PYTHON-4389 Add SBOM and CodeQL for Python (#823)

* PYTHON-4389 Add SBOM and CodeQL for Python

* fix shell script

* lint

* include sbom

* update manifest

* update manifest

.github/dependabot.yml

@@ -9,6 +9,12 @@ updates:
       actions:
         patterns:
           - "*"
-    # Add assignees
+    assignees:
+      - "@mongodb/dbx-python"
+  # Python
+  - package-ecosystem: "pip"
+    directory: "/bindings/python"
+    schedule:
+      interval: "weekly"
     assignees:
       - "@mongodb/dbx-python"

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master"]
+    tags: ['*']
+  pull_request:
+    paths:
+      - bindings/python/**/*.py
+  schedule:
+    - cron: '17 10 * * 2'
+
+jobs:
+  analyze-python:
+    name: Analyze Python
+    runs-on: "ubuntu-latest"
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - uses: actions/setup-python@v3
+      with:
+        python-version: 3.x
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: python
+        build-mode: manual
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-extended
+        config: |
+          paths:
+            - bindings/python/pymongocrypt
+
+    - name: Install package
+      run: |
+        cd bindings/python
+        bash release.sh
+        pip install dist/*.whl
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:python"

bindings/python/.evergreen/test.sh

@@ -99,3 +99,13 @@ for PYTHON_BINARY in "${PYTHONS[@]}"; do
     deactivate
     rm -rf .venv
 done
+
+# Verify the sbom file
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+EXPECTED="pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION"
+if grep -q $EXPECTED sbom.json; then
+  echo "SBOM is up to date!"
+else
+  echo "SBOM is out of date! Run the \"update-sbom.sh\" script."
+  exit 1
+fi

bindings/python/MANIFEST.in

@@ -2,11 +2,13 @@ include README.rst
 include LICENSE
 include pyproject.toml
 include *requirements.txt
+include sbom.json
 include CHANGELOG.rst
 recursive-include pymongocrypt *.py
 recursive-include requirements *.txt
 exclude build-manylinux-wheel.sh
-exclude release.sh
+exclude *.sh
+exclude libmongocrypt-version.txt
 exclude RELEASE.rst
 exclude strip_header.py
 exclude synchro.py

bindings/python/libmongocrypt-version.txt

@@ -0,0 +1 @@
+1.9.0

bindings/python/release.sh

@@ -16,7 +16,8 @@ set -o xtrace   # Write all commands first to stderr
 set -o errexit  # Exit the script with error if any of the commands fail
 
 # The libmongocrypt git revision release to embed in our wheels.
-REVISION=$(git rev-list -n 1 1.9.0)
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+REVISION=$(git rev-list -n 1 $LIBMONGOCRYPT_VERSION)
 # The libmongocrypt release branch.
 BRANCH="r1.9"
 # The python executable to use.

bindings/python/sbom.json

@@ -0,0 +1,76 @@
+{
+  "components": [
+    {
+      "bom-ref": "pkg:github/mongodb/libmongocrypt@1.9.0",
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://github.com/mongodb/libmongocrypt/archive/refs/tags/1.9.0.tar.gz"
+        },
+        {
+          "type": "website",
+          "url": "https://github.com/mongodb/libmongocrypt/tree/1.9.0"
+        }
+      ],
+      "group": "mongodb",
+      "name": "libmongocrypt",
+      "purl": "pkg:github/mongodb/libmongocrypt@1.9.0",
+      "type": "library",
+      "version": "1.9.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:github/mongodb/libmongocrypt@1.9.0"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2024-06-03T13:55:11.135812+00:00",
+    "tools": [
+      {
+        "externalReferences": [
+          {
+            "type": "build-system",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
+          },
+          {
+            "type": "distribution",
+            "url": "https://pypi.org/project/cyclonedx-python-lib/"
+          },
+          {
+            "type": "documentation",
+            "url": "https://cyclonedx-python-library.readthedocs.io/"
+          },
+          {
+            "type": "issue-tracker",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
+          },
+          {
+            "type": "license",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
+          },
+          {
+            "type": "release-notes",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
+          },
+          {
+            "type": "vcs",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
+          },
+          {
+            "type": "website",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
+          }
+        ],
+        "name": "cyclonedx-python-lib",
+        "vendor": "CycloneDX",
+        "version": "6.4.4"
+      }
+    ]
+  },
+  "serialNumber": "urn:uuid:e7358393-f4d3-4856-98bb-22547b234979",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5"
+}

bindings/python/update-sbom.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eux
+
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+if [ $(command -v podman) ]; then
+    DOCKER=podman
+else
+    DOCKER=docker
+fi
+
+echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt
+$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
+rm purls.txt