PHPLIB-1866: Add automated SBOM generation using cyclonedx-php-composer #1921
Open
jasonhills-mongodb wants to merge 6 commits into
Adds a two-stage SBOM pipeline following the pattern established in mongo-csharp-driver, mongo-go-driver, and mongo-python-driver:

- GitHub Actions (`.github/workflows/sbom.yml`): generates `sbom.json` from production Composer dependencies via cyclonedx-php-composer v5, validates with cyclonedx-cli, and opens a PR when `composer.json` changes on `v2.x`. Version tracking increments `.version` only when content changes.
- Evergreen (`.evergreen/config/sbom.yml` + `upload-sbom.sh`): uploads the committed `sbom.json` to the internal SSDLC tracking system via `silkbomb augment`, triggered when `sbom.json` changes. Soft-fails if the augmented SBOM changes significantly.

`sbom.json` updated with correct production dependencies (psr/log, polyfill-php85) and stable serial number.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Introduces automated generation, validation, and upload plumbing for a CycloneDX SBOM, and updates the committed sbom.json to the newly generated output.
Changes:
- Regenerates `sbom.json` with updated metadata, components, and dependency graph.
- Adds a GitHub Actions workflow to regenerate/validate SBOM and open an auto-update PR when it changes.
- Adds Evergreen task/functionality to augment and upload SBOM via Silkbomb.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `sbom.json` | Updates the committed CycloneDX SBOM content and version metadata. |
| `.github/workflows/sbom.yml` | Automates SBOM generation/validation and opens a PR when sbom.json changes. |
| `.evergreen/generate-sbom.sh` | Generates sbom.json and manages a stable serial number + incremental versioning. |
| `.evergreen/upload-sbom.sh` | Runs Silkbomb augmentation and reports significant augmented SBOM changes to Evergreen. |
| `.evergreen/config/sbom.yml` | Adds an Evergreen buildvariant/task to run SBOM upload. |
| `.evergreen/config/functions.yml` | Adds an upload-sbom function integrating AWS role assumption and upload script execution. |
| `.evergreen/config.yml` | Includes the new Evergreen SBOM config file. |
Codecov Report: ✅ All modified and coverable lines are covered by tests.
- Use temp files for SBOM content comparison in generate-sbom.sh instead of shell variable capture
- Add `jq -S` (sort keys) to workflow diff steps to avoid false-positive diffs from key reordering
Summary
This PR adds automated CycloneDX 1.5 SBOM generation for the PHP library, following the same two-stage pattern already established in:

`sbom.json` (being updated to Evergreen upload)

Committing `sbom.json` to the repository is the established MongoDB driver pattern for pre-build SBOM tracking.

Architecture

Stage 1 — GitHub Actions (`.github/workflows/sbom.yml`)

Triggered on push to `v2.x` when `composer.json` changes (or manually). Installs `cyclonedx/cyclonedx-php-composer:6.2.0`, runs `composer update --ignore-platform-reqs --no-scripts` to generate a fresh lock file, generates `sbom.json` from production dependencies only (`--omit dev`), validates with cyclonedx-cli v0.32.0, and opens a PR if the content has changed. A stable serial number and monotonic `.version` counter are maintained across updates.

Stage 2 — Evergreen (`.evergreen/config/sbom.yml`)

Path-triggered on `sbom.json` changes. Authenticates to ECR, pulls `silkbomb:2.0`, and runs `silkbomb augment` to upload the SBOM to the internal SSDLC tracking system (Dependency Track / Kondukto). Soft-fails if the augmented SBOM changes significantly.

Files changed

- `.evergreen/generate-sbom.sh` — SBOM generation script
- `.evergreen/upload-sbom.sh` — silkbomb upload script
- `.evergreen/config/functions.yml` — `upload-sbom` Evergreen function
- `.evergreen/config/sbom.yml` — `upload-sbom` task and `sbom` build variant
- `.evergreen/config.yml` — include for `sbom.yml`
- `.github/workflows/sbom.yml` — generation workflow
- `sbom.json` — initial SBOM (2 production components: `psr/log`, `symfony/polyfill-php85`)
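As an added example (not code from this PR or from the mongo-php-library repository), the stable-serial and version-increment rule that Stage 1 relies on, written in Python rather than the PR's shell and jq: the two documents are compared key-sorted with the per-run fields removed, so reordered keys or a new timestamp never trigger a commit, and only a real dependency change carries the serial number forward and bumps `.version`. The sample SBOM documents and their component versions are constructed.

```python
# Added example, not the PR's generate-sbom.sh: reconcile a freshly generated
# CycloneDX SBOM with the committed one so the serial number stays stable and
# `version` is bumped only when the dependency content actually changes.
import copy
import json
import uuid

def canonical(sbom: dict) -> str:
    """Key-sorted JSON minus the fields that differ on every generator run
    (the jq -S idea): reordered keys or a fresh timestamp alone never diff."""
    stripped = copy.deepcopy(sbom)
    for field in ("serialNumber", "version"):
        stripped.pop(field, None)
    stripped.get("metadata", {}).pop("timestamp", None)
    return json.dumps(stripped, sort_keys=True, separators=(",", ":"))

def reconcile(previous: "dict | None", fresh: dict) -> "tuple[dict, bool]":
    """Return (sbom_to_commit, changed). Unchanged content returns the previous
    document as-is, so the workflow has nothing to commit and opens no PR."""
    if previous is None:  # first SBOM ever: mint a serial, start at version 1
        result = copy.deepcopy(fresh)
        result.setdefault("serialNumber", f"urn:uuid:{uuid.uuid4()}")
        result["version"] = 1
        return result, True
    if canonical(previous) == canonical(fresh):
        return previous, False
    result = copy.deepcopy(fresh)  # real change: carry serial, bump version
    result["serialNumber"] = previous["serialNumber"]
    result["version"] = previous.get("version", 0) + 1
    return result, True

# Constructed sample documents (not the repository's real sbom.json).
COMMITTED = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 3,
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
    "metadata": {"timestamp": "2024-01-01T00:00:00Z"},
    "components": [{"type": "library", "name": "psr/log", "version": "3.0.0"}],
}
# Same dependency, but a new serial, a new timestamp and reordered keys.
REGENERATED_SAME = {
    "components": [{"version": "3.0.0", "name": "psr/log", "type": "library"}],
    "metadata": {"timestamp": "2024-06-01T00:00:00Z"}, "version": 1,
    "serialNumber": "urn:uuid:ffffffff-ffff-4fff-8fff-ffffffffffff",
    "specVersion": "1.5", "bomFormat": "CycloneDX",
}
# A dependency was added, so this one must carry the serial and bump version.
REGENERATED_CHANGED = copy.deepcopy(REGENERATED_SAME)
REGENERATED_CHANGED["components"].append(
    {"type": "library", "name": "symfony/polyfill-php85", "version": "1.0.0"})
```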