Drivers / DRIVERS-2893

Integrate with Silk and generate SBOM documents for releases

    • Type: Task
    • Resolution: Unresolved
    • Priority: Unknown
    • Component/s: Security
    • Needed - No Spec Changes

      Drivers MUST generate Software Bill of Materials (SBOM) Lite documents for releases and provide them to Silk, the tool DevProd uses for vulnerability tracking. If a driver bundles no dependencies, its SBOM Lite will be empty. See SBOMs: SBOM Lites and Augmented SBOMs in the Centralized Vulnerability Management README for a description of the SBOM formats.

      Drivers MUST maintain SBOM Lite documents in their git repositories.

      Drivers with bundled dependencies MUST integrate with a supported tool (e.g. Snyk) that can perform vulnerability scanning and feed results into Silk for SBOM generation. If Snyk is used, drivers SHOULD NOT rely on it to infer dependencies, as it is prone to false positives and version inaccuracies.

      Drivers MUST publish Augmented SBOM documents (produced by Silk processing SBOM Lite documents) alongside releases.

      Note: For purposes of reporting and vulnerability tracking, "third-party dependencies" refers only to bundled dependencies that ship with a driver. It does not include any dependencies that may be installed by a package manager.
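      The following is an added illustration, not code from this ticket or from any driver repository, of what a repo-maintained SBOM Lite looks like in practice: it emits a CycloneDX-style JSON document listing only the bundled dependencies (the format, the driver name, and the dependency inventory are all assumptions; the README linked above is authoritative for the real format), produces an empty components list when nothing is bundled, and runs a small consistency check a CI job could apply before the file is committed.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory for a hypothetical driver build (not a real driver's list).
# Only entries with bundled=True ship inside the driver artifact; the rest are
# installed by a package manager and therefore stay out of the SBOM Lite.
DEPENDENCIES = [
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1", "bundled": True},
    {"name": "utf8proc", "version": "2.8.0", "purl": "pkg:generic/utf8proc@2.8.0", "bundled": True},
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13", "bundled": False},
]


def bundled_components(deps):
    """Return CycloneDX-style component entries for the bundled dependencies only."""
    return [
        {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
        for d in deps
        if d.get("bundled")
    ]


def build_sbom_lite(driver_name, driver_version, deps):
    """Assemble an SBOM Lite document (assumed CycloneDX 1.5 JSON layout).

    The serial number is derived from the driver name and version with uuid5 so
    that regenerating the file for the same release yields the same identifier
    and the committed document does not churn on every build.
    """
    serial = uuid.uuid5(uuid.NAMESPACE_URL, f"{driver_name}@{driver_version}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{serial}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "library", "name": driver_name, "version": driver_version},
        },
        # Empty list when the driver bundles nothing, as the ticket describes.
        "components": bundled_components(deps),
    }


def validate_sbom_lite(sbom):
    """Return a list of problems; an empty list means the document passed.

    Checks the fields a downstream scanner needs (name, version, purl) and
    rejects duplicate purls, which would double-count a finding.
    """
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    seen = set()
    for idx, comp in enumerate(sbom.get("components", [])):
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"component {idx}: missing {field}")
        purl = comp.get("purl", "")
        if purl and not purl.startswith("pkg:"):
            problems.append(f"component {idx}: purl must start with 'pkg:'")
        if purl in seen:
            problems.append(f"component {idx}: duplicate purl {purl}")
        seen.add(purl)
    return problems


def render(sbom):
    """Stable JSON text suitable for committing to the driver's repository."""
    return json.dumps(sbom, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    doc = build_sbom_lite("example-driver", "1.2.3", DEPENDENCIES)
    print(render(doc))
    print("problems:", validate_sbom_lite(doc))
```

      In this layout the bundled filter is the only place where the "bundled versus package-manager-installed" distinction from the note is applied, which keeps that policy decision in one reviewable spot; the validator is what a release pipeline would run so that a malformed component never reaches the scanner.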

      Linked driver tickets:

      Key             Status/Resolution   FixVersion
      CDRIVER-5535    Done                1.27.3
      CXX-3008        Fixed               3.11.0, 3.10.2
      CSHARP-5048     Done                2.26.0
      GODRIVER-3187   Fixed               1.16.0
      JAVA-5430       Won't Do
      NODE-6113       Done
      MOTOR-1302      Backlog
      PYTHON-4383     Fixed               4.8
      PHPLIB-1434     Done
      RUBY-3449       Done
      RUST-1919       Fixed               3.0.0
      PHPC-2384       Done
      PHPORM-185      Done

      Assignee: Unassigned
      Reporter: Jeremy Mikola (jmikola@mongodb.com)
      Votes: 0
      Watchers: 5