libmongocrypt-helper 1.8.0.0.1001 → 1.11.0.0.1001

data/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eux
+
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+if [ $(command -v podman) ]; then
+    DOCKER=podman
+else
+    DOCKER=docker
+fi
+
+echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt
+$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
+rm purls.txt

data/ext/libmongocrypt/libmongocrypt/cmake/FetchMongoC.cmake

@@ -1,12 +1,30 @@
 include (FetchContent)
 
 # Set the tag that we will fetch.
-set (MONGOC_FETCH_TAG_FOR_LIBBSON "1.17.7" CACHE STRING "The Git tag of mongo-c-driver that will be fetched to obtain libbson")
+# When updating the version of libbson, also update the version in etc/purls.txt
+set (MONGOC_FETCH_TAG_FOR_LIBBSON "1.27.1" CACHE STRING "The Git tag of mongo-c-driver that will be fetched to obtain libbson")
+
+# Add an option to disable patching if a patch command is unavailable.
+option (LIBBSON_PATCH_ENABLED "Whether to apply patches to the libbson library" ON)
+set (patch_disabled OFF)
+if (NOT LIBBSON_PATCH_ENABLED)
+    set (patch_disabled ON)
+endif ()
+
+include (Patch)
+make_patch_command (patch_command
+    STRIP_COMPONENTS 1
+    DIRECTORY "<SOURCE_DIR>"
+    DISABLED "${patch_disabled}"
+    PATCHES
+        ${PROJECT_SOURCE_DIR}/etc/libbson-remove-GCC-diagnostic-pragma.patch
+    )
 
 # Fetch the source archive for the requested tag from GitHub
 FetchContent_Declare (
     embedded_mcd
     URL "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/${MONGOC_FETCH_TAG_FOR_LIBBSON}.tar.gz"
+    PATCH_COMMAND ${patch_command} --verbose
     )
 # Populate it:
 FetchContent_GetProperties (embedded_mcd)

data/ext/libmongocrypt/libmongocrypt/cmake/ImportBSON.cmake

@@ -132,6 +132,8 @@ function (_import_bson)
       set (ENABLE_MONGODB_AWS_AUTH OFF CACHE BOOL "Disable kms-message content in mongoc for libmongocrypt" FORCE)
       # Disable install() for the libbson static library. We'll do it ourselves
       set (ENABLE_STATIC BUILD_ONLY)
+      # Disable zlib, which isn't necessary for libmongocrypt and isn't necessarily available.
+      set (ENABLE_ZLIB OFF CACHE BOOL "Toggle zlib for the mongoc subproject (not required by libmongocrypt)")
       # Disable libzstd, which isn't necessary for libmongocrypt and isn't necessarily available.
       set (ENABLE_ZSTD OFF CACHE BOOL "Toggle libzstd for the mongoc subproject (not required by libmongocrypt)")
       # Disable snappy, which isn't necessary for libmongocrypt and isn't necessarily available.
@@ -142,6 +144,21 @@ function (_import_bson)
       set (ENABLE_EXTRA_ALIGNMENT ${_extra_alignment_default} CACHE BOOL "Toggle extra alignment of bson_t")
       # We don't want the subproject to find libmongocrypt
       set (ENABLE_CLIENT_SIDE_ENCRYPTION OFF CACHE BOOL "Disable client-side encryption for the libmongoc subproject")
+      # Clear `BUILD_VERSION` so C driver does not use a `BUILD_VERSION` meant for libmongocrypt.
+      # Both libmongocrypt and C driver support setting a `BUILD_VERSION` to override the version.
+      if (DEFINED CACHE{BUILD_VERSION})
+         set (saved_cached_build_version "${BUILD_VERSION}")
+         unset (BUILD_VERSION CACHE) # Undefine cache variable.
+      endif ()
+      if (DEFINED BUILD_VERSION)
+         set (saved_build_version "${BUILD_VERSION}")
+         unset (BUILD_VERSION) # Undefine normal variable.
+      endif ()
+      # Disable building tests in C driver:
+      set (ENABLE_TESTS OFF)
+      set (BUILD_TESTING OFF)
+      # Disable counters in C driver. Counters are not supported on all platforms.
+      set (ENABLE_SHM_COUNTERS OFF)
       # Add the subdirectory as a project. EXCLUDE_FROM_ALL to inhibit building and installing of components unless requested
       # SYSTEM (on applicable CMake versions) to prevent warnings (particularly from -Wconversion/-Wsign-conversion) from the C driver code
       if (CMAKE_VERSION VERSION_GREATER 3.25)
@@ -149,6 +166,12 @@ function (_import_bson)
       else ()
          add_subdirectory ("${MONGOCRYPT_MONGOC_DIR}" _mongo-c-driver EXCLUDE_FROM_ALL)
       endif ()
+      if (DEFINED saved_cached_build_version)
+         set (BUILD_VERSION "${saved_cached_build_version}" CACHE STRING "Library version")
+      endif ()
+      if (DEFINED saved_build_version)
+         set (BUILD_VERSION "${saved_build_version}")
+      endif ()
       if (TARGET mongoc_static)
          # Workaround: Embedded mongoc_static does not set its INCLUDE_DIRECTORIES for user targets
          target_include_directories (mongoc_static

data/ext/libmongocrypt/libmongocrypt/cmake/IntelDFP.cmake

@@ -1,8 +1,7 @@
 
 include (FetchContent)
-find_program (GIT_EXECUTABLE git)
-find_program (PATCH_EXECUTABLE patch)
 
+# When updating the version of IntelDFP, also update the version in etc/purls.txt
 set (_default_url "${PROJECT_SOURCE_DIR}/third-party/IntelRDFPMathLib20U2.tar.xz")
 
 set (INTEL_DFP_LIBRARY_URL "${_default_url}"
@@ -18,16 +17,23 @@ if (NOT INTEL_DFP_LIBRARY_URL_SHA256 STREQUAL "no-verify")
     set (_hash_arg URL_HASH "${INTEL_DFP_LIBRARY_URL_HASH}")
 endif ()
 
-# Make the PATCH_COMMAND a no-op if it was disabled
-set (patch_command)
+set (patch_disabled OFF)
 if (NOT INTEL_DFP_LIBRARY_PATCH_ENABLED)
-    set (patch_command "${CMAKE_COMMAND}" -E true)
-elseif (GIT_EXECUTABLE)
-    set (patch_command "${GIT_EXECUTABLE}" --work-tree=<SOURCE_DIR> apply)
-else ()
-    set (patch_command "${PATCH_EXECUTABLE}" --dir=<SOURCE_DIR>)
+    set (patch_disabled ON)
 endif ()
 
+include (Patch)
+make_patch_command (patch_command
+    STRIP_COMPONENTS 4
+    DIRECTORY "<SOURCE_DIR>"
+    DISABLED "${patch_disabled}"
+    PATCHES
+        "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-s390x.patch"
+        "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-MONGOCRYPT-571.patch"
+        "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-libmongocrypt-pr-625.patch"
+        "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-alpine-arm-fix.patch"
+    )
+
 # NOTE: The applying of the patch expects the correct input directly from the
 #       expanded archive. If the patch needs to be reapplied, you may see errors
 #       about trying to update the intel_dfp component. If you are seeing such
@@ -37,13 +43,7 @@ FetchContent_Declare (
     intel_dfp
     URL "${_default_url}"
     ${_hash_arg}
-    PATCH_COMMAND
-        ${patch_command}
-            -p 4 # Strip four path components
-            "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-s390x.patch"
-            "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-MONGOCRYPT-571.patch"
-            "${PROJECT_SOURCE_DIR}/etc/mongo-inteldfp-libmongocrypt-pr-625.patch"
-            --verbose
+    PATCH_COMMAND ${patch_command} --verbose
     )
 
 FetchContent_GetProperties (intel_dfp)
@@ -52,247 +52,39 @@ if (NOT intel_dfp_POPULATED)
     FetchContent_Populate (intel_dfp)
 endif ()
 
-# This list of sources matches the ones used within MongoDB server. The
-# "<library>" prefix is replaced below.
+# This list of sources was generated by copying the MongoDB server and removing any unnecessary.
+# Carefully add sources if more functionality is needed. Bundled sources are checked by static analysis, and may result in a larger binary.
+# The "<library>" prefix is replaced below.
 # Refer: https://github.com/mongodb/mongo/blob/e9be40f47a77af1931773ad671d4927c0fe6969a/src/third_party/IntelRDFPMathLib20U1/SConscript
 set (_dfp_sources
     "<library>/float128/dpml_exception.c"
-    "<library>/float128/dpml_four_over_pi.c"
-    "<library>/float128/dpml_ux_bessel.c"
     "<library>/float128/dpml_ux_bid.c"
-    "<library>/float128/dpml_ux_cbrt.c"
-    "<library>/float128/dpml_ux_erf.c"
-    "<library>/float128/dpml_ux_exp.c"
-    "<library>/float128/dpml_ux_int.c"
-    "<library>/float128/dpml_ux_inv_hyper.c"
-    "<library>/float128/dpml_ux_inv_trig.c"
-    "<library>/float128/dpml_ux_lgamma.c"
     "<library>/float128/dpml_ux_log.c"
-    "<library>/float128/dpml_ux_mod.c"
     "<library>/float128/dpml_ux_ops.c"
     "<library>/float128/dpml_ux_ops_64.c"
-    "<library>/float128/dpml_ux_pow.c"
-    "<library>/float128/dpml_ux_powi.c"
-    "<library>/float128/dpml_ux_sqrt.c"
-    "<library>/float128/dpml_ux_trig.c"
-    "<library>/float128/sqrt_tab_t.c"
     "<library>/src/bid128.c"
     "<library>/src/bid128_2_str_tables.c"
-    "<library>/src/bid128_acos.c"
-    "<library>/src/bid128_acosh.c"
     "<library>/src/bid128_add.c"
-    "<library>/src/bid128_asin.c"
-    "<library>/src/bid128_asinh.c"
-    "<library>/src/bid128_atan.c"
-    "<library>/src/bid128_atan2.c"
-    "<library>/src/bid128_atanh.c"
-    "<library>/src/bid128_cbrt.c"
     "<library>/src/bid128_compare.c"
-    "<library>/src/bid128_cos.c"
-    "<library>/src/bid128_cosh.c"
     "<library>/src/bid128_div.c"
-    "<library>/src/bid128_erf.c"
-    "<library>/src/bid128_erfc.c"
-    "<library>/src/bid128_exp.c"
-    "<library>/src/bid128_exp10.c"
-    "<library>/src/bid128_exp2.c"
-    "<library>/src/bid128_expm1.c"
-    "<library>/src/bid128_fdimd.c"
     "<library>/src/bid128_fma.c"
     "<library>/src/bid128_fmod.c"
-    "<library>/src/bid128_frexp.c"
-    "<library>/src/bid128_hypot.c"
-    "<library>/src/bid128_ldexp.c"
-    "<library>/src/bid128_lgamma.c"
-    "<library>/src/bid128_llrintd.c"
-    "<library>/src/bid128_log.c"
     "<library>/src/bid128_log10.c"
-    "<library>/src/bid128_log1p.c"
     "<library>/src/bid128_log2.c"
-    "<library>/src/bid128_logb.c"
-    "<library>/src/bid128_logbd.c"
-    "<library>/src/bid128_lrintd.c"
-    "<library>/src/bid128_lround.c"
-    "<library>/src/bid128_minmax.c"
     "<library>/src/bid128_modf.c"
     "<library>/src/bid128_mul.c"
-    "<library>/src/bid128_nearbyintd.c"
-    "<library>/src/bid128_next.c"
-    "<library>/src/bid128_nexttowardd.c"
     "<library>/src/bid128_noncomp.c"
-    "<library>/src/bid128_pow.c"
-    "<library>/src/bid128_quantexpd.c"
-    "<library>/src/bid128_quantize.c"
-    "<library>/src/bid128_rem.c"
     "<library>/src/bid128_round_integral.c"
     "<library>/src/bid128_scalb.c"
     "<library>/src/bid128_scalbl.c"
-    "<library>/src/bid128_sin.c"
-    "<library>/src/bid128_sinh.c"
-    "<library>/src/bid128_sqrt.c"
     "<library>/src/bid128_string.c"
-    "<library>/src/bid128_tan.c"
-    "<library>/src/bid128_tanh.c"
-    "<library>/src/bid128_tgamma.c"
-    "<library>/src/bid128_to_int16.c"
-    "<library>/src/bid128_to_int32.c"
     "<library>/src/bid128_to_int64.c"
-    "<library>/src/bid128_to_int8.c"
-    "<library>/src/bid128_to_uint16.c"
-    "<library>/src/bid128_to_uint32.c"
-    "<library>/src/bid128_to_uint64.c"
-    "<library>/src/bid128_to_uint8.c"
-    "<library>/src/bid32_acos.c"
-    "<library>/src/bid32_acosh.c"
-    "<library>/src/bid32_add.c"
-    "<library>/src/bid32_asin.c"
-    "<library>/src/bid32_asinh.c"
-    "<library>/src/bid32_atan.c"
-    "<library>/src/bid32_atan2.c"
-    "<library>/src/bid32_atanh.c"
-    "<library>/src/bid32_cbrt.c"
-    "<library>/src/bid32_compare.c"
-    "<library>/src/bid32_cos.c"
-    "<library>/src/bid32_cosh.c"
-    "<library>/src/bid32_div.c"
-    "<library>/src/bid32_erf.c"
-    "<library>/src/bid32_erfc.c"
-    "<library>/src/bid32_exp.c"
-    "<library>/src/bid32_exp10.c"
-    "<library>/src/bid32_exp2.c"
-    "<library>/src/bid32_expm1.c"
-    "<library>/src/bid32_fdimd.c"
-    "<library>/src/bid32_fma.c"
-    "<library>/src/bid32_fmod.c"
-    "<library>/src/bid32_frexp.c"
-    "<library>/src/bid32_hypot.c"
-    "<library>/src/bid32_ldexp.c"
-    "<library>/src/bid32_lgamma.c"
-    "<library>/src/bid32_llrintd.c"
-    "<library>/src/bid32_log.c"
-    "<library>/src/bid32_log10.c"
-    "<library>/src/bid32_log1p.c"
-    "<library>/src/bid32_log2.c"
-    "<library>/src/bid32_logb.c"
-    "<library>/src/bid32_logbd.c"
-    "<library>/src/bid32_lrintd.c"
-    "<library>/src/bid32_lround.c"
-    "<library>/src/bid32_minmax.c"
-    "<library>/src/bid32_modf.c"
-    "<library>/src/bid32_mul.c"
-    "<library>/src/bid32_nearbyintd.c"
-    "<library>/src/bid32_next.c"
-    "<library>/src/bid32_nexttowardd.c"
-    "<library>/src/bid32_noncomp.c"
-    "<library>/src/bid32_pow.c"
-    "<library>/src/bid32_quantexpd.c"
-    "<library>/src/bid32_quantize.c"
-    "<library>/src/bid32_rem.c"
-    "<library>/src/bid32_round_integral.c"
-    "<library>/src/bid32_scalb.c"
-    "<library>/src/bid32_scalbl.c"
-    "<library>/src/bid32_sin.c"
-    "<library>/src/bid32_sinh.c"
-    "<library>/src/bid32_sqrt.c"
-    "<library>/src/bid32_string.c"
-    "<library>/src/bid32_sub.c"
-    "<library>/src/bid32_tan.c"
-    "<library>/src/bid32_tanh.c"
-    "<library>/src/bid32_tgamma.c"
-    "<library>/src/bid32_to_bid128.c"
-    "<library>/src/bid32_to_bid64.c"
-    "<library>/src/bid32_to_int16.c"
-    "<library>/src/bid32_to_int32.c"
-    "<library>/src/bid32_to_int64.c"
-    "<library>/src/bid32_to_int8.c"
-    "<library>/src/bid32_to_uint16.c"
-    "<library>/src/bid32_to_uint32.c"
-    "<library>/src/bid32_to_uint64.c"
-    "<library>/src/bid32_to_uint8.c"
-    "<library>/src/bid64_acos.c"
-    "<library>/src/bid64_acosh.c"
-    "<library>/src/bid64_add.c"
-    "<library>/src/bid64_asin.c"
-    "<library>/src/bid64_asinh.c"
-    "<library>/src/bid64_atan.c"
-    "<library>/src/bid64_atan2.c"
-    "<library>/src/bid64_atanh.c"
-    "<library>/src/bid64_cbrt.c"
-    "<library>/src/bid64_compare.c"
-    "<library>/src/bid64_cos.c"
-    "<library>/src/bid64_cosh.c"
-    "<library>/src/bid64_div.c"
-    "<library>/src/bid64_erf.c"
-    "<library>/src/bid64_erfc.c"
-    "<library>/src/bid64_exp.c"
-    "<library>/src/bid64_exp10.c"
-    "<library>/src/bid64_exp2.c"
-    "<library>/src/bid64_expm1.c"
-    "<library>/src/bid64_fdimd.c"
-    "<library>/src/bid64_fma.c"
-    "<library>/src/bid64_fmod.c"
-    "<library>/src/bid64_frexp.c"
-    "<library>/src/bid64_hypot.c"
-    "<library>/src/bid64_ldexp.c"
-    "<library>/src/bid64_lgamma.c"
-    "<library>/src/bid64_llrintd.c"
-    "<library>/src/bid64_log.c"
-    "<library>/src/bid64_log10.c"
-    "<library>/src/bid64_log1p.c"
-    "<library>/src/bid64_log2.c"
-    "<library>/src/bid64_logb.c"
-    "<library>/src/bid64_logbd.c"
-    "<library>/src/bid64_lrintd.c"
-    "<library>/src/bid64_lround.c"
-    "<library>/src/bid64_minmax.c"
-    "<library>/src/bid64_modf.c"
-    "<library>/src/bid64_mul.c"
-    "<library>/src/bid64_nearbyintd.c"
-    "<library>/src/bid64_next.c"
-    "<library>/src/bid64_nexttowardd.c"
-    "<library>/src/bid64_noncomp.c"
-    "<library>/src/bid64_pow.c"
-    "<library>/src/bid64_quantexpd.c"
-    "<library>/src/bid64_quantize.c"
-    "<library>/src/bid64_rem.c"
-    "<library>/src/bid64_round_integral.c"
-    "<library>/src/bid64_scalb.c"
-    "<library>/src/bid64_scalbl.c"
-    "<library>/src/bid64_sin.c"
-    "<library>/src/bid64_sinh.c"
-    "<library>/src/bid64_sqrt.c"
-    "<library>/src/bid64_string.c"
-    "<library>/src/bid64_tan.c"
-    "<library>/src/bid64_tanh.c"
-    "<library>/src/bid64_tgamma.c"
     "<library>/src/bid64_to_bid128.c"
-    "<library>/src/bid64_to_int16.c"
-    "<library>/src/bid64_to_int32.c"
-    "<library>/src/bid64_to_int64.c"
-    "<library>/src/bid64_to_int8.c"
-    "<library>/src/bid64_to_uint16.c"
-    "<library>/src/bid64_to_uint32.c"
-    "<library>/src/bid64_to_uint64.c"
-    "<library>/src/bid64_to_uint8.c"
     "<library>/src/bid_binarydecimal.c"
     "<library>/src/bid_convert_data.c"
     "<library>/src/bid_decimal_data.c"
-    "<library>/src/bid_decimal_globals.c"
-    "<library>/src/bid_dpd.c"
-    "<library>/src/bid_feclearexcept.c"
-    "<library>/src/bid_fegetexceptflag.c"
-    "<library>/src/bid_feraiseexcept.c"
-    "<library>/src/bid_fesetexceptflag.c"
-    "<library>/src/bid_fetestexcept.c"
     "<library>/src/bid_flag_operations.c"
-    "<library>/src/bid_from_int.c"
     "<library>/src/bid_round.c"
-    "<library>/src/strtod128.c"
-    "<library>/src/strtod32.c"
-    "<library>/src/strtod64.c"
-    "<library>/src/wcstod128.c"
-    "<library>/src/wcstod32.c"
-    "<library>/src/wcstod64.c"
     )
 # Put in the actual library path:
 string (REPLACE "<library>" "${intel_dfp_SOURCE_DIR}/LIBRARY" _dfp_sources "${_dfp_sources}")

data/ext/libmongocrypt/libmongocrypt/cmake/Patch.cmake

@@ -0,0 +1,54 @@
+find_program(GIT_EXECUTABLE git)
+find_program(PATCH_EXECUTABLE patch)
+
+#[[
+    Form a new Patch-applying command for the given inputs
+
+    make_patch_command(
+        <outvar>
+        [DISABLED <bool>]
+        [DIRECTORY <dir>]
+        [STRIP_COMPONENTS <N>]
+        PATCHES [<file> ...]
+    )
+]]
+function(make_patch_command out)
+    cmake_parse_arguments(PARSE_ARGV 1 patch "" "DIRECTORY;STRIP_COMPONENTS;DISABLED" "PATCHES")
+    if(patch_DISABLED)
+        # Use a placeholder "no-op" patch command.
+        set(cmd "${CMAKE_COMMAND}" "-E" "true")
+    elseif(GIT_EXECUTABLE)
+        # git ...
+        set(cmd ${GIT_EXECUTABLE})
+
+        if(patch_DIRECTORY)
+            # git --work-tree=...
+            list(APPEND cmd --work-tree=${patch_DIRECTORY})
+        endif()
+        # git ... apply ...
+        list(APPEND cmd apply)
+        # git ... apply -pN ...
+        if(patch_STRIP_COMPONENTS)
+            list(APPEND cmd -p${patch_STRIP_COMPONENTS})
+        endif()
+        # Ignore whitespace errors to fix patch errors on Windows: The patch file may be converted to \r\n by git, but libbson fetched with \n.
+        list(APPEND cmd "--ignore-whitespace")
+        # git accepts patch filepaths as positional arguments
+        list(APPEND cmd ${patch_PATCHES})
+    else()
+        # patch ...
+        set(cmd ${PATCH_EXECUTABLE})
+        if(patch_DIRECTORY)
+            # patch --dir=...
+            list(APPEND cmd --dir=${patch_DIRECTORY})
+        endif()
+        # patch ... -pN ...
+        if(patch_STRIP_COMPONENTS)
+            list(APPEND cmd -p${patch_STRIP_COMPONENTS})
+        endif()
+        # Prepend "--input=" to each patch filepath and add them to the argv
+        list(TRANSFORM patch_PATCHES PREPEND "--input=")
+        list(APPEND cmd ${patch_PATCHES})
+    endif()
+    set("${out}" "${cmd}" PARENT_SCOPE)
+endfunction()

data/ext/libmongocrypt/libmongocrypt/doc/releasing.md

@@ -0,0 +1,153 @@
+# Releasing libmongocrypt
+
+These steps describe releasing the libmongocrypt C library (not the language bindings).
+
+## Version number scheme ##
+Version numbers of libmongocrypt must follow the format 1.[0-9].[0-9] for releases and 1.[0-9].[0-9]-(alpha|beta|rc)[0-9] for pre-releases.  This ensures that Linux distribution packages built from each commit are published to the correct location.
+
+## Steps to release ##
+
+### Check for Vulnerabilities
+
+Snyk and Silk are used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm).
+
+#### Check Snyk
+
+Go to [Snyk](https://app.snyk.io/) and select the `dev-prod` organization. If access is needed, see [Snyk Onboarding](https://docs.google.com/document/d/1A38HvDvVFOwLtJQfQwIGcy5amAIpDwHUkNInwezLwXY/edit#heading=h.9ayipd2nt7xg). Check the CLI target named `mongodb/libmongocrypt`. The CLI targets may be identified by this icon: ![CLI icon](img/cli-icon.png). There are reference targets for each tracked branch:
+
+![Reference Targets](img/reference-targets.png)
+
+Copy the organization ID from [Snyk settings](https://app.snyk.io/org/dev-prod/manage/settings).
+
+##### Update Snyk
+
+Update the Snyk reference target tracking the to-be-released branch. For a patch release (e.g. x.y.z), check-out the `rx.y` branch and update the `rx.y` reference target. For a minor release (e.g. x.y.0), check out the `master` branch update the `master` reference target.
+
+Run `cmake` to ensure generated source files are present:
+```bash
+cmake -S. -Bcmake-build -D BUILD_TESTING=OFF
+cmake --build cmake-build --target mongocrypt
+```
+
+Print dependencies found by Snyk and verify libbson is found:
+```bash
+snyk test --unmanaged --print-dep-paths
+```
+
+Copy the organization ID from [Snyk settings](https://app.snyk.io/org/dev-prod/manage/settings). Create the new Snyk reference target to track the newly created release branch:
+```bash
+snyk auth
+snyk monitor \
+--org=$ORGANIZATION_ID \
+--target-reference="<rx.y or master>" \
+--unmanaged \
+--remote-repo-url=https://github.com/mongodb/libmongocrypt.git
+```
+
+```bash
+snyk auth
+snyk monitor \
+--org=$ORGANIZATION_ID \
+--target-reference=<rx.y or master> \
+--unmanaged \
+--remote-repo-url=https://github.com/mongodb/libmongocrypt.git
+```
+
+Check the updated reference targets in Snyk for detected vulnerabilities.
+
+#### Check Silk
+
+Get credentials for Silk from the `drivers/libmongocrypt` vault in [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets).
+
+Download the Augmented SBOM using:
+```bash
+./.evergreen/earthly.sh \
+   --secret silk_client_id=${silk_client_id} \
+   --secret silk_client_secret=${silk_client_secret} \
+   +sbom-download \
+   --out cyclonedx.augmented.sbom.json \
+   --branch <branch>
+```
+
+Check the contents of the "vulnerabilities" field (if present) in the Augmented SBOM.
+
+### Release
+
+Do the following when releasing:
+- If this is a feature release (e.g. `x.y.0` or `x.0.0`), follow these steps: [Creating SSDLC static analysis reports](https://docs.google.com/document/d/1rkFL8ymbkc0k8Apky9w5pTPbvKRm68wj17mPJt2_0yo/edit).
+- Check out the release branch. For a release `x.y.z`, the release branch is `rx.y`. If this is a new minor release (`x.y.0`), create the release branch.
+- Update CHANGELOG.md with the version being released.
+- Ensure `etc/purls.txt` is up-to-date.
+- Update `etc/third_party_vulnerabilities.md` with any updates to new or known vulnerabilities for third party dependencies that must be reported.
+- If this is a new minor release (e.g. `x.y.0`):
+   - Update the Linux distribution package installation instructions in the below sections to refer to the new version `x.y`.
+   - Update the [libmongocrypt-release](https://spruce.mongodb.com/project/libmongocrypt-release/settings/general) Evergreen project (requires auth) to set `Branch Name` to `rx.y`.
+- Commit the changes on the `rx.y` branch with a message like "Update CHANGELOG.md for x.y.z".
+- Tag the commit with `git tag -a <tag>`.
+   - Push both the branch ref and tag ref in the same command: `git push origin master 1.8.0-alpha0` or `git push origin r1.8 1.8.4`
+   - Pushing the branch ref and the tag ref in the same command eliminates the possibility of a race condition in Evergreen (for building resources based on the presence of a release tag)
+   - Note that in the future (e.g., if we move to a PR-based workflow for releases, or if we simply want to take better advantage of advanced Evergreen features), it is possible to use Evergreen's "Trigger Versions With Git Tags" feature by updating both `config.yml` and the project's settings in Evergreen
+- Ensure the version on Evergreen with the tagged commit is scheduled. The following tasks must pass to complete the release:
+   - `upload-all`
+   - `windows-upload-release`
+   - All `publish-packages` tasks.
+      - If the `publish-packages` tasks fail with an error like `[curator] 2024/01/02 13:56:17 [p=emergency]: problem submitting repobuilder job: 404 (Not Found)`, this suggests the published path does not yet exist. Barque (the Linux package publishing service) has protection to avoid unintentional publishes. File a DEVPROD ticket ([example](https://jira.mongodb.org/browse/DEVPROD-4053)) and assign to the team called Release Infrastructure to request the path be created. Then re-run the failing `publish-packages` task. Ask in the slack channel `#devprod-release-tools` for further help with `Barque` or `curator`.
+- Create the release from the GitHub releases page from the new tag.
+   - Attach the tarball and signature file from the Files tab of the `windows-upload-release` task. [Example](https://github.com/mongodb/libmongocrypt/releases/tag/1.10.0).
+   - Attach the Augmented SBOM file. Download the Augmented SBOM using:
+     ```bash
+     ./.evergreen/earthly.sh \
+        --secret silk_client_id=${silk_client_id} \
+        --secret silk_client_secret=${silk_client_secret} \
+        +sbom-download \
+        --out cyclonedx.augmented.sbom.json \
+        --branch <branch>
+     ```
+     For a new minor release, use `master` for `--branch`. For a patch release, use the release branch (e.g. `rx.y`).
+     Secrets can be obtained from [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets) under `drivers/libmongocrypt`.
+   - Attach `etc/third_party_vulnerabilities.md` to the release.
+   - Attach `ssdlc_compliance_report.md` to the release.
+
+- If this is a new minor release (e.g. `x.y.0`):
+   - File a DOCSP ticket to update the installation instructions on [Install libmongocrypt](https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/). ([Example](https://jira.mongodb.org/browse/DOCSP-36863))
+   - Create a new Silk asset group. Use the newly created release branch (e.g. `rx.y`) as the `--branch` argument:
+     ```bash
+     ./.evergreen/earthly.sh \
+        --secret silk_client_id=${silk_client_id} \
+        --secret silk_client_secret=${silk_client_secret} \
+        +silk-create-asset-group \
+        --branch <branch>
+     ```
+   - Create a new Snyk reference target. The following instructions use the example branch `rx.y`:
+
+     Run `cmake` to ensure generated source files are present:
+     ```bash
+     cmake -S. -Bcmake-build -D BUILD_TESTING=OFF
+     cmake --build cmake-build --target mongocrypt
+     ```
+
+     Print dependencies found by Snyk and verify libbson is found:
+     ```bash
+     snyk test --unmanaged --print-dep-paths
+     ```
+
+     Copy the organization ID from [Snyk settings](https://app.snyk.io/org/dev-prod/manage/settings). Create the new Snyk reference target to track the newly created release branch:
+     ```bash
+     snyk auth
+     snyk monitor \
+      --org=$ORGANIZATION_ID \
+      --target-reference=rx.y \
+      --unmanaged \
+      --remote-repo-url=https://github.com/mongodb/libmongocrypt.git
+     ```
+     Snyk reference targets for older release branches may be removed if no further releases are expected on the branch.
+- Make a PR to apply the "Update CHANGELOG.md for x.y.z" commit to the `master` branch.
+- Update the release on the [Jira releases page](https://jira.mongodb.org/projects/MONGOCRYPT/versions).
+- Record the release on [C/C++ Release Info](https://docs.google.com/spreadsheets/d/1yHfGmDnbA5-Qt8FX4tKWC5xk9AhzYZx1SKF4AD36ecY/edit?usp=sharing). This is done to meet SSDLC reporting requirements.
+- Add a link to the Evergreen waterfall for the tagged commit to [libmongocrypt Security Testing Summary](https://docs.google.com/document/d/1dc7uvBzu3okAIsA8LSW5sVQGkYIvwpBVdg5v4wb4c4s/edit#heading=h.5t79jwe4p0ss).
+
+## Homebrew steps ##
+Submit a PR to update the Homebrew package https://github.com/mongodb/homebrew-brew/blob/master/Formula/libmongocrypt.rb. ([Example](https://github.com/mongodb/homebrew-brew/pull/208)). If not on macOS, request a team member to do this step.
+
+## Debian steps ##
+Refer to the [Debian](https://github.com/mongodb/mongo-c-driver/blob/master/docs/dev/debian.rst) steps. If you are not a Debian maintainer on the team, request a team member to do this step.