diff --git a/.evergreen/config_generator/components/sbom.py b/.evergreen/config_generator/components/sbom.py
new file mode 100644
index 0000000000..5922c108dc
--- /dev/null
+++ b/.evergreen/config_generator/components/sbom.py
@@ -0,0 +1,159 @@
+from config_generator.components.funcs.setup import Setup
+
+from config_generator.etc.distros import find_small_distro
+from config_generator.etc.function import Function, merge_defns
+from config_generator.etc.utils import bash_exec
+
+from shrub.v3.evg_build_variant import BuildVariant
+from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put
+from shrub.v3.evg_task import EvgTask, EvgTaskRef
+
+from pydantic import ConfigDict
+from typing import Optional
+
+
+TAG = 'sbom'
+
+
+class CustomCommand(BuiltInCommand):
+ command: str
+ model_config = ConfigDict(arbitrary_types_allowed=True)
+
+
+def ec2_assume_role(
+ role_arn: Optional[str] = None,
+ policy: Optional[str] = None,
+ duration_seconds: Optional[int] = None,
+ command_type: Optional[EvgCommandType] = None,
+) -> CustomCommand:
+ return CustomCommand(
+ command="ec2.assume_role",
+ params={
+ "role_arn": role_arn,
+ "policy": policy,
+ "duration_seconds": duration_seconds,
+ },
+ type=command_type,
+ )
+
+
+class CheckAugmentedSBOM(Function):
+ name = 'check augmented sbom'
+ commands = [
+ ec2_assume_role(
+ command_type=EvgCommandType.SETUP,
+ role_arn='${KONDUKTO_ROLE_ARN}',
+ ),
+ bash_exec(
+ command_type=EvgCommandType.SETUP,
+ include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+ script='''\
+ set -o errexit
+ set -o pipefail
+ kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+ printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml
+ ''',
+ ),
+ expansions_update(
+ command_type=EvgCommandType.SETUP,
+ file='expansions.kondukto.yml',
+ ),
+ bash_exec(
+ command_type=EvgCommandType.TEST,
+ working_dir='mongo-cxx-driver',
+ include_expansions_in_env=[
+ 'ARTIFACTORY_PASSWORD',
+ 'ARTIFACTORY_USER',
+ 'branch_name',
+ 'KONDUKTO_TOKEN',
+ ],
+ script='.evergreen/scripts/sbom.sh',
+ ),
+ ]
+
+
+class UploadAugmentedSBOM(Function):
+ name = 'upload augmented sbom'
+ commands = [
+ # The current Augmented SBOM, ignoring version and timestamp fields.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (Old)',
+ local_file='mongo-cxx-driver/old.json',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json',
+ ),
+ # The updated Augmented SBOM, ignoring version and timestamp fields.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (New)',
+ local_file='mongo-cxx-driver/new.json',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json',
+ ),
+ # The difference between the current and updated Augmented SBOM.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (Diff)',
+ local_file='mongo-cxx-driver/diff.txt',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt',
+ ),
+ # The updated Augmented SBOM without any filtering or modifications.
+ s3_put(
+ command_type=EvgCommandType.SYSTEM,
+ aws_key='${aws_key}',
+ aws_secret='${aws_secret}',
+ bucket='mciuploads',
+ content_type='application/json',
+ display_name='Augmented SBOM (Updated)',
+ local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
+ permissions='public-read',
+ remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json',
+ ),
+ ]
+
+
+def functions():
+ return merge_defns(
+ CheckAugmentedSBOM.defn(),
+ UploadAugmentedSBOM.defn(),
+ )
+
+
+def tasks():
+ distro_name = 'rhel80'
+ distro = find_small_distro(distro_name)
+
+ yield EvgTask(
+ name='sbom',
+ tags=[TAG, distro_name],
+ run_on=distro.name,
+ commands=[
+ Setup.call(),
+ CheckAugmentedSBOM.call(),
+ UploadAugmentedSBOM.call(),
+ ],
+ )
+
+
+def variants():
+ return [
+ BuildVariant(
+ name=TAG,
+ display_name='SBOM',
+ tasks=[EvgTaskRef(name=f'.{TAG}')],
+ ),
+ ]
diff --git a/.evergreen/config_generator/components/silk.py b/.evergreen/config_generator/components/silk.py
deleted file mode 100644
index f133024eff..0000000000
--- a/.evergreen/config_generator/components/silk.py
+++ /dev/null
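Review bot: The setup step in `CheckAugmentedSBOM` writes the Kondukto token in plaintext to `expansions.kondukto.yml` and nothing removes it, so it stays in the task directory for the rest of the task and for anything that later archives that directory; a trailing `bash_exec(command_type=EvgCommandType.SETUP, script='rm -f expansions.kondukto.yml')` after the `expansions_update` call would limit that exposure. The `printf "KONDUKTO_TOKEN: %s\\n"` line also assumes the secret contains no characters YAML treats specially (`#`, `: `, a leading quote or `*`); if the token format is not guaranteed, emit the value YAML-quoted. `CustomCommand` and `ec2_assume_role` carry no docstring saying why they exist, presumably because shrub.v3 has no builtin for `ec2.assume_role`; a one-liner such as `"""Build an ``ec2.assume_role`` command, which shrub.v3 does not provide."""` would help the next maintainer.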
@@ -1,90 +0,0 @@
-from config_generator.components.funcs.setup import Setup
-
-from config_generator.etc.distros import find_small_distro
-from config_generator.etc.function import Function, merge_defns
-from config_generator.etc.utils import bash_exec
-
-from shrub.v3.evg_build_variant import BuildVariant
-from shrub.v3.evg_command import EvgCommandType, s3_put
-from shrub.v3.evg_task import EvgTask, EvgTaskRef
-
-
-TAG = 'silk'
-
-
-class CheckAugmentedSBOM(Function):
- name = 'check augmented sbom'
- commands = bash_exec(
- command_type=EvgCommandType.TEST,
- working_dir='mongo-cxx-driver',
- include_expansions_in_env=[
- 'ARTIFACTORY_USER',
- 'ARTIFACTORY_PASSWORD',
- 'SILK_CLIENT_ID',
- 'SILK_CLIENT_SECRET',
- ],
- script='.evergreen/scripts/check-augmented-sbom.sh',
- )
-
-
-class UploadAugmentedSBOM(Function):
- name = 'upload augmented sbom'
- commands = [
- s3_put(
- command_type=EvgCommandType.SYSTEM,
- aws_key='${aws_key}',
- aws_secret='${aws_secret}',
- bucket='mciuploads',
- content_type='application/json',
- display_name='Augmented SBOM',
- local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
- permissions='public-read',
- remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json',
- ),
- s3_put(
- command_type=EvgCommandType.SYSTEM,
- aws_key='${aws_key}',
- aws_secret='${aws_secret}',
- bucket='mciuploads',
- content_type='application/json',
- display_name='Augmented SBOM (Diff)',
- local_file='mongo-cxx-driver/diff.txt',
- permissions='public-read',
- remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff',
- ),
- ]
-
-
-def functions():
- return merge_defns(
- CheckAugmentedSBOM.defn(),
- UploadAugmentedSBOM.defn(),
- )
-
-
-def tasks():
- distro_name = 'rhel8-latest'
- distro = find_small_distro(distro_name)
-
- return [
- EvgTask(
- name='silk-check-augmented-sbom',
- tags=[TAG, distro_name],
- run_on=distro.name,
- commands=[
- Setup.call(),
- CheckAugmentedSBOM.call(),
- UploadAugmentedSBOM.call(),
- ],
- ),
- ]
-
-
-def variants():
- return [
- BuildVariant(
- name=TAG,
- display_name='Silk',
- tasks=[EvgTaskRef(name=f'.{TAG}')],
- ),
- ]
diff --git a/.evergreen/config_generator/etc/distros.py b/.evergreen/config_generator/etc/distros.py
index b624b092c9..c2d137bf6f 100644
--- a/.evergreen/config_generator/etc/distros.py
+++ b/.evergreen/config_generator/etc/distros.py
@@ -64,7 +64,6 @@ def ls_distro(name, **kwargs):
RHEL_DISTROS = [] + \
ls_distro(name='rhel80', os='rhel', os_type='linux', os_ver='8.0') + \
ls_distro(name='rhel95', os='rhel', os_type='linux', os_ver='9.5') + \
- ls_distro(name='rhel8-latest', os='rhel', os_type='linux', os_ver='latest') + \
[]
RHEL_ARM64_DISTROS = [] + \
diff --git a/.evergreen/generated_configs/functions.yml b/.evergreen/generated_configs/functions.yml
index d5c0a69b0d..c22ffb1d22 100644
--- a/.evergreen/generated_configs/functions.yml
+++ b/.evergreen/generated_configs/functions.yml
@@ -203,19 +203,42 @@ functions: .evergreen/atlas_data_lake/pull-mongohouse-image.sh check augmented sbom: - command: subprocess.exec - type: test - params: - binary: bash - working_dir: mongo-cxx-driver - include_expansions_in_env: - - ARTIFACTORY_USER - - ARTIFACTORY_PASSWORD - - SILK_CLIENT_ID - - SILK_CLIENT_SECRET - args: - - -c - - .evergreen/scripts/check-augmented-sbom.sh + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml + - command: subprocess.exec + type: test + params: + binary: bash + working_dir: mongo-cxx-driver + include_expansions_in_env: + - ARTIFACTORY_PASSWORD + - ARTIFACTORY_USER + - branch_name + - KONDUKTO_TOKEN + args: + - -c + - .evergreen/scripts/sbom.sh clang-tidy: command: subprocess.exec type: test 
@@ -675,14 +698,25 @@ functions: - command: s3.put type: system params: - display_name: Augmented SBOM + display_name: Augmented SBOM (Old) aws_key: ${aws_key} aws_secret: ${aws_secret} bucket: mciuploads content_type: application/json - local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + local_file: mongo-cxx-driver/old.json + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (New) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/new.json permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json - command: s3.put type: system params: @@ -693,7 +727,18 @@ functions: content_type: application/json local_file: mongo-cxx-driver/diff.txt permissions: public-read - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Updated) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json upload code coverage: command: subprocess.exec type: system diff --git a/.evergreen/generated_configs/tasks.yml b/.evergreen/generated_configs/tasks.yml index 34c63de528..20096b2a83 100644 --- a/.evergreen/generated_configs/tasks.yml +++ b/.evergreen/generated_configs/tasks.yml 
@@ -17195,6 +17195,13 @@ tasks: example_projects_cxx: clang++ example_projects_cxxflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fno-omit-frame-pointer example_projects_ldflags: -fsanitize=undefined -fno-sanitize-recover=undefined -static-libsan + - name: sbom + run_on: rhel80-small + tags: [sbom, rhel80] + commands: + - func: setup + - func: check augmented sbom + - func: upload augmented sbom - name: scan-build-rhel80-std11-default run_on: rhel80-large tags: [scan-build, rhel80, std11] @@ -17258,13 +17265,6 @@ tasks: BSONCXX_POLYFILL: impls CXX_STANDARD: 17 - func: upload scan artifacts - - name: silk-check-augmented-sbom - run_on: rhel8-latest-small - tags: [silk, rhel8-latest] - commands: - - func: setup - - func: check augmented sbom - - func: upload augmented sbom - name: test_mongohouse run_on: ubuntu2204-large tags: [mongohouse, ubuntu2204] diff --git a/.evergreen/generated_configs/variants.yml b/.evergreen/generated_configs/variants.yml index 7fb57928f5..4235179898 100644 --- a/.evergreen/generated_configs/variants.yml +++ b/.evergreen/generated_configs/variants.yml @@ -124,6 +124,10 @@ buildvariants: - .sanitizers tasks: - name: .sanitizers + - name: sbom + display_name: SBOM + tasks: + - name: .sbom - name: scan-build-matrix display_name: scan-build-matrix display_tasks: @@ -132,10 +136,6 @@ buildvariants: - .scan-build tasks: - name: .scan-build - - name: silk - display_name: Silk - tasks: - - name: .silk - name: uninstall-check display_name: Uninstall Check display_tasks: diff --git a/.evergreen/scripts/check-augmented-sbom.sh b/.evergreen/scripts/check-augmented-sbom.sh deleted file mode 100755 index f59aa51c89..0000000000 --- a/.evergreen/scripts/check-augmented-sbom.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -command -v jq >/dev/null || { - echo "missing required program jq" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 - -silkbomb_download_flags=( - # Avoid bumping version or timestamp in diff. - --no-update-sbom-version - --no-update-timestamp - - --silk-asset-group mongo-cxx-driver - -o /pwd/etc/augmented.sbom.json.new -) - -podman run \ - --env-file <( - echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}" - echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}" - ) \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ - download "${silkbomb_download_flags[@]:?}" - -[[ -f ./etc/augmented.sbom.json.new ]] || { - echo "failed to download Augmented SBOM from Silk" 1>&2 - exit 1 -} - -echo "Comparing Augmented SBOM..." - -jq -S '.' ./etc/augmented.sbom.json >|old.json -jq -S '.' ./etc/augmented.sbom.json.new >|new.json - -# Allow task to upload the augmented SBOM despite failed diff. -if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then - declare status - status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' - curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true -fi - -cat diff.txt - -echo "Comparing Augmented SBOM... done." diff --git a/.evergreen/scripts/sbom.sh b/.evergreen/scripts/sbom.sh new file mode 100755 index 0000000000..2791c5fcde --- /dev/null +++ b/.evergreen/scripts/sbom.sh 
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+command -v jq >/dev/null || {
+ echo "missing required program jq" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+ --repo mongodb/mongo-cxx-driver
+ --branch "${branch_name:?}"
+ --sbom-in /pwd/etc/cyclonedx.sbom.json
+ --sbom-out /pwd/etc/augmented.sbom.json.new
+
+ # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+ # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+ --no-update-sbom-version
+)
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+ validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+ echo "failed to download Augmented SBOM" 1>&2
+ exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+ declare status
+ status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+ curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."
diff --git a/etc/releasing.md b/etc/releasing.md
index 1e5da4c8c1..bd3556313a 100644
--- a/etc/releasing.md
+++ b/etc/releasing.md
@@ -74,13 +74,6 @@ Some release steps require one or more of the following secrets. GRS_CONFIG_USER1_USERNAME= GRS_CONFIG_USER1_PASSWORD= ``` -- Silk credentials. - - Location: `~/.secrets/silk-creds.txt` - - Format: - ```bash - SILK_CLIENT_ID= - SILK_CLIENT_SECRET= - ``` - Snyk credentials. - Location: `~/.secrets/snyk-creds.txt` - Format: 
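Review bot: `silkbomb` is pulled by the mutable tag `silkbomb:2.0` on every run, and that image is then executed with `KONDUKTO_TOKEN` in its environment and write access to the checkout via `-v "$(pwd):/pwd"`, so whatever the tag resolves to at run time receives the token; pinning by digest (`silkbomb:2.0@sha256:<DIGEST-PLACEHOLDER>`) or at least logging the resolved digest after the pull, `podman image inspect --format '{{.Digest}}' "${silkbomb:?}"`, would make a silent image change visible in the task log. The `# Ensure latest version of SilkBomb is being used.` comment above `podman pull` should then be reworded to state which policy is intended. The failure message after the augment step, `echo "failed to download Augmented SBOM" 1>&2`, still says "download" although the step now runs `augment`; `echo "failed to generate Augmented SBOM" 1>&2` matches what the script does.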
@@ -131,57 +124,27 @@ Ensure the list of bundled dependencies in `etc/purls.txt` is up-to-date. If not If `etc/purls.txt` was updated, update the SBOM Lite document using the following command(s): ```bash -# Artifactory and Silk credentials. +# Artifactory credentials. . $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt # Output: "Login succeeded!" podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" # Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 +podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 # Output: "... writing sbom to file" -podman run \ - --env-file "$HOME/.secrets/silk-creds.txt" \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 \ - update -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" +podman run -it --rm -v "$(pwd):/pwd" artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ + update --refresh --no-update-sbom-version -p "/pwd/etc/purls.txt" -i "/pwd/etc/cyclonedx.sbom.json" -o "/pwd/etc/cyclonedx.sbom.json" ``` -Commit the latest version of the SBOM Lite document into the repo as `etc/cyclonedx.sbom.json`. (This may just be a modification of the timestamp.) +Run a patch build which executes the `sbom` task and, if necessary (when the task fails), download the "Augmented SBOM (Updated)" file as `etc/augmented.sbom.json` (see below). -Generate an updated Augmented SBOM as described below. - -> [!IMPORTANT] -> If the SBOM Lite was updated, generate an updated Augmented SBOM as described below even if the `silk-check-augmented-sbom` is currently passing on Evergreen! +Commit the updated SBOM documents if there are any substantial changes. 
### Augmented SBOM -Ensure the `silk-check-augmented-sbom` task is passing on Evergreen for the relevant release branch. If it is passing, nothing needs to be done (unless the SBOM Lite was updated as described above). - -#### Regular Update - -Update the Augmented SBOM document using the following command(s): - -```bash -# Artifactory and Silk credentials. -. $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 - -# Output: "... writing sbom to file" -podman run \ - --env-file "$HOME/.secrets/silk-creds.txt" \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 \ - download --silk-asset-group "mongo-cxx-driver" -o "/pwd/etc/augmented.sbom.json" -``` +Ensure the `sbom` task is passing on Evergreen for the relevant release branch. Review the contents of the new Augmented SBOM and ensure any new or known vulnerabilities with severity "Medium" or greater have a corresponding JIRA ticket (CXX or VULN) that is scheduled to be resolved within its remediation timeline. 
@@ -189,45 +152,7 @@ Update the [SSDLC Report spreadsheet](https://docs.google.com/spreadsheets/d/1sp Update `etc/third_party_vulnerabilities.md` with any updates to new or known vulnerabilities for third party dependencies that have not yet been fixed by the upcoming release. -Commit the latest version of the Augmented SBOM document into the repo as `etc/augmented.sbom.json`. The Augmented SBOM document does not need to be updated if the `silk-check-augmented-sbom` was not failing (in which case the only changes present would a version bump or timestamp update). - -#### Instant Update - -If the Augmented SBOM has not yet been updated in time for a release, a temporary Silk Asset Group may be used instead: - -```bash -# Artifactory and Silk credentials. -. $HOME/.secrets/artifactory-creds.txt -. $HOME/.secrets/silk-creds.txt - -# Name of the temporary Silk Asset Group. Do NOT use an existing Silk Asset Group! -asset_group_id="mongo-cxx-driver-tmp-releasing" - -# Output: "Login succeeded!" -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 - -# Common flags to podman. -silkbomb_flags=( - --env-file "$HOME/.secrets/silk-creds.txt" - -it --rm -v "$(pwd):/pwd" - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.1 -) - -# Create a new and temporary Silk Asset Group. -podman run "${silkbomb_flags[@]:?}" asset-group --asset-cmd create --silk-asset-group "${asset_group_id:?}" --name "${asset_group_id:?}" - -# Upload the SBOM Lite. -podman run "${silkbomb_flags[@]:?}" upload --silk-asset-group "${asset_group_id:?}" -i /pwd/etc/cyclonedx.sbom.json - -# Download the Augmented SBOM. 
-podman run "${silkbomb_flags[@]:?}" download --silk-asset-group "${asset_group_id:?}" -o /pwd/etc/augmented.sbom.json - -# Remove the temporary Silk Asset Group. -podman run "${silkbomb_flags[@]:?}" asset-group --asset-cmd delete --silk-asset-group "${asset_group_id:?}" -``` +Download the "Augmented SBOM (Updated)" file from the latest EVG commit build in the `sbom` task and commit it into the repo as `etc/augmented.sbom.json` (even if the only notable change is the timestamp field). ### Check Snyk 
@@ -532,41 +457,9 @@ git push upstream releases/vX.Y The new branch should be continuously tested on Evergreen. Update the "Display Name" and "Branch Name" of the [mongo-cxx-driver-latest-release Evergreen project](https://spruce.mongodb.com/project/mongo-cxx-driver-latest-release/settings/general) to refer to the new release branch. -The new branch should be tracked by Silk. Use the [create-silk-asset-group.py script](https://github.com/mongodb/mongo-c-driver/blob/master/tools/create-silk-asset-group.py) in the C Driver to create a new Silk asset group: - -```bash -# Snyk credentials. Ask for these from a team member. -. ~/.secrets/silk-creds.txt - -# Ensure correct release version number! -version="X.Y" - -create_args=( - --silk-client-id "${SILK_CLIENT_ID:?}" - --silk-client-secret "${SILK_CLIENT_SECRET:?}" - --asset-id "mongo-cxx-driver-${version:?}" # Avoid '/' in Asset ID field. - --project "mongo-cxx-driver-${version:?}" - --branch "releases/v${version:?}" - --code-repo-url "https://github.com/mongodb/mongo-cxx-driver" - --sbom-lite-path="etc/cyclonedx.sbom.json" -) - -python path/to/tools/create-silk-asset-group.py "${create_args[@]:?}" -``` - -Verify the new asset group (`mongo-cxx-driver-X.Y`) is present in the [Silk Asset Inventory](https://us1.app.silk.security/inventory/all). +Update the `etc/cyclonedx.sbom.json` file with a new unique serial number for the next upcoming patch release (e.g. for `1.2.4` following the release of `1.2.3`). This can be done by running the `silkbomb:2.0 update` command described above in [SBOM Lite](#sbom-lite) without the `-i` flag, or by manually inserting the result of running the `uuidgen` CLI command. Ensure any existing `copyright`, `licenses`, and other manually inserted or modified fields are preserved during the update. Update `etc/augmented.sbom.json` as described above in [Augmented SBOM](#augmented-sbom). 
-Update the Silk asset group identifier in `.evergreen/scripts/check-augmented-sbom.sh` to refer to the new silk asset group created above: - -```bash -silkbomb_download_flags=( - ... - --silk-asset-group mongo-cxx-driver-X.Y # <-- - ... -) -``` - -Commit and push this change on the `releases/vX.Y` branch. +Commit and push these changes to the `releases/vX.Y` branch. ### Update Snyk @@ -630,6 +523,8 @@ In `etc/apidocmenu.md`, update the list of versions under "Driver Documentation In `README.md`, sync the "Driver Development Status" table with the updated table from `etc/apidocmenu.md`. +Update the `etc/cyclonedx.sbom.json` file with a new unique serial number for the next upcoming non-patch release (e.g. for `1.3.0` or `2.0.0` following the release of `1.2.3`). This can be done by running the `silkbomb:2.0 update` command described above in [SBOM Lite](#sbom-lite) without the `-i` flag, or by manually inserting the result of running the `uuidgen` CLI command. Ensure any existing `copyright`, `licenses`, and other manually inserted or modified fields are preserved during the update. Update `etc/augmented.sbom.json` as described above in [Augmented SBOM](#augmented-sbom). + Commit these changes to the `post-release-changes` branch: ```bash