg/boost@boost-1.88.0", - "pkg:github/c-ares/c-ares@cares-1_27_0", 
- "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-2.1.28", - "pkg:github/dcleblanc/safeint@3.0.28a", - "pkg:github/derickr/timelib@2022.13", - "pkg:github/fmtlib/fmt@11.2.0", - "pkg:github/facebook/folly@v2023.12.25.00", - "pkg:github/google/re2@2025-08-05", - "pkg:github/google/s2geometry@a25c502bda9d7e0274b9e2b7825fbddf13cc0306", - "pkg:github/google/snappy@1.1.10", - "pkg:github/google/fuzztest@v2025.07.28", - "pkg:github/google/googletest@v1.17.0", - "pkg:github/gperftools/gperftools@2.9.1", - "pkg:github/grpc/grpc@v1.74.1", - "pkg:github/unicode-org/icu@icu-release-57-1", - "pkg:generic/intel/IntelRDFPMathLib@2.0.1", - "pkg:github/jbeder/yaml-cpp@yaml-cpp-0.6.3", - "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", - "pkg:github/mongodb/libmongocrypt@1.15.0", - "pkg:github/libtom/libtomcrypt@v1.18.2", - "pkg:github/libunwind/libunwind@v1.8.1", - "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", - "pkg:github/mongodb/mongo-c-driver@1.28.1", - "pkg:deb/debian/firefox-esr@140.7.0esr-1?arch=source", - "pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc", - "pkg:pypi/ocspbuilder@0.10.2", - "pkg:pypi/ocspresponder@0.5.0", - "pkg:github/pcre2project/pcre2@pcre2-10.40", - "pkg:github/protocolbuffers/protobuf@v6.31.1", - "pkg:github/roaringbitmap/croaring@v3.0.1", - "pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408", - "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", - "pkg:github/snowballstem/snowball@1.0.0", - "pkg:github/google/tcmalloc@f3b20f9a07e175c5d897df7b49d9830d4efa6110", - "pkg:generic/unicode-org/unicode@8.0.0", - "pkg:generic/valgrind/valgrind@093bef43d69236287ccc748591c9560a71181b0a", - "pkg:github/madler/zlib@1.3.1", - "pkg:github/facebook/zstd@v1.5.5", - 
"pkg:github/open-telemetry/opentelemetry-cpp@v1.24.0", - "pkg:github/open-telemetry/opentelemetry-proto@1.3.2", - "pkg:github/nlohmann/json@v3.11.3", - "pkg:github/wiredtiger/wiredtiger@12.0.0", - "pkg:github/davea42/libdwarf-code@libdwarf-2.1.0", - "pkg:github/jeremy-rifkin/cpptrace@v1.0.3" - ] - }, { "ref": "pkg:deb/debian/firefox-esr@140.7.0esr-1?arch=source", "dependsOn": [] @@ -2699,7 +2425,7 @@ "dependsOn": [] }, { - "ref": "pkg:github/arximboldi/immer@0b3aaf699b9d6f2e89f8e2b6d1221c307e02bda3", + "ref": "pkg:github/arximboldi/immer@v0.9.1", "dependsOn": [] }, { @@ -2747,7 +2473,7 @@ "dependsOn": [] }, { - "ref": "pkg:github/google/fuzztest@v2025.07.28", + "ref": "pkg:github/google/fuzztest@2025-07-28", "dependsOn": [] }, { @@ -2790,6 +2516,10 @@ "ref": "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", "dependsOn": [] }, + { + "ref": "pkg:github/jupp0r/prometheus-cpp@v1.2.2", + "dependsOn": [] + }, { "ref": "pkg:github/libtom/libtomcrypt@v1.18.2", "dependsOn": [] 
@@ -2808,7 +2538,62 @@ }, { "ref": "pkg:github/mongodb/mongo-c-driver@1.28.1", - "dependsOn": [] + "dependsOn": [ + "pkg:github/madler/zlib@1.3.1" + ] + }, + { + "ref": "pkg:github/mongodb/mongo@master", + "dependsOn": [ + "pkg:deb/debian/firefox-esr@140.7.0esr-1?arch=source", + "pkg:generic/intel/IntelRDFPMathLib@2.0.1", + "pkg:generic/unicode-org/unicode@8.0.0", + "pkg:generic/valgrind/valgrind@093bef43d69236287ccc748591c9560a71181b0a", + "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb", + "pkg:github/abseil/abseil-cpp@20250512.1", + "pkg:github/antirez/linenoise@6cdc775807e57b2c3fd64bd207814f8ee1fe35f3", + "pkg:github/arximboldi/immer@v0.9.1", + "pkg:github/boostorg/boost@boost-1.88.0", + "pkg:github/c-ares/c-ares@cares-1_27_0", + "pkg:github/chriskohlhoff/asio@asio-1-34-2", + "pkg:github/cyrusimap/cyrus-sasl@cyrus-sasl-2.1.28", + "pkg:github/davea42/libdwarf-code@libdwarf-2.1.0", + "pkg:github/dcleblanc/safeint@3.0.28a", + "pkg:github/derickr/timelib@2022.13", + "pkg:github/facebook/folly@v2023.12.25.00", + "pkg:github/facebook/zstd@v1.5.5", + "pkg:github/fmtlib/fmt@11.2.0", + "pkg:github/google/benchmark@v1.5.2", + "pkg:github/google/fuzztest@2025-07-28", + "pkg:github/google/googletest@v1.17.0", + "pkg:github/google/re2@2025-08-05", + "pkg:github/google/s2geometry@a25c502bda9d7e0274b9e2b7825fbddf13cc0306", + "pkg:github/google/snappy@1.1.10", + "pkg:github/google/tcmalloc@f3b20f9a07e175c5d897df7b49d9830d4efa6110", + "pkg:github/gperftools/gperftools@2.9.1", + "pkg:github/grpc/grpc@v1.74.1", + "pkg:github/jbeder/yaml-cpp@yaml-cpp-0.6.3", + "pkg:github/jeremy-rifkin/cpptrace@v1.0.3", + "pkg:github/json-schema-org/json-schema-test-suite@728066f9c5c258ba3b1804a22a5b998f2ec77ec0", + "pkg:github/libtom/libtomcrypt@v1.18.2", + "pkg:github/libunwind/libunwind@v1.8.1", + "pkg:github/madler/zlib@1.3.1", + "pkg:github/mongodb/libmongocrypt@1.15.0", + "pkg:github/nlohmann/json@v3.11.3", + 
"pkg:github/nodejs/node@22.1.0?download_url=https%3A%2F%2Fgithub.com%2Fnodejs%2Fnode%2Fblob%2F8b45c5d26a829bcd3280401dbc1874bcd1302289%2Fsrc%2Fnode_i18n.cc%23L825%23src%2Fnode_i18n.cc%3AGetStringWidth#src/node_i18n.cc", + "pkg:github/open-telemetry/opentelemetry-cpp@v1.24.0", + "pkg:github/open-telemetry/opentelemetry-proto@1.3.2", + "pkg:github/pcre2project/pcre2@pcre2-10.40", + "pkg:github/protocolbuffers/protobuf@v6.31.1", + "pkg:github/roaringbitmap/croaring@v3.0.1", + "pkg:github/schemastore/schemastore@6847cfc3a17a04a7664474212db50c627e1e3408", + "pkg:github/snowballstem/snowball@1.0.0", + "pkg:github/unicode-org/icu@icu-release-57-1", + "pkg:github/veorq/siphash@eee7d0d84dc7731df2359b243aa5e75d85f6eaef", + "pkg:github/wiredtiger/wiredtiger@12.0.0", + "pkg:pypi/ocspbuilder@0.10.2", + "pkg:pypi/ocspresponder@0.5.0" + ] }, { "ref": "pkg:github/nlohmann/json@v3.11.3", @@ -2850,6 +2635,10 @@ "ref": "pkg:github/unicode-org/icu@icu-release-57-1", "dependsOn": [] }, + { + "ref": "pkg:github/veorq/siphash@eee7d0d84dc7731df2359b243aa5e75d85f6eaef", + "dependsOn": [] + }, { "ref": "pkg:github/wiredtiger/wiredtiger@12.0.0", "dependsOn": [] diff --git a/src/third_party/OWNERS.yml b/src/third_party/OWNERS.yml index fb00e945d7a..9d4676748ad 100644 --- a/src/third_party/OWNERS.yml +++ b/src/third_party/OWNERS.yml @@ -100,9 +100,6 @@ filters: - "pcre2": approvers: - 10gen/query-execution - - "private/.placeholder": - approvers: - - 10gen/devprod-build - "prometheus-cpp": approvers: - 10gen/server-networking-and-observability diff --git a/src/third_party/README.md b/src/third_party/README.md index 7b0bd8b940d..b9145cebdbd 100644 --- a/src/third_party/README.md +++ b/src/third_party/README.md 
@@ -9,18 +9,18 @@ This policy applies to [github.com/mongodb/mongo](https://github.com/mongodb/mon
 1. Fork the third-party library into [github.com/mongodb-forks](https://github.com/mongodb-forks).
 > **Note:** To track versions for vulnerabilities, forking a named version (e.g., `v2.0.1`) is required against forking a specific commit.
 2. Pull the library from [github.com/mongodb-forks](https://github.com/mongodb-forks) into the `src/third_party` directory inside a folder named for the library being vendored.
-3. Include the added library in `/sbom.json` under `components`. This will be verified by the linter in `buildscripts/sbom_linter.py`. For more detail, see the [SBOM](#sbom) section below.
+3. It is not necessary to update the `/sbom.json` file, as an automated Evergreen task will add the component to the SBOM once merged.
+ > **Optional, but preferred:** Add component metadata to the `buildscripts/sbom/metadata.cdx.json`, see the [SBOM](#sbom) section below for field definitions. If not added, the automated SBOM generation will instead gather all available information from the C/C++ SCA tooling.
 4. Include a `scripts/import.sh` script inside the vendored library.
 > **Note:** A specific reference to the forked branch in [github.com/mongodb-forks](https://github.com/mongodb-forks) must be hardcoded. This helps developers understand and replicate the process used to vendor a specific library, facilitating maintenance.
-5. Include a `VERSION=XYZ` line in the `scripts/import.sh` script (here `XYZ` indicates the version of the third party library).
+5. Include a `VERSION=XYZ` line in the `scripts/import.sh` script (here `XYZ` indicates the version of the third party library). This line will be used by the automated SBOM generation.
 ## Updating a third-party library in the server to a new upstream version
 1. Fork the new upstream version to the repo already created in [github.com/mongodb-forks](https://github.com/mongodb-forks).
 2. Pull the forked version from [github.com/mongodb-forks](https://github.com/mongodb-forks) to the vendored library in `src/third_party`.
 3. Update `src/third_party//scripts/import.sh` with the exact reference used.
-4. Update `/sbom.json` with the new vendored version.
- > **Note:** Remember to update both the `version` and the `purl`.
+4. It is not necessary to update the `/sbom.json` file, as an automated Evergreen task will update the component version in the SBOM once merged.
 ## Modifying a third-party library in the server
@@ -34,21 +34,27 @@ The `sbom.json` file in the root of the MongoDB repository contains key informat
 Exhaustive documentation can be found at [https://cyclonedx.org/schema/](https://cyclonedx.org/schema/), this README is intended to describe our most common uses of fields. If your library does not easily fit the standard values below, please reach out to the Server Security team for assistance.
+Custom or enriched component metadata can optionally be added to `buildscripts/sbom/metadata.cdx.json`. The automated SBOM generation Evergreen task will check for component metadata in this file and merge it with results from the C/C++ SCA tooling.
+
 ## Components
-The top-level key "components" contains an array of third party components vendored in our repository. `component` objects have the following fields:
+The top-level key "components" contains an array of third party components vendored in our repository. `component` objects have the following fields in `buildscripts/sbom/metadata.cdx.json`:
 | Field Name | Description |
 | --- | --- |
-`name` | The name of the component.|
-| `version` | The version of the component. The `import.sh` file created for the component should have a line like `VERSION=1.2.3` where the right side of the `=` matches this string.|
 | `type` | The type of the component, such as library, application, framework, etc. For our vendored components, this will generally be `library`.|
-| `purl` | Package URL. A URL that uniquely identifies the component and its version. This is a standard format that looks like `pkg:[type]/[packagename]@[version]`.|
-| `supplier` | The source of the package, often correlated with the package type in the `purl`.
-| `bom-ref` | A UUID to identify the component, since all other fields are subject to change. Can be generated by running `uuidgen`.|
-| `licenses` | Information about the licenses under which the component is used. For boilerplate licenses, this is the [SPDX license identifier](https://spdx.org/licenses/) for the license. This field also supports urls and text blobs.|
-| `scope` | The intended usage scope of the component in MongoDB. If the binary is distributed with our software, this must be `required`. For components used only for testing, this should be `excluded`.|
-| `evidence` | This contains an array of `occurences`, which in turn contain `location` strings specifying the location of the component in our repo.|
+|`bom-ref` | Should be the same as the `purl` field, including the `{{VERSION}}` as a placeholder string.|
+|`supplier` and/or `author` | The entity supplying the package and/or the author(s) of the package. Must have at least one of these fields. |
+|`group` | The grouping name or identifier. Typically the GitHub organization, the source package, or domain name.|
+|`name` | The name of the component.|
+|`version` | The version of the component. Set to `{{VERSION}}` as a placeholder string. The `import.sh` file created for the component should have a line like `VERSION=1.2.3` where the right side of the `=` specifies teh version.|
+|`description` | A brief description of the package and its function.|
+|`scope` | Set to `required` if package is always included in the distribution, `optional` if sometimes included (e.g., Windows-only), or `excluded` if only used from build/test/dev.
+|`licenses` | Information about the licenses under which the component is used. For boilerplate licenses, this is the [SPDX license identifier](https://spdx.org/licenses/) for the license. This field also supports urls and text blobs.|
+|`copyright` | A copyright notice informing users of the underlying claims to copyright ownership in a published work.|
+|`cpe` and/or `purl` | The Common Platform Enumeration (CPE) [https://nvd.nist.gov/products/cpe](CPE Dictionary) and/or Package URL (PURL) [https://github.com/package-url/purl-spec](specification). It is required that one or both of these fields be populated for the purposes of SBOM vulnerability analysis. Use `{{VERSION}}` as a placeholder string.|
+| `externalReferences` | This contains an array informational links about the component, typically the location of the git repo (`url`) and the type (`distribution` or `vcs`). It is used to populate [README.third_party.md](/README.third_party.md) |
+| `evidence` | This contains an array of `occurrences`, which in turn contain `location` strings specifying the location of the component in our repo.|
 | `properties` | Additional custom properties related to the component, see below.|
 ## Properties
@@ -57,7 +63,58 @@ Component objects contain a `properties` field that is used for adding our own p
 | Field Name | Description |
 | --- | --- |
-| `internal:team_responsible` | The MongoDB team responsible for this library. The team name should match the string for the team in [mothra](https://github.com/10gen/mothra/blob/main/mothra/teams/database.yaml). |
 | `emits_persisted_data` | This should be set to true if the component outputs persisted data to disk. This is important because in this case, updating the library could cause breakage due to the format of this data changing. |
-| `info_link` | This is an informational link about the component. It is used to populate [README.third_party.md](/README.third_party.md) |
-| `import_script_path` | The location of the script used to update the library to a new version. The standard location is `src/third_party/[componentdir]/scripts/import.sh`. |
\ No newline at end of file
+| `import_script_path` | The location of the script (if it exists) used to update the library to a new version. The standard location is `src/third_party/[componentdir]/scripts/import.sh`. |
+
+### Component Metadata Example
+```
+{
+ "type": "library",
+ "bom-ref": "pkg:github/boostorg/boost@boost-{{VERSION}}",
+ "supplier": {
+ "name": "The Boost Foundation",
+ "url": [
+ "https://www.boost.org/"
+ ]
+ },
+ "author": "Boost Developers",
+ "group": "boost",
+ "name": "Boost C++ Libraries",
+ "version": "{{VERSION}}",
+ "description": "Super-project for modularized Boost. Boost is a repository of free, portable, peer-reviewed C++ libraries",
+ "scope": "required",
+ "licenses": [
+ {
+ "license": {
+ "id": "BSL-1.0"
+ }
+ }
+ ],
+ "copyright": "Boost copyright claims are made on a per-file basis and listed as comments in source file headers",
+ "cpe": "cpe:2.3:a:boost:boost:{{VERSION}}:*:*:*:*:*:*:*",
+ "purl": "pkg:github/boostorg/boost@boost-{{VERSION}}",
+ "externalReferences": [
+ {
+ "url": "https://github.com/boostorg/boost.git",
+ "type": "distribution"
+ }
+ ],
+ "evidence": {
+ "occurrences": [
+ {
+ "location": "src/third_party/boost"
+ }
+ ]
+ },
+ "properties": [
+ {
+ "name": "emits_persisted_data",
+ "value": "false"
+ },
+ {
+ "name": "import_script_path",
+ "value": "src/third_party/boost/scripts/import.sh"
+ }
+ ]
+}
+```
\ No newline at end of file