mongo-cxx-driver

CXX-3309 Automate SBOM generation and Endor Labs scanning

Open jasonhills-mongodb opened this issue 2 weeks ago • 0 comments

Objective

  • Obviate manual SBOM component management via automated generation of a CycloneDX SBOM that includes all required and optional runtime components.
  • Add Endor Labs SCA scanning of PRs (non-blocking)

Changes

  • Add a GitHub Action workflow (.github/workflows/endor_scan_and_generate_sbom.yml) triggered by edits to cmake files that:
    • (push) performs an Endor Labs SCA scan and exports an SBOM for master or releases/v* branches, enriches SBOM with metadata, opens a PR for updated SBOM
    • (pull_request) performs an Endor Labs SCA scan for PRs (non-blocking) and, if potential vulnerabilities were found, adds a comment to the PR
    • (workflow_dispatch) workflow can also be triggered manually
  • Remove the etc/purls.txt file
    • update all references to it in scripts and documentation
    • existing scripts and processes using Silkbomb for the augmented SBOM are unchanged, except that the sbom.json file is used as input instead of etc/purls.txt
  • Change the location of the SBOM file from etc/cyclonedx.sbom.json to sbom.json for consistency with other MDB repos
  • Add etc/sbom folder with:
    • Python scripts for SBOM generation using Endor Labs scan results and pre-defined enrichment data
      • Dependency group added to pyproject.toml
    • SBOM enrichment data in etc/sbom/metadata.cdx.json
  • Updated SBOM-related documentation in etc/releasing.md

Testing

The workflow was thoroughly tested on a fork, including scenarios with missing or malformed files.

Permissions

The workflow requires the repository configuration to allow it to request write access and open PRs.

Miscellaneous

jasonhills-mongodb, Dec 04 '25 18:12
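The enrichment step the issue describes (scanner export in, hand-maintained metadata merged in, sbom.json out) can be shown end to end. The script below is an added example written for this page; it is not the project's etc/sbom scripts and it does not call the Endor Labs API. It assumes two things the issue does not state: that the scanner export is plain CycloneDX JSON with a top-level "components" array, and that the enrichment file (a stand-in for etc/sbom/metadata.cdx.json) carries one entry per purl with the fields a scanner cannot know, such as CycloneDX "scope" ("required" or "optional") and licenses. All purls, versions and licenses in the embedded sample data are constructed.

```python
"""Added example (not the mongo-cxx-driver project's own script): merge a
scanner-exported CycloneDX SBOM with hand-maintained enrichment data.

Assumed (not from the original issue): the scanner export is CycloneDX JSON
with a top-level "components" array, and the enrichment file maps each
component's purl to the fields to add or override (scope, licenses, ...).
"""
import json
import sys
from pathlib import Path
from typing import Any

# Constructed sample input standing in for a scanner export. Purls and
# versions are made up for this example.
SCAN_EXPORT: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:generic/libexample@1.2.3"},
        {"type": "library", "name": "optlib", "version": "0.9.0",
         "purl": "pkg:generic/optlib@0.9.0"},
    ],
}

# Constructed sample enrichment data (stand-in for etc/sbom/metadata.cdx.json).
ENRICHMENT: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"purl": "pkg:generic/libexample@1.2.3", "scope": "required",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"purl": "pkg:generic/optlib@0.9.0", "scope": "optional",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
}


def load_cyclonedx(path: Path) -> dict[str, Any]:
    """Read a CycloneDX JSON file; fail loudly on a missing or malformed file."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except FileNotFoundError:
        raise SystemExit(f"{path}: file not found")
    except json.JSONDecodeError as exc:
        raise SystemExit(f"{path}: not valid JSON ({exc})")
    if not isinstance(data, dict) or data.get("bomFormat") != "CycloneDX":
        raise SystemExit(f"{path}: not a CycloneDX document")
    return data


def enrich(scan: dict[str, Any], metadata: dict[str, Any]) -> dict[str, Any]:
    """Return a new SBOM: scanned components merged with enrichment by purl.

    Enrichment fields override scanner fields. Enrichment entries with no
    matching scanned component are appended, so optional runtime components
    the scanner never sees still land in the SBOM. Components are emitted
    sorted by purl so regenerating the file gives a stable diff for the PR
    the workflow opens. Inputs are not mutated.
    """
    by_purl: dict[str, dict[str, Any]] = {}
    for comp in scan.get("components", []):
        purl = comp.get("purl")
        if not purl:
            raise ValueError(f"scanned component without purl: {comp}")
        if purl in by_purl:
            raise ValueError(f"duplicate purl in scan export: {purl}")
        by_purl[purl] = dict(comp)
    for extra in metadata.get("components", []):
        purl = extra.get("purl")
        if not purl:
            raise ValueError(f"enrichment entry without purl: {extra}")
        merged = by_purl.get(purl, {"type": "library"})
        merged.update(extra)
        by_purl[purl] = merged
    sbom = {k: v for k, v in scan.items() if k != "components"}
    sbom["components"] = [by_purl[p] for p in sorted(by_purl)]
    return sbom


def missing_scope(sbom: dict[str, Any]) -> list[str]:
    """Purls whose component still lacks a required/optional scope."""
    return [c["purl"] for c in sbom.get("components", [])
            if c.get("scope") not in ("required", "optional")]


def main(argv: list[str]) -> int:
    """usage: enrich.py SCAN.json METADATA.cdx.json OUT.json (no args: sample)"""
    if len(argv) == 3:
        scan, meta = load_cyclonedx(Path(argv[0])), load_cyclonedx(Path(argv[1]))
        out = Path(argv[2])
    else:
        scan, meta, out = SCAN_EXPORT, ENRICHMENT, None
    sbom = enrich(scan, meta)
    gaps = missing_scope(sbom)
    if gaps:
        print("components without scope: " + ", ".join(gaps), file=sys.stderr)
        return 1
    text = json.dumps(sbom, indent=2, sort_keys=True) + "\n"
    if out is None:
        print(text, end="")
    else:
        out.write_text(text, encoding="utf-8")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the merged sample, or with three paths to process real files. The non-zero exit when any component lacks a scope is the check a CI job would want before it opens a PR: an SBOM that claims to cover required and optional runtime components should say which is which for every entry.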