SERVER-107852 SBOM rebuild to master (resubmit) (#39261)

GitOrigin-RevId: 010c023d2294f9afccbe0f327ad8e69158551de2
2025-07-29 11:23:21 -04:00 · 2025-07-29 11:23:21 -04:00 · e557d558b4
parent 8ba95d16fd
commit e557d558b4
21 changed files with 1598 additions and 477 deletions
--- a/buildscripts/BUILD.bazel
+++ b/buildscripts/BUILD.bazel
@ -150,6 +150,10 @@ py_binary(
            "jsonschema",
            group = "build-metrics",
        ),
        dependency(
            "license-expression",
            group = "lint",
        ),
    ],
 )
--- a/buildscripts/sbom_linter.py
+++ b/buildscripts/sbom_linter.py
@ -5,6 +5,7 @@ import sys
 from typing import List
 import jsonschema
 from license_expression import get_spdx_licensing
 from referencing import Registry, Resource
 BOM_SCHEMA_LOCATION = os.path.join("buildscripts", "tests", "sbom_linter", "bom-1.5.schema.json")
@ -32,6 +33,7 @@ MISSING_TEAM_ERROR = "Component must include a 'internal:team_responsible' prope
 SCHEMA_MATCH_FAILURE = "File did not match the CycloneDX schema"
 MISSING_VERSION_IN_SBOM_COMPONENT_ERROR = "Component must include a version."
 MISSING_VERSION_IN_IMPORT_FILE_ERROR = "Missing version in the import file: "
 MISSING_LICENSE_IN_SBOM_COMPONENT_ERROR = "Component must include a license."
 COULD_NOT_FIND_OR_READ_SCRIPT_FILE_ERROR = "Could not find or read the import script file"
 VERSION_MISMATCH_ERROR = "Version mismatch: "
@ -114,31 +116,48 @@ def get_script_version(
 def strip_extra_prefixes(string_with_prefix: str) -> str:
    return string_with_prefix.removeprefix("mongo/").removeprefix("v")
 def validate_license(component: dict, error_manager: ErrorManager) -> None:
    if "licenses" not in component:
        error_manager.append_full_error_message(MISSING_LICENSE_IN_SBOM_COMPONENT_ERROR)
        return
    valid_license = False
    for license in component["licenses"]:
        if "expression" in license:
            expression = license.get("expression")
        elif "license" in license:
            if "id" in license["license"]:
                # Should be a valid SPDX license ID
                expression = license["license"].get("id")
            elif "name" in license["license"]:
                # If SPDX does not define the license used, the name field may be used to provide the license name
                valid_license = True
        if not valid_license:
            licensing_validate = get_spdx_licensing().validate( expression, validate=True )
            # ExpressionInfo(
            #   original_expression='',
            #   normalized_expression='',
            #   errors=[],
            #   invalid_symbols=[]
            #)
            valid_license = not licensing_validate.errors or not licensing_validate.invalid_symbols
            if not valid_license:
                error_manager.append_full_error_message(licensing_validate)
                return
 def validate_evidence(component: dict, third_party_libs: set, error_manager: ErrorManager) -> None:
-    if "evidence" not in component or "occurrences" not in component["evidence"]:
+    if component["scope"] == "required":
-        error_manager.append_full_error_message(MISSING_EVIDENCE_ERROR)
+        if "evidence" not in component or "occurrences" not in component["evidence"]:
-        return
+            error_manager.append_full_error_message(MISSING_EVIDENCE_ERROR)
            return
-    occurrences = component["evidence"]["occurrences"]
+    validate_location(component, third_party_libs, error_manager)
    if not occurrences:
        error_manager.append_full_error_message(
            "'evidence.occurrences' field must include at least one location."
        )
    for occurrence in occurrences:
        location = occurrence["location"]
        if not os.path.exists(location) and not SKIP_FILE_CHECKING:
            error_manager.append_full_error_message("location does not exist in repo.")
        if location.startswith(THIRD_PARTY_LOCATION_PREFIX):
            lib = location.removeprefix(THIRD_PARTY_LOCATION_PREFIX)
            if lib in third_party_libs:
                third_party_libs.remove(lib)
 def validate_properties(component: dict, error_manager: ErrorManager) -> None:
-    has_team_responsible_property = False
+    has_team_responsible_property = False or component["scope"] == "excluded"
    script_path = ""
    if "properties" in component:
        for prop in component["properties"]:
@ -159,14 +178,22 @@ def validate_properties(component: dict, error_manager: ErrorManager) -> None:
    if comp_version == "Unknown" or script_path == "":
        return
    # Include the .pedigree.descendants[0] version for version matching
    if "pedigree" in component and "descendants" in component["pedigree"] and "version" in component["pedigree"]["descendants"][0]:
        comp_pedigree_version = component["pedigree"]["descendants"][0]["version"]
    else:
        comp_pedigree_version = ""
    # At this point a version is attempted to be read from the import script file
    script_version = get_script_version(script_path, "VERSION", error_manager)
    if script_version == "":
        error_manager.append_full_error_message(MISSING_VERSION_IN_IMPORT_FILE_ERROR + script_path)
-    elif strip_extra_prefixes(script_version) != strip_extra_prefixes(comp_version):
+    elif strip_extra_prefixes(script_version) != strip_extra_prefixes(comp_version) and \
        strip_extra_prefixes(script_version) != strip_extra_prefixes(comp_pedigree_version):
        error_manager.append_full_error_message(
            VERSION_MISMATCH_ERROR
-            + f"\nscript version:{script_version}\nsbom version:{comp_version}"
+            + f"\nscript version:{script_version}\nsbom component version:{comp_version}\nsbom component pedigree version:{comp_pedigree_version}"
        )
@ -174,15 +201,37 @@ def validate_component(component: dict, third_party_libs: set, error_manager: Er
    error_manager.update_component_attribute(component["name"])
    if "scope" not in component:
        error_manager.append_full_error_message("component must include a scope.")
-    elif component["scope"] != "optional":
+    else:
        validate_evidence(component, third_party_libs, error_manager)
    validate_properties(component, error_manager)
    validate_license(component, error_manager)
    if "purl" not in component and "cpe" not in component:
        error_manager.append_full_error_message(MISSING_PURL_CPE_ERROR)
    error_manager.update_component_attribute("")
 def validate_location(component: dict, third_party_libs: set, error_manager: ErrorManager) -> None:
    if "evidence" in component:
        if "occurrences" not in component["evidence"]:
            error_manager.append_full_error_message(
                "'evidence.occurrences' field must include at least one location."
            )
        occurrences = component["evidence"]["occurrences"]
        for occurrence in occurrences:
            if "location" in occurrence:
                location = occurrence["location"]
                if not os.path.exists(location) and not SKIP_FILE_CHECKING:
                    error_manager.append_full_error_message("location does not exist in repo.")
                if location.startswith(THIRD_PARTY_LOCATION_PREFIX):
                    lib = location.removeprefix(THIRD_PARTY_LOCATION_PREFIX)
                    if lib in third_party_libs:
                        third_party_libs.remove(lib)
 def lint_sbom(
    input_file: str, output_file: str, third_party_libs: set, should_format: bool
 ) -> ErrorManager:
@ -257,8 +306,6 @@ def main() -> int:
    )
    # the only files in this dir that are not third party libs
    third_party_libs.remove("scripts")
    # wiredtiger will not be included in the sbom since it is considered part of the server
    third_party_libs.remove("wiredtiger")
    # the only files in the sasl dir are BUILD files to setup the sasl library in Windows
    third_party_libs.remove("sasl")
    error_manager = lint_sbom(input_file, output_file, third_party_libs, should_format)
@ -268,4 +315,4 @@ def main() -> int:
 if __name__ == "__main__":
-    sys.exit(main())
+    sys.exit(main())
--- a/buildscripts/tests/sbom_linter/inputs/sbom_component_empty_version.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_component_empty_version.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "name": "kafka",
      "version": "",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -34,4 +39,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_component_name_missing.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_component_name_missing.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "version": "v2.0.2",
      "scope": "required",
      "cpe": "test_cpe",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "properties": [
        {
          "name": "internal:team_responsible",
@ -33,4 +38,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_invalid_format.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_invalid_format.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
@ -16,6 +16,11 @@
      "name": "kafka",
      "version": "2.0.2",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -36,6 +41,13 @@
      "name": "protobuf",
      "version": "v4.25.0",
      "scope": "required",
      "licenses": [
        {
          "license": {
            "id": "BSD-3-Clause"
          }
        }
      ],
      "purl": "test_purl",
      "properties": [
        {
@ -58,6 +70,13 @@
      "name": "unicode",
      "version": "8.0",
      "scope": "optional",
      "licenses": [
        {
          "license": {
            "id": "Unicode-DFS-2016"
          }
        }
      ],
      "purl": "test_purl",
      "properties": [
        {
@ -67,4 +86,4 @@
      ]
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_invalid_license_expression.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_invalid_license_expression.json
@ -0,0 +1,43 @@
 {
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "properties": [
    {
      "name": "comment",
      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "version": "v2.0.2",
      "licenses": [
        {
          "expression": "xBSD-3-Clause"
        }
      ],
      "scope": "required",
      "cpe": "test_cpe",
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "server_security"
        },
        {
          "name": "import_script_path",
          "value": "buildscripts/tests/sbom_linter/inputs/kafka_valid_import.sh"
        }
      ],
      "evidence": {
        "occurrences": [
          {
            "location": "src/third_party/librdkafka"
          }
        ]
      }
    }
  ]
 }
--- a/buildscripts/tests/sbom_linter/inputs/sbom_missing_evidence.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_missing_evidence.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "name": "kafka",
      "scope": "required",
      "cpe": "test_cpe",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "properties": [
        {
          "name": "internal:team_responsible",
@ -53,4 +58,4 @@
      ]
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_missing_license.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_missing_license.json
@ -0,0 +1,74 @@
 {
  "properties": [
    {
      "name": "comment",
      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "version": "v2.0.2",
      "scope": "required",
      "cpe": "test_cpe",
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "server_security"
        },
        {
          "name": "import_script_path",
          "value": "buildscripts/tests/sbom_linter/inputs/kafka_valid_import.sh"
        }
      ],
      "evidence": {
        "occurrences": [
          {
            "location": "src/third_party/librdkafka"
          }
        ]
      }
    },
    {
      "type": "library",
      "name": "protobuf",
      "version": "v4.25.0",
      "scope": "required",
      "purl": "test_purl",
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "server_security"
        },
        {
          "name": "import_script_path",
          "value": "buildscripts/tests/sbom_linter/inputs/import_script_with_mongo_prefix_version.sh"
        }
      ],
      "evidence": {
        "occurrences": [
          {
            "location": "src/third_party/protobuf"
          }
        ]
      }
    },
    {
      "type": "library",
      "name": "unicode",
      "version": "8.0",
      "scope": "optional",
      "purl": "test_purl",
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "server_security"
        }
      ]
    }
  ]
 }
--- a/buildscripts/tests/sbom_linter/inputs/sbom_missing_purl.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_missing_purl.json
@ -2,17 +2,22 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "scope": "required",
       "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -59,4 +64,4 @@
      ]
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_missing_team.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_missing_team.json
@ -2,17 +2,22 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "evidence": {
        "occurrences": [
@ -54,4 +59,4 @@
      ]
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_missing_version.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_missing_version.json
@ -2,17 +2,22 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -29,4 +34,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_named_license.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_named_license.json
@ -0,0 +1,51 @@
 {
  "properties": [
    {
      "name": "comment",
      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
      "supplier": {
        "name": "Austin Appleby"
      },
      "author": "Austin Appleby",
      "group": "aappleby",
      "name": "MurmurHash3",
      "version": "a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
      "licenses": [
        {
          "license": {
            "name": "Public Domain"
          }
        }
      ],
      "copyright": "MurmurHash3 was written by Austin Appleby, and is placed in the public domain. The author hereby disclaims copyright to this source code.",
      "purl": "pkg:github/aappleby/smhasher@a6bd3ce7be8ad147ea820a7cf6229a975c0c96bb",
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "Storage Execution"
        },
        {
          "name": "info_link",
          "value": "https://github.com/aappleby/smhasher/blob/a6bd3ce/"
        }
      ],
      "evidence": {
        "occurrences": [
          {
            "location": "src/third_party/murmurhash3"
          }
        ]
      },
      "scope": "required"
    }
  ]
 }
--- a/buildscripts/tests/sbom_linter/inputs/sbom_pedigree_version_match.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_pedigree_version_match.json
@ -0,0 +1,51 @@
 {
  "properties": [
    {
      "name": "comment",
      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "version": "v2.0.0",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "pedigree": {
        "descendants": [
          {
            "type": "library",
            "name": "kafka-fork",
            "version": "v2.0.2"
          }
        ]
      },
      "properties": [
        {
          "name": "internal:team_responsible",
          "value": "server_security"
        },
        {
          "name": "import_script_path",
          "value": "buildscripts/tests/sbom_linter/inputs/kafka_valid_import.sh"
        }
      ],
      "evidence": {
        "occurrences": [
          {
            "location": "src/third_party/kafka"
          }
        ]
      }
    }
  ]
 }
--- a/buildscripts/tests/sbom_linter/inputs/sbom_script_file_missing.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_script_file_missing.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "name": "kafka",
      "version": "2.0.2",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -34,4 +39,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_script_missing_version.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_script_missing_version.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "name": "kafka",
      "version": "2.0.2",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -34,4 +39,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/sbom_version_mismatch.json
+++ b/buildscripts/tests/sbom_linter/inputs/sbom_version_mismatch.json
@ -2,11 +2,11 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
@ -14,6 +14,11 @@
      "name": "kafka",
      "version": "v4.25.0",
      "scope": "required",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "cpe": "test_cpe",
      "properties": [
        {
@ -34,4 +39,4 @@
      }
    }
  ]
-}
+}
--- a/buildscripts/tests/sbom_linter/inputs/valid_sbom.json
+++ b/buildscripts/tests/sbom_linter/inputs/valid_sbom.json
@ -2,17 +2,22 @@
  "properties": [
    {
      "name": "comment",
-      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.6/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
+      "value": "SBOM for MDB server product; this file should comply with the format specified here: https://cyclonedx.org/docs/1.5/json/#components_items_publisher; This file is still in development; see https://jira.mongodb.org/browse/DEVPROD-2623 for details."
    }
  ],
  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
+  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "kafka",
      "version": "v2.0.2",
      "licenses": [
        {
          "expression": "BSD-3-Clause"
        }
      ],
      "scope": "required",
      "cpe": "test_cpe",
      "properties": [
@ -38,6 +43,13 @@
      "name": "protobuf",
      "version": "v4.25.0",
      "scope": "required",
      "licenses": [
        {
          "license": {
            "id": "BSD-3-Clause"
          }
        }
      ],
      "purl": "test_purl",
      "properties": [
        {
@ -61,6 +73,13 @@
      "type": "library",
      "name": "unicode",
      "version": "8.0",
      "licenses": [
        {
          "license": {
            "id": "Unicode-DFS-2016"
          }
        }
      ],
      "scope": "optional",
      "purl": "test_purl",
      "properties": [
--- a/buildscripts/tests/sbom_linter/test_sbom.py
+++ b/buildscripts/tests/sbom_linter/test_sbom.py
@ -102,6 +102,14 @@ class TestSbom(unittest.TestCase):
        third_party_libs = {"librdkafka"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        self.assert_message_in_errors(error_manager, sbom_linter.VERSION_MISMATCH_ERROR)
    def test_pedigree_version_match(self):
        test_file = os.path.join(self.input_dir, "sbom_pedigree_version_match.json")
        third_party_libs = {"kafka"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        if not error_manager.zero_error():
            error_manager.print_errors()
        self.assertTrue(error_manager.zero_error())
    def test_schema_match_failure(self):
        test_file = os.path.join(self.input_dir, "sbom_component_name_missing.json")
@ -116,3 +124,28 @@ class TestSbom(unittest.TestCase):
        self.assert_message_in_errors(
            error_manager, sbom_linter.MISSING_VERSION_IN_SBOM_COMPONENT_ERROR
        )
    def test_missing_license(self):
        test_file = os.path.join(self.input_dir, "sbom_missing_license.json")
        third_party_libs = {"librdkafka"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        self.assert_message_in_errors(
            error_manager, sbom_linter.MISSING_LICENSE_IN_SBOM_COMPONENT_ERROR
        )
    def test_invalid_license_expression(self):
        test_file = os.path.join(self.input_dir, "sbom_invalid_license_expression.json")
        third_party_libs = {"librdkafka"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        #print(error_manager.errors)
        self.assert_message_in_errors(
            error_manager, "ExpressionInfo"
        )
    def test_named_license(self):
        test_file = os.path.join(self.input_dir, "sbom_named_license.json")
        third_party_libs = {"murmurhash3"}
        error_manager = sbom_linter.lint_sbom(test_file, test_file, third_party_libs, False)
        if not error_manager.zero_error():
            error_manager.print_errors()
        self.assertTrue(error_manager.zero_error())
--- a/poetry.lock
+++ b/poetry.lock
@ -96,6 +96,25 @@ files = [
    {file = "blinker-1.9.0.tar.gz", hash = "sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf"},
 ]
 [[package]]
 name = "boolean-py"
 version = "5.0"
 description = "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL."
 optional = false
 python-versions = "*"
 groups = ["lint"]
 markers = "platform_machine != \"s390x\" and platform_machine != \"ppc64le\" or platform_machine == \"s390x\" or platform_machine == \"ppc64le\""
 files = [
    {file = "boolean_py-5.0-py3-none-any.whl", hash = "sha256:ef28a70bd43115208441b53a045d1549e2f0ec6e3d08a9d142cbc41c1938e8d9"},
    {file = "boolean_py-5.0.tar.gz", hash = "sha256:60cbc4bad079753721d32649545505362c754e121570ada4658b852a3a318d95"},
 ]
 [package.extras]
 dev = ["build", "twine"]
 docs = ["Sphinx (>=3.3.1)", "doc8 (>=0.8.1)", "sphinx-rtd-theme (>=0.5.0)", "sphinxcontrib-apidoc (>=0.3.0)"]
 linting = ["black", "isort", "pycodestyle"]
 testing = ["pytest (>=6,!=7.0.0)", "pytest-xdist (>=2)"]
 [[package]]
 name = "boto3"
 version = "1.36.18"
@ -1718,6 +1737,25 @@ six = ">=1.7"
 Twisted = "*"
 "zope.interface" = "*"
 [[package]]
 name = "license-expression"
 version = "30.4.4"
 description = "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic."
 optional = false
 python-versions = ">=3.9"
 groups = ["lint"]
 markers = "platform_machine != \"s390x\" and platform_machine != \"ppc64le\" or platform_machine == \"s390x\" or platform_machine == \"ppc64le\""
 files = [
    {file = "license_expression-30.4.4-py3-none-any.whl", hash = "sha256:421788fdcadb41f049d2dc934ce666626265aeccefddd25e162a26f23bcbf8a4"},
    {file = "license_expression-30.4.4.tar.gz", hash = "sha256:73448f0aacd8d0808895bdc4b2c8e01a8d67646e4188f887375398c761f340fd"},
 ]
 [package.dependencies]
 "boolean.py" = ">=4.0"
 [package.extras]
 dev = ["Sphinx (>=5.0.2)", "doc8 (>=0.11.2)", "pytest (>=7.0.1)", "pytest-xdist (>=2)", "ruff", "sphinx-autobuild", "sphinx-copybutton", "sphinx-reredirects (>=0.1.2)", "sphinx-rtd-dark-mode (>=1.3.0)", "sphinx-rtd-theme (>=1.0.0)", "sphinxcontrib-apidoc (>=0.4.0)", "twine"]
 [[package]]
 name = "linkify-it-py"
 version = "2.0.3"
@ -5459,4 +5497,4 @@ libdeps = ["cxxfilt", "eventlet", "flask", "flask-cors", "gevent", "lxml", "prog
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "622c4368619483bbf23d0e5d482c6905d2e947952135e3b13f688fa9b748f825"
+content-hash = "ef2e57da22cc4cd89c4839944accd7e412853dc56bcbb6410cb73769a6db6518"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -120,6 +120,7 @@ tqdm = "*"
 colorama = "^0.4.6"
 evergreen-lint = "^0.1.10"
 ruff = "^0.6.7"
 license-expression = "^30.4.4"
 [tool.poetry.group.modules_poc.dependencies]
 codeowners = { version = "^0.8.0", markers = "platform_machine != 's390x' and platform_machine != 'ppc64le'" }
--- a/sbom.json
+++ b/sbom.json