PHPC-2380: Add SBOM file and tooling to update it #1577
Conversation
alcaeus
changed the title
| @@ -67,3 +67,6 @@ mongodb-*tgz | |||
|
|
|||
| # Coverage files | |||
| coverage* | |||
|
|
|||
| # temporary purls file | |||
| /purls.txt | |||
There was a problem hiding this comment.
Noted that you only want to ignore this in the project root directory.
| bundled build). When bumping the bundled version, be sure to update the version | ||
| check _and_ error message in the `pkg-config` blocks for the submodule being | ||
| updated. When updating libmongoc, be sure to update both version checks for | ||
| libmongoc and libbson. |
There was a problem hiding this comment.
Good to call this out, even though the lines are close together.
| PURLS_FILE="${ROOT_DIR}/purls.txt" | ||
|
|
||
| LIBMONGOC_VERSION=$(cat ${ROOT_DIR}/src/LIBMONGOC_VERSION_CURRENT | tr -d '[:space:]') | ||
| LIBMONGOCRYPT_VERSION=$(cat ${ROOT_DIR}/src/LIBMONGOCRYPT_VERSION_CURRENT | tr -d '[:space:]') |
There was a problem hiding this comment.
I assume we don't need to call out that these files must be updated since the SBOM generation step follows the "Ensure version information is correct" step, which updates these.
CONTRIBUTING.md
Outdated
| ``` | ||
|
|
||
| ### Updating libmongocrypt | ||
| This script will generate a purl file with our dependencies, then run the |
There was a problem hiding this comment.
Do you want to clarify that the purl file is temporary, since update-sbom.sh removes it after invoking Docker?
Separate question: what is needed to "have access to artifactory"? I feel like this section would benefit from some links to internal resources.
There was a problem hiding this comment.
Added a "temporary" and removed the section about artifactory access - either it "just works" because I'm accessing it from our network or it is public - either way I don't imagine any external contributors running this kind of stuff on the regular anyways.
alcaeus
force-pushed
the
phpc-2380-prep-silk-onboarding
branch
from
044c367 to
0c332a2
Compare
PHPC-2380
This PR introduces the "SBOM lite" file necessary to generate a full SBOM when releasing a new version. The SBOM file is generated from a list of purls using the silkbomb tool. The script to update the tooling is added, along with updated instructions for updating submodules.