From 676a78d2a5e5086b7a846ff6a5ca1bb23045eaec Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 10:52:26 -0600 Subject: [PATCH 1/2] CXX-3228 update scripts for SilkBomb 2.0 --- .evergreen/check-augmented-sbom.sh | 58 ----------- .evergreen/silk-check-augmented-sbom.sh | 62 ++++++++++++ .evergreen/silk-upload-sbom-lite.sh | 29 ++++++ .mci.yml | 127 +++++++++++++++++++++--- 4 files changed, 202 insertions(+), 74 deletions(-) delete mode 100755 .evergreen/check-augmented-sbom.sh create mode 100755 .evergreen/silk-check-augmented-sbom.sh create mode 100755 .evergreen/silk-upload-sbom-lite.sh diff --git a/.evergreen/check-augmented-sbom.sh b/.evergreen/check-augmented-sbom.sh deleted file mode 100755 index 4ceb2a520c..0000000000 --- a/.evergreen/check-augmented-sbom.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -command -v jq >/dev/null || { - echo "missing required program jq" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 - -silkbomb_download_flags=( - # Avoid bumping version or timestamp in diff. - --no-update-sbom-version - --no-update-timestamp - - --silk-asset-group mongo-cxx-driver-3.11 - -o /pwd/etc/augmented.sbom.json.new -) - -podman run \ - --env-file <( - echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}" - echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}" - ) \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ - download "${silkbomb_download_flags[@]:?}" - -[[ -f ./etc/augmented.sbom.json.new ]] || { - echo "failed to download Augmented SBOM from Silk" 1>&2 - exit 1 -} - -echo "Comparing Augmented SBOM..." - -jq -S '.' ./etc/augmented.sbom.json >|old.json -jq -S '.' ./etc/augmented.sbom.json.new >|new.json - -# Allow task to upload the augmented SBOM despite failed diff. -if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then - declare status - status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' - curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true -fi - -cat diff.txt - -echo "Comparing Augmented SBOM... done." diff --git a/.evergreen/silk-check-augmented-sbom.sh b/.evergreen/silk-check-augmented-sbom.sh new file mode 100755 index 0000000000..e8d83b2107 --- /dev/null +++ b/.evergreen/silk-check-augmented-sbom.sh 
@@ -0,0 +1,62 @@ +#!/usr/bin/env bash + +set -o errexit +set -o pipefail + +: "${ARTIFACTORY_USER:?}" +: "${ARTIFACTORY_PASSWORD:?}" +: "${branch_name:?}" +: "${KONDUKTO_TOKEN:?}" + +command -v podman >/dev/null || { + echo "missing required program podman" 1>&2 + exit 1 +} + +command -v jq >/dev/null || { + echo "missing required program jq" 1>&2 + exit 1 +} + +podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" + +silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" + +# Ensure latest version of SilkBomb is being used. +podman pull "${silkbomb:?}" + +silkbomb_augment_flags=( + --repo mongodb/mongo-cxx-driver + --branch "${branch_name:?}" + --sbom-in /pwd/etc/cyclonedx.sbom.json + --sbom-out /pwd/etc/augmented.sbom.json.new + + # Any notable updates to the Augmented SBOM version should be done manually after careful inspection. + # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`. + --no-update-sbom-version +) + +# Allow the timestamp to be updated in the Augmented SBOM for update purposes. +podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}" + +[[ -f ./etc/augmented.sbom.json.new ]] || { + echo "failed to download Augmented SBOM" 1>&2 + exit 1 +} + +echo "Comparing Augmented SBOM..." + +# Format for easier diff while ignoring the timestamp field. +jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json +jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json + +# Allow the task to upload the Augmented SBOM even if the diff failed. +if ! 
diff -sty --left-column -W 200 old.json new.json >|diff.txt; then + declare status + status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' + curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true +fi + +cat diff.txt + +echo "Comparing Augmented SBOM... done." diff --git a/.evergreen/silk-upload-sbom-lite.sh b/.evergreen/silk-upload-sbom-lite.sh new file mode 100755 index 0000000000..705f4d9a59 --- /dev/null +++ b/.evergreen/silk-upload-sbom-lite.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +set -o errexit +set -o pipefail + +: "${ARTIFACTORY_USER:?}" +: "${ARTIFACTORY_PASSWORD:?}" +: "${branch_name:?}" +: "${KONDUKTO_TOKEN:?}" + +command -v podman >/dev/null || { + echo "missing required program podman" 1>&2 + exit 1 +} + +podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" + +silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" + +# Ensure latest version of SilkBomb is being used. +podman pull "${silkbomb:?}" + +# First validate the SBOM Lite. +podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \ + validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira + +# Then upload the SBOM Lite. +podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" \ + upload --repo mongodb/mongo-cxx-driver --branch "${branch_name:?}" --sbom-in /pwd/etc/cyclonedx.sbom.json diff --git a/.mci.yml b/.mci.yml index 138dab2c97..0d32acd7a8 100644 --- a/.mci.yml +++ b/.mci.yml 
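Review bot: The SilkBomb image is pulled by the mutable tag `silkbomb:2.0` (the `silkbomb=` assignment and the `podman pull` right after it), so the tool that produces the Augmented SBOM can change underneath this pipeline with no change in the repository, and a diff failure then cannot be told apart from a SilkBomb behaviour change. If reproducibility matters more than the "latest version" the comment asks for, pin by digest, e.g. `silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0@sha256:<digest>"`, and bump the digest deliberately. The whole working tree is also bind-mounted read-write (`-v "$(pwd):/pwd"`) although the `augment` invocation only reads `/pwd/etc/cyclonedx.sbom.json` and writes `/pwd/etc/augmented.sbom.json.new`; mounting only `"$(pwd)/etc:/pwd/etc"` limits what a compromised or buggy image could touch, while `old.json`, `new.json` and `diff.txt` are produced on the host anyway.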
@@ -697,40 +697,127 @@ functions: content_type: text/html display_name: Scan Build Report - "check augmented sbom": + "upload sbom lite": + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml - command: subprocess.exec type: test params: - working_dir: "mongo-cxx-driver" binary: bash + working_dir: mongo-cxx-driver include_expansions_in_env: - ARTIFACTORY_USER - ARTIFACTORY_PASSWORD - - SILK_CLIENT_ID - - SILK_CLIENT_SECRET - args: [-c, .evergreen/check-augmented-sbom.sh] + - branch_name + - KONDUKTO_TOKEN + args: + - -c + - .evergreen/silk-upload-sbom-lite.sh + + "check augmented sbom": + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml + - command: subprocess.exec + type: test + params: + binary: bash + working_dir: mongo-cxx-driver + include_expansions_in_env: + - ARTIFACTORY_PASSWORD + - ARTIFACTORY_USER + - branch_name + - KONDUKTO_TOKEN + args: + - -c 
+ - .evergreen/silk-check-augmented-sbom.sh "upload augmented sbom": - command: s3.put + type: system params: + display_name: Augmented SBOM (Old) aws_key: ${aws_key} aws_secret: ${aws_secret} - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json bucket: mciuploads - permissions: public-read - local_file: mongo-cxx-driver/etc/augmented.sbom.json.new content_type: application/json - display_name: Augmented SBOM + local_file: mongo-cxx-driver/old.json + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json - command: s3.put + type: system params: + display_name: Augmented SBOM (New) aws_key: ${aws_key} aws_secret: ${aws_secret} - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/new.json permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Diff) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json local_file: mongo-cxx-driver/diff.txt + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Updated) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads content_type: application/json - display_name: Augmented SBOM (Diff) + local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json ####################################### # Post Task # 
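Review bot: The Kondukto token fetched from Secrets Manager is written in clear text to `expansions.kondukto.yml` in the task's working directory (the `printf "KONDUKTO_TOKEN: %s\n"` line, present in both new functions) and nothing removes that file afterwards, so it stays on disk for the rest of the task and for any later step that archives or uploads the working directory. The value is also emitted unquoted, so a token containing YAML-significant characters would be mis-parsed by `expansions.update`; `printf 'KONDUKTO_TOKEN: "%s"\n' "$kondukto_token" >|expansions.kondukto.yml` is safer for the usual token alphabets. Consider deleting the file in a follow-up `setup` step once `expansions.update` has consumed it and, if the Evergreen agent in use can redact expansions loaded from a file, enabling that so the token cannot reach the task log. The `ec2.assume_role` / secret-fetch / `expansions.update` sequence is copied verbatim into both `upload sbom lite` and `check augmented sbom`; factoring it into one function (e.g. `fetch kondukto token`) keeps the two copies from drifting. The enclosing `functions:` mapping starts outside the hunk.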
@@ -1262,13 +1349,21 @@ tasks: BSONCXX_POLYFILL: std - func: "upload scan artifacts" + - name: silk-upload-sbom-lite + run_on: rhel80-small + tags: [silk, rhel80] + commands: + - func: setup + - func: upload sbom lite + - name: silk-check-augmented-sbom - run_on: rhel8-latest-small - tags: [silk] + run_on: rhel80-small + tags: [silk, rhel80] + depends_on: [{ name: silk-upload-sbom-lite }] commands: - - func: "setup" - - func: "check augmented sbom" - - func: "upload augmented sbom" + - func: setup + - func: check augmented sbom + - func: upload augmented sbom task_groups: - name: tg-abi-stability From 9e96b3dc0a1b924dc28bd7ad5940195a64d20fcf Mon Sep 17 00:00:00 2001 From: Ezra Chung Date: Thu, 20 Feb 2025 13:37:25 -0600 Subject: [PATCH 2/2] Upload SBOM Lite using the augment command --- .../{silk-check-augmented-sbom.sh => sbom.sh} | 4 ++ .evergreen/silk-upload-sbom-lite.sh | 29 -------- .mci.yml | 70 ++++--------------- 3 files changed, 16 insertions(+), 87 deletions(-) rename .evergreen/{silk-check-augmented-sbom.sh => sbom.sh} (91%) delete mode 100755 .evergreen/silk-upload-sbom-lite.sh diff --git a/.evergreen/silk-check-augmented-sbom.sh b/.evergreen/sbom.sh similarity index 91% rename from .evergreen/silk-check-augmented-sbom.sh rename to .evergreen/sbom.sh index e8d83b2107..2791c5fcde 100755 --- a/.evergreen/silk-check-augmented-sbom.sh +++ b/.evergreen/sbom.sh @@ -36,6 +36,10 @@ silkbomb_augment_flags=( --no-update-sbom-version ) +# First validate the SBOM Lite. +podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \ + validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira + # Allow the timestamp to be updated in the Augmented SBOM for update purposes. podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}" diff --git a/.evergreen/silk-upload-sbom-lite.sh b/.evergreen/silk-upload-sbom-lite.sh deleted file mode 100755 index 705f4d9a59..0000000000 
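Review bot: The new `validate` invocation (like the `augment` one just below it) runs `podman run -it`, but this script is started by Evergreen's `subprocess.exec`, which attaches no controlling terminal; nothing is fed to the container's stdin, so `-i` buys nothing, and `-t` at best produces a podman warning and, depending on the runtime, can fail outright with "the input device is not a TTY". Dropping both flags, `podman run --rm -v "$(pwd):/pwd" "${silkbomb:?}" \`, removes the dependency on how the agent wires stdio and keeps the validator's output free of TTY control sequences in the task log. The validate step, presumably because it is offline, is the only `podman run` here without `--env 'KONDUKTO_TOKEN'`; that deserves a one-line comment such as `# validate needs no Kondukto token, so none is passed into this container.` so nobody "fixes" it later. The rest of sbom.sh lies outside the hunk.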
--- a/.evergreen/silk-upload-sbom-lite.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -: "${ARTIFACTORY_USER:?}" -: "${ARTIFACTORY_PASSWORD:?}" -: "${branch_name:?}" -: "${KONDUKTO_TOKEN:?}" - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0" - -# Ensure latest version of SilkBomb is being used. -podman pull "${silkbomb:?}" - -# First validate the SBOM Lite. -podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \ - validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira - -# Then upload the SBOM Lite. -podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" \ - upload --repo mongodb/mongo-cxx-driver --branch "${branch_name:?}" --sbom-in /pwd/etc/cyclonedx.sbom.json diff --git a/.mci.yml b/.mci.yml index 0d32acd7a8..acb2fa50f4 100644 --- a/.mci.yml +++ b/.mci.yml 
@@ -697,45 +697,7 @@ functions: content_type: text/html display_name: Scan Build Report - "upload sbom lite": - - command: ec2.assume_role - type: setup - params: - role_arn: ${KONDUKTO_ROLE_ARN} - - command: subprocess.exec - type: setup - params: - binary: bash - include_expansions_in_env: - - AWS_ACCESS_KEY_ID - - AWS_SECRET_ACCESS_KEY - - AWS_SESSION_TOKEN - args: - - -c - - | - set -o errexit - set -o pipefail - kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" - printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml - - command: expansions.update - type: setup - params: - file: expansions.kondukto.yml - - command: subprocess.exec - type: test - params: - binary: bash - working_dir: mongo-cxx-driver - include_expansions_in_env: - - ARTIFACTORY_USER - - ARTIFACTORY_PASSWORD - - branch_name - - KONDUKTO_TOKEN - args: - - -c - - .evergreen/silk-upload-sbom-lite.sh - - "check augmented sbom": + check augmented sbom: - command: ec2.assume_role type: setup params: @@ -771,9 +733,9 @@ functions: - KONDUKTO_TOKEN args: - -c - - .evergreen/silk-check-augmented-sbom.sh + - .evergreen/sbom.sh - "upload augmented sbom": + upload augmented sbom: - command: s3.put type: system params: @@ -784,7 +746,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/old.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json - command: s3.put type: system params: 
@@ -795,7 +757,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/new.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json - command: s3.put type: system params: @@ -806,7 +768,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/diff.txt permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt - command: s3.put type: system params: @@ -817,7 +779,7 @@ functions: content_type: application/json local_file: mongo-cxx-driver/etc/augmented.sbom.json.new permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json ####################################### # Post Task # @@ -1349,17 +1311,9 @@ tasks: BSONCXX_POLYFILL: std - func: "upload scan artifacts" - - name: silk-upload-sbom-lite - run_on: rhel80-small - tags: [silk, rhel80] - commands: - - func: setup - - func: upload sbom lite - - - name: silk-check-augmented-sbom + - name: sbom run_on: rhel80-small - tags: [silk, rhel80] - depends_on: [{ name: silk-upload-sbom-lite }] + tags: [sbom, rhel80] commands: - func: setup - func: check augmented sbom @@ -2284,10 +2238,10 @@ buildvariants: tasks: - name: .scan-build-matrix - - name: silk - display_name: silk + - name: sbom + display_name: SBOM tasks: - - name: .silk + - name: .sbom - name: rhel79-compile display_name: "RHEL 7.9 (gcc 4.8.5)"