update docs

jasonhills-mongodb · jasonhills-mongodb · commit 9b7c5d3a9b33 · 2025-12-03T10:02:20.000-05:00
diff --git a/.evergreen/config_generator/components/funcs/install_c_driver.py b/.evergreen/config_generator/components/funcs/install_c_driver.py
@@ -8,7 +8,6 @@
 
 # If updating mongoc_version_minimum to a new release (not pinning to an unreleased commit), also update:
 # - BSON_REQUIRED_VERSION and MONGOC_REQUIRED_VERSION in CMakeLists.txt
-# - the version of pkg:github/mongodb/mongo-c-driver in etc/purls.txt
 # - the default value of --c-driver-build-ref in etc/make_release.py
 # If pinning to an unreleased commit, create a "Blocked" JIRA ticket with
 # a "depends on" link to the appropriate C Driver version release ticket.
diff --git a/.evergreen/scripts/sbom.sh b/.evergreen/scripts/sbom.sh
@@ -25,18 +25,14 @@ podman pull "${silkbomb:?}"
 silkbomb_augment_flags=(
   --repo mongodb/mongo-cxx-driver
   --branch "${branch_name:?}"
-  --sbom-in /pwd/etc/cyclonedx.sbom.json
+  --sbom-in /pwd/sbom.json
   --sbom-out /pwd/etc/augmented.sbom.json.new
 
   # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
-  # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+  # Otherwise, it should be equal to the existing SBOM version.
   --no-update-sbom-version
 )
 
-# First validate the SBOM Lite.
-podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
-  validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
-
 # Allow the timestamp to be updated in the Augmented SBOM for update purposes.
 podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
 
diff --git a/.github/workflows/generate_sbom.yml b/.github/workflows/generate_sbom.yml
@@ -19,6 +19,8 @@ jobs:
       contents: write # Required for commit
       pull-requests: write # Required for PR
     runs-on: ubuntu-latest
+    env:
+      BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
     steps:
     - name: Checkout Repository
       uses: actions/checkout@v6
@@ -94,7 +96,7 @@ jobs:
       with:
         add-paths: sbom.json
         body-path: ${{runner.temp}}/pr_body.txt
-        branch: cxx-sbom-update
+        branch: cxx-sbom-update-${{ env.BRANCH_NAME }}
         commit-message: Update SBOM file(s)
         delete-branch: true
-        title: CXX Update SBOM action
+        title: CXX Update SBOM action - ${{ env.BRANCH_NAME }}
diff --git a/etc/purls.txt b/etc/purls.txt
diff --git a/etc/releasing.md b/etc/releasing.md
@@ -75,12 +75,6 @@ Some release steps require one or more of the following secrets.
     GRS_CONFIG_USER1_USERNAME=<username>
     GRS_CONFIG_USER1_PASSWORD=<password>
     ```
-- Snyk credentials.
-  - Location: `~/.secrets/snyk-creds.txt`
-  - Format:
-    ```bash
-    SNYK_API_TOKEN=<token>
-    ```
 
 ## Pre-Release Steps
 
@@ -118,22 +112,11 @@ All issues with an Impact level of "High" or greater must have a "MongoDB Final
 
 All issues with an Impact level of "Medium" or greater which do not have a "MongoDB Final Status" of "Fix Committed" must document rationale for its current status in the "Notes" field.
 
-### SBOM Lite
+### SBOM
 
 Ensure the container engine (e.g. `podman` or `docker`) is authenticated with the DevProd-provided Amazon ECR instance.
 
-Ensure the list of bundled dependencies in `etc/purls.txt` is up-to-date. If not, update `etc/purls.txt`.
-
-If `etc/purls.txt` was updated, update the SBOM Lite document using the following command(s):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-```
+Ensure that any `CXX Update SBOM action - $BRANCH_NAME` PRs are merged for the release branch.
 
 Run a patch build which executes the `sbom` task and download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json`. Evergreen CLI may be used to schedule only the `sbom` task:
 
@@ -154,12 +137,6 @@ Update `etc/third_party_vulnerabilities.md` with any updates to new or known vul
 
 Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `sbom` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field).
 
-### Check Snyk
-
-Inspect the list of projects in the latest report for the `mongodb/mongo-cxx-driver` target in [Snyk](https://app.snyk.io/org/dev-prod/).
-
-Deactivate any projects that will not be relevant in the upcoming release. Remove any projects that are not relevant to the current release.
-
 ### Check Jira
 
 Inspect the list of tickets assigned to the version to be released on [Jira](https://jira.mongodb.com/projects/CXX?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=unreleased).
@@ -432,67 +409,7 @@ The new branch should be continuously tested on Evergreen. Update the "Display N
 
 ### Update SBOM serial number
 
-Check out the release branch `releases/vX.Y`.
-
-Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming patch release (e.g. for `1.3.1` following the release of `1.3.0`):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-```
-
-Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM Lite](#sbom-lite).
-
-Commit and push these changes to the `releases/vX.Y` branch.
-
-### Update Snyk
-
-> [!IMPORTANT]
-> Run the Snyk commands in a fresh clone of the post-release repository to avoid existing build and release artifacts from affecting Snyk.
-
-Checkout the new release tag.
-
-Configure and build the CXX Driver (do not reuse an existing C Driver installation; use the auto-downloaded C Driver sources instead):
-
-```bash
-cmake -S . -B build
-cmake --build build
-```
-
-Then run:
-
-```bash
-# Snyk credentials. Ask for these from a team member.
-. ~/.secrets/snyk-creds.txt
-
-# The new release tag. Ensure this is correct!
-release_tag="rX.Y.Z"
-
-# Authenticate with Snyk dev-prod organization.
-snyk auth "${SNYK_API_TOKEN:?}"
-
-# Verify third party dependency sources listed in etc/purls.txt are detected by Snyk.
-# If not, see: https://support.snyk.io/hc/en-us/requests/new
-# Use --exclude=extras until CXX-3042 is resolved
-snyk_args=(
-  --org=dev-prod
-  --remote-repo-url=https://github.com/mongodb/mongo-cxx-driver/
-  --target-reference="${release_tag:?}"
-  --unmanaged
-  --all-projects
-  --exclude=extras
-)
-snyk test "${snyk_args[@]:?}" --print-deps
-
-# Create a new Snyk target reference for the new release tag.
-snyk monitor "${snyk_args[@]:?}"
-```
-
-Verify the new Snyk target reference is present in the [Snyk project targets list](https://app.snyk.io/org/dev-prod/projects?groupBy=targets&before&after&searchQuery=mongo-cxx-driver&sortBy=highest+severity&filters[Show]=&filters[Integrations]=cli&filters[CollectionIds]=) for `mongodb/mongo-cxx-driver`.
+A new SBOM serial number is automatically generated when an SBOM is generated on a new branch.
 
 ### Post-Release Changes
 
@@ -512,21 +429,7 @@ For a patch release, in `etc/apidocmenu.md`, update the list of versions under "
 
 In `README.md`, sync the "Driver Development Status" table with the updated table from `etc/apidocmenu.md`.
 
-Update `etc/cyclonedx.sbom.json` with a new unique serial number for the next upcoming non-patch release (e.g. for `1.4.0` following the release of `1.3.0`):
-
-```bash
-# Ensure latest version of SilkBomb is being used.
-podman pull 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
-
-# Output: "... writing sbom to file"
-podman run -it --rm -v "$(pwd):/pwd" 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
-  update --refresh --generate-new-serial-number -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json"
-
-git add etc/cyclonedx.sbom.json
-git commit -m "update SBOM serial number"
-```
-
-Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM Lite](#sbom-lite).
+Update `etc/augmented.sbom.json` by running a patch build which executes the `sbom` task as described above in [SBOM](#sbom).
 
 Commit these changes to the `post-release-changes` branch:
 
diff --git a/etc/third_party_vulnerabilities.md b/etc/third_party_vulnerabilities.md
@@ -17,7 +17,7 @@ This section provides a template that may be used for actual vulnerability repor
 
 - **Date Detected:** YYYY-MM-DD
 - **Severity:** Low, Medium, High, or Critical
-- **Detector:** Silk or Snyk
+- **Detector:** Endor Labs or Dependency-Track
 - **Description:** A short vulnerability description.
 - **Dependency:** Name and version of the 3rd party dependency.
 - **Upstream Status:** False Positive, Won't Fix, Fix Pending, or Fix Available. This is the fix status for the 3rd party dependency, not the CXX Driver. "Fix Available" should include the version and/or date when the fix was released, e.g. "Fix Available (1.2.3, 1970-01-01)".
