From 21560647ec4ddea561b8763bdbcccd30327ba64d Mon Sep 17 00:00:00 2001
From: Jason Hills
Date: Fri, 5 Dec 2025 10:50:05 -0500
Subject: [PATCH] SERVER-114893 Improve SBOM CPE accuracy for protobuf (#44834)
GitOrigin-RevId: 1c2c314ceff79432e69c4fcaa4d40f610a7e6f7c
---
 buildscripts/sbom/metadata.cdx.json | 2 +-
 src/third_party/protobuf/scripts/import.sh | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/buildscripts/sbom/metadata.cdx.json b/buildscripts/sbom/metadata.cdx.json
index 09a5a161f28..8acab48eef5 100644
--- a/buildscripts/sbom/metadata.cdx.json
+++ b/buildscripts/sbom/metadata.cdx.json
@@ -1798,7 +1798,7 @@
 }
 ],
 "copyright": "Copyright 2008 Google Inc. Copyright 2023 Google LLC. All rights reserved.",
- "cpe": "cpe:2.3:a:google:protobuf:{{VERSION}}:*:*:*:*:*:*:*",
+ "cpe": "cpe:2.3:a:google:protobuf-cpp:{{VERSION}}:*:*:*:*:*:*:*",
 "purl": "pkg:github/protocolbuffers/protobuf@{{VERSION}}",
 "externalReferences": [
 {
diff --git a/src/third_party/protobuf/scripts/import.sh b/src/third_party/protobuf/scripts/import.sh
index 83944775263..1af36a9ba78 100755
--- a/src/third_party/protobuf/scripts/import.sh
+++ b/src/third_party/protobuf/scripts/import.sh
@@ -7,9 +7,7 @@ IFS=$'\n\t'
 set -vx
 NAME=protobuf
-REVISION="v4.25.0"
-# VERSION variable is not used in this script, but is in here for SBOM generation. Should match the official release tag
-VERSION="v25.0"
+VERSION="v4.25.0"
 DEST_DIR=$(git rev-parse --show-toplevel)/src/third_party/protobuf
 PATCH_DIR=$(git rev-parse --show-toplevel)/src/third_party/protobuf/patches
@@ -18,7 +16,7 @@ if [[ -d $DEST_DIR/dist ]]; then
 exit 1
 fi
-git clone --branch $REVISION https://github.com/mongodb-forks/protobuf.git $DEST_DIR/dist
+git clone --branch $VERSION https://github.com/mongodb-forks/protobuf.git $DEST_DIR/dist
 pushd $DEST_DIR/dist
 git apply $PATCH_DIR/*.patch
 rm -rf benchmarks
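Review bot: The version field of the new `"cpe"` value may render with a leading `v`, because it is still filled from `{{VERSION}}` and this commit sets `VERSION="v4.25.0"` in import.sh; the templating code is not visible here, so this is to be confirmed rather than assumed. If the substitution is verbatim, matchers that compare against bare version numbers can miss the component, so the generated SBOM should be checked to contain `cpe:2.3:a:google:protobuf-cpp:4.25.0:*:*:*:*:*:*:*`. Narrowing the product to `protobuf-cpp` also means an advisory recorded only under the generic `google:protobuf` product would no longer match on CPE alone, so it is worth confirming that the consuming scanner also matches on the purl.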
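Review bot: `VERSION` now serves both as the ref passed to `git clone --branch` and, per the deleted comment, as the value read for SBOM generation, yet the hunk at `@@ -7,9 +7,7 @@` removes that comment without a replacement. A later bump that follows the fork's ref naming would then change the rendered CPE and purl without anyone noticing. I would add above the assignment `# VERSION is the mongodb-forks tag to clone and is also read for SBOM generation (CPE and purl); keep it in the form the SBOM expects`. The purl in metadata.cdx.json names `protocolbuffers/protobuf`, and the removed comment gave `v25.0` as the official release tag, so it should be confirmed that `v4.25.0` also resolves upstream.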
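Review bot: The new `git clone --branch $VERSION` line trusts a tag name, which can be moved in the fork after review, and nothing visible in the hunk checks which commit was fetched before the patches are applied and the tree is vendored. Recording the expected commit and comparing it after the clone would make the import reproducible and tamper-evident: `EXPECTED_COMMIT="<full-commit-sha-placeholder>"` next to `VERSION`, then `[[ "$(git -C "$DEST_DIR/dist" rev-parse HEAD)" == "$EXPECTED_COMMIT" ]] || exit 1` after the clone. The expansions are also unquoted; `git clone --branch "$VERSION" https://github.com/mongodb-forks/protobuf.git "$DEST_DIR/dist"` is the safer form. The script continues outside the hunk on both sides.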