Add an ignore, add python, add old sbom

Author: jasonhills-mongodb

.github/workflows/generate_sbom.yml

@@ -12,7 +12,6 @@ jobs:
   configure-and-scan:
     permissions:
       id-token: write # Required to request a json web token (JWT) for keyless authentication with Endor Labs
-      #packages: write
       contents: read
     runs-on: ubuntu-latest
     steps:
@@ -21,49 +20,18 @@ jobs:
       with:
         submodules: recursive
 
-#    - name: Install dev libs
-#      run: sudo apt install -y libsasl2-dev libsnappy-dev libssl-dev libmongocrypt-dev
-
-    - name: Configure CMake and fetch dependency source
+    - name: Configure CMake and fetch dependency sources
       env:
         BUILD_TYPE: Release
         BUILD: ${{github.workspace}}/build
         CXX_STANDARD: 17
       working-directory: ${{env.BUILD}}
       run: cmake .. -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DCMAKE_CXX_STANDARD=${{env.CXX_STANDARD}} -DENABLE_TESTS=ON
 
-    # - name: Create and populate .endorctl/scanprofile.yaml file
-    #   run: |
-    #     mkdir .endorctl
-    #     cat <<EOF > .endorctl/scanprofile.yaml
-    #     kind: AutomatedScanParameters
-    #     spec:
-    #       automated_scan_parameters:
-    #         additional_environment_variables:
-    #           - ENDOR_SCAN_EMBEDDINGS=true
-    #         included_paths:
-    #           - build/_deps/**
-    #         #excluded_paths:
-    #         #  - benchmark/**
-    #         #  - src/**
-    #         languages:
-    #           - c
-    #         scan_dependencies: true
-    #         tags: github_action
-    #     EOF
-    #     git add .endorctl/scanprofile.yaml
-    #     echo "cat .endorctl/scanprofile.yaml"
-    #     cat .endorctl/scanprofile.yaml
-
-    # - name: Rename build folder # Endor Labs will automatically try to exclude "build"
-    #   run: |
-    #     mv build third_party
-    #     git add third_party
-
     - name: Install endorctl and Scan with Endor Labs
-      uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8
+      uses: endorlabs/github-action@519df81de5f68536c84ae05ebb2986d0bb1d19fc # v1.1.8
       with:
-        additional_args: "--languages=c"
+        additional_args: "--languages=c --exclude-path=\"build/CMakeFiles/**\""
         log_level: info
         log_verbose: false
         namespace: mongodb.${{github.repository_owner}}
@@ -73,31 +41,15 @@ jobs:
       env:
         ENDOR_SCAN_EMBEDDINGS: true
 
-    # - name: Setup Endor Labs Endorctl
-    #   uses: endorlabs/github-action/setup@519df81de5f68536c84ae05ebb2986d0bb1d19fc # Release v1.1.8
-    #   with:
-    #     namespace: mongodb.${{github.repository_owner}}
-    #     enable_github_action_token: true
-
-    # - name: Run Endorctl
-    #   env:
-    #     ENDOR_SCAN_USE_SCAN_PROFILE: true
-    #   run: endorctl scan
-
-    # - uses: actions/setup-python@v6
-    #   with:
-    #     python-version: '3.10' 
-    # - run: python my_script.py
-    
-    # ${{ github.sha }}
-    # - name: Run Endorctl
-    #   env:
-    #     ENDOR_GITHUB_ACTION_TOKEN_ENABLE: true
-    #     ENDOR_SCAN_DEPENDENCIES: true
-    #     ENDOR_SCAN_EMBEDDINGS: true
-    #     ENDOR_SCAN_INCLUDE_PATH: 
-    #     ENDOR_SCAN_LANGUAGES: c
-    #     ENDOR_SCAN_SUMMARY_OUTPUT_TYPE: json
-    #     ENDOR_SCAN_TAGS: github_action
-    #   run: |
-    #     endorctl scan
+    - name: Set up Python 3.10
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      with:
+        python-version: '3.10' 
+    - uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+      with:
+        python-version: "3.10"
+        activate-environment: true
+    - name: Install dependencies
+      run: uv sync --group make_release
+    - name: generate_sbom.py
+      run: uv run etc/sbom/generate_sbom.py --target=branch --sbom-metadata=etc/sbom/metadata.cdx.json

etc/sbom/config.py

@@ -0,0 +1,204 @@
+#!/usr/bin/env python3
+"""generate_sbom.py config. Operational configuration values stored separately from the core code."""
+
+import json
+import logging
+import re
+
+logger = logging.getLogger("generate_sbom")
+logger.setLevel(logging.NOTSET)
+
+
+# ################ Component Filters ################
+
+# List of Endor Labs SBOM components that must be removed before processing
+endor_components_remove = [
+    # An incorrect match from parts of pkg:github/madler/zlib
+    "zlib-ng/zlib-ng",
+]
+
+# bom-ref prefixes (Endor Labs has been changing them, so add all that we have seen)
+prefixes = [
+    "pkg:c/github.com/",
+    "pkg:generic/github.com/",
+    "pkg:github/",
+]
+
+for component in endor_components_remove:
+    for prefix in prefixes:
+        endor_components_remove.append(prefix + component)
+
+# ################ Component Renaming ################
+# Endor does not have syntactically valid PURLs for C/C++ packages.
+# e.g.,
+# Invalid: pkg:c/github.com/abseil/[email protected]
+# Valid: pkg:github/abseil/[email protected]
+# Run string replacements to correct for this:
+endor_components_rename = [
+    ["pkg:generic/zlib.net/zlib", "pkg:github/madler/zlib"],
+    ["pkg:github/philsquared/clara", "pkg:github/catchorg/clara"],
+    ["pkg:generic/github.com/", "pkg:github/"],
+    ["pkg:c/github.com/", "pkg:github/"],
+]
+
+# ################ PURL Validation ################
+REGEX_STR_PURL_OPTIONAL = (  # Optional Version (any chars except ? @ #)
+    r"(?:@[^?@#]*)?"
+    # Optional Qualifiers (any chars except @ #)
+    r"(?:\?[^@#]*)?"
+    # Optional Subpath (any chars)
+    r"(?:#.*)?$"
+)
+
+REGEX_PURL = {
+    # deb PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/deb-definition.md
+    "deb": re.compile(
+        r"^pkg:deb/"  # Scheme and type
+        # Namespace (organization/user), letters must be lowercase
+        r"(debian|ubuntu)+"
+        r"/"
+        r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL  # Name
+    ),
+    # Generic PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/generic-definition.md
+    "generic": re.compile(
+        r"^pkg:generic/"  # Scheme and type
+        r"([a-zA-Z0-9._-]+/)?"  # Optional namespace segment
+        r"[a-zA-Z0-9._-]+" + REGEX_STR_PURL_OPTIONAL  # Name (required)
+    ),
+    # GitHub PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/github-definition.md
+    "github": re.compile(
+        r"^pkg:github/"  # Scheme and type
+        # Namespace (organization/user), letters must be lowercase
+        r"[a-z0-9-]+"
+        r"/"
+        r"[a-z0-9._-]+" + REGEX_STR_PURL_OPTIONAL  # Name (repository)
+    ),
+    # PyPI PURL. https://github.com/package-url/purl-spec/blob/main/types-doc/pypi-definition.md
+    "pypi": re.compile(
+        r"^pkg:pypi/"  # Scheme and type
+        r"[a-z0-9_-]+"  # Name, letters must be lowercase, dashes, underscore
+        + REGEX_STR_PURL_OPTIONAL
+    ),
+}
+
+
+def is_valid_purl(purl: str) -> bool:
+    """Validate a GitHub or Generic PURL"""
+    for purl_type, regex in REGEX_PURL.items():
+        if regex.match(purl):
+            logger.debug(f"PURL: {purl} matched PURL type '{purl_type}' regex '{regex.pattern}'")
+            return True
+    return False
+
+
+# ################ Version Transformation ################
+
+# In some cases we need to transform the version string to strip out tag-related text
+# It is unknown what patterns may appear in the future, so we have targeted (not broad) regex
+# This a list of 'pattern' and 'repl' inputs to re.sub()
+RE_VER_NUM = r"(0|[1-9]\d*)"
+RE_VER_LBL = r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?"
+RE_SEMVER = rf"{RE_VER_NUM}\.{RE_VER_NUM}\.{RE_VER_NUM}{RE_VER_LBL}"
+regex_semver = re.compile(RE_SEMVER)
+
+VERSION_PATTERN_REPL = [
+    # 'debian/1.28.1-1' pkg:github/mongodb/mongo-c-driver (temporary workaround)
+    [re.compile(rf"^debian/({RE_SEMVER})-\d$"), r"\1"],
+    # 'gperftools-2.9.1' pkg:github/gperftools/gperftools
+    # 'mongo/v1.5.2' pkg:github/google/benchmark
+    # 'mongodb-8.2.0-alpha2' pkg:github/wiredtiger/wiredtiger
+    # 'release-1.12.0' pkg:github/apache/avro
+    # 'yaml-cpp-0.6.3' pkg:github/jbeder/yaml-cpp
+    [re.compile(rf"^[-a-z]+[-/][vr]?({RE_SEMVER})$"), r"\1"],
+    # 'asio-1-34-2' pkg:github/chriskohlhoff/asio
+    # 'cares-1_27_0' pkg:github/c-ares/c-ares
+    [
+        re.compile(rf"^[a-z]+-{RE_VER_NUM}[_-]{RE_VER_NUM}[_-]{RE_VER_NUM}{RE_VER_LBL}$"),
+        r"\1.\2.\3",
+    ],
+    # 'pcre2-10.40' pkg:github/pcre2project/pcre2
+    [re.compile(rf"^[a-z0-9]+-({RE_VER_NUM}\.{RE_VER_NUM})$"), r"\1"],
+    # 'icu-release-57-1' pkg:github/unicode-org/icu
+    [re.compile(rf"^[a-z]+-?[a-z]+-{RE_VER_NUM}-{RE_VER_NUM}$"), r"\1.\2"],
+    # 'v2.6.0'  pkg:github/confluentinc/librdkafka
+    # 'r2.5.1'
+    [re.compile(rf"^[rv]({RE_SEMVER})$"), r"\1"],
+    # 'v2025.04.21.00' pkg:github/facebook/folly
+    [re.compile(r"^v(\d+\.\d+\.\d+\.\d+)$"), r"\1"],
+]
+
+
+def get_semver_from_release_version(release_ver: str) -> str:
+    """Extract the version number from string with tags or other annotations"""
+    if release_ver:
+        for re_obj, repl in VERSION_PATTERN_REPL:
+            if re_obj.match(release_ver):
+                return re_obj.sub(repl, release_ver)
+    return release_ver
+
+
+# region special component use-case functions
+
+
+def get_version_from_wiredtiger_import_data(file_path: str) -> str:
+    """Get the info in the 'import.data' file saved in the wiredtiger folder"""
+    try:
+        with open(file_path, "r") as input_json:
+            import_data = input_json.read()
+        result = json.loads(import_data)
+    except Exception as e:
+        logger.error(f"Error loading JSON file from {file_path}")
+        logger.error(e)
+        return None
+    return result.get("commit")
+
+
+def get_version_sasl_from_workspace(file_path: str) -> str:
+    """Determine the version that is pulled for Windows Cyrus SASL by searching WORKSPACE.bazel"""
+    # e.g.,
+    #         "https://s3.amazonaws.com/boxes.10gen.com/build/windows_cyrus_sasl-2.1.28.zip",
+    try:
+        with open(file_path, "r") as file:
+            for line in file:
+                if line.strip().startswith(
+                    '"https://s3.amazonaws.com/boxes.10gen.com/build/windows_cyrus_sasl-'
+                ):
+                    return line.strip().split("windows_cyrus_sasl-")[1].split(".zip")[0]
+    except Exception as e:
+        logger.warning(f"Unable to load {file_path}")
+        logger.warning(e)
+    else:
+        return None
+
+
+def process_component_special_cases(
+    component_key: str, component: dict, versions: dict, repo_root: str
+) -> None:
+    ## Special case for Cyrus SASL ##
+    if component_key == "pkg:github/cyrusimap/cyrus-sasl":
+        # Cycrus SASL is optionally loaded as a Windows library, when needed. There is no source code for Endor Labs to scan.
+        # The version of Cyrus SASL that is used is defined in the WORKSPACE.bazel file:
+        #         "https://s3.amazonaws.com/boxes.10gen.com/build/windows_cyrus_sasl-2.1.28.zip",
+        # Rather than add the complexity of Bazel queries to this script, we just search the text.
+
+        versions["import_script"] = get_version_sasl_from_workspace(repo_root + "/WORKSPACE.bazel")
+        logger.info(
+            f"VERSION SPECIAL CASE: {component_key}: Found version '{versions['import_script']}' in 'WORKSPACE.bazel' file"
+        )
+
+    ## Special case for wiredtiger ##
+    elif component_key == "pkg:github/wiredtiger/wiredtiger":
+        # MongoDB release branches import wiredtiger commits via a bot. These commits will likely not line up with a release or tag.
+        # Endor labs will try to pull the nearest release/tag, but we want the more precise commit hash, which is stored in:
+        # src/third_party/wiredtiget/import.data
+        occurrences = component.get("evidence", {}).get("occurrences", [])
+        if occurrences:
+            location = occurrences[0].get("location")
+            versions["import_script"] = get_version_from_wiredtiger_import_data(
+                f"{repo_root}/{location}/import.data"
+            )
+            logger.info(
+                f"VERSION SPECIAL CASE: {component_key}: Found version '{versions['import_script']}' in 'import.data' file"
+            )
+
+# endregion special component use-case functions