CSHARP-5626 Add evergreen script to generate CycloneDX SBOM
Added a bash script to generate a build lifecycle CycloneDX SBOM using the cyclonedx-dotnet tool. The script installs a fixed version of cyclonedx-dotnet, runs a versioned dotnet restore, and generates an SBOM for each of the 4 MongoDB.Driver NuGet packages.
To ensure accurate results, two queries are run against each of the .csproj files to ensure all development packages are excluded and that any local <ProjectReference> items are marked in the SBOM as NuGet packages. Once all 4 SBOMs are created, they are merged into a single hierarchical SBOM file.
The file is saved as sbom.cdx.json (as opposed to the current sbom.json), which is the preferred file extension for CycloneDX files. There is not yet any code to commit the new SBOM to the repo. This is to allow for evaluation of the new SBOM first without interfering with the current workflow to upload the current static sbom.json file to Kondukto.
There is also a line added to download-augmented-sbom.sh to copy the augmented SBOM to vex.cdx.json (also not yet committed to repo) after it has been uploaded to the release artifacts bucket, as this is how we should be storing the augmented SBOM for public consumption.
Once the SBOM generation process has been approved, I will add commit code for both of the cdx.json files, remove the sbom.json file and update download-augmented-sbom.sh to use the new sbom.cdx.json file.
To generate the SBOM, run evergreen/generate-sbom.sh. There shouldn't be any prerequisites other than having the basic dotnet toolchain(s) available.
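
One way to check a generated SBOM against the two .csproj queries described above, added here as an example and not the script from this commit. It assumes a development package is one marked PrivateAssets="all" and that a local project's package id equals its project file name; the sample project file, package names and SBOM fragment are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample project file; package names are hypothetical.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Runtime.Lib" Version="1.2.3" />
    <PackageReference Include="Example.Analyzers" Version="4.5.6" PrivateAssets="All" />
    <PackageReference Include="Example.SourceLink" Version="7.8.9">
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <ProjectReference Include="..\\Example.Core\\Example.Core.csproj" />
  </ItemGroup>
</Project>"""
# Constructed CycloneDX fragment holding only the fields this check reads.
SAMPLE_SBOM = {"components": [
    {"name": "Example.Runtime.Lib", "purl": "pkg:nuget/Example.Runtime.Lib@1.2.3"},
    {"name": "Example.Analyzers", "purl": "pkg:nuget/Example.Analyzers@4.5.6"},
    {"name": "Example.Core"},  # local project emitted without a NuGet purl
]}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace if the file has one

def _is_dev(ref):
    # Assumption: PrivateAssets="all" (attribute or child element) marks a dev package.
    value = ref.get("PrivateAssets")
    for child in ref:
        if value is None and _local(child.tag) == "PrivateAssets":
            value = child.text
    return (value or "").strip().lower() == "all"

def csproj_facts(csproj_xml):
    """Return (development package names, referenced local project names)."""
    dev, projects = set(), set()
    for el in ET.fromstring(csproj_xml).iter():
        include = (el.get("Include") or "").replace("\\", "/")
        if _local(el.tag) == "PackageReference" and include and _is_dev(el):
            dev.add(include)
        elif _local(el.tag) == "ProjectReference" and include.endswith(".csproj"):
            # Assumption: the package id equals the project file name.
            projects.add(include.rsplit("/", 1)[-1][:-len(".csproj")])
    return dev, projects

def audit_sbom(csproj_xml, sbom):
    """List dev packages that leaked in and local projects lacking a NuGet purl."""
    dev, projects = csproj_facts(csproj_xml)
    comps = {c["name"]: c.get("purl", "") for c in sbom.get("components", [])}
    bad = sorted(p for p in projects if not comps.get(p, "").startswith("pkg:nuget/"))
    return {"dev_leaked": sorted(dev & set(comps)), "not_nuget": bad}
```

An empty list for both keys means the SBOM is consistent with the project file under the stated assumptions.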