From 688180fff13c26155badfa925982d56054765b8a Mon Sep 17 00:00:00 2001 From: wbradmoore Date: Tue, 30 Jul 2024 14:46:12 -0400 Subject: [PATCH] SERVER-91464: Generate README.third_party.md from sbom.json (#24780) GitOrigin-RevId: 3412ce4befa333c3f43fe166d0e7f635e92a1281 --- README.third_party.md | 199 +++++----- sbom.json | 340 ++++++++++++++++++ .../scripts/README.third_party.md.template | 72 ++++ .../scripts/gen_thirdpartyreadme.py | 204 +++++++++++ 4 files changed, 723 insertions(+), 92 deletions(-) create mode 100644 src/third_party/scripts/README.third_party.md.template create mode 100644 src/third_party/scripts/gen_thirdpartyreadme.py diff --git a/README.third_party.md b/README.third_party.md index 374e456d5e7..3f28a0eae3e 100644 --- a/README.third_party.md +++ b/README.third_party.md @@ -1,3 +1,5 @@ +[DO NOT MODIFY THIS FILE MANUALLY. It is generated by src/third_party/tools/gen_thirdpartyreadme.py]: # + # MongoDB Third Party Dependencies MongoDB depends on third party libraries to implement some 
@@ -19,94 +21,107 @@ not authored by MongoDB, and has a license which requires reproduction, a notice will be included in `THIRD-PARTY-NOTICES`. -| Name | License | Vendored Version | Emits persisted data | Distributed in Release Binaries | -| -------------------------- | -------------------------------------------------------------- | -------------------------------------------------- | :------------------: | :-----------------------------: | -| [abseil-cpp] | Apache-2.0 | 20230802.1 | | ✗ | -| [Aladdin MD5] | Zlib | Unknown | ✗ | ✗ | -| [ASIO] | BSL-1.0 | 1.12.2 | | ✗ | -| [benchmark] | Apache-2.0 | 1.5.2 | | | -| [Boost] | BSL-1.0 | 1.79.0 | | ✗ | -| [c-ares] | MIT | 1.19.1 | | ✗ | -| [CRoaring] | Apache-2.0/ MIT | 2.1.2.1 | | ✗ | -| [fmt] | BSD-2-Clause | 7.1.3 | | ✗ | -| [GPerfTools] | BSD-3-Clause | 2.9.1 | | ✗ | -| [gRPC] | Apache-2.0 | 1.59.2 | | ✗ | -| [ICU4] | ICU | 57.1 | ✗ | ✗ | -| [immer] | BSL-1.0 | d98a68c + changes | | ✗ | -| [Intel Decimal FP Library] | BSD-3-Clause | 2.0 Update 1 | | ✗ | -| [JSON-Schema-Test-Suite] | MIT | 728066f9c5 | | | -| [libstemmer] | BSD-3-Clause | Unknown | ✗ | ✗ | -| [librdkafka] | BSD-2-Clause | 2.0.2 | | | -| [libmongocrypt] | Apache-2.0 | 1.8.4 | ✗ | ✗ | -| [linenoise] | BSD-3-Clause | 6cdc775 + changes | | ✗ | -| [mongo-c-driver] | Apache-2.0 | 1.27.1 | ✗ | ✗ | -| [MozJS] | MPL-2.0 | ESR 115.7 | | ✗ | -| [MurmurHash3] | Public Domain | a6bd3ce + changes | ✗ | ✗ | -| [ocspbuilder] | MIT | 0.10.2 | | | -| [ocspresponder] | Apache-2.0 | 0.5.0 | | | -| [pcre2] | BSD-3-Clause | 10.40 | | ✗ | -| [protobuf] | BSD-3-Clause | 4.25.0 | | ✗ | -| [re2] | BSD-3-Clause | 2021-09-01 | | ✗ | -| [S2] | Apache-2.0 | c872048da5d1 + changes | ✗ | ✗ | -| [SafeInt] | MIT | 3.0.26 | | | -| [schemastore.org] | Apache-2.0 | 6847cfc3a1 | | | -| [scons] | MIT | 3.1.2 | | | -| [Snappy] | BSD-3-Clause | 1.1.10 | ✗ | ✗ | -| [TCMalloc] | Apache-2.0 | 093ba93 + changes | | ✗ | -| [timelib] | MIT | 2022.10 | | ✗ | -| [TomCrypt] | Public Domain | 
1.18.2 | ✗ | ✗ | -| [Unicode] | Unicode-DFS-2015 | 8.0.0 | ✗ | ✗ | -| [libunwind] | MIT | 1.6.2 + changes | | ✗ | -| [lz4] | BSD-2-Clause | 1.9.3 | | ✗ | -| [Valgrind] | BSD-4-Clause\[1] | 3.17.0 | | ✗ | -| [wiredtiger] | | \[2] | ✗ | ✗ | -| [xxHash] | BSD-2-Clause | 0.8.0 | | ✗ | -| [yaml-cpp] | MIT | 0.6.3 | | ✗ | -| [Zlib] | Zlib | 1.3 | ✗ | ✗ | -| [Zstandard] | BSD-3-Clause | 1.5.5 | ✗ | ✗ | -| [zydis] | MIT | 4d4fe4c293c5438f32688b14b29017ae3f48369e | | ✗ | +| Name | License | Vendored Version | Emits persisted data | Distributed in Release Binaries | +| ---------------------------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------------- | -------------------- | ------------------------------- | +| [Abseil] | Apache-2.0 | 20230802.1 | | ✗ | +| [arximboldi/immer] | BSL-1.0 | Unknown | | ✗ | +| [Asio C++ Library] | BSL-1.0 | 1.12.2 | | ✗ | +| [benchmark] | Apache-2.0 | v1.5.2 | | | +| [Boost C++ Libraries - boost] | BSL-1.0 | 1.79.0 | | ✗ | +| [c-ares] | MIT | 1.19.1 | | ✗ | +| [concurrencytest] | GPL-3.0-or-later | 0.1.2 | unknown | | +| [Cyrus SASL] | BSD-Attribution-HPND-disclaimer | 2.1.26 | unknown | | +| [dcleblanc/SafeInt] | MIT | 3.0.26 | | ✗ | +| [derickr/timelib] | MIT | 2022.10 | | ✗ | +| [discover] | BSD-3-Clause | 0.4.0 | unknown | | +| [fmtlib/fmt] | MIT | 7.1.3 | | ✗ | +| [google-re2] | BSD-3-Clause | 2023-11-01 | | ✗ | +| [google-snappy] | BSD-3-Clause | 1.1.10 | ✗ | ✗ | +| [google/s2geometry] | Apache-2.0 | Unknown | ✗ | ✗ | +| [gperftools] | BSD-3-Clause | 2.9.1 | | ✗ | +| [grpc] | Apache-2.0 | 1.59.2 | | ✗ | +| [ICU for C/C++ (ICU4C)] | BSD-3-Clause, MIT v2 with Ad Clause License, Public Domain, BSD-2-Clause | 57.1 | ✗ | ✗ | +| [Intel Decimal Floating-Point Math Library] | BSD-3-Clause | v2.0 U1 | | ✗ | +| [jbeder/yaml-cpp] | MIT | 0.6.3 | | ✗ | +| [JSON-Schema-Test-Suite] | Unknown License | Unknown | | | +| [libmongocrypt] | Apache-2.0 | 1.8.4 
| ✗ | ✗ | +| [librdkafka - the Apache Kafka C/C++ client library] | BSD-3-Clause, Xmlproc License, ISC, MIT, Public Domain, Zlib, BSD-2-Clause, Andreas Stolcke License | 2.0.2 | | ✗ | +| [LibTomCrypt] | WTFPL, Public Domain | 1.18.2 | ✗ | ✗ | +| [libunwind/libunwind] | MIT | v1.6.2 | | ✗ | +| [linenoise] | BSD-2-Clause | Unknown | | ✗ | +| [MongoDB C Driver] | Apache-2.0 | 1.27.1 | ✗ | ✗ | +| [Mozilla Firefox] | MPL-2.0 | 115.7.0esr | unknown | ✗ | +| [nlohmann.json.decomposed] | MIT | 3.10.5 | unknown | | +| [node] | ISC | 22.1.0 | unknown | | +| [ocspbuilder] | MIT | 0.10.2 | | | +| [ocspresponder] | Apache-2.0 | 0.5.0 | | | +| [PCRE2] | BSD-3-Clause, Public Domain | 10.40 | | ✗ | +| [Protobuf] | BSD-3-Clause | v4.25.0 | | ✗ | +| [pyiso8601] | MIT | 2.1.0 | unknown | | +| [RoaringBitmap/CRoaring] | Unknown License | v3.0.1 | | ✗ | +| [SchemaStore/schemastore] | Apache-2.0 | Unknown | | | +| [SCons - a Software Construction tool] | MIT | 3.1.2 | | ✗ | +| [smhasher] | Unknown License | Unknown | unknown | ✗ | +| [Snowball Stemming Algorithms] | BSD-3-Clause | Unknown | unknown | ✗ | +| [subunit] | BSD-3-Clause, Apache-2.0 | 1.4.4 | unknown | | +| [tcmalloc] | Apache-2.0 | 20230227-snapshot-093ba93c | | ✗ | +| [testing-cabal/extras] | MIT | 0.0.3 | unknown | | +| [testscenarios] | BSD-3-Clause, Apache-2.0 | 0.4 | unknown | | +| [testtools] | MIT | 2.7.1 | unknown | | +| [unicode-data] | Unicode-DFS-2016 | 8.0 | ✗ | ✗ | +| [valgrind] | GPL-2.0-or-later | Unknown | | ✗ | +| [zlib] | Zlib | v1.3 | ✗ | ✗ | +| [zstd] | BSD-3-Clause, GPL-2.0-or-later | 1.5.5 | ✗ | ✗ | -[abseil-cpp]: https://github.com/abseil/abseil-cpp -[ASIO]: https://github.com/chriskohlhoff/asio -[benchmark]: https://github.com/google/benchmark -[Boost]: http://www.boost.org/ -[CRoaring]: https://github.com/RoaringBitmap/CRoaring -[fmt]: http://fmtlib.net/ -[GPerfTools]: https://github.com/gperftools/gperftools -[gRPC]: https://github.com/grpc/grpc -[ICU4]: http://site.icu-project.org/download/ 
-[immer]: https://github.com/arximboldi/immer -[Intel Decimal FP Library]: https://software.intel.com/en-us/articles/intel-decimal-floating-point-math-library +[Abseil]: https://github.com/abseil/abseil-cpp +[Asio C++ Library]: https://github.com/chriskohlhoff/asio +[Boost C++ Libraries - boost]: http://www.boost.org/ +[Cyrus SASL]: https://www.cyrusimap.org/sasl/ +[ICU for C/C++ (ICU4C)]: http://site.icu-project.org/download/ +[Intel Decimal Floating-Point Math Library]: https://software.intel.com/en-us/articles/intel-decimal-floating-point-math-library [JSON-Schema-Test-Suite]: https://github.com/json-schema-org/JSON-Schema-Test-Suite -[libstemmer]: https://github.com/snowballstem/snowball -[librdkafka]: https://github.com/confluentinc/librdkafka +[LibTomCrypt]: https://github.com/libtom/libtomcrypt/releases +[MongoDB C Driver]: https://github.com/mongodb/mongo-c-driver +[Mozilla Firefox]: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr +[PCRE2]: http://www.pcre.org/ +[Protobuf]: https://github.com/protocolbuffers/protobuf +[RoaringBitmap/CRoaring]: https://github.com/RoaringBitmap/CRoaring +[SCons - a Software Construction tool]: https://github.com/SCons/scons +[SchemaStore/schemastore]: https://www.schemastore.org/json/ +[Snowball Stemming Algorithms]: https://github.com/snowballstem/snowball +[arximboldi/immer]: https://github.com/arximboldi/immer +[benchmark]: https://github.com/google/benchmark +[c-ares]: https://c-ares.org/ +[concurrencytest]: https://pypi.org/project/concurrencytest/ +[dcleblanc/SafeInt]: https://github.com/dcleblanc/SafeInt +[derickr/timelib]: https://github.com/derickr/timelib +[discover]: https://pypi.org/project/discover/ +[fmtlib/fmt]: http://fmtlib.net/ +[google-re2]: https://github.com/google/re2 +[google-snappy]: https://github.com/google/snappy/releases +[google/s2geometry]: https://github.com/google/s2geometry +[gperftools]: https://github.com/gperftools/gperftools +[grpc]: https://github.com/grpc/grpc 
+[jbeder/yaml-cpp]: https://github.com/jbeder/yaml-cpp/releases [libmongocrypt]: https://github.com/mongodb/libmongocrypt +[librdkafka - the Apache Kafka C/C++ client library]: https://github.com/confluentinc/librdkafka +[libunwind/libunwind]: http://www.nongnu.org/libunwind/ [linenoise]: https://github.com/antirez/linenoise -[lz4]: https://github.com/lz4/lz4 -[mongo-c-driver]: https://github.com/mongodb/mongo-c-driver -[MozJS]: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr -[MurmurHash3]: https://github.com/aappleby/smhasher/blob/a6bd3ce/ +[nlohmann.json.decomposed]: https://www.nuget.org/packages/nlohmann.json.decomposed +[node]: https://nodejs.org/en/blog/release [ocspbuilder]: https://github.com/wbond/ocspbuilder [ocspresponder]: https://github.com/threema-ch/ocspresponder -[pcre2]: http://www.pcre.org/ -[protobuf]: https://github.com/protocolbuffers/protobuf -[S2]: https://github.com/google/s2geometry -[SafeInt]: https://github.com/dcleblanc/SafeInt -[schemastore.org]: https://www.schemastore.org/json/ -[scons]: https://github.com/SCons/scons -[Snappy]: https://github.com/google/snappy/releases -[TCMalloc]: https://github.com/google/tcmalloc -[timelib]: https://github.com/derickr/timelib -[TomCrypt]: https://github.com/libtom/libtomcrypt/releases -[Unicode]: http://www.unicode.org/versions/enumeratedversions.html -[libunwind]: http://www.nongnu.org/libunwind/ -[Valgrind]: http://valgrind.org/downloads/current.html -[wiredtiger]: https://github.com/wiredtiger/wiredtiger -[xxHash]: https://github.com/Cyan4973/xxHash -[yaml-cpp]: https://github.com/jbeder/yaml-cpp/releases -[Zlib]: https://zlib.net/ -[Zstandard]: https://github.com/facebook/zstd -[zydis]: https://github.com/zyantific/zydis +[pyiso8601]: https://pypi.org/project/iso8601/ +[smhasher]: https://github.com/aappleby/smhasher/blob/a6bd3ce/ +[subunit]: https://github.com/testing-cabal/subunit +[tcmalloc]: https://github.com/google/tcmalloc +[testing-cabal/extras]: 
https://github.com/testing-cabal/extras +[testscenarios]: https://pypi.org/project/testscenarios/ +[testtools]: https://github.com/testing-cabal/testtools +[unicode-data]: http://www.unicode.org/versions/enumeratedversions.html +[valgrind]: http://valgrind.org/downloads/current.html +[zlib]: https://zlib.net/ +[zstd]: https://github.com/facebook/zstd ## WiredTiger Vendored Test Libraries @@ -114,16 +129,16 @@ The following Python libraries are transitively included by WiredTiger, and are used by that component for testing. They don't appear in released binary artifacts. -| Name | -| :-------------- | -| concurrencytest | -| discover | -| extras | -| iso8601 | -| nlohmann/json | -| python-subunit | -| testscenarios | -| testtools | +| Name | +| ------------------------ | +| concurrencytest | +| discover | +| nlohmann.json.decomposed | +| pyiso8601 | +| subunit | +| testing-cabal/extras | +| testscenarios | +| testtools | ## Dynamically Linked Libraries diff --git a/sbom.json b/sbom.json index ec02442cf27..46cc1e35079 100644 --- a/sbom.json +++ b/sbom.json @@ -36,6 +36,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/abseil/abseil-cpp" } ], "type": "library", @@ -66,6 +74,14 @@ { "name": "internal:team_responsible", "value": "Storage Execution" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/arximboldi/immer" } ], "type": "library", @@ -98,6 +114,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/chriskohlhoff/asio" } ], "type": "library", 
@@ -129,6 +153,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/google/benchmark" } ], "type": "library", @@ -160,6 +192,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "http://www.boost.org/" } ], "type": "library", @@ -191,6 +231,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://c-ares.org/" } ], "type": "library", @@ -222,6 +270,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://pypi.org/project/concurrencytest/" } ], "type": "library", @@ -253,6 +305,10 @@ { "name": "internal:team_responsible", "value": "Build" + }, + { + "name": "info_link", + "value": "https://www.cyrusimap.org/sasl/" } ], "type": "library", @@ -277,6 +333,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/dcleblanc/SafeInt" } ], "type": "library", @@ -307,6 +371,14 @@ { "name": "internal:team_responsible", "value": "Query Execution" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/derickr/timelib" } ], "type": "library", @@ -339,6 +411,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://pypi.org/project/discover/" } ], "type": "library", 
@@ -370,6 +446,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "http://fmtlib.net/" } ], "type": "library", @@ -401,6 +485,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/google/re2" } ], "type": "library", @@ -431,6 +523,14 @@ { "name": "internal:team_responsible", "value": "Query Integration" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/google/s2geometry" } ], "type": "library", @@ -463,6 +563,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/google/snappy/releases" } ], "type": "library", @@ -494,6 +602,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/gperftools/gperftools" } ], "type": "library", @@ -525,6 +641,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/grpc/grpc" } ], "type": "library", @@ -571,6 +695,14 @@ { "name": "internal:team_responsible", "value": "Query Execution" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "http://site.icu-project.org/download/" } ], "type": "library", 
@@ -601,6 +733,14 @@ { "name": "internal:team_responsible", "value": "Storage Execution" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://software.intel.com/en-us/articles/intel-decimal-floating-point-math-library" } ], "type": "library", @@ -633,6 +773,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/jbeder/yaml-cpp/releases" } ], "type": "library", @@ -663,6 +811,14 @@ { "name": "internal:team_responsible", "value": "Query Optimization" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/json-schema-org/JSON-Schema-Test-Suite" } ], "type": "library", @@ -695,6 +851,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/mongodb/libmongocrypt" } ], "type": "library", @@ -761,6 +925,14 @@ { "name": "internal:team_responsible", "value": "Atlas Streams" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/confluentinc/librdkafka" } ], "type": "library", @@ -797,6 +969,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/libtom/libtomcrypt/releases" } ], "type": "library", @@ -828,6 +1008,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "http://www.nongnu.org/libunwind/" } ], "type": "library", 
@@ -858,6 +1046,14 @@ { "name": "internal:team_responsible", "value": "Build" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/antirez/linenoise" } ], "type": "library", @@ -893,6 +1089,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/mongodb/mongo-c-driver" } ], "type": "library", @@ -924,6 +1128,10 @@ { "name": "internal:team_responsible", "value": "Query Integration" + }, + { + "name": "info_link", + "value": "https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr" } ], "type": "library", @@ -955,6 +1163,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://www.nuget.org/packages/nlohmann.json.decomposed" } ], "type": "library", @@ -986,6 +1198,10 @@ { "name": "internal:team_responsible", "value": "Workload Scheduling" + }, + { + "name": "info_link", + "value": "https://nodejs.org/en/blog/release" } ], "type": "library", @@ -1017,6 +1233,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/wbond/ocspbuilder" } ], "type": "library", @@ -1048,6 +1272,14 @@ { "name": "internal:team_responsible", "value": "Server Security" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/threema-ch/ocspresponder" } ], "type": "library", @@ -1084,6 +1316,14 @@ { "name": "internal:team_responsible", "value": "Query Execution" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "http://www.pcre.org/" } ], "type": "library", 
@@ -1115,6 +1355,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/protocolbuffers/protobuf" } ], "type": "library", @@ -1146,6 +1394,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://pypi.org/project/iso8601/" } ], "type": "library", @@ -1177,6 +1429,14 @@ { "name": "internal:team_responsible", "value": "Query Execution" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/RoaringBitmap/CRoaring" } ], "type": "library", @@ -1207,6 +1467,14 @@ { "name": "internal:team_responsible", "value": "Query Optimization" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://www.schemastore.org/json/" } ], "type": "library", @@ -1239,6 +1507,14 @@ { "name": "internal:team_responsible", "value": "Build" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/SCons/scons" } ], "type": "library", @@ -1269,6 +1545,10 @@ { "name": "internal:team_responsible", "value": "Storage Execution" + }, + { + "name": "info_link", + "value": "https://github.com/aappleby/smhasher/blob/a6bd3ce/" } ], "type": "library", @@ -1300,6 +1580,10 @@ { "name": "internal:team_responsible", "value": "Query Integration" + }, + { + "name": "info_link", + "value": "https://github.com/snowballstem/snowball" } ], "type": "library", @@ -1337,6 +1621,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://github.com/testing-cabal/subunit" } ], "type": "library", 
@@ -1368,6 +1656,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "https://github.com/google/tcmalloc" } ], "type": "library", @@ -1399,6 +1695,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://github.com/testing-cabal/extras" } ], "type": "library", @@ -1435,6 +1735,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://pypi.org/project/testscenarios/" } ], "type": "library", @@ -1466,6 +1770,10 @@ { "name": "internal:team_responsible", "value": "Storage Engines" + }, + { + "name": "info_link", + "value": "https://github.com/testing-cabal/testtools" } ], "type": "library", @@ -1496,6 +1804,14 @@ { "name": "internal:team_responsible", "value": "Query Execution" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "http://www.unicode.org/versions/enumeratedversions.html" } ], "type": "library", @@ -1527,6 +1843,14 @@ { "name": "internal:team_responsible", "value": "Build" + }, + { + "name": "emits_persisted_data", + "value": "false" + }, + { + "name": "info_link", + "value": "http://valgrind.org/downloads/current.html" } ], "type": "library", @@ -1559,6 +1883,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://zlib.net/" } ], "type": "library", @@ -1595,6 +1927,14 @@ { "name": "internal:team_responsible", "value": "Service Arch" + }, + { + "name": "emits_persisted_data", + "value": "true" + }, + { + "name": "info_link", + "value": "https://github.com/facebook/zstd" } ], "type": "library", 
diff --git a/src/third_party/scripts/README.third_party.md.template b/src/third_party/scripts/README.third_party.md.template
new file mode 100644
index 00000000000..9d535cd16e7
--- /dev/null
+++ b/src/third_party/scripts/README.third_party.md.template
@@ -0,0 +1,72 @@
+# MongoDB Third Party Dependencies
+
+MongoDB depends on third party libraries to implement some
+functionality. This document describes which libraries are depended
+upon, and how. It is maintained by and for humans, and so while it is a
+best effort attempt to describe the server's dependencies, it is subject
+to change as libraries are added or removed.
+
+## Server Vendored Libraries
+
+This is the list of third party libraries vendored into the server
+codebase, and the upstream source where updates may be obtained. These
+sources are periodically consulted, and the existence of new versions is
+reflected in this list. A ticket is filed in Jira if a determination is
+made to upgrade a vendored library.
+
+Whenever a vendored library is included in released binary artifacts, is
+not authored by MongoDB, and has a license which requires reproduction,
+a notice will be included in
+`THIRD-PARTY-NOTICES`.
+
+{{ component_chart }}
+
+{{ component_links }}
+
+## WiredTiger Vendored Test Libraries
+
+The following Python libraries are transitively included by WiredTiger,
+and are used by that component for testing. They don't appear in
+released binary artifacts.
+
+{{ wiredtiger_chart }}
+
+## Dynamically Linked Libraries
+
+Sometimes MongoDB needs to load libraries provided and managed by the
+runtime environment. These libraries are not vendored into the MongoDB
+source directory, and are not compiled into release artifacts. Because
+they are provided by the runtime environment, the precise versions of
+these libraries cannot be known in advance. Further, these libraries may
+themselves load other libraries. The full set of transitively linked
+libraries will depend on the runtime environment, and cannot be outlined
+here. On Windows and Mac OS, other libraries and components provided by
+the Operating System may be loaded.
+
+For Windows Enterprise, we may ship precompiled DLLs containing some of
+these libraries. Releases prepared in this fashion will include a copy
+of these libraries' license in a file named
+`THIRD-PARTY-NOTICES.windows`.
+
+| Name | Enterprise Only | Has Windows DLLs |
+| :--------- | :-------------: | :-----------------------------------------------------: |
+| Cyrus SASL | Yes | Yes |
+| libldap | Yes | No |
+| net-snmp | Yes | Yes |
+| OpenSSL | No | Yes\[3] |
+| libcurl | No | No |
+
+## Notes:
+
+1. ^
+ The majority of Valgrind is licensed under the GPL, with the exception of a single
+ header file which is licensed under a BSD license. This BSD licensed header is the only
+ file from Valgrind which is vendored and consumed by MongoDB.
+
+2. ^
+ WiredTiger is maintained by MongoDB in a separate repository. As a part of our
+ development process, we periodically ingest the latest snapshot of that repository.
+
+3. ^
+ OpenSSL is only shipped as a dependency of the MongoDB tools written in Go. The MongoDB
+ shell and server binaries use Windows' cryptography APIs.
diff --git a/src/third_party/scripts/gen_thirdpartyreadme.py b/src/third_party/scripts/gen_thirdpartyreadme.py
new file mode 100644
index 00000000000..9851e405405
--- /dev/null
+++ b/src/third_party/scripts/gen_thirdpartyreadme.py
@@ -0,0 +1,204 @@ +from jinja2 import Environment, FileSystemLoader +import sys +import os +import json +import bisect +import logging +from functools import reduce + +SBOM_PATH = "../../../sbom.json" +TEMPLATE_PATH = "README.third_party.md.template" +README_PATH = "../../../README.third_party.md" + +logging.basicConfig(level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s') + + +def main(): + test_filepaths() + sbom = load_sbom() + + component_chart = sbom_to_component_chart(sbom) + right_pad_chart_values(component_chart) + component_chart_string = chart_to_string(component_chart) + + component_links_string = sbom_to_component_links_string(sbom) + + wiredtiger_chart = sbom_to_wiredtiger_chart(sbom) + right_pad_chart_values(wiredtiger_chart) + wiredtiger_chart_string = chart_to_string(wiredtiger_chart) + + template_data = { + "component_chart": component_chart_string, + "component_links": component_links_string, + "wiredtiger_chart": wiredtiger_chart_string + } + create_markdown_with_template(template_data) + + +def test_filepaths() -> None: + for filepath in [SBOM_PATH, TEMPLATE_PATH]: + if not os.path.exists(filepath): + logging.error("Error: %s does not exist. 
Exiting.", filepath) + sys.exit(1) + + +def load_sbom() -> dict: + try: + with open(SBOM_PATH, 'r') as file: + sbom = json.load(file) + logging.info("%s JSON data loaded.", SBOM_PATH) + return sbom + except json.JSONDecodeError as e: + logging.error("Error decoding %s JSON: %e Exiting.", SBOM_PATH, e) + sys.exit(1) + + +def sbom_to_component_chart(sbom: dict) -> list[list[str]]: + components = sbom["components"] + component_chart = [] + + for component in components: + check_component_validity(component) + name = component["name"] + license_string = [] + for lic in component["licenses"]: + for key in ["id", "name"]: + if key in lic["license"]: + license_string.append(lic["license"][key]) + license_string = ", ".join(license_string) + version = component["version"] + emits_persisted_data = "unknown" + for prop in component["properties"]: + k, v = prop["name"], prop["value"] + if k == "emits_persisted_data": + emits_persisted_data = ("", "✗")[v == "true"] + distributed_in_release_binaries = ( + "", "✗")[component["scope"] == "required"] + + row = [ + item.replace( + "|", + "") for item in [ + f"[{name}]", + license_string, + version, + emits_persisted_data, + distributed_in_release_binaries]] + bisect.insort(component_chart, row, key=lambda c: c[0].lower()) + + component_chart.insert(0, + ["Name", + "License", + "Vendored Version", + "Emits persisted data", + "Distributed in Release Binaries"]) + return component_chart + + +def sbom_to_component_links_string(sbom: dict) -> list[list[str]]: + components = sbom["components"] + link_list = [] + + for component in components: + check_component_validity(component) + info_link = get_component_info_link(component) + bisect.insort( + link_list, + f"[{component['name'].replace('|','')}]: {info_link}") + + return "\n".join(link_list) + + +def sbom_to_wiredtiger_chart(sbom: dict) -> list[list[str]]: + components = sbom["components"] + wiredtiger_chart = [["Name"]] + + for component in components: + 
check_component_validity(component) + locations = get_component_locations(component) + for location in locations: + if location.startswith("src/third_party/wiredtiger/"): + bisect.insort( + wiredtiger_chart, [ + component["name"].replace( + "|", "")]) + + return wiredtiger_chart + + +def check_component_validity(component) -> None: + for required_key in ["name", "version", "licenses"]: + if required_key not in component: + logging.error( + "Error: no key %s found in json. Exiting. JSON dump:", + required_key) + logging.error(json.dumps(component)) + sys.exit(1) + + +def get_component_info_link(component) -> str: + name = component["name"] + links = [] + for prop in component["properties"]: + k, v = prop["name"], prop["value"] + if k == "info_link": + links.append(v) + if len(links) != 1: + logging.warning( + "Warning: Expected 1 info_link for %s. Got %d:", + name, + len(links)) + if len(links) > 1: + logging.warning(" ".join(links)) + logging.warning("Using first link only.") + else: + logging.warning( + "Falling back to `purl` value: %s", + component['purl']) + links.append(component["purl"]) + return links[0] + + +def get_component_locations(component) -> list[str]: + if "evidence" not in component or "occurrences" not in component["evidence"]: + return [] + return [occurence["location"] + for occurence in component["evidence"]["occurrences"]] + + +def right_pad_chart_values(chart: list[list[str]]) -> list[list[str]]: + h, w = len(chart), len(chart[0]) + max_lens = [3 for _ in range(w)] + for row in chart: + for c in range(0, w): + max_lens[c] = max(max_lens[c], len(row[c])) + + for r in range(0, h): + for c in range(0, w): + chart[r][c] = chart[r][c].ljust(max_lens[c]) + chart.insert(1, ["-" * max_len for max_len in max_lens]) + + +def chart_to_string(chart: list[list[str]]) -> str: + chart = [" | ".join(row) for row in chart] + chart = "\n".join(["| " + row + " |" for row in chart]) + return chart + + +def create_markdown_with_template(data: str) -> None: + 
file_loader = FileSystemLoader('.') + env = Environment(loader=file_loader) + template = env.get_template(TEMPLATE_PATH) + output = template.render(data) + + with open(README_PATH, 'w') as f: + f.write("[DO NOT MODIFY THIS FILE MANUALLY. It is generated by src/third_party/tools/gen_thirdpartyreadme.py]: #\n\n") + f.write(output) + f.write("\n") + + logging.info("Markdown file created successfully.") + + +if __name__ == "__main__": + main()
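Review bot: In `load_sbom`, the JSON error path formats the exception with `%e`, a float conversion, so the log record fails to format and the decode error never reaches the log; it should be `logging.error("Error decoding %s JSON: %s Exiting.", SBOM_PATH, e)`. `check_component_validity` only requires `name`, `version` and `licenses`, yet `sbom_to_component_chart` and `get_component_info_link` index `component["properties"]`, `component["scope"]` and `component["purl"]` directly, so an SBOM entry missing one of them ends in an uncaught `KeyError` instead of the logged exit; adding those keys to the required list (or reading them with `.get`) would keep the failure mode consistent. SBOM strings reach the README with only `|` removed, so a `]` or a line break in a name, or an `info_link` that is not an http(s) URL, would be written into the table and the link definitions as-is; because this file is the published license and distribution record, a check that `info_link` starts with `https://` or `http://` and that names contain no line breaks seems worth adding before rendering. The banner written in `create_markdown_with_template` names `src/third_party/tools/gen_thirdpartyreadme.py`, while this patch adds the script under `src/third_party/scripts/`. Both `open()` calls rely on the locale's default encoding although the chart contains `✗`; passing `encoding="utf-8"` would make the generated file reproducible across build hosts.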