CXX-3021 Add SBOM Lite and update release instructions

CMakeLists.txt

@@ -20,6 +20,12 @@ endif()
 
 project(MONGO_CXX_DRIVER LANGUAGES CXX)
 
+set(CMAKE_MODULE_PATH
+    ${CMAKE_MODULE_PATH}
+    ${PROJECT_SOURCE_DIR}/cmake
+    ${PROJECT_SOURCE_DIR}/cmake/make_dist
+)
+
 option(BUILD_TESTING "Include test targets in the \"all\" target")
 
 if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
@@ -42,9 +48,11 @@ else()
     message(WARNING "Unknown compiler... recklessly proceeding without a version check")
 endif()
 
+# Also update etc/purls.txt.
 set(LIBBSON_REQUIRED_VERSION 1.25.0)
 set(LIBBSON_REQUIRED_ABI_VERSION 1.0)
 
+# Also update etc/purls.txt.
 set(LIBMONGOC_REQUIRED_VERSION 1.25.0)
 set(LIBMONGOC_DOWNLOAD_VERSION 1.25.0)
 set(LIBMONGOC_REQUIRED_ABI_VERSION 1.0)
@@ -67,45 +75,7 @@ endif()
 
 if(NEED_DOWNLOAD_C_DRIVER)
     message(STATUS "No Mongo C Driver path provided via CMAKE_PREFIX_PATH, will download C driver version ${LIBMONGOC_DOWNLOAD_VERSION} from the internet.")
-    message(STATUS "Download and configure C driver version ${LIBMONGOC_DOWNLOAD_VERSION} ... begin")
-    include(FetchContent)
-    include(ExternalProject)
-
-    # Declare mongo-c-driver as a dependency
-    FetchContent_Declare(
-        mongo-c-driver
-        GIT_REPOSITORY https://github.com/mongodb/mongo-c-driver.git
-        GIT_TAG ${LIBMONGOC_DOWNLOAD_VERSION}
-    )
-
-    FetchContent_GetProperties(mongo-c-driver)
-
-    if(NOT mongo-c-driver_POPULATED)
-        set(OLD_ENABLE_TESTS ${ENABLE_TESTS})
-        set(OLD_BUILD_TESTING ${BUILD_TESTING})
-        set(OLD_CMAKE_CXX_FLAGS ${CMAKE_CXX_FLAGS})
-        set(OLD_CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
-
-        set(ENABLE_EXTRA_ALIGNMENT OFF)
-
-        FetchContent_Populate(mongo-c-driver)
-
-        # Set ENABLE_TESTS to OFF to disable the test-libmongoc target in the C driver.
-        # This prevents the LoadTests.cmake script from attempting to execute test-libmongoc.
-        # test-libmongoc is not built with the "all" target.
-        # Attempting to execute test-libmongoc results in an error: "Unable to find executable: NOT_FOUND"
-        set(ENABLE_TESTS OFF)
-        set(BUILD_TESTING OFF)
-        string(REPLACE " -Werror" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
-        string(REPLACE " -Werror" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
-        add_subdirectory(${mongo-c-driver_SOURCE_DIR} ${mongo-c-driver_BINARY_DIR})
-        set(CMAKE_CXX_FLAGS ${OLD_CMAKE_CXX_FLAGS})
-        set(CMAKE_C_FLAGS ${OLD_CMAKE_C_FLAGS})
-        set(ENABLE_TESTS ${OLD_ENABLE_TESTS})
-        set(BUILD_TESTING ${OLD_BUILD_TESTING})
-    endif()
-
-    message(STATUS "Download and configure C driver version ${LIBMONGOC_DOWNLOAD_VERSION} ... end")
+    include(FetchMongoC)
 endif()
 
 # All of our target compilers support the deprecated
@@ -230,12 +200,6 @@ if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT AND MONGOCXX_OVERRIDE_DEFAULT_INS
     set(CMAKE_INSTALL_PREFIX "${CMAKE_BINARY_DIR}/install" CACHE PATH "default install path" FORCE)
 endif()
 
-set(CMAKE_MODULE_PATH
-    ${CMAKE_MODULE_PATH}
-    ${PROJECT_SOURCE_DIR}/cmake
-    ${PROJECT_SOURCE_DIR}/cmake/make_dist
-)
-
 include(GNUInstallDirs)
 include(ParseVersion)
 

cmake/CMakeLists.txt

@@ -15,10 +15,12 @@
 add_subdirectory(make_dist)
 
 set(cmake_MODULES
-    ParseVersion.cmake
-    MacroGuardTest.cmake
     BsoncxxUtil.cmake
+    FetchMnmlstcCore.cmake
+    FetchMongoC.cmake
+    MacroGuardTest.cmake
     MongocxxUtil.cmake
+    ParseVersion.cmake
 )
 
 set_local_dist(cmake_DIST_local

cmake/FetchMnmlstcCore.cmake

@@ -0,0 +1,99 @@
+# Use FetchContent to obtain mnmlstc/core.
+
+include(FetchContent)
+
+set(core-src "${CMAKE_CURRENT_BINARY_DIR}/_deps/core-src")
+set(core-subbuild "${CMAKE_CURRENT_BINARY_DIR}/_deps/core-subbuild")
+set(core-build "${CMAKE_CURRENT_BINARY_DIR}/_deps/core-build")
+set(core-install "${CMAKE_CURRENT_BINARY_DIR}/_deps/core-install")
+
+# Also update etc/purls.txt.
+FetchContent_Declare(
+    EP_mnmlstc_core
+
+    SOURCE_DIR "${core-src}"
+    SUBBUILD_DIR "${core-subbuild}"
+    BINARY_DIR "${core-build}"
+    INSTALL_DIR "${core-install}"
+
+    GIT_REPOSITORY https://github.com/mnmlstc/core
+    GIT_TAG v1.1.0
+    GIT_SHALLOW TRUE
+    LOG_DOWNLOAD ON
+
+    FETCHCONTENT_UPDATES_DISCONNECTED ON
+)
+FetchContent_GetProperties(EP_mnmlstc_core)
+
+find_package(core NO_DEFAULT_PATH PATHS "${core-install}" QUIET)
+
+if(core_FOUND AND "$CACHE{INTERNAL_MONGOC_MNMLSTC_CORE_FOUND}")
+# The mnmlstc/core library is already populated and up-to-date.
+else()
+    if(NOT ep_mnmlstc_core_POPULATED)
+        message(STATUS "Downloading mnmlstc/core...")
+        FetchContent_Populate(EP_mnmlstc_core)
+        message(STATUS "Downloading mnmlstc/core... done.")
+    endif()
+
+    message(STATUS "Configuring mnmlstc/core...")
+    execute_process(
+        COMMAND
+        "${CMAKE_COMMAND}"
+        "-S" "${core-src}"
+        "-B" "${core-build}"
+        "-DCMAKE_INSTALL_PREFIX=${core-install}"
+        "-DBUILD_TESTING=OFF"
+        "-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}"
+        "-DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}"
+        RESULT_VARIABLE retval
+    )
+
+    if(NOT "${retval}" STREQUAL "0")
+        message(FATAL_ERROR "execute_process() fatal error: ${retval}")
+    endif()
+
+    message(STATUS "Configuring mnmlstc/core... done.")
+
+    message(STATUS "Building mnmlstc/core...")
+    execute_process(
+        COMMAND
+        "${CMAKE_COMMAND}"
+        --build "${core-build}"
+        --config "${CMAKE_BUILD_TYPE}"
+        RESULT_VARIABLE retval
+    )
+
+    if(NOT "${retval}" STREQUAL "0")
+        message(FATAL_ERROR "execute_process() fatal error: ${retval}")
+    endif()
+
+    message(STATUS "Building mnmlstc/core... done.")
+
+    message(STATUS "Installing mnmlstc/core...")
+    execute_process(
+        COMMAND
+        "${CMAKE_COMMAND}"
+        --install "${core-build}"
+        --config "${CMAKE_BUILD_TYPE}"
+        RESULT_VARIABLE retval
+    )
+
+    if(NOT "${retval}" STREQUAL "0")
+        message(FATAL_ERROR "execute_process() fatal error: ${retval}")
+    endif()
+
+    message(STATUS "Installing mnmlstc/core... done.")
+
+    find_package(core REQUIRED NO_DEFAULT_PATH PATHS "${core-install}")
+
+    # Ensure the mnmlstc/core CMake configuration is also (re)configured if the cache is fresh.
+    set(INTERNAL_MONGOC_MNMLSTC_CORE_FOUND TRUE CACHE INTERNAL "")
+endif()
+
+set(CORE_INCLUDE_DIR "${CORE_INCLUDE_DIR}" PARENT_SCOPE)
+
+install(
+    DIRECTORY "${core-install}/include/"
+    DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/bsoncxx/v_noabi/bsoncxx/third_party/mnmlstc"
+)

cmake/FetchMongoC.cmake

@@ -0,0 +1,41 @@
+# Use FetchContent to obtain libbson and libmongoc.
+
+include(FetchContent)
+
+message(STATUS "Download and configure C driver version ${LIBMONGOC_DOWNLOAD_VERSION} ... begin")
+
+# Declare mongo-c-driver as a dependency
+FetchContent_Declare(
+    mongo-c-driver
+    GIT_REPOSITORY https://github.com/mongodb/mongo-c-driver.git
+    GIT_TAG ${LIBMONGOC_DOWNLOAD_VERSION}
+)
+
+FetchContent_GetProperties(mongo-c-driver)
+
+if(NOT mongo-c-driver_POPULATED)
+    set(OLD_ENABLE_TESTS ${ENABLE_TESTS})
+    set(OLD_BUILD_TESTING ${BUILD_TESTING})
+    set(OLD_CMAKE_CXX_FLAGS ${CMAKE_CXX_FLAGS})
+    set(OLD_CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+
+    set(ENABLE_EXTRA_ALIGNMENT OFF)
+
+    FetchContent_Populate(mongo-c-driver)
+
+    # Set ENABLE_TESTS to OFF to disable the test-libmongoc target in the C driver.
+    # This prevents the LoadTests.cmake script from attempting to execute test-libmongoc.
+    # test-libmongoc is not built with the "all" target.
+    # Attempting to execute test-libmongoc results in an error: "Unable to find executable: NOT_FOUND"
+    set(ENABLE_TESTS OFF)
+    set(BUILD_TESTING OFF)
+    string(REPLACE " -Werror" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+    string(REPLACE " -Werror" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+    add_subdirectory(${mongo-c-driver_SOURCE_DIR} ${mongo-c-driver_BINARY_DIR})
+    set(CMAKE_CXX_FLAGS ${OLD_CMAKE_CXX_FLAGS})
+    set(CMAKE_C_FLAGS ${OLD_CMAKE_C_FLAGS})
+    set(ENABLE_TESTS ${OLD_ENABLE_TESTS})
+    set(BUILD_TESTING ${OLD_BUILD_TESTING})
+endif()
+
+message(STATUS "Download and configure C driver version ${LIBMONGOC_DOWNLOAD_VERSION} ... end")

etc/CMakeLists.txt

@@ -14,6 +14,7 @@
 
 file (GLOB etc_DIST_cmds RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.cmd)
 file (GLOB etc_DIST_csss RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.css)
+file (GLOB etc_DIST_jsons RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.json)
 file (GLOB etc_DIST_mds RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.md)
 file (GLOB etc_DIST_pls RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.pl)
 file (GLOB etc_DIST_pys RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *.py)
@@ -24,6 +25,7 @@ set_dist_list (etc_DIST
    CMakeLists.txt
    ${etc_DIST_cmds}
    ${etc_DIST_csss}
+   ${etc_DIST_jsons}
    ${etc_DIST_mds}
    ${etc_DIST_pls}
    ${etc_DIST_pys}

etc/cyclonedx.sbom.json

@@ -0,0 +1,113 @@
+{
+  "components": [
+    {
+      "bom-ref": "pkg:github/mnmlstc/[email protected]",
+      "copyright": "Copyright \u00a9 2013 - 2014 MNMLSTC",
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://github.com/mnmlstc/core/archive/refs/tags/v1.1.0.tar.gz"
+        },
+        {
+          "type": "website",
+          "url": "https://github.com/mnmlstc/core/tree/v1.1.0"
+        }
+      ],
+      "group": "mnmlstc",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ],
+      "name": "core",
+      "purl": "pkg:github/mnmlstc/[email protected]",
+      "type": "library",
+      "version": "v1.1.0"
+    },
+    {
+      "bom-ref": "pkg:github/mongodb/[email protected]",
+      "copyright": "Copyright 2009-present MongoDB, Inc.",
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/v1.25.0.tar.gz"
+        },
+        {
+          "type": "website",
+          "url": "https://github.com/mongodb/mongo-c-driver/tree/v1.25.0"
+        }
+      ],
+      "group": "mongodb",
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ],
+      "name": "mongo-c-driver",
+      "purl": "pkg:github/mongodb/[email protected]",
+      "type": "library",
+      "version": "v1.25.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:github/mnmlstc/[email protected]"
+    },
+    {
+      "ref": "pkg:github/mongodb/[email protected]"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2024-05-09T15:50:40.695420+00:00",
+    "tools": [
+      {
+        "externalReferences": [
+          {
+            "type": "build-system",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
+          },
+          {
+            "type": "distribution",
+            "url": "https://pypi.org/project/cyclonedx-python-lib/"
+          },
+          {
+            "type": "documentation",
+            "url": "https://cyclonedx-python-library.readthedocs.io/"
+          },
+          {
+            "type": "issue-tracker",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
+          },
+          {
+            "type": "license",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
+          },
+          {
+            "type": "release-notes",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
+          },
+          {
+            "type": "vcs",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
+          },
+          {
+            "type": "website",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
+          }
+        ],
+        "name": "cyclonedx-python-lib",
+        "vendor": "CycloneDX",
+        "version": "6.4.4"
+      }
+    ]
+  },
+  "serialNumber": "urn:uuid:dd68fbb0-f77c-4bb9-90cd-606dd854f301",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5"
+}

etc/purls.txt

@@ -0,0 +1,12 @@
+# These package URLs (purls) point to the versions (tags) of external dependencies
+# that are committed to the project. Refer: https://github.com/package-url/purl-spec
+
+# This file is fed to silkbomb to generate the cyclonedx.sbom.json file. Edit this file
+# instead of modifying the SBOM JSON directly. After modifying this file, be sure to
+# re-generate the SBOM JSON file!
+
+# libbson and libmongoc are obtained via cmake/FetchMongoC.cmake.
+pkg:github/mongodb/[email protected]
+
+# mnmlstc/core is obtained via cmake/FetchMnmlstcCore.cmake.
+pkg:github/mnmlstc/[email protected]