From 7f8f97d321b729928e2149bc355130c7af3f8e72 Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 10:03:18 -0600 Subject: [PATCH 1/7] evg: update scripts for SilkBomb 2.0 --- .../config_generator/components/silk.py | 163 ++++++++++++++---- .evergreen/config_generator/etc/distros.py | 1 - .evergreen/generated_configs/functions.yml | 116 +++++++++++-- .evergreen/generated_configs/tasks.yml | 11 +- .evergreen/scripts/check-augmented-sbom.sh | 58 ------- .../scripts/silk-check-augmented-sbom.sh | 62 +++++++ .evergreen/scripts/silk-upload-sbom-lite.sh | 29 ++++ 7 files changed, 332 insertions(+), 108 deletions(-) delete mode 100755 .evergreen/scripts/check-augmented-sbom.sh create mode 100755 .evergreen/scripts/silk-check-augmented-sbom.sh create mode 100755 .evergreen/scripts/silk-upload-sbom-lite.sh diff --git a/.evergreen/config_generator/components/silk.py b/.evergreen/config_generator/components/silk.py index f133024eff..139061fc2b 100644 --- a/.evergreen/config_generator/components/silk.py +++ b/.evergreen/config_generator/components/silk.py 
@@ -5,42 +5,122 @@ from config_generator.etc.utils import bash_exec
 from shrub.v3.evg_build_variant import BuildVariant
-from shrub.v3.evg_command import EvgCommandType, s3_put
-from shrub.v3.evg_task import EvgTask, EvgTaskRef
+from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put
+from shrub.v3.evg_task import EvgTask, EvgTaskRef, EvgTaskDependency
+
+from pydantic import ConfigDict
+from typing import Optional
 TAG = 'silk'
+class CustomCommand(BuiltInCommand):
+ command: str
+ model_config = ConfigDict(arbitrary_types_allowed=True)
+
+
+def ec2_assume_role(
+ role_arn: Optional[str] = None,
+ policy: Optional[str] = None,
+ duration_seconds: Optional[int] = None,
+ command_type: Optional[EvgCommandType] = None,
+) -> CustomCommand:
+ return CustomCommand(
+ command="ec2.assume_role",
+ params={
+ "role_arn": role_arn,
+ "policy": policy,
+ "duration_seconds": duration_seconds,
+ },
+ type=command_type,
+ )
+
+
+EC2_ASSUME_ROLE_COMMANDS = [
+ ec2_assume_role(
+ command_type=EvgCommandType.SETUP,
+ role_arn='${KONDUKTO_ROLE_ARN}',
+ ),
+ bash_exec(
+ command_type=EvgCommandType.SETUP,
+ include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+ script='''\
+ set -o errexit
+ set -o pipefail
+ kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+ printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml
+ '''
+ ),
+ expansions_update(
+ command_type=EvgCommandType.SETUP,
+ file='expansions.kondukto.yml'
+ ),
+]
+
+
+class UploadSBOMLite(Function):
+ name = 'upload sbom lite'
+ commands = EC2_ASSUME_ROLE_COMMANDS + [
+ bash_exec(
+ command_type=EvgCommandType.TEST,
+ working_dir='mongo-cxx-driver',
+ include_expansions_in_env=[
+ 'ARTIFACTORY_USER',
+ 'ARTIFACTORY_PASSWORD',
+ 'branch_name',
+ 'KONDUKTO_TOKEN',
+ ],
+ script='.evergreen/scripts/silk-upload-sbom-lite.sh',
+ ),
+ ]
+
+
class CheckAugmentedSBOM(Function):
 name = 'check augmented sbom'
- commands = bash_exec(
- command_type=EvgCommandType.TEST,
- working_dir='mongo-cxx-driver',
- include_expansions_in_env=[
- 'ARTIFACTORY_USER',
- 'ARTIFACTORY_PASSWORD',
- 'SILK_CLIENT_ID',
- 'SILK_CLIENT_SECRET',
- ],
- script='.evergreen/scripts/check-augmented-sbom.sh',
- )
+ commands = EC2_ASSUME_ROLE_COMMANDS + [
+ bash_exec(
+ command_type=EvgCommandType.TEST,
+ working_dir='mongo-cxx-driver',
+ include_expansions_in_env=[
+ 'ARTIFACTORY_PASSWORD',
+ 'ARTIFACTORY_USER',
+ 'branch_name',
+ 'KONDUKTO_TOKEN',
+ ],
+ script='.evergreen/scripts/silk-check-augmented-sbom.sh',
+ ),
+ ]
 class UploadAugmentedSBOM(Function):
 name = 'upload augmented sbom'
 commands = [
+ # The current Augmented SBOM, ignoring version and timestamp fields.
 s3_put(
 command_type=EvgCommandType.SYSTEM,
 aws_key='${aws_key}',
 aws_secret='${aws_secret}',
 bucket='mciuploads',
 content_type='application/json',
- display_name='Augmented SBOM',
- local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
+ display_name='Augmented SBOM (Old)',
+ local_file='mongo-cxx-driver/old.json',
 permissions='public-read',
- remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json',
 ),
+ # The updated Augmented SBOM, ignoring version and timestamp fields.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (New)',
+ local_file='mongo-cxx-driver/new.json',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json',
+ ),
+ # The difference between the current and updated Augmented SBOM.
 s3_put(
 command_type=EvgCommandType.SYSTEM,
 aws_key='${aws_key}',
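Review bot: The setup `bash_exec` in EC2_ASSUME_ROLE_COMMANDS writes the Kondukto token in plaintext to `expansions.kondukto.yml` in the task working directory, and nothing removes that file after `expansions_update` has read it, so the secret stays on disk for the rest of the task and for any later step that archives or uploads the working directory. Either document that deliberately with a comment on the `expansions_update` entry, e.g. `# Leaves expansions.kondukto.yml on disk; the token is also exposed as an expansion from here on.`, or follow it with a small cleanup step that deletes the file; Evergreen's expansions.update also has a redact option for secret values, which is worth confirming against the current docs before relying on it. The `printf "KONDUKTO_TOKEN: %s\n"` line emits the token as an unquoted YAML scalar, so a value containing `#`, `: ` or a leading quote would be mis-parsed by the expansion loader; quoting the scalar (and escaping embedded quotes) avoids that. The same block is inlined into CheckAugmentedSBOM by a later patch in this series, so whichever fix is chosen should be carried there too.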
@@ -50,34 +130,57 @@ class UploadAugmentedSBOM(Function):
 display_name='Augmented SBOM (Diff)',
 local_file='mongo-cxx-driver/diff.txt',
 permissions='public-read',
- remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt',
+ ),
+ # The updated Augmented SBOM without any filtering or modifications.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (Updated)',
+ local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json',
 ),
 ]
 def functions():
 return merge_defns(
+ UploadSBOMLite.defn(),
 CheckAugmentedSBOM.defn(),
 UploadAugmentedSBOM.defn(),
 )
 def tasks():
- distro_name = 'rhel8-latest'
+ distro_name = 'rhel80'
 distro = find_small_distro(distro_name)
- return [
- EvgTask(
- name='silk-check-augmented-sbom',
- tags=[TAG, distro_name],
- run_on=distro.name,
- commands=[
- Setup.call(),
- CheckAugmentedSBOM.call(),
- UploadAugmentedSBOM.call(),
- ],
- ),
- ]
+ upload_task = EvgTask(
+ name='silk-upload-sbom-lite',
+ tags=[TAG, distro_name],
+ run_on=distro.name,
+ commands=[
+ Setup.call(),
+ UploadSBOMLite.call(),
+ ],
+ )
+
+ yield upload_task
+ yield EvgTask(
+ name='silk-check-augmented-sbom',
+ tags=[TAG, distro_name],
+ depends_on=[EvgTaskDependency(name=upload_task.name)],
+ run_on=distro.name,
+ commands=[
+ Setup.call(),
+ CheckAugmentedSBOM.call(),
+ UploadAugmentedSBOM.call(),
+ ],
+ )
 def variants():
diff --git a/.evergreen/config_generator/etc/distros.py b/.evergreen/config_generator/etc/distros.py
index b624b092c9..c2d137bf6f 100644
--- a/.evergreen/config_generator/etc/distros.py
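Review bot: `tasks()` silently changes from returning a list to being a generator (the `return [...]` becomes two `yield`s), and the hunk does not show its callers; anything that indexes, measures or concatenates the result, or iterates it twice, now breaks, while a single pass still works, which is presumably what the generated tasks.yml relied on. Either keep the interface and write `return [upload_task, EvgTask(...)]`, or give the function a docstring that states it yields EvgTask objects so the contract is explicit, e.g. `"""Yield the silk tasks; the check task depends on the upload task."""`. The sibling `variants()` whose `def` line closes this hunk is outside the view.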
+++ b/.evergreen/config_generator/etc/distros.py @@ -64,7 +64,6 @@ def ls_distro(name, **kwargs): RHEL_DISTROS = [] + \ ls_distro(name='rhel80', os='rhel', os_type='linux', os_ver='8.0') + \ ls_distro(name='rhel95', os='rhel', os_type='linux', os_ver='9.5') + \ - ls_distro(name='rhel8-latest', os='rhel', os_type='linux', os_ver='latest') + \ [] RHEL_ARM64_DISTROS = [] + \ diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml index d5c0a69b0d..4fd79db58c 100644 --- a/.evergreen/generated_configs/functions.yml +++ b/.evergreen/generated_configs/functions.yml @@ -203,19 +203,42 @@ functions: .evergreen/atlas_data_lake/pull-mongohouse-image.sh check augmented sbom: - command: subprocess.exec - type: test - params: - binary: bash - working_dir: mongo-cxx-driver - include_expansions_in_env: - - ARTIFACTORY_USER - - ARTIFACTORY_PASSWORD - - SILK_CLIENT_ID - - SILK_CLIENT_SECRET - args: - - -c - - .evergreen/scripts/check-augmented-sbom.sh + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml + - command: subprocess.exec + type: test + params: + binary: bash + working_dir: mongo-cxx-driver + include_expansions_in_env: + - ARTIFACTORY_PASSWORD + - ARTIFACTORY_USER + - branch_name + - KONDUKTO_TOKEN + args: + - -c + - .evergreen/scripts/silk-check-augmented-sbom.sh clang-tidy: command: subprocess.exec type: test 
@@ -675,14 +698,25 @@ functions: - command: s3.put type: system params: - display_name: Augmented SBOM + display_name: Augmented SBOM (Old) aws_key: ${aws_key} aws_secret: ${aws_secret} bucket: mciuploads content_type: application/json - local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + local_file: mongo-cxx-driver/old.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (New) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/new.json + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json - command: s3.put type: system params: @@ -693,7 +727,18 @@ functions: content_type: application/json local_file: mongo-cxx-driver/diff.txt permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Updated) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json upload code coverage: command: subprocess.exec type: system 
@@ -732,6 +777,43 @@ functions: optional: true permissions: public-read remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/logs/${task_id}-${execution}-mongodb-logs.tar.gz + upload sbom lite: + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml + - command: subprocess.exec + type: test + params: + binary: bash + working_dir: mongo-cxx-driver + include_expansions_in_env: + - ARTIFACTORY_USER + - ARTIFACTORY_PASSWORD + - branch_name + - KONDUKTO_TOKEN + args: + - -c + - .evergreen/scripts/silk-upload-sbom-lite.sh upload scan artifacts: - command: subprocess.exec type: test diff --git a/.evergreen/generated_configs/tasks.yml b/.evergreen/generated_configs/tasks.yml index 34c63de528..87048d74c5 100644 --- a/.evergreen/generated_configs/tasks.yml +++ b/.evergreen/generated_configs/tasks.yml @@ -17259,12 +17259,19 @@ tasks: CXX_STANDARD: 17 - func: upload scan artifacts - name: silk-check-augmented-sbom - run_on: rhel8-latest-small - tags: [silk, rhel8-latest] + run_on: rhel80-small + tags: [silk, rhel80] + depends_on: [{ name: silk-upload-sbom-lite }] commands: - func: setup - func: check augmented sbom - func: upload augmented sbom + - name: silk-upload-sbom-lite + run_on: rhel80-small + tags: [silk, rhel80] + commands: + - func: setup + - func: upload sbom lite - name: test_mongohouse run_on: ubuntu2204-large tags: [mongohouse, ubuntu2204] 
diff --git a/.evergreen/scripts/check-augmented-sbom.sh b/.evergreen/scripts/check-augmented-sbom.sh deleted file mode 100755 index f59aa51c89..0000000000 --- a/.evergreen/scripts/check-augmented-sbom.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -command -v jq >/dev/null || { - echo "missing required program jq" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 - -silkbomb_download_flags=( - # Avoid bumping version or timestamp in diff. - --no-update-sbom-version - --no-update-timestamp - - --silk-asset-group mongo-cxx-driver - -o /pwd/etc/augmented.sbom.json.new -) - -podman run \ - --env-file <( - echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}" - echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}" - ) \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ - download "${silkbomb_download_flags[@]:?}" - -[[ -f ./etc/augmented.sbom.json.new ]] || { - echo "failed to download Augmented SBOM from Silk" 1>&2 - exit 1 -} - -echo "Comparing Augmented SBOM..." - -jq -S '.' ./etc/augmented.sbom.json >|old.json -jq -S '.' ./etc/augmented.sbom.json.new >|new.json - -# Allow task to upload the augmented SBOM despite failed diff. -if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then - declare status - status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' - curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true -fi - -cat diff.txt - -echo "Comparing Augmented SBOM... done." 
diff --git a/.evergreen/scripts/silk-check-augmented-sbom.sh b/.evergreen/scripts/silk-check-augmented-sbom.sh new file mode 100755 index 0000000000..e8d83b2107 --- /dev/null +++ b/.evergreen/scripts/silk-check-augmented-sbom.sh 
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+command -v jq >/dev/null || {
+ echo "missing required program jq" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+ --repo mongodb/mongo-cxx-driver
+ --branch "${branch_name:?}"
+ --sbom-in /pwd/etc/cyclonedx.sbom.json
+ --sbom-out /pwd/etc/augmented.sbom.json.new
+
+ # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+ # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+ --no-update-sbom-version
+)
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+ echo "failed to download Augmented SBOM" 1>&2
+ exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+ declare status
+ status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+ curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."
diff --git a/.evergreen/scripts/silk-upload-sbom-lite.sh b/.evergreen/scripts/silk-upload-sbom-lite.sh
new file mode 100755
index 0000000000..705f4d9a59
--- /dev/null
+++ b/.evergreen/scripts/silk-upload-sbom-lite.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+ validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Then upload the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" \
+ upload --repo mongodb/mongo-cxx-driver --branch "${branch_name:?}" --sbom-in /pwd/etc/cyclonedx.sbom.json
From 023bd4eebc3d5e8f88df961358514c6cd25b6a4d Mon Sep 17 00:00:00 2001
From: Ezra Chung
Date: Thu, 20 Feb 2025 10:03:18 -0600
Subject: [PATCH 2/7] Update release instructions for SilkBomb 2.0
---
 etc/releasing.md | 129 +++++------------------------------------------
 1 file changed, 12 insertions(+), 117 deletions(-)
diff --git a/etc/releasing.md b/etc/releasing.md
index 1e5da4c8c1..01478f3477 100644
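Review bot: `podman pull "${silkbomb:?}"` resolves the mutable tag `silkbomb:2.0` on every run, and the image is then executed with the Kondukto token in its environment and the checkout mounted at `/pwd`, so whatever that tag points to on a given day receives both the secret and the SBOM files, and nothing in the log records which image actually ran. The comment says floating to the latest build is intended; if so, record the resolved digest right after the pull, `podman image inspect --format '{{.Digest}}' "${silkbomb:?}"`, so a given SBOM result can be tied back to a specific image, or pin `silkbomb@sha256:<digest placeholder>` and bump it deliberately. The failure message in the `[[ -f ./etc/augmented.sbom.json.new ]]` guard still says `failed to download Augmented SBOM`, but the command above it is `augment`, not `download`; `echo "failed to generate Augmented SBOM" 1>&2` describes what the script does. The same unpinned pull appears in silk-upload-sbom-lite.sh below.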
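Review bot: Both `podman run` lines pass `-it`, which asks for a pseudo-TTY, but this script is launched by Evergreen's subprocess.exec with no terminal attached and nothing here reads from stdin; podman appears to tolerate the missing TTY, but dropping `-it` (or keeping only `-i`) removes a dependency on that behaviour and keeps the task log clean. The validate step deliberately omits `--env 'KONDUKTO_TOKEN'` and only the upload step gets it, which is the right minimal exposure; a comment such as `# validate does not need the Kondukto token; it is only passed to upload.` would stop a later edit from "harmonising" the two invocations. `--exclude jira` on the validate line is not explained and the hunk does not show what it excludes, so a short comment there would help too.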
--- a/etc/releasing.md +++ b/etc/releasing.md @@ -74,13 +74,6 @@ Some release steps require one or more of the following secrets. GRS_CONFIG_USER1_USERNAME= GRS_CONFIG_USER1_PASSWORD= ``` -- Silk credentials. - - Location: `~/.secrets/silk-creds.txt` - - Format: - ```bash - SILK_CLIENT_ID= - SILK_CLIENT_SECRET= - ``` - Snyk credentials. - Location: `~/.secrets/snyk-creds.txt` - Format: 
@@ -131,57 +124,27 @@ Ensure the list of bundled dependencies in `etc/purls.txt` is up-to-date. If not If `etc/purls.txt` was updated, update the SBOM Lite document using the following command(s): ```bash -# Artifactory and Silk credentials. +# Artifactory credentials. . $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt # Output: "Login succeeded!" podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" # Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 +podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 # Output: "... writing sbom to file" -podman run \ - --env-file "$HOME/.secrets/silk-creds.txt" \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 \ - update -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" +podman run -it --rm -v "$(pwd):/pwd" silkbomb:2.0 \ + update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` -Commit the latest version of the SBOM Lite document into the repo as `etc/cyclonedx.sbom.json`. (This may just be a modification of the timestamp.) +Run a patch build which executes the `silk-check-augmented-sbom` task and, if necessary (when the task fails), download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json` (see below). -Generate an updated Augmented SBOM as described below. - -> [!IMPORTANT] -> If the SBOM Lite was updated, generate an updated Augmented SBOM as described below even if the `silk-check-augmented-sbom` is currently passing on Evergreen! +Commit the updated SBOM documents if there are any substantial changes. 
### Augmented SBOM -Ensure the `silk-check-augmented-sbom` task is passing on Evergreen for the relevant release branch. If it is passing, nothing needs to be done (unless the SBOM Lite was updated as described above). - -#### Regular Update - -Update the Augmented SBOM document using the following command(s): - -```bash -# Artifactory and Silk credentials. -. $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 - -# Output: "... writing sbom to file" -podman run \ - --env-file "$HOME/.secrets/silk-creds.txt" \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 \ - download --silk-asset-group "mongo-cxx-driver" -o "/pwd/etc/augmented.sbom.json" -``` +Ensure the `silk-check-augmented-sbom` task is passing on Evergreen for the relevant release branch. Review the contents of the new Augmented SBOM and ensure any new or known vulnerabilities with severity "Medium" or greater have a corresponding JIRA ticket (CXX or VULN) that is scheduled to be resolved within its remediation timeline. 
@@ -189,45 +152,7 @@ Update the [SSDLC Report spreadsheet](https://docs.google.com/spreadsheets/d/1sp Update `etc/third_party_vulnerabilities.md` with any updates to new or known vulnerabilities for third party dependencies that have not yet been fixed by the upcoming release. -Commit the latest version of the Augmented SBOM document into the repo as `etc/augmented.sbom.json`. The Augmented SBOM document does not need to be updated if the `silk-check-augmented-sbom` was not failing (in which case the only changes present would a version bump or timestamp update). - -#### Instant Update - -If the Augmented SBOM has not yet been updated in time for a release, a temporary Silk Asset Group may be used instead: - -```bash -# Artifactory and Silk credentials. -. $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt - -# Name of the temporary Silk Asset Group. Do NOT use an existing Silk Asset Group! -asset_group_id="mongo-cxx-driver-tmp-releasing" - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 - -# Common flags to podman. -silkbomb_flags=( - --env-file "$HOME/.secrets/silk-creds.txt" - -it --rm -v "$(pwd):/pwd" - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 -) - -# Create a new and temporary Silk Asset Group. -podman run "${silkbomb_flags[@]:?}" asset-group --asset-cmd create --silk-asset-group "${asset_group_id:?}" --name "${asset_group_id:?}" - -# Upload the SBOM Lite. -podman run "${silkbomb_flags[@]:?}" upload --silk-asset-group "${asset_group_id:?}" -i /pwd/etc/cyclonedx.sbom.json - -# Download the Augmented SBOM. 
-podman run "${silkbomb_flags[@]:?}" download --silk-asset-group "${asset_group_id:?}" -o /pwd/etc/augmented.sbom.json - -# Remove the temporary Silk Asset Group. -podman run "${silkbomb_flags[@]:?}" asset-group --asset-cmd delete --silk-asset-group "${asset_group_id:?}" -``` +Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `silk-sbom-check-augmented` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field). ### Check Snyk 
@@ -532,41 +457,9 @@ git push upstream releases/vX.Y The new branch should be continuously tested on Evergreen. Update the "Display Name" and "Branch Name" of the [mongo-cxx-driver-latest-release Evergreen project](https://spruce.mongodb.com/project/mongo-cxx-driver-latest-release/settings/general) to refer to the new release branch. -The new branch should be tracked by Silk. Use the [create-silk-asset-group.py script](https://github.com/mongodb/mongo-c-driver/blob/master/tools/create-silk-asset-group.py) in the C Driver to create a new Silk asset group: - -```bash -# Snyk credentials. Ask for these from a team member. -. ~/.secrets/silk-creds.txt - -# Ensure correct release version number! -version="X.Y" - -create_args=( - --silk-client-id "${SILK_CLIENT_ID:?}" - --silk-client-secret "${SILK_CLIENT_SECRET:?}" - --asset-id "mongo-cxx-driver-${version:?}" # Avoid '/' in Asset ID field. - --project "mongo-cxx-driver-${version:?}" - --branch "releases/v${version:?}" - --code-repo-url "https://github.com/mongodb/mongo-cxx-driver" - --sbom-lite-path="etc/cyclonedx.sbom.json" -) - -python path/to/tools/create-silk-asset-group.py "${create_args[@]:?}" -``` - -Verify the new asset group (`mongo-cxx-driver-X.Y`) is present in the [Silk Asset Inventory](https://us1.app.silk.security/inventory/all). +Update the `etc/cyclonedx.sbom.json` file with a new unique serial number for the next upcoming patch release (e.g. for `1.2.4` following the release of `1.2.3`). This can be done by running the `silkbomb:2.0 update` command described above in [SBOM Lite](#sbom-lite) without the `-i` flag, or by manually inserting the result of running the `uuidgen` CLI command. Ensure any existing `copyright`, `licenses`, and other manually inserted or modified fields are preserved during the update. Update `etc/augmented.sbom.json` as described above in [Augmented SBOM](#augmented-sbom). 
-Update the Silk asset group identifier in `.evergreen/scripts/check-augmented-sbom.sh` to refer to the new silk asset group created above: - -```bash -silkbomb_download_flags=( - ... - --silk-asset-group mongo-cxx-driver-X.Y # <-- - ... -) -``` - -Commit and push this change on the `releases/vX.Y` branch. +Commit and push these changes to the `releases/vX.Y` branch. ### Update Snyk @@ -630,6 +523,8 @@ In `etc/apidocmenu.md`, update the list of versions under "Driver Documentation In `README.md`, sync the "Driver Development Status" table with the updated table from `etc/apidocmenu.md`. +Update the `etc/cyclonedx.sbom.json` file with a new unique serial number for the next upcoming non-patch release (e.g. for `1.3.0` or `2.0.0` following the release of `1.2.3`). This can be done by running the `silkbomb:2.0 update` command described above in [SBOM Lite](#sbom-lite) without the `-i` flag, or by manually inserting the result of running the `uuidgen` CLI command. Ensure any existing `copyright`, `licenses`, and other manually inserted or modified fields are preserved during the update. Update `etc/augmented.sbom.json` as described above in [Augmented SBOM](#augmented-sbom). + Commit these changes to the `post-release-changes` branch: ```bash From 109a9ed9009e416d0c927ffede73f3ad8929a055 Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 13:06:03 -0600 Subject: [PATCH 3/7] Upload SBOM Lite as part of augment command --- .../config_generator/components/silk.py | 66 +++++-------------- .evergreen/generated_configs/functions.yml | 37 ----------- .evergreen/generated_configs/tasks.yml | 7 -- .../scripts/silk-check-augmented-sbom.sh | 4 ++ .evergreen/scripts/silk-upload-sbom-lite.sh | 29 -------- 5 files changed, 20 insertions(+), 123 deletions(-) delete mode 100755 .evergreen/scripts/silk-upload-sbom-lite.sh diff --git a/.evergreen/config_generator/components/silk.py b/.evergreen/config_generator/components/silk.py index 139061fc2b..ff047258ac 100644 
--- a/.evergreen/config_generator/components/silk.py +++ b/.evergreen/config_generator/components/silk.py @@ -37,48 +37,27 @@ def ec2_assume_role( ) -EC2_ASSUME_ROLE_COMMANDS = [ - ec2_assume_role( - command_type=EvgCommandType.SETUP, - role_arn='${KONDUKTO_ROLE_ARN}', - ), - bash_exec( - command_type=EvgCommandType.SETUP, - include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'], - script='''\ +class CheckAugmentedSBOM(Function): + name = 'check augmented sbom' + commands = [ + ec2_assume_role( + command_type=EvgCommandType.SETUP, + role_arn='${KONDUKTO_ROLE_ARN}', + ), + bash_exec( + command_type=EvgCommandType.SETUP, + include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'], + script='''\ set -o errexit set -o pipefail kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml - ''' - ), - expansions_update( - command_type=EvgCommandType.SETUP, - file='expansions.kondukto.yml' - ), -] - - -class UploadSBOMLite(Function): - name = 'upload sbom lite' - commands = EC2_ASSUME_ROLE_COMMANDS + [ - bash_exec( - command_type=EvgCommandType.TEST, - working_dir='mongo-cxx-driver', - include_expansions_in_env=[ - 'ARTIFACTORY_USER', - 'ARTIFACTORY_PASSWORD', - 'branch_name', - 'KONDUKTO_TOKEN', - ], - script='.evergreen/scripts/silk-upload-sbom-lite.sh', + ''', + ), + expansions_update( + command_type=EvgCommandType.SETUP, + file='expansions.kondukto.yml', ), - ] - - -class CheckAugmentedSBOM(Function): - name = 'check augmented sbom' - commands = EC2_ASSUME_ROLE_COMMANDS + [ bash_exec( command_type=EvgCommandType.TEST, working_dir='mongo-cxx-driver', @@ -149,7 +128,6 @@ class UploadAugmentedSBOM(Function): def functions(): return merge_defns( - UploadSBOMLite.defn(), CheckAugmentedSBOM.defn(), UploadAugmentedSBOM.defn(), ) 
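Review bot: CheckAugmentedSBOM.commands now carries a four-step sequence (assume the Kondukto role, fetch the token from Secrets Manager with the temporary AWS credentials, load it as an expansion, run the check script) with no comment explaining why the first three steps exist or which expansion they produce. A short class docstring would make that readable, e.g. `"""Assume ${KONDUKTO_ROLE_ARN}, fetch the Kondukto token into the KONDUKTO_TOKEN expansion, then run silk-check-augmented-sbom.sh."""`, and a one-line comment above the `expansions_update` entry noting that `expansions.kondukto.yml` is left on disk afterwards. The `ec2_assume_role` definition whose closing `)` opens this hunk starts outside it.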
@@ -159,21 +137,9 @@ def tasks(): distro_name = 'rhel80' distro = find_small_distro(distro_name) - upload_task = EvgTask( - name='silk-upload-sbom-lite', - tags=[TAG, distro_name], - run_on=distro.name, - commands=[ - Setup.call(), - UploadSBOMLite.call(), - ], - ) - - yield upload_task yield EvgTask( name='silk-check-augmented-sbom', tags=[TAG, distro_name], - depends_on=[EvgTaskDependency(name=upload_task.name)], run_on=distro.name, commands=[ Setup.call(), diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml index 4fd79db58c..30970cfee3 100644 --- a/.evergreen/generated_configs/functions.yml +++ b/.evergreen/generated_configs/functions.yml @@ -777,43 +777,6 @@ functions: optional: true permissions: public-read remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/logs/${task_id}-${execution}-mongodb-logs.tar.gz - upload sbom lite: - - command: ec2.assume_role - type: setup - params: - role_arn: ${KONDUKTO_ROLE_ARN} - - command: subprocess.exec - type: setup - params: - binary: bash - include_expansions_in_env: - - AWS_ACCESS_KEY_ID - - AWS_SECRET_ACCESS_KEY - - AWS_SESSION_TOKEN - args: - - -c - - | - set -o errexit - set -o pipefail - kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" - printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml - - command: expansions.update - type: setup - params: - file: expansions.kondukto.yml - - command: subprocess.exec - type: test - params: - binary: bash - working_dir: mongo-cxx-driver - include_expansions_in_env: - - ARTIFACTORY_USER - - ARTIFACTORY_PASSWORD - - branch_name - - KONDUKTO_TOKEN - args: - - -c - - .evergreen/scripts/silk-upload-sbom-lite.sh upload scan artifacts: - command: subprocess.exec type: test 
diff --git a/.evergreen/generated_configs/tasks.yml b/.evergreen/generated_configs/tasks.yml index 87048d74c5..e5e50bbf21 100644 --- a/.evergreen/generated_configs/tasks.yml +++ b/.evergreen/generated_configs/tasks.yml @@ -17261,17 +17261,10 @@ tasks: - name: silk-check-augmented-sbom run_on: rhel80-small tags: [silk, rhel80] - depends_on: [{ name: silk-upload-sbom-lite }] commands: - func: setup - func: check augmented sbom - func: upload augmented sbom - - name: silk-upload-sbom-lite - run_on: rhel80-small - tags: [silk, rhel80] - commands: - - func: setup - - func: upload sbom lite - name: test_mongohouse run_on: ubuntu2204-large tags: [mongohouse, ubuntu2204] diff --git a/.evergreen/scripts/silk-check-augmented-sbom.sh b/.evergreen/scripts/silk-check-augmented-sbom.sh index e8d83b2107..2791c5fcde 100755 --- a/.evergreen/scripts/silk-check-augmented-sbom.sh +++ b/.evergreen/scripts/silk-check-augmented-sbom.sh @@ -36,6 +36,10 @@ silkbomb_augment_flags=( --no-update-sbom-version ) +# First validate the SBOM Lite. +podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \ + validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira + # Allow the timestamp to be updated in the Augmented SBOM for update purposes. podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}" diff --git a/.evergreen/scripts/silk-upload-sbom-lite.sh b/.evergreen/scripts/silk-upload-sbom-lite.sh deleted file mode 100755 index 705f4d9a59..0000000000 --- a/.evergreen/scripts/silk-upload-sbom-lite.sh +++ /dev/null 
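Review bot: The new `validate` invocation mounts the checkout read-write even though it only reads `etc/purls.txt` and `etc/cyclonedx.sbom.json`; mount it read-only for this step, `-v "$(pwd):/pwd:ro"`, and keep the writable mount only for the `augment` run below that produces output files. `validate` correctly omits `--env 'KONDUKTO_TOKEN'`, so the token is not exposed to a step that does not need it; keep it that way if the command grows. Whether a validation failure actually stops the script depends on `set -o errexit` being set above the hunk (the removed upload script had it; confirm this file does too), otherwise `augment` runs on an invalid SBOM Lite. `${silkbomb:?}` is defined above the hunk; if it is the mutable `:2.0` tag as in the removed script, consider pinning the image by digest so the SBOM tooling that gates releases is reproducible.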
@@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -: "${ARTIFACTORY_USER:?}" -: "${ARTIFACTORY_PASSWORD:?}" -: "${branch_name:?}" -: "${KONDUKTO_TOKEN:?}" - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" - -# Ensure latest version of SilkBomb is being used. -podman pull "${silkbomb:?}" - -# First validate the SBOM Lite. -podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \ - validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira - -# Then upload the SBOM Lite. -podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" \ - upload --repo mongodb/mongo-cxx-driver --branch "${branch_name:?}" --sbom-in /pwd/etc/cyclonedx.sbom.json From 4cd9b654cbdc8780ace80ed6a80594caab60917c Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 13:06:04 -0600 Subject: [PATCH 4/7] Rename tasks to sbom for consistency --- .evergreen/config_generator/components/silk.py | 16 ++++++++-------- .evergreen/generated_configs/functions.yml | 10 +++++----- .evergreen/generated_configs/tasks.yml | 14 +++++++------- .evergreen/generated_configs/variants.yml | 8 ++++---- .../{silk-check-augmented-sbom.sh => sbom.sh} | 0 etc/releasing.md | 6 +++--- 6 files changed, 27 insertions(+), 27 deletions(-) rename .evergreen/scripts/{silk-check-augmented-sbom.sh => sbom.sh} (100%) diff --git a/.evergreen/config_generator/components/silk.py b/.evergreen/config_generator/components/silk.py index ff047258ac..be51041b96 100644 --- a/.evergreen/config_generator/components/silk.py +++ b/.evergreen/config_generator/components/silk.py @@ -12,7 +12,7 @@ from typing import Optional -TAG = 'silk' +TAG = 'sbom' class CustomCommand(BuiltInCommand): 
@@ -67,7 +67,7 @@ class CheckAugmentedSBOM(Function): 'branch_name', 'KONDUKTO_TOKEN', ], - script='.evergreen/scripts/silk-check-augmented-sbom.sh', + script='.evergreen/scripts/sbom.sh', ), ] @@ -85,7 +85,7 @@ class UploadAugmentedSBOM(Function): display_name='Augmented SBOM (Old)', local_file='mongo-cxx-driver/old.json', permissions='public-read', - remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json', + remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json', ), # The updated Augmented SBOM, ignoring version and timestamp fields. s3_put( @@ -97,7 +97,7 @@ class UploadAugmentedSBOM(Function): display_name='Augmented SBOM (New)', local_file='mongo-cxx-driver/new.json', permissions='public-read', - remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json', + remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json', ), # The difference between the current and updated Augmented SBOM. s3_put( @@ -109,7 +109,7 @@ class UploadAugmentedSBOM(Function): display_name='Augmented SBOM (Diff)', local_file='mongo-cxx-driver/diff.txt', permissions='public-read', - remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt', + remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt', ), # The updated Augmented SBOM without any filtering or modifications. s3_put( @@ -121,7 +121,7 @@ class UploadAugmentedSBOM(Function): display_name='Augmented SBOM (Updated)', local_file='mongo-cxx-driver/etc/augmented.sbom.json.new', permissions='public-read', - remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json', + remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json', ), ] 
@@ -138,7 +138,7 @@ def tasks(): distro = find_small_distro(distro_name) yield EvgTask( - name='silk-check-augmented-sbom', + name='sbom', tags=[TAG, distro_name], run_on=distro.name, commands=[ @@ -153,7 +153,7 @@ def variants(): return [ BuildVariant( name=TAG, - display_name='Silk', + display_name='SBOM', tasks=[EvgTaskRef(name=f'.{TAG}')], ), ] diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml index 30970cfee3..c22ffb1d22 100644 --- a/.evergreen/generated_configs/functions.yml +++ b/.evergreen/generated_configs/functions.yml @@ -238,7 +238,7 @@ functions: - KONDUKTO_TOKEN args: - -c - - .evergreen/scripts/silk-check-augmented-sbom.sh + - .evergreen/scripts/sbom.sh clang-tidy: command: subprocess.exec type: test @@ -705,7 +705,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/old.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json - command: s3.put type: system params: @@ -716,7 +716,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/new.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json - command: s3.put type: system params: @@ -727,7 +727,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/diff.txt permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt - command: s3.put type: system params: 
@@ -738,7 +738,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/etc/augmented.sbom.json.new permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json upload code coverage: command: subprocess.exec type: system diff --git a/.evergreen/generated_configs/tasks.yml b/.evergreen/generated_configs/tasks.yml index e5e50bbf21..20096b2a83 100644 --- a/.evergreen/generated_configs/tasks.yml +++ b/.evergreen/generated_configs/tasks.yml @@ -17195,6 +17195,13 @@ tasks: example_projects_cxx: clang++ example_projects_cxxflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fno-omit-frame-pointer example_projects_ldflags: -fsanitize=undefined -fno-sanitize-recover=undefined -static-libsan + - name: sbom + run_on: rhel80-small + tags: [sbom, rhel80] + commands: + - func: setup + - func: check augmented sbom + - func: upload augmented sbom - name: scan-build-rhel80-std11-default run_on: rhel80-large tags: [scan-build, rhel80, std11] @@ -17258,13 +17265,6 @@ tasks: BSONCXX_POLYFILL: impls CXX_STANDARD: 17 - func: upload scan artifacts - - name: silk-check-augmented-sbom - run_on: rhel80-small - tags: [silk, rhel80] - commands: - - func: setup - - func: check augmented sbom - - func: upload augmented sbom - name: test_mongohouse run_on: ubuntu2204-large tags: [mongohouse, ubuntu2204] diff --git a/.evergreen/generated_configs/variants.yml b/.evergreen/generated_configs/variants.yml index 7fb57928f5..4235179898 100644 --- a/.evergreen/generated_configs/variants.yml +++ b/.evergreen/generated_configs/variants.yml @@ -124,6 +124,10 @@ buildvariants: - .sanitizers tasks: - name: .sanitizers + - name: sbom + display_name: SBOM + tasks: + - name: .sbom - name: scan-build-matrix display_name: scan-build-matrix display_tasks: 
@@ -132,10 +136,6 @@ buildvariants: - .scan-build tasks: - name: .scan-build - - name: silk - display_name: Silk - tasks: - - name: .silk - name: uninstall-check display_name: Uninstall Check display_tasks: diff --git a/.evergreen/scripts/silk-check-augmented-sbom.sh b/.evergreen/scripts/sbom.sh similarity index 100% rename from .evergreen/scripts/silk-check-augmented-sbom.sh rename to .evergreen/scripts/sbom.sh diff --git a/etc/releasing.md b/etc/releasing.md index 01478f3477..0bbbbbca65 100644 --- a/etc/releasing.md +++ b/etc/releasing.md @@ -138,13 +138,13 @@ podman run -it --rm -v "$(pwd):/pwd" silkbomb:2.0 \ update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` -Run a patch build which executes the `silk-check-augmented-sbom` task and, if necessary (when the task fails), download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json` (see below). +Run a patch build which executes the `sbom` task and, if necessary (when the task fails), download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json` (see below). Commit the updated SBOM documents if there are any substantial changes. ### Augmented SBOM -Ensure the `silk-check-augmented-sbom` task is passing on Evergreen for the relevant release branch. +Ensure the `sbom` task is passing on Evergreen for the relevant release branch. Review the contents of the new Augmented SBOM and ensure any new or known vulnerabilities with severity "Medium" or greater have a corresponding JIRA ticket (CXX or VULN) that is scheduled to be resolved within its remediation timeline. 
@@ -152,7 +152,7 @@ Update the [SSDLC Report spreadsheet](https://docs.google.com/spreadsheets/d/1sp Update `etc/third_party_vulnerabilities.md` with any updates to new or known vulnerabilities for third party dependencies that have not yet been fixed by the upcoming release. -Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `silk-sbom-check-augmented` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field). +Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `sbom` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field). ### Check Snyk From c2f7e49b1ca13ce8ff0bb7e3e0c0480a4dc90fc6 Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 15:37:19 -0600 Subject: [PATCH 5/7] Also rename component for consistency --- .evergreen/config_generator/components/{silk.py => sbom.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .evergreen/config_generator/components/{silk.py => sbom.py} (100%) diff --git a/.evergreen/config_generator/components/silk.py b/.evergreen/config_generator/components/sbom.py similarity index 100% rename from .evergreen/config_generator/components/silk.py rename to .evergreen/config_generator/components/sbom.py From 9e675cd0d8d352abc0c540a79052709eff7d07c5 Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 15:37:20 -0600 Subject: [PATCH 6/7] Remove unused import --- .evergreen/config_generator/components/sbom.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen/config_generator/components/sbom.py b/.evergreen/config_generator/components/sbom.py index be51041b96..5922c108dc 100644 --- a/.evergreen/config_generator/components/sbom.py +++ b/.evergreen/config_generator/components/sbom.py 
@@ -6,7 +6,7 @@ from shrub.v3.evg_build_variant import BuildVariant from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put -from shrub.v3.evg_task import EvgTask, EvgTaskRef, EvgTaskDependency +from shrub.v3.evg_task import EvgTask, EvgTaskRef from pydantic import ConfigDict from typing import Optional From d089d1dff375ae8225694ac7048b66b6ec73396a Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 15:37:20 -0600 Subject: [PATCH 7/7] Fully qualify the silkbomb container in podman commands --- etc/releasing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/releasing.md b/etc/releasing.md index 0bbbbbca65..bd3556313a 100644 --- a/etc/releasing.md +++ b/etc/releasing.md @@ -134,7 +134,7 @@ podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.cor podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 # Output: "... writing sbom to file" -podman run -it --rm -v "$(pwd):/pwd" silkbomb:2.0 \ +podman run -it --rm -v "$(pwd):/pwd" artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ```