From a84b835da434080b34a91fb808d445f9f6b650ef Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Mon, 24 Nov 2025 15:07:59 +0000
Subject: [PATCH 1/2] Updated to use cyclonedx-py instead of cdxgen for silkbomb
---
.github/workflows/sbom.yml | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index fcf39902da..f567740dc2 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -1,6 +1,6 @@
 name: Generate SBOM
-# This workflow uses cdxgen and publishes an sbom.json artifact.
+# This workflow uses cyclonedx-py and publishes an sbom.json artifact.
 # It runs on manual trigger or when package files change on main branch,
 # and creates a PR with the updated SBOM.
 # Internal documentation: go/sbom-scope
@@ -42,9 +42,26 @@ jobs:
 source .venv/bin/activate
 pip install -r requirements.txt
 pip install .
- npx @cyclonedx/cdxgen -t python --exclude "uv.lock" --exclude "requirements/**" --exclude "requirements.txt" --spec-version 1.5 --no-validate --json-pretty -o sbom.json
- env:
- FETCH_LICENSE: true
+ pip uninstall -y pip setuptools
+ deactivate
+ python -m venv .venv-sbom
+ source .venv-sbom/bin/activate
+ pip install cyclonedx-bom==7.2.1
+ cyclonedx-py environment --spec-version 1.5 --output-format JSON --output-file sbom.json .venv
+ # Add PURL for pymongo (local package doesn't get PURL automatically)
+ jq '(.components[] | select(.name == "pymongo" and .purl == null)) |= (. + {purl: ("pkg:pypi/pymongo@" + .version)})' sbom.json > sbom.tmp.json && mv sbom.tmp.json sbom.json
+
+ - name: Download CycloneDX CLI
+ run: |
+ curl -L -s -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"
+ chmod +x /tmp/cyclonedx
+
+ - name: Validate SBOM
+ run: /tmp/cyclonedx validate --input-file sbom.json --fail-on-errors
+
+ - name: Cleanup
+ if: always()
+ run: rm -rf .venv .venv-sbom
 - name: Upload SBOM artifact
 uses: actions/upload-artifact@v4
@@ -70,7 +87,7 @@ jobs:
 - Updated `sbom.json` to reflect current dependencies
 ### Verification
- The SBOM was generated using cdxgen with the current Python environment.
+ The SBOM was generated using cyclonedx-py v7.2.1 with the current Python environment.
 ### Triggered by
 - Commit: ${{ github.sha }}
@@ -81,8 +98,4 @@ jobs:
 labels: |
 sbom
 automated
- dependencies
-
- - name: Cleanup
- if: always()
- run: rm -rf .venv
+ dependencies
\ No newline at end of file
From 88c44034dd375ac0ec8c3320bb09eea194dd72c2 Mon Sep 17 00:00:00 2001
From: Thanh Nguyen
Date: Mon, 24 Nov 2025 15:36:38 +0000
Subject: [PATCH 2/2] linter fix
---
.github/workflows/sbom.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
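Review bot: The new `Download CycloneDX CLI` step executes a binary fetched from GitHub Releases with no integrity check, and `curl -L -s` without `--fail` would write a 404 response body to `/tmp/cyclonedx`, which the `Validate SBOM` step then chmods and runs as the validator; since this workflow produces the repository's supply-chain evidence, the tool that validates it should itself be pinned by digest, not just by tag. Change the download to `curl -fsSL -o /tmp/cyclonedx "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.29.1/cyclonedx-linux-x64"` and add `echo "<EXPECTED_SHA256_OF_v0.29.1_LINUX_X64>  /tmp/cyclonedx" | sha256sum -c -` before `chmod +x /tmp/cyclonedx`, where the placeholder is the digest published for that release. The same tag-only pinning applies to `pip install cyclonedx-bom==7.2.1`; `pip install --require-hashes` against a hashed requirements file would close that gap too, at the cost of maintaining the extra file. The `- name:`/`run: |` header of the generation step that the first added lines belong to is above this hunk, so the step boundary is not visible here.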
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index f567740dc2..373139f274 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -98,4 +98,4 @@ jobs:
 labels: |
 sbom
 automated
- dependencies
\ No newline at end of file
+ dependencies