PHPLIB-1866: Add automated SBOM generation using cyclonedx-php-composer

.evergreen/config.yml

@@ -56,6 +56,7 @@ github_checks_aliases:
 # Include files that contain various tasks, task groups, and build variant definitions
 include:
   - filename: .evergreen/config/functions.yml
+  - filename: .evergreen/config/sbom.yml
 
   - filename: .evergreen/config/build-task-groups.yml
   - filename: .evergreen/config/build-variants.yml

.evergreen/config/functions.yml

@@ -1,4 +1,50 @@
 functions:
+  "generate-sbom":
+    - command: subprocess.exec
+      type: setup
+      display_name: Generate SBOM
+      params:
+        working_dir: src
+        binary: bash
+        args:
+          - .evergreen/generate-sbom.sh
+
+  "upload-sbom":
+    - command: ec2.assume_role
+      display_name: Assume ECR readonly IAM role
+      params:
+        role_arn: &ecr_ro_role_arn arn:aws:iam::901841024863:role/ecr-role-evergreen-ro
+    - command: subprocess.exec
+      type: setup
+      display_name: Log in to ECR
+      params:
+        working_dir: src
+        binary: bash
+        include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+        args:
+          - -c
+          - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+    - command: ec2.assume_role
+      display_name: Assume Silkbomb IAM role
+      params:
+        role_arn: &silkbomb_role_arn arn:aws:iam::901841024863:role/silkbomb
+    - command: subprocess.exec
+      type: test
+      display_name: Upload SBOM via Silkbomb
+      params:
+        working_dir: src
+        binary: bash
+        include_expansions_in_env:
+          - branch_name
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+        args:
+          - .evergreen/upload-sbom.sh
+
   "fetch source":
     # Executes git clone and applies the submitted patch, if any
     - command: git.get_project

.evergreen/config/sbom.yml

@@ -0,0 +1,24 @@
+tasks:
+  - name: upload-sbom
+    tags: ["ssdlc"]
+    allowed_requesters: ["commit"]
+    exec_timeout_secs: 600
+    # pre_error_fails_task: false allows the task to proceed even if pre steps such as
+    # "fetch extension" fail. PHP and Composer (needed by generate-sbom.sh) are available
+    # from the earlier "install dependencies" and "install composer" pre steps.
+    pre_error_fails_task: false
+    commands:
+      - func: "generate-sbom"
+      - func: "upload-sbom"
+
+buildvariants:
+  - name: sbom
+    display_name: "SBOM"
+    allowed_requesters: ["commit"]
+    stepback: false
+    paths:
+      - composer.json
+    run_on:
+      - ubuntu2004-small
+    tasks:
+      - name: upload-sbom

.evergreen/generate-sbom.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Environment Variables:
+#   None required — all inputs are derived from the repository.
+set -eo pipefail
+
+SERIAL_NUMBER="urn:uuid:dc42a43b-4ace-4c42-9a6e-0b9e28fdd100"
+
+# composer require modifies composer.json. Save and restore it so the cyclonedx
+# plugin is not added to the project's dependencies.
+cp composer.json composer.json.bak
+trap 'mv composer.json.bak composer.json' EXIT
+
+echo "Installing CycloneDX PHP Composer plugin"
+composer config allow-plugins.cyclonedx/cyclonedx-php-composer true
+composer require --dev cyclonedx/cyclonedx-php-composer:6.2.0 --no-update
+
+echo "Updating dependencies"
+# --ignore-platform-reqs: SBOM generation doesn't need to run the code, so extension
+# availability and exact PHP patch versions don't matter here.
+# --no-scripts: skip git submodule updates and other scripts that require a full dev setup.
+composer update --ignore-platform-reqs --no-scripts
+
+echo "Generating SBOM"
+composer CycloneDX:make-sbom \
+  --spec-version=1.5 \
+  --output-format=JSON \
+  --output-file=sbom.cdx.json \
+  --omit dev \
+  --no-validate
+# --no-validate: skips the plugin's built-in schema validation. Silkbomb will
+# reject a malformed SBOM on upload.
+
+jq --argjson v 1 --arg serial "$SERIAL_NUMBER" \
+  '.version = $v | .serialNumber = $serial' sbom.cdx.json > sbom.json
+rm sbom.cdx.json
+
+echo "Generated sbom.json"

.evergreen/upload-sbom.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+: "${branch_name:?}"
+: "${AWS_ACCESS_KEY_ID:?}"
+: "${AWS_SECRET_ACCESS_KEY:?}"
+: "${AWS_SESSION_TOKEN:?}"
+
+silkbomb="901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0"
+docker pull "${silkbomb}"
+
+docker run --rm -v "$(pwd):/pwd" \
+  --user "$(id -u):$(id -g)" \
+  --env 'AWS_ACCESS_KEY_ID' --env 'AWS_SECRET_ACCESS_KEY' --env 'AWS_SESSION_TOKEN' \
+  "${silkbomb}" upload \
+  --repo mongodb/mongo-php-library \
+  --branch "${branch_name}" \
+  --sbom-in /pwd/sbom.json

.github/dependabot.yml

@@ -1,5 +1,12 @@
 version: 2
 updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    allow:
+      - dependency-type: "production"
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule: