GODRIVER-3599 Add task and script to generate CycloneDX SBOM

.evergreen/config.yml

@@ -643,6 +643,14 @@ tasks:
           binary: bash
           args: [*task-runner, govulncheck]
 
+  - name: generate-sbom
+    tags: ["ssdlc"]
+    commands:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args: [*task-runner, generate-sbom]
+
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:

.pre-commit-config.yaml

@@ -71,3 +71,10 @@ repos:
     language: system
     types: [go]
     entry: etc/check_license.sh
+
+  - id: sbom-currency
+    name: sbom-currency
+    language: system
+    types: [json]
+    require_serial: true
+    entry: etc/generate-sbom.sh -c

Taskfile.yml

@@ -11,7 +11,7 @@ tasks:
 
   ### Utility tasks. ###
   default: 
-    deps: [build, check-license, check-fmt, check-modules, lint, test-short]
+    deps: [build, check-license, check-fmt, check-modules, lint, test-short, generate-sbom]
 
   add-license: bash etc/check_license.sh -a
 
@@ -87,6 +87,17 @@ tasks:
 
   govulncheck: bash etc/govulncheck.sh
 
+  generate-sbom:
+    desc: Generate a CycloneDX SBOM
+    summary: |
+      Generate a CycloneDX SBOM with the cyclonedx-gomod 'mod' subcommand
+      The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
+      Task will run only when go.mod is newer than sbom.cdx.json.
+    method: timestamp
+    sources: [go.mod]
+    generates: [sbom.json]
+    cmd: bash etc/generate-sbom.sh
+
   update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 
   ### Local testing tasks. ###

etc/generate-sbom.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -e
+
+CHECK_CURRENCY="false"
+
+# Options are:
+# -c : check currency of staged sbom.json versus go.mod.
+while getopts "c" opt; do
+    case $opt in
+        c)
+            CHECK_CURRENCY="true"
+            ;;
+        *)
+            echo "usage: $0 [-c]" >&2
+            echo " -c : (optional) check currency of staged sbom.json versus go.mod." >&2
+            exit 1
+            ;;
+    esac
+done
+#shift $((OPTIND - 1))
+
+if  ! $CHECK_CURRENCY; then
+    # The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
+    # TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
+
+    ## The pipe to jq is a temporary workaround until this issue is resolved: https://github.com/CycloneDX/cyclonedx-gomod/issues/662.
+    ## When resolved, bump version and replace with commented line below.
+    # GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@[UPDATED VERSION] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.json .
+    GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.9.0 mod -type library -licenses -assert-licenses -output-version 1.5 -json . | jq '.metadata.component.purl |= split("?")[0]' | jq '.components[].purl |= split("?")[0]' > sbom.json
+elif [[ $(git diff --name-only --cached go.mod) && ! $(git diff --name-only --cached sbom.json) ]]; then
+    echo "'go.mod' has changed. 'sbom.json' must be re-generated (run 'task generate-sbom' or 'etc/generate-sbom.sh') and staged." && exit 1
+fi