Type: Task
Resolution: Unresolved
Priority: Unknown
Component/s: Security
Needed - No Spec Changes
Drivers MUST generate Software Bill of Materials (SBOM) Lite documents for releases and provide them to Silk, the tool DevProd uses for vulnerability tracking. If a driver bundles no dependencies, its SBOM Lite will be empty. See SBOMs: SBOM Lites and Augmented SBOMs in the Centralized Vulnerability Management README for a description of the SBOM formats.
Drivers MUST maintain their SBOM Lite documents in their git repositories.
Drivers with bundled dependencies MUST integrate with a supported tool (e.g. Snyk) that can perform vulnerability scanning and feed results into Silk for SBOM generation. If Snyk is used, drivers SHOULD NOT rely on it to infer dependencies, as it is prone to false positives and version inaccuracies; the list of bundled dependencies should come from what is actually vendored in the repository.
Drivers MUST publish Augmented SBOM documents (produced by Silk from the SBOM Lite documents) alongside releases.
Note: For purposes of reporting and vulnerability tracking, "third-party dependencies" refers only to bundled dependencies that ship with a driver. It does not include dependencies that may be installed by a package manager.
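The requirements above leave three things for a driver to check before committing an SBOM Lite or handing it to Silk: the document lists exactly the code that is bundled (nothing a scanner inferred from a package manager), each entry's version matches the vendored copy rather than a guessed one, and a driver that bundles nothing ships an explicitly empty component list. The script below is an added example of such a pre-release check; it is not the drivers' or DevProd's tooling. It assumes the SBOM Lite is a CycloneDX JSON document with a `components` list (the page does not state the format), that the driver keeps a hand-maintained map of vendored dependency names to versions (`BUNDLED`, hypothetical), and the sample SBOMs and library versions are constructed for illustration.

```python
import re
from typing import Any

# Assumption, not stated on the page: an SBOM Lite is a CycloneDX JSON document
# whose "components" list enumerates the third-party code bundled with the driver.
# Matches a package URL (purl) and captures the version after "@".
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/(?:[^@/]+/)*[^@/]+@(?P<version>[^?#]+)")


def check_sbom_lite(sbom: dict[str, Any], bundled: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means the SBOM Lite is consistent.

    ``bundled`` maps each vendored dependency's name to the version actually
    checked into the repository (hypothetical input: a driver would derive it
    from its vendored sources, never from a scanner's guess).
    """
    problems: list[str] = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    if not isinstance(sbom.get("specVersion"), str):
        problems.append("specVersion missing")
    components = sbom.get("components")
    if not isinstance(components, list):
        # CycloneDX allows omitting the key, but a driver that bundles nothing
        # should still ship an explicit empty list so "empty" is unambiguous.
        return problems + ["components must be a list (empty when nothing is bundled)"]

    seen: dict[str, str] = {}
    for comp in components:
        name, version, purl = comp.get("name"), comp.get("version"), comp.get("purl")
        if not (name and version and purl):
            problems.append(f"component {comp!r} lacks name, version or purl")
            continue
        match = PURL_RE.match(purl)
        if match is None:
            problems.append(f"{name}: malformed purl {purl}")
        elif match.group("version").lstrip("v") != version.lstrip("v"):
            problems.append(f"{name}: purl version {match.group('version')} != {version}")
        if name in seen:
            problems.append(f"{name}: listed more than once")
        seen[name] = version

    # Only bundled code belongs in the SBOM Lite: anything else a scanner
    # inferred (typically a package-manager dependency) is an extra, every
    # vendored dependency must be present, and versions must match the copy
    # in the tree rather than a guessed one.
    for name in sorted(set(seen) - set(bundled)):
        problems.append(f"{name}: not a bundled dependency; remove it")
    for name in sorted(set(bundled) - set(seen)):
        problems.append(f"{name}: vendored at {bundled[name]} but missing from the SBOM")
    for name in sorted(set(seen) & set(bundled)):
        if seen[name] != bundled[name]:
            problems.append(f"{name}: SBOM says {seen[name]}, vendored copy is {bundled[name]}")
    return problems


# Constructed sample: a driver that vendors two C libraries (hypothetical versions).
BUNDLED = {"zlib": "1.3.1", "utf8proc": "2.9.0"}

# Constructed sample: the hand-maintained SBOM Lite for that driver.
SBOM_LITE_OK = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:github/madler/zlib@v1.3.1"},
        {"type": "library", "name": "utf8proc", "version": "2.9.0",
         "purl": "pkg:github/JuliaStrings/utf8proc@v2.9.0"},
    ],
}

# Constructed sample: what a scanner might infer instead: a guessed zlib version
# and a package-manager-installed OpenSSL that the driver does not bundle.
SBOM_LITE_INFERRED = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:github/madler/zlib@v1.2.13"},
        {"type": "library", "name": "utf8proc", "version": "2.9.0",
         "purl": "pkg:github/JuliaStrings/utf8proc@v2.9.0"},
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
    ],
}

# Constructed sample: the SBOM Lite of a driver that bundles nothing.
SBOM_LITE_EMPTY = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
                   "components": []}

if __name__ == "__main__":
    for label, sbom, bundled in [
        ("hand-maintained", SBOM_LITE_OK, BUNDLED),
        ("scanner-inferred", SBOM_LITE_INFERRED, BUNDLED),
        ("nothing bundled", SBOM_LITE_EMPTY, {}),
    ]:
        print(label, check_sbom_lite(sbom, bundled) or "OK")
```

Run as a CI step, a non-empty result should fail the release: the scanner-inferred sample is rejected for listing OpenSSL (not bundled) and for a zlib version that does not match the vendored copy, while the empty SBOM passes only when `BUNDLED` is also empty.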
Split to:
- MOTOR-1302 Integrate with Silk and generate SBOM documents for releases (Backlog)
- CDRIVER-5535 Integrate with Silk and generate SBOM documents for releases (Closed)
- CSHARP-5048 Integrate with Silk and generate SBOM documents for releases (Closed)
- CXX-3008 Integrate with Silk and generate SBOM documents for releases (Closed)
- GODRIVER-3187 Integrate with Silk and generate SBOM documents for releases (Closed)
- JAVA-5430 Integrate with Silk and generate SBOM documents for releases (Closed)
- MONGOCRYPT-680 Integrate with Silk and generate SBOM documents for releases (Closed)
- NODE-6113 Integrate with Silk and generate SBOM documents for releases (Closed)
- PHPC-2384 Integrate with Silk and generate SBOM documents for releases (Closed)
- PHPLIB-1434 Integrate with Silk and generate SBOM documents for releases (Closed)
- PHPORM-185 Integrate with Silk and generate SBOM documents for releases (Closed)
- PYTHON-4383 Integrate with Silk and generate SBOM documents for releases (Closed)
- RUBY-3449 Integrate with Silk and generate SBOM documents for releases (Closed)
- RUST-1919 Integrate with Silk and generate SBOM documents for releases (Closed)
- VS-129 Integrate with Silk and generate SBOM documents for releases (Closed)