Merge branch 'master' into godriver3397-remove-cr

Author: matthewdale

.github/workflows/scorecard.yml

@@ -0,0 +1,78 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '24 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

README.md

@@ -4,6 +4,9 @@
   <a href="https://pkg.go.dev/go.mongodb.org/mongo-driver/v2/mongo"><img src="etc/assets/godev-mongo-blue.svg" alt="docs"></a>
   <a href="https://pkg.go.dev/go.mongodb.org/mongo-driver/v2/bson"><img src="etc/assets/godev-bson-blue.svg" alt="docs"></a>
   <a href="https://www.mongodb.com/docs/drivers/go/current/"><img src="etc/assets/docs-mongodb-green.svg"></a>
+  <a href="https://securityscorecards.dev/viewer/?uri=github.com/mongodb/mongo-go-driver">
+    <img src="https://api.securityscorecards.dev/projects/github.com/mongodb/mongo-go-driver/badge" alt="OpenSSF Scorecard" />
+  </a>
 </p>
 
 # MongoDB Go Driver

bson/doc.go

@@ -4,30 +4,14 @@
 // not use this file except in compliance with the License. You may obtain
 // a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
 
-// Package bson is a library for reading, writing, and manipulating BSON. BSON is a binary serialization format used to
-// store documents and make remote procedure calls in MongoDB. The BSON specification is located at https://bsonspec.org.
-// The BSON library handles marshaling and unmarshaling of values through a configurable codec system. For a description
-// of the codec system and examples of registering custom codecs, see the bsoncodec package. For additional information
-// and usage examples, check out the [Work with BSON] page in the Go Driver docs site.
-//
-// # Raw BSON
-//
-// The Raw family of types is used to validate and retrieve elements from a slice of bytes. This
-// type is most useful when you want do lookups on BSON bytes without unmarshaling it into another
-// type.
-//
-// Example:
-//
-//	var raw bson.Raw = ... // bytes from somewhere
-//	err := raw.Validate()
-//	if err != nil { return err }
-//	val := raw.Lookup("foo")
-//	i32, ok := val.Int32OK()
-//	// do something with i32...
+// Package bson is a library for reading, writing, and manipulating BSON. BSON is a binary serialization
+// format used to store documents and make remote procedure calls in MongoDB. For more information about
+// the Go BSON library, including usage examples, check out the [Work with BSON] page in the Go Driver
+// docs site. For more information about BSON, see https://bsonspec.org.
 //
 // # Native Go Types
 //
-// The D and M types defined in this package can be used to build representations of BSON using native Go types. D is a
+// The [D] and [M] types defined in this package can be used to build representations of BSON using native Go types. D is a
 // slice and M is a map. For more information about the use cases for these types, see the documentation on the type
 // definitions.
 //
@@ -93,26 +77,16 @@
 //  5. When unmarshaling, a field of type interface{} will follow the D/M type mappings listed above. BSON documents
 //     unmarshaled into an interface{} field will be unmarshaled as a D.
 //
-// The encoding of each struct field can be customized by the "bson" struct tag.
-//
-// This tag behavior is configurable, and different struct tag behavior can be configured by initializing a new
-// bsoncodec.StructCodec with the desired tag parser and registering that StructCodec onto the Registry. By default, JSON
-// tags are not honored, but that can be enabled by creating a StructCodec with JSONFallbackStructTagParser, like below:
-//
-// Example:
-//
-//	structcodec, _ := bsoncodec.NewStructCodec(bsoncodec.JSONFallbackStructTagParser)
-//
-// The bson tag gives the name of the field, possibly followed by a comma-separated list of options.
-// The name may be empty in order to specify options without overriding the default field name. The following options can
-// be used to configure behavior:
+// The encoding of each struct field can be customized by the "bson" struct tag. The "bson" tag gives the name of the
+// field, followed by a comma-separated list of options. The name may be omitted in order to specify options without
+// overriding the default field name. The following options can be used to configure behavior:
 //
 //  1. omitempty: If the "omitempty" struct tag is specified on a field, the field will not be marshaled if it is set to
 //     an "empty" value. Numbers, booleans, and strings are considered empty if their value is equal to the zero value for
 //     the type (i.e. 0 for numbers, false for booleans, and "" for strings). Slices, maps, and arrays are considered
 //     empty if they are of length zero. Interfaces and pointers are considered empty if their value is nil. By default,
-//     structs are only considered empty if the struct type implements [bsoncodec.Zeroer] and the IsZero
-//     method returns true. Struct types that do not implement [bsoncodec.Zeroer] are never considered empty and will be
+//     structs are only considered empty if the struct type implements [Zeroer] and the "IsZero"
+//     method returns true. Struct types that do not implement [Zeroer] are never considered empty and will be
 //     marshaled as embedded documents. NOTE: It is recommended that this tag be used for all slice and map fields.
 //
 //  2. minsize: If the minsize struct tag is specified on a field of type int64, uint, uint32, or uint64 and the value of
@@ -134,22 +108,34 @@
 //     error will be returned. This tag can be used with fields that are pointers to structs. If an inlined pointer field
 //     is nil, it will not be marshaled. For fields that are not maps or structs, this tag is ignored.
 //
-// # Marshaling and Unmarshaling
+// # Raw BSON
 //
-// Manually marshaling and unmarshaling can be done with the Marshal and Unmarshal family of functions.
+// The Raw family of types is used to validate and retrieve elements from a slice of bytes. This
+// type is most useful when you want do lookups on BSON bytes without unmarshaling it into another
+// type.
 //
-// bsoncodec code provides a system for encoding values to BSON representations and decoding
-// values from BSON representations. This package considers both binary BSON and ExtendedJSON as
-// BSON representations. The types in this package enable a flexible system for handling this
-// encoding and decoding.
+// Example:
 //
-// The codec system is composed of two parts:
+//	var raw bson.Raw = ... // bytes from somewhere
+//	err := raw.Validate()
+//	if err != nil { return err }
+//	val := raw.Lookup("foo")
+//	i32, ok := val.Int32OK()
+//	// do something with i32...
+//
+// # Custom Registry
+//
+// The Go BSON library uses a [Registry] to define encoding and decoding behavior for different data types.
+// The default encoding and decoding behavior can be customized or extended by using a modified Registry.
+// The custom registry system is composed of two parts:
 //
 // 1) [ValueEncoder] and [ValueDecoder] that handle encoding and decoding Go values to and from BSON
 // representations.
 //
 // 2) A [Registry] that holds these ValueEncoders and ValueDecoders and provides methods for
 // retrieving them.
 //
+// To use a custom Registry, use [Encoder.SetRegistry] or [Decoder.SetRegistry].
+//
 // [Work with BSON]: https://www.mongodb.com/docs/drivers/go/current/fundamentals/bson/
 package bson

internal/integration/unified/matches.go

@@ -242,19 +242,32 @@ func evaluateSpecialComparison(ctx context.Context, assertionDoc bson.Raw, actua
 			return fmt.Errorf("expected lsid %v, got %v", expectedID, actualID)
 		}
 	case "$$lte":
-		if assertionVal.Type != bson.TypeInt32 && assertionVal.Type != bson.TypeInt64 {
-			return fmt.Errorf("expected assertionVal to be an Int32 or Int64 but got a %s", assertionVal.Type)
+		if assertionVal.Type != bson.TypeInt32 && assertionVal.Type != bson.TypeInt64 && assertionVal.Type != bson.TypeDouble {
+			return fmt.Errorf("expected assertionVal to be an Int32, Int64, or Double but got a %s", assertionVal.Type)
 		}
-		if actual.Type != bson.TypeInt32 && actual.Type != bson.TypeInt64 {
-			return fmt.Errorf("expected value to be an Int32 or Int64 but got a %s", actual.Type)
+		if actual.Type != bson.TypeInt32 && actual.Type != bson.TypeInt64 && assertionVal.Type != bson.TypeDouble {
+			return fmt.Errorf("expected value to be an Int32, Int64, or Double but got a %s", actual.Type)
 		}
 
 		// Numeric values can be compared even if their types are different (e.g. if expected is an int32 and actual
 		// is an int64).
-		expectedInt64 := assertionVal.AsInt64()
-		actualInt64 := actual.AsInt64()
-		if actualInt64 > expectedInt64 {
-			return fmt.Errorf("expected numeric value %d to be less than or equal %d", actualInt64, expectedInt64)
+
+		// TODO(GODRIVER-3594): If we decide to add AsDoubleOK() as a method to RawValue, this following conversion should be updated.
+		var expectedF64 float64
+		if assertionVal.Type == bson.TypeDouble {
+			expectedF64 = assertionVal.Double()
+		} else {
+			expectedF64 = float64(assertionVal.AsInt64())
+		}
+		var actualF64 float64
+		if actual.Type == bson.TypeDouble {
+			actualF64 = actual.Double()
+		} else {
+			actualF64 = float64(actual.AsInt64())
+		}
+
+		if actualF64 > expectedF64 {
+			return fmt.Errorf("expected numeric value %f to be less than or equal %f", actualF64, expectedF64)
 		}
 		return nil
 	case "$$matchAsDocument":

internal/integtest/integtest.go

@@ -223,6 +223,10 @@ func AddServerlessAuthCredentials(uri string) (string, error) {
 
 // ConnString gets the globally configured connection string.
 func ConnString(t *testing.T) *connstring.ConnString {
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+
 	connectionStringOnce.Do(func() {
 		uri, err := MongoDBURI()
 		require.NoError(t, err, "error constructing mongodb URI: %v", err)

internal/spectest/skip.go

@@ -11,10 +11,6 @@ import "testing"
 // skipTests is a map of "fully-qualified test name" to "the reason for skipping
 // the test".
 var skipTests = map[string][]string{
-	// TODO(GODRIVER-3518): Test flexible numeric comparisons with $$lte
-	"Modifies $$lte operator test to also use floating point and Int64 types (GODRIVER-3518)": {
-		"TestUnifiedSpec/unified-test-format/tests/valid-pass/operator-lte.json/special_lte_matching_operator",
-	},
 
 	// SPEC-1403: This test checks to see if the correct error is thrown when auto
 	// encrypting with a server < 4.2. Currently, the test will fail because a

internal/test/aws/aws_test.go

@@ -20,9 +20,11 @@ import (
 
 func TestAWS(t *testing.T) {
 	uri := os.Getenv("MONGODB_URI")
+	if uri == "" {
+		t.Skip("Skipping test: MONGODB_URI environment variable is not set")
+	}
 
 	client, err := mongo.Connect(options.Client().ApplyURI(uri))
-	require.NoError(t, err, "Connect error")
 
 	defer func() {
 		err = client.Disconnect(context.Background())

internal/test/compilecheck/compile_check_test.go

@@ -8,36 +8,38 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"io"
-	"net/http"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
-	"golang.org/x/mod/semver"
 )
 
 // TODO(GODRIVER-3515): This module cannot be included in the workspace since it
 // requires a version of klauspost/compress that is not compatible with the Go
 // Driver. Must use GOWORK=off to run this test.
 
-const minSupportedVersion = "1.19"
+// TODO(GODRIVER-3592): Add "1.25" to the list when Go 1.25 is released.
+// Estimated release date is August 2025.
+var versions = []string{
+	"1.19",
+	"1.20",
+	"1.21",
+	"1.22",
+	"1.23",
+	"1.24",
+}
 
 func TestCompileCheck(t *testing.T) {
 	cwd, err := os.Getwd()
 	require.NoError(t, err)
 
 	rootDir := filepath.Dir(filepath.Dir(filepath.Dir(cwd)))
 
-	versions, err := getDockerGolangImages()
-	require.NoError(t, err)
-
 	for _, version := range versions {
 		version := version // Capture range variable.
 
@@ -85,67 +87,3 @@ func TestCompileCheck(t *testing.T) {
 		})
 	}
 }
-
-// getDockerGolangImages retrieves the available Golang Docker image tags from
-// Docker Hub that are considered valid and meet the specified version
-// condition. It returns a slice of version strings in the MajorMinor format and
-// an error, if any.
-func getDockerGolangImages() ([]string, error) {
-	// URL to fetch the Golang tags from Docker Hub with a page size of 100
-	// records.
-	var url = "https://hub.docker.com/v2/repositories/library/golang/tags?page_size=100"
-
-	versionSet := map[string]bool{}
-	versions := []string{}
-
-	// Iteratively fetch and process tags from Docker Hub as long as there is a
-	// valid next page URL.
-	for url != "" {
-		resp, err := http.Get(url)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get response from Docker Hub: %w", err)
-		}
-
-		var data struct {
-			Results []struct {
-				Name string `json:"name"`
-			} `json:"results"`
-			Next string `json:"next"` // URL of the next page for pagination.
-		}
-
-		if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
-			resp.Body.Close()
-
-			return nil, fmt.Errorf("failed to decode response Body from Docker Hub: %w", err)
-		}
-
-		resp.Body.Close()
-
-		for _, tag := range data.Results {
-			// Skip tags that don't start with a digit (typically version numbers).
-			if len(tag.Name) == 0 || tag.Name[0] < '0' || tag.Name[0] > '9' {
-				continue
-			}
-
-			// Split the tag name and extract the base version part.
-			// This handles tags like `1.18.1-alpine` by extracting `1.18.1`.
-			base := strings.Split(tag.Name, "-")[0]
-
-			// Reduce the base version to MajorMinor format (e.g., `v1.18`).
-			baseMajMin := semver.MajorMinor("v" + base)
-			if !semver.IsValid(baseMajMin) || versionSet[baseMajMin] {
-				continue
-			}
-
-			if semver.Compare(baseMajMin, "v"+minSupportedVersion) >= 0 {
-				versionSet[baseMajMin] = true
-				versions = append(versions, baseMajMin[1:])
-			}
-		}
-
-		// Move to the next page of results, set by the `Next` field.
-		url = data.Next
-	}
-
-	return versions, nil
-}

internal/test/compilecheck/go.mod

@@ -7,7 +7,6 @@ toolchain go1.23.1
 require (
 	github.com/stretchr/testify v1.10.0
 	github.com/testcontainers/testcontainers-go v0.35.0
-	golang.org/x/mod v0.24.0
 )
 
 require (