chore(ci): create separate SBOM for node-runtime-worker-thread MONGOSH-1856

Author: gagik

.evergreen.yml

@@ -3687,7 +3687,7 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/dist/.sbom.json
+        local_file: src/dist/.sbom/mongosh/sbom.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-sbom.json
         bucket: mciuploads
         permissions: public-read
@@ -3696,11 +3696,29 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/dist/.purls.txt
+        local_file: src/dist/.sbom/mongosh/purls.txt
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-purls.txt
         bucket: mciuploads
         permissions: public-read
         content_type: text/plain
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.sbom/node-runtime-worker-thread/sbom.json
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-sbom.json
+        bucket: mciuploads
+        permissions: public-read
+        content_type: application/json
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.sbom/node-runtime-worker-thread/purls.txt
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-purls.txt
+        bucket: mciuploads
+        permissions: public-read
+        content_type: text/plain
   upload_compiled_artifact:
     - command: shell.exec
       params:
@@ -3727,15 +3745,24 @@ functions:
         permissions: public-read
         content_type: application/x-gzip
   upload_first_party_deps_list:
-    - command: s3.put
+     - command: s3.put
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/first-party-deps.json
+        local_file: src/.sbom/mongosh/first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-first-party-deps.json
         bucket: mciuploads
         permissions: public-read
         content_type: application/json
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/.sbom/node-runtime-worker-thread/first-party-deps.json
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-first-party-deps.json
+        bucket: mciuploads
+        permissions: public-read
+        content_type: application/json
   download_compiled_artifact:
     - command: s3.get
       type: setup
@@ -3829,77 +3856,77 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-darwin-x64-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-darwin-x64-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-darwin-x64-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-darwin-arm64-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-darwin-arm64-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-darwin-arm64-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-x64-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-x64-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-x64-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-x64-openssl11-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-x64-openssl11-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-x64-openssl11-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-x64-openssl3-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-x64-openssl3-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-x64-openssl3-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-arm64-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-arm64-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-arm64-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-arm64-openssl11-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-arm64-openssl11-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-arm64-openssl11-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-arm64-openssl3-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-arm64-openssl3-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-arm64-openssl3-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-ppc64le-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-ppc64le-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-ppc64le-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-linux-s390x-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-linux-s390x-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-linux-s390x-first-party-deps.json
         bucket: mciuploads
     - command: s3.get
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/mongosh-win32-first-party-deps.json
+        local_file: src/.sbom/mongosh/mongosh-win32-first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-win32-first-party-deps.json
         bucket: mciuploads
     - command: shell.exec
@@ -3913,7 +3940,7 @@ functions:
           .evergreen/create-static-analysis-report.sh
         env:
           NODE_JS_VERSION: ${node_js_version}
-          FIRST_PARTY_DEPENDENCY_FILENAMES: .sbom/mongosh-darwin-x64-first-party-deps.json,.sbom/mongosh-darwin-arm64-first-party-deps.json,.sbom/mongosh-linux-x64-first-party-deps.json,.sbom/mongosh-linux-x64-openssl11-first-party-deps.json,.sbom/mongosh-linux-x64-openssl3-first-party-deps.json,.sbom/mongosh-linux-arm64-first-party-deps.json,.sbom/mongosh-linux-arm64-openssl11-first-party-deps.json,.sbom/mongosh-linux-arm64-openssl3-first-party-deps.json,.sbom/mongosh-linux-ppc64le-first-party-deps.json,.sbom/mongosh-linux-s390x-first-party-deps.json,.sbom/mongosh-win32-first-party-deps.json
+          FIRST_PARTY_DEPENDENCY_FILENAMES: .sbom/mongosh/mongosh-darwin-x64-first-party-deps.json,.sbom/mongosh/mongosh-darwin-arm64-first-party-deps.json,.sbom/mongosh/mongosh-linux-x64-first-party-deps.json,.sbom/mongosh/mongosh-linux-x64-openssl11-first-party-deps.json,.sbom/mongosh/mongosh-linux-x64-openssl3-first-party-deps.json,.sbom/mongosh/mongosh-linux-arm64-first-party-deps.json,.sbom/mongosh/mongosh-linux-arm64-openssl11-first-party-deps.json,.sbom/mongosh/mongosh-linux-arm64-openssl3-first-party-deps.json,.sbom/mongosh/mongosh-linux-ppc64le-first-party-deps.json,.sbom/mongosh/mongosh-linux-s390x-first-party-deps.json,.sbom/mongosh/mongosh-win32-first-party-deps.json
           GITHUB_TOKEN: ${github_token}
           GITHUB_PR_NUMBER: ${github_pr_number}
     - command: s3.put
@@ -4208,7 +4235,7 @@ functions:
         bucket: mciuploads
         permissions: private
         visibility: signed
-        local_file: src/.sbom/dependencies.json
+        local_file: src/.sbom/mongosh/dependencies.json
         remote_file: ${project}/${revision}_${revision_order_id}/dependencies.json
         content_type: application/json
         optional: true

.evergreen/compile-artifact.sh

@@ -96,10 +96,10 @@ if uname -a | grep -q 'Linux.*x86_64'; then
   test $(objdump -d dist/mongosh | grep '\bvmovd\b' | wc -l) -lt 1250
 fi
 
-npm run write-node-js-dep
-npm run create-purls-file
-cp .sbom/purls.txt dist/.purls.txt
-
-cat dist/.purls.txt
-
 npm run create-dependency-sbom-lists
+
+ls -lhA .sbom
+for dir in .sbom/*/; do
+  cp ${dir}purls.txt dist/${dir}purls.txt
+  cat dist/${dir}purls.txt
+done

.evergreen/download-crypt-shared-and-generate-sbom.sh

@@ -4,11 +4,6 @@ set -x
 
 npm run evergreen-release download-crypt-shared-library
 
-ls -lhA dist
-echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> dist/.purls.txt
-
-cat dist/.purls.txt
-
 set +x
 echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin
 set -x
@@ -18,8 +13,19 @@ trap_handler() {
 }
 trap trap_handler ERR EXIT
 
-docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
-docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \
-  --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
-docker run --env-file /tmp/kondukto_credentials.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \
-  --repo mongodb-js/mongosh --branch ${KONDUKTO_BRANCH} --sbom-in /pwd/dist/.sbom-lite.json --sbom-out /pwd/dist/.sbom.json
+ls -lhA dist/.sbom
+
+for dir in dist/.sbom/*/; do
+  purls_file="${dir}purls.txt"
+  if [ -f "$purls_file" ]; then
+    echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >>"$purls_file"
+  fi
+
+  cat ${purls_file}
+
+  docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
+  docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \
+    --purls /pwd/${purls_file} --sbom-out /pwd/${dir}sbom-lite.json
+  docker run --env-file /tmp/kondukto_credentials.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \
+    --repo mongodb-js/mongosh --branch ${KONDUKTO_BRANCH} --sbom-in /pwd/${dir}sbom-lite.json --sbom-out /pwd/${dir}sbom.json
+done

.evergreen/evergreen.yml.in

@@ -396,7 +396,7 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/dist/.sbom.json
+        local_file: src/dist/.sbom/mongosh/sbom.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-sbom.json
         bucket: mciuploads
         permissions: public-read
@@ -405,11 +405,29 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/dist/.purls.txt
+        local_file: src/dist/.sbom/mongosh/purls.txt
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-purls.txt
         bucket: mciuploads
         permissions: public-read
         content_type: text/plain
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.sbom/node-runtime-worker-thread/sbom.json
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-sbom.json
+        bucket: mciuploads
+        permissions: public-read
+        content_type: application/json
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.sbom/node-runtime-worker-thread/purls.txt
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-purls.txt
+        bucket: mciuploads
+        permissions: public-read
+        content_type: text/plain
   upload_compiled_artifact:
     - command: shell.exec
       params:
@@ -436,15 +454,24 @@ functions:
         permissions: public-read
         content_type: application/x-gzip
   upload_first_party_deps_list:
-    - command: s3.put
+     - command: s3.put
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/first-party-deps.json
+        local_file: src/.sbom/mongosh/first-party-deps.json
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-first-party-deps.json
         bucket: mciuploads
         permissions: public-read
         content_type: application/json
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/.sbom/node-runtime-worker-thread/first-party-deps.json
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/node-runtime-worker-thread-${executable_os_id}${extra_upload_tag}-first-party-deps.json
+        bucket: mciuploads
+        permissions: public-read
+        content_type: application/json
   download_compiled_artifact:
     - command: s3.get
       type: setup
@@ -543,7 +570,7 @@ functions:
       params:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
-        local_file: src/.sbom/<% out(filename) %>
+        local_file: src/.sbom/mongosh/<% out(filename) %>
         remote_file: mongosh/binaries/${revision}/${revision_order_id}/<% out(filename) %>
         bucket: mciuploads
   <% } %>
@@ -558,7 +585,7 @@ functions:
           .evergreen/create-static-analysis-report.sh
         env:
           NODE_JS_VERSION: ${node_js_version}
-          FIRST_PARTY_DEPENDENCY_FILENAMES: <% out(firstPartyDepsFilenames.map(f => `.sbom/${f}`).join(',')) %>
+          FIRST_PARTY_DEPENDENCY_FILENAMES: <% out(firstPartyDepsFilenames.map(f => `.sbom/mongosh/${f}`).join(',')) %>
           GITHUB_TOKEN: ${github_token}
           GITHUB_PR_NUMBER: ${github_pr_number}
     - command: s3.put
@@ -853,7 +880,7 @@ functions:
         bucket: mciuploads
         permissions: private
         visibility: signed
-        local_file: src/.sbom/dependencies.json
+        local_file: src/.sbom/mongosh/dependencies.json
         remote_file: ${project}/${revision}_${revision_order_id}/dependencies.json
         content_type: application/json
         optional: true

config/build.conf.js

@@ -154,7 +154,7 @@ module.exports = {
           packagedFilePath: 'THIRD_PARTY_NOTICES'
         },
         {
-          sourceFilePath: path.resolve(path.dirname(EXECUTABLE_PATH), '.sbom.json'),
+          sourceFilePath: path.resolve(path.dirname(EXECUTABLE_PATH), '.sbom/mongosh/sbom.json'),
           packagedFilePath: '.sbom.json'
         },
       ],

package.json

@@ -49,22 +49,20 @@
     "check-coverage": "nyc check-coverage --lines=90",
     "generate-error-overview": "npm run generate-error-overview --workspace @mongosh/errors",
     "update-authors": "ts-node -P configs/tsconfig-mongosh/tsconfig.common.json scripts/generate-authors.ts",
-    "create-dependency-sbom-lists": "npm run webpack-build -w packages/cli-repl && npm run write-node-js-dep && npm run create-purls-file && npm run create-first-party-dependency-lists",
-    "create-first-party-dependency-lists": "mongodb-sbom-tools fetch-codeql-results --first-party-deps-list-dest=.sbom/first-party-deps.json --dependencies=.sbom/dependencies.json --exclude-repos=mongodb-js/kerberos,mongodb-client-encryption",
-    "create-purls-file": "node scripts/create-purls.js .sbom/dependencies.json .sbom/node-js-dep.json > .sbom/purls.txt",
+    "write-node-js-dep": "mkdir -p .sbom && node scripts/write-nodejs-dep > .sbom/node-js-dep.json",
+    "create-dependency-sbom-lists": "npm run write-node-js-dep && npm run create-dependency-sbom-lists --workspaces --if-present",
     "preupdate-third-party-notices": "npm run create-dependency-sbom-lists",
-    "update-third-party-notices": "mongodb-sbom-tools generate-3rd-party-notices --product='mongosh' --dependencies=.sbom/dependencies.json > THIRD_PARTY_NOTICES.md",
+    "update-third-party-notices": "mongodb-sbom-tools generate-3rd-party-notices --product='mongosh' --dependencies=.sbom/mongosh/dependencies.json > THIRD_PARTY_NOTICES.md",
     "update-node-js-versions": "npx @pkgjs/nv ls v20 > .evergreen/node-20-latest.json",
     "update-evergreen-config": "npm run test-evergreen-expansions && node .evergreen/generate-evergreen-yml.js .evergreen/evergreen.yml.in > .evergreen.yml",
     "update-cli-usage-text": "node scripts/update-cli-usage-text.js",
     "update-security-test-summary": "ts-node scripts/generate-security-test-summary.ts > docs/security-test-summary.md",
     "mark-ci-required-optional-dependencies": "ts-node scripts/mark-ci-required-optional-dependencies.ts",
-    "write-node-js-dep": "node scripts/write-nodejs-dep > .sbom/node-js-dep.json",
     "scan-node-js": "mongodb-sbom-tools scan-node-js --version=$NODE_JS_VERSION > .sbom/node-js-vuln.json",
     "snyk-test": "node scripts/snyk-test.js",
     "pregenerate-vulnerability-report": "npm run create-dependency-sbom-lists && npm run snyk-test && npm run scan-node-js",
-    "generate-vulnerability-report": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json,.sbom/node-js-vuln.json --dependencies=.sbom/dependencies.json,.sbom/node-js-dep.json --fail-on=high > .sbom/vulnerability-report.md",
-    "create-vulnerability-tickets": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json,.sbom/node-js-vuln.json --dependencies=.sbom/dependencies.json,.sbom/node-js-dep.json --create-jira-issues",
+    "generate-vulnerability-report": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json,.sbom/node-js-vuln.json --dependencies=.sbom/mongosh/dependencies.json,.sbom/node-js-dep.json --fail-on=high > .sbom/vulnerability-report.md",
+    "create-vulnerability-tickets": "mongodb-sbom-tools generate-vulnerability-report --snyk-reports=.sbom/snyk-test-result.json,.sbom/node-js-vuln.json --dependencies=.sbom/mongosh/dependencies.json,.sbom/node-js-dep.json --create-jira-issues",
     "create-static-analysis-report": "mongodb-sbom-tools fetch-codeql-results --sarif-dest=.sbom/codeql.sarif.json",
     "postcreate-static-analysis-report": "mongodb-sbom-tools sarif-to-markdown --sarif=.sbom/codeql.sarif.json --md=.sbom/codeql.md",
     "where": "monorepo-where",