jasonhills-mongodb · jasonhills-mongodb · Dec 3, 2025 · Nov 22, 2025 · Nov 22, 2025 · Nov 22, 2025
diff --git a/.evergreen/config_generator/components/funcs/install_c_driver.py b/.evergreen/config_generator/components/funcs/install_c_driver.py
@@ -8,7 +8,6 @@
 
 # If updating mongoc_version_minimum to a new release (not pinning to an unreleased commit), also update:
 # - BSON_REQUIRED_VERSION and MONGOC_REQUIRED_VERSION in CMakeLists.txt
-# - the version of pkg:github/mongodb/mongo-c-driver in etc/purls.txt
 # - the default value of --c-driver-build-ref in etc/make_release.py
 # If pinning to an unreleased commit, create a "Blocked" JIRA ticket with
 # a "depends on" link to the appropriate C Driver version release ticket.

diff --git a/.evergreen/scripts/sbom.sh b/.evergreen/scripts/sbom.sh
@@ -25,18 +25,14 @@ podman pull "${silkbomb:?}"
 silkbomb_augment_flags=(
   --repo mongodb/mongo-cxx-driver
   --branch "${branch_name:?}"
-  --sbom-in /pwd/etc/cyclonedx.sbom.json
+  --sbom-in /pwd/sbom.json
   --sbom-out /pwd/etc/augmented.sbom.json.new
 
   # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
-  # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+  # Otherwise, it should be equal to the existing SBOM version.
   --no-update-sbom-version
 )
 
-# First validate the SBOM Lite.
-podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
-  validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
-
 # Allow the timestamp to be updated in the Augmented SBOM for update purposes.
 podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
 

diff --git a/.github/workflows/endor_scan_and_generate_sbom.yml b/.github/workflows/endor_scan_and_generate_sbom.yml
@@ -0,0 +1,113 @@
+name: Generate SBOM
+
+on:
+  pull_request:
+    branches:
+      - "master"
+      - "releases/v*"
+      - "debian/*"
+    paths:
+      - "**/CMakeLists.txt"
+      - "**/*.cmake"
+  push:
+    branches:
+      - "master"
+      - "releases/v*"
+      - "debian/*"
+    paths:
+      - "**/CMakeLists.txt"
+      - "**/*.cmake"
+
+jobs:
+  endor_scan_and_generate_sbom:
+    permissions:
+      id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
+      contents: write # Required for commit
+      pull-requests: write # Required for PR
+    runs-on: ubuntu-latest
+    env:
+      PR_SCAN: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v6
+        with:
+          fetch-tags: true
+          submodules: recursive
+
+      - name: Configure CMake and fetch dependency sources
+        env:
+          BUILD_TYPE: Release
+          BUILD: ${{github.workspace}}/build
+          CXX_STANDARD: 17
+        working-directory: ${{env.BUILD}}
+        run: |
+          cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} -DENABLE_TESTS=ON
+          git rm .gitignore # prevent exclusion of build/_deps from endorctl scan
+
+      - name: Endor Labs Scan (PR or Monitoring)
+        uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # v1.1.8
+        env:
+          ENDOR_SCAN_EMBEDDINGS: true
+        with:
+          additional_args: '--languages=c --include-path="build/_deps/**"'
+          enable_pr_comments: ${{ env.PR_SCAN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }} # Required for endorctl to write pr comments
+          log_level: info
+          log_verbose: false
+          namespace: mongodb.${{github.repository_owner}}
+          pr: ${{ env.PR_SCAN }}
+          scan_dependencies: true
+          scan_summary_output_type: "table"
+          tags: github_action
+
+      # - name: Set up Python
+      #   if: env.PR_SCAN == false
+      #   uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      #   with:
+      #     python-version: "3.10"
+
+      - name: Install uv (push only)
+        if: env.PR_SCAN == false
+        uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+        with:
+          python-version: "3.10"
+          activate-environment: true
+          enable-cache: true
+
+      - name: Stash existing SBOM, generate new SBOM (push only)
+        if: env.PR_SCAN == false
+        run: |
+          # Existing SBOM: Strip out nondeterministic SBOM fields and save to temp file
+          jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.existing.cdx.json
+          # etc/sbom/generate_sbom.py
+          uv run --group generate_sbom etc/sbom/generate_sbom.py --enable-github-action-token --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json --save-warnings=${{runner.temp}}/warnings.txt
+          # Generated SBOM: Strip out nondeterministic SBOM fields and save to temp file
+          jq 'del(.version, .metadata.timestamp, .metadata.tools.services[].version)' sbom.json > ${{runner.temp}}/sbom.generated.cdx.json
+
+      - name: Check for SBOM changes (push only)
+        if: env.PR_SCAN == false
+        id: sbom_diff
+        run: |
+          # diff the temp SBOM files, save output to variable, supress exit code
+          RESULT=$(diff --brief ${{runner.temp}}/sbom.existing.cdx.json ${{runner.temp}}/sbom.generated.cdx.json)
+          # Set the output variable
+          echo "result=$RESULT" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate pull request content and notice message, if SBOM has changed (push only)
+        if: env.PR_SCAN == false && steps.sbom_diff.outputs.result
+        run: |
+          printf "SBOM updated after commit ${{ github.sha }}.\n\n" | cat - ${{runner.temp}}/warnings.txt > ${{runner.temp}}/pr_body.txt
+          echo "::notice title=SBOM-Diff::SBOM has changed"
+
+      - name: Open Pull Request, if SBOM has changed (push only)
+        if: env.PR_SCAN == false && steps.sbom_diff.outputs.result
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        env:
+          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        with:
+          add-paths: sbom.json
+          body-path: ${{runner.temp}}/pr_body.txt
+          branch: cxx-sbom-update-${{ env.BRANCH_NAME }}
+          commit-message: Update SBOM file(s)
+          delete-branch: true
+          title: CXX Update SBOM action - ${{ env.BRANCH_NAME }}
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -56,7 +56,6 @@ else()
     message(WARNING "Unknown compiler... recklessly proceeding without a version check")
 endif()
 
-# Also update etc/purls.txt.
 set(BSON_REQUIRED_VERSION 2.1.2)
 set(MONGOC_REQUIRED_VERSION 2.1.2)
 set(MONGOC_DOWNLOAD_VERSION 2.1.2)

diff --git a/etc/purls.txt b/etc/purls.txt
diff --git a/etc/releasing.md b/etc/releasing.md
@@ -75,12 +75,6 @@ Some release steps require one or more of the following secrets.
     GRS_CONFIG_USER1_USERNAME=<username>
     GRS_CONFIG_USER1_PASSWORD=<password>
     ```
-- Snyk credentials.
-  - Location: `~/.secrets/snyk-creds.txt`
-  - Format:
-    ```bash
-    SNYK_API_TOKEN=<token>
-    ```
 
 ## Pre-Release Steps
 
@@ -118,22 +112,11 @@ All issues with an Impact level of "High" or greater must have a "MongoDB Final
 
 All issues with an Impact level of "Medium" or greater which do not have a "MongoDB Final Status" of "Fix Committed" must document rationale for its current status in the "Notes" field.
 
-### SBOM Lite
+### SBOM
 
 Ensure the container engine (e.g. `podman` or `docker`) is authenticated with the DevProd-provided Amazon ECR instance.
 
-Ensure the list of bundled dependencies in `etc/purls.txt` is up-to-date. If not, update `etc/purls.txt`.
-
-If `etc/purls.txt` was updated, update the SBOM Lite document using the following command(s):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-```
+Ensure that any `CXX Update SBOM action - $BRANCH_NAME` PRs are merged for the release branch.
 
 Run a patch build which executes the `sbom` task and download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json`. Evergreen CLI may be used to schedule only the `sbom` task:
 
@@ -154,12 +137,6 @@ Update `etc/third_party_vulnerabilities.md` with any updates to new or known vul
 
 Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `sbom` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field).
 
-### Check Snyk
-
-Inspect the list of projects in the latest report for the `mongodb/mongo-cxx-driver` target in [Snyk](https://app.snyk.io/org/dev-prod/).
-
-Deactivate any projects that will not be relevant in the upcoming release. Remove any projects that are not relevant to the current release.
-
 ### Check Jira
 
 Inspect the list of tickets assigned to the version to be released on [Jira](https://jira.mongodb.com/projects/CXX?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=unreleased).
@@ -432,67 +409,7 @@ The new branch should be continuously tested on Evergreen. Update the "Display N
 
 ### Update SBOM serial number
 
-Check out the release branch `releases/vX.Y`.
-
-Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming patch release (e.g. for `1.3.1` following the release of `1.3.0`):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-```
-
-Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM Lite](#sbom-lite).
-
-Commit and push these changes to the `releases/vX.Y` branch.
-
-### Update Snyk
-
-> [!IMPORTANT]
-> Run the Snyk commands in a fresh clone of the post-release repository to avoid existing build and release artifacts from affecting Snyk.
-
-Checkout the new release tag.
-
-Configure and build the CXX Driver (do not reuse an existing C Driver installation; use the auto-downloaded C Driver sources instead):
-
-```bash
-cmake -S . -B build
-cmake --build build
-```
-
-Then run:
-
-```bash
-# Snyk credentials. Ask for these from a team member.
-. ~/.secrets/snyk-creds.txt
-
-# The new release tag. Ensure this is correct!
-release_tag="rX.Y.Z"
-
-# Authenticate with Snyk dev-prod organization.
-snyk auth "${SNYK_API_TOKEN:?}"
-
-# Verify third party dependency sources listed in etc/purls.txt are detected by Snyk.
-# If not, see: https://support.snyk.io/hc/en-us/requests/new
-# Use --exclude=extras until CXX-3042 is resolved
-snyk_args=(
-  --org=dev-prod
-  --remote-repo-url=https://github.com/mongodb/mongo-cxx-driver/
-  --target-reference="${release_tag:?}"
-  --unmanaged
-  --all-projects
-  --exclude=extras
-)
-snyk test "${snyk_args[@]:?}" --print-deps
-
-# Create a new Snyk target reference for the new release tag.
-snyk monitor "${snyk_args[@]:?}"
-```
-
-Verify the new Snyk target reference is present in the [Snyk project targets list](https://app.snyk.io/org/dev-prod/projects?groupBy=targets&before&after&searchQuery=mongo-cxx-driver&sortBy=highest+severity&filters[Show]=&filters[Integrations]=cli&filters[CollectionIds]=) for `mongodb/mongo-cxx-driver`.
+A new SBOM serial number is automatically generated when an SBOM is generated on a new branch.
 
 ### Post-Release Changes
 
@@ -512,21 +429,7 @@ For a patch release, in `etc/apidocmenu.md`, update the list of versions under "
 
 In `README.md`, sync the "Driver Development Status" table with the updated table from `etc/apidocmenu.md`.
 
-Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming non-patch release (e.g. for `1.4.0` following the release of `1.3.0`):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-
-git add etc/cyclonedx.sbom.json
-git commit -m "update SBOM serial number"
-```
-
-Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM Lite](#sbom-lite).
+Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM](#sbom).
 
 Commit these changes to the `post-release-changes` branch: