GODRIVER-3599: Add task script to generate CycloneDX SBOM

Added a `task` and `etc` bash script to generate a build lifecycle
CycloneDX SBOM using a pinned version of the `cyclonedx-gomod` tool. The
SBOM includes the aggregate of modules required by packages in the
mongo-go-driver library, excluding examples, tests and test packages.

The task will run only when go.mod is newer than sbom.cdx.json.

The file is saved as sbom.cdx.json (as opposed to the current sbom.json)
which is the preferred file extension for CycloneDX files. There is not
yet any code to commit the new SBOM to the repo. This is to allow for
evaluation of the new SBOM first without interfering with the current
workflow to upload the static sbom.json file to Kondukto.

TODOs:
- Once the SBOM generation process has been approved, the GitHub Action
in `mongodb-labs/drivers-github-tools` can be called with the updated
SBOM file name.
- Add libmongocrypt as an optional component via a merge once the
libmongocrypt SBOM is updated with newer automation

`task generate-sbom`

Author: jasonhills-mongodb

.evergreen/config.yml

@@ -647,6 +647,14 @@ tasks:
           binary: bash
           args: [*task-runner, check-fmt, check-license, check-modules, lint]
 
+  - name: generate-sbom
+    tags: ["ssdlc"]
+    commands:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args: [*task-runner, generate-sbom]
+
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:

Taskfile.yml

@@ -85,6 +85,19 @@ tasks:
 
   update-notices: bash etc/generate_notices.pl > THIRD-PARTY-NOTICES
 
+  generate-sbom:
+    desc: Generate a CycloneDX SBOM
+    summary: |
+      The cyclonedx-gomod 'mod' subcommand is used to generate a CycloneDX SBOM with GOWORK=off to exclude example/test code.
+      The SBOM includes the aggregate of modules required by packages in the mongo-go-driver library, excluding examples, tests and test packages.
+      Task will run only when go.mod is newer than sbom.cdx.json.
+      TODO: Add libmongocrypt as an optional component via a merge once the libmongocrypt SBOM is updated with newer automation
+    method: timestamp
+    sources: [go.mod]
+    generates: [sbom.cdx.json]
+    cmd: |
+      GOWORK=off go run github.com/CycloneDX/cyclonedx-gomod/cmd/[email protected] mod -type library -licenses -assert-licenses -output-version 1.5 -json -output sbom.cdx.json .
+  
   ### Local testing tasks. ###
   test: go test ${BUILD_TAGS} -timeout {{.TEST_TIMEOUT}}s -p 1 ./...