From e3665ae00d1293df85bd8f3185bb9d55410fd212 Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Wed, 2 Oct 2024 13:58:18 -0400
Subject: [PATCH 1/7] note 3.11.0 drops server 3.6 (#1219)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ee759558d..9880f0c0eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,12 +40,12 @@ Changes prior to 3.9.0 are documented as [release notes on GitHub](https://githu
 ### Deprecated
-- Support for MongoDB Server 3.6. See [MongoDB Software Lifecycle Schedules](https://www.mongodb.com/legal/support-policy/lifecycles).
 - The `bsoncxx/util/functor.hpp` header.
 - The `bsoncxx::util` namespace.
 ### Removed
+- Support for MongoDB Server 3.6. See [MongoDB Software Lifecycle Schedules](https://www.mongodb.com/legal/support-policy/lifecycles).
 - Export of private member functions in the bsoncxx ABI:
 - `bsoncxx::v_noabi::types::bson_value::value::value(const uint8_t*, uint32_t, uint32_t, uint32_t)`
 - `bsoncxx::v_noabi::types::bson_value::view::_init(void*)`
From e5be69454e525f05cf3af621cbc9b7e6885e8f30 Mon Sep 17 00:00:00 2001
From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
Date: Wed, 2 Oct 2024 13:03:29 -0500
Subject: [PATCH 2/7] Post-release augmented SBOM updates (#1220)
---
 etc/augmented.sbom.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/etc/augmented.sbom.json b/etc/augmented.sbom.json
index 068351d2c2..7caecff299 100644
--- a/etc/augmented.sbom.json
+++ b/etc/augmented.sbom.json
@@ -27,16 +27,16 @@
 "version": "v1.1.0"
 },
 {
- "bom-ref": "pkg:github/mongodb/mongo-c-driver@v1.25.0",
+ "bom-ref": "pkg:github/mongodb/mongo-c-driver@v1.28.0",
 "copyright": "Copyright 2009-present MongoDB, Inc.",
 "externalReferences": [
 {
 "type": "distribution",
- "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/v1.25.0.tar.gz"
+ "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/v1.28.0.tar.gz"
 },
 {
 "type": "website",
- "url": "https://github.com/mongodb/mongo-c-driver/tree/v1.25.0"
+ "url": "https://github.com/mongodb/mongo-c-driver/tree/v1.28.0"
 }
 ],
 "group": "mongodb",
@@ -48,9 +48,9 @@
 }
 ],
 "name": "mongo-c-driver",
- "purl": "pkg:github/mongodb/mongo-c-driver@v1.25.0",
+ "purl": "pkg:github/mongodb/mongo-c-driver@v1.28.0",
 "type": "library",
- "version": "v1.25.0"
+ "version": "v1.28.0"
 }
 ],
 "dependencies": [
@@ -58,11 +58,11 @@
 "ref": "pkg:github/mnmlstc/core@v1.1.0"
 },
 {
- "ref": "pkg:github/mongodb/mongo-c-driver@v1.25.0"
+ "ref": "pkg:github/mongodb/mongo-c-driver@v1.28.0"
 }
 ],
 "metadata": {
- "timestamp": "2024-06-05T21:16:58.419485+00:00",
+ "timestamp": "2024-09-30T15:53:24.743787+00:00",
 "tools": [
 {
 "externalReferences": [
@@ -106,7 +106,7 @@
 ]
 },
 "serialNumber": "urn:uuid:dd68fbb0-f77c-4bb9-90cd-606dd854f301",
- "version": 1,
+ "version": 3,
 "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
From bdca805d7102be4a2fb253ba649d9950d31a77ce Mon Sep 17 00:00:00 2001
From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
Date: Fri, 4 Oct 2024 10:14:09 -0500
Subject: [PATCH 3/7] Avoid using '$project' in Amazon S3 commands for release branch (#1225)
---
 .mci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.mci.yml b/.mci.yml
index b465285284..138dab2c97 100644
--- a/.mci.yml
+++ b/.mci.yml
@@ -685,12 +685,12 @@ functions:
 AWS_SECRET_ACCESS_KEY: ${aws_secret}
 args:
 - -c
- - aws s3 cp scan s3://mciuploads/${project}/${build_variant}/${revision}/${version_id}/${build_id}/scan/ --recursive --acl public-read --region us-east-1
+ - aws s3 cp scan s3://mciuploads/mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/scan/ --recursive --acl public-read --region us-east-1
 - command: s3.put
 params:
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
- remote_file: ${project}/${build_variant}/${revision}/${version_id}/${build_id}/scan/index.html
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/scan/index.html
 bucket: mciuploads
 permissions: public-read
 local_file: mongo-cxx-driver/scan.html
@@ -715,7 +715,7 @@ functions:
 params:
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
- remote_file: ${project}/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
 bucket: mciuploads
 permissions: public-read
 local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
@@ -725,7 +725,7 @@ functions:
 params:
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
- remote_file: ${project}/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
 bucket: mciuploads
 permissions: public-read
 local_file: mongo-cxx-driver/diff.txt
From 5a355f5cda8783d6ac75ec9075de0fce0c0c8d16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?=
Date: Mon, 7 Oct 2024 13:30:43 -0400
Subject: [PATCH 4/7] RPM packaging updates (#1228)
---
 .evergreen/build_snapshot_rpm.sh | 2 +-
 .evergreen/spec.patch | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.evergreen/build_snapshot_rpm.sh b/.evergreen/build_snapshot_rpm.sh
index d595567516..1667026b5d 100755
--- a/.evergreen/build_snapshot_rpm.sh
+++ b/.evergreen/build_snapshot_rpm.sh
@@ -39,7 +39,7 @@ done
 package=mongo-cxx-driver
 spec_file=../mongo-cxx-driver.spec
-config=${MOCK_TARGET_CONFIG:=fedora-39-aarch64}
+config=${MOCK_TARGET_CONFIG:=fedora-40-aarch64}
 if [ ! -x /usr/bin/rpmbuild -o ! -x /usr/bin/rpmspec ]; then
 echo "Missing the rpmbuild or rpmspec utility from the rpm-build package"
diff --git a/.evergreen/spec.patch b/.evergreen/spec.patch
index a4c96aba18..b589143caa 100644
--- a/.evergreen/spec.patch
+++ b/.evergreen/spec.patch
@@ -8,7 +8,7 @@ + Name: mongo-cxx-driver -Version: 3.6.5 -+Version: 3.11.0 ++Version: 3.11.1 Release: 1%{?dist} Summary: A C++ Driver for MongoDB License: ASL 2.0
@@ -36,7 +36,7 @@ %cmake \ -DCMAKE_BUILD_TYPE=Release \ -DBSONCXX_POLY_USE_BOOST=1 \ -+ -DBUILD_VERSION=3.11.0 \ ++ -DBUILD_VERSION=3.11.1 \ + -DENABLE_UNINSTALL=OFF \ + -DENABLE_TESTS=OFF \ .
From dfca134fb89260b58ff6ebe98648191de67d1597 Mon Sep 17 00:00:00 2001
From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
Date: Fri, 22 Nov 2024 15:14:15 -0600
Subject: [PATCH 5/7] Manually set silk asset group to v3.11 (#1287)
---
 .evergreen/check-augmented-sbom.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.evergreen/check-augmented-sbom.sh b/.evergreen/check-augmented-sbom.sh
index f59aa51c89..4ceb2a520c 100755
--- a/.evergreen/check-augmented-sbom.sh
+++ b/.evergreen/check-augmented-sbom.sh
@@ -23,7 +23,7 @@ silkbomb_download_flags=(
 --no-update-sbom-version
 --no-update-timestamp
- --silk-asset-group mongo-cxx-driver
+ --silk-asset-group mongo-cxx-driver-3.11
 -o /pwd/etc/augmented.sbom.json.new
 )
From 29b76ca336f06598de9e4a98b7d5e65be3caae50 Mon Sep 17 00:00:00 2001
From: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
Date: Wed, 19 Feb 2025 15:34:25 -0600
Subject: [PATCH 6/7] CXX-3224 Regenerate SBOM Lite for silkbomb:2.0 forward compatibility (#1342)
---
 etc/augmented.sbom.json | 6 +++---
 etc/cyclonedx.sbom.json | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/etc/augmented.sbom.json b/etc/augmented.sbom.json
index 7caecff299..2b9ec0b3d6 100644
--- a/etc/augmented.sbom.json
+++ b/etc/augmented.sbom.json
@@ -62,7 +62,7 @@
 }
 ],
 "metadata": {
- "timestamp": "2024-09-30T15:53:24.743787+00:00",
+ "timestamp": "2025-02-19T21:01:34.820453+00:00",
 "tools": [
 {
 "externalReferences": [
@@ -105,8 +105,8 @@
 }
 ]
 },
- "serialNumber": "urn:uuid:dd68fbb0-f77c-4bb9-90cd-606dd854f301",
- "version": 3,
+ "serialNumber": "urn:uuid:df96140b-11df-43e4-840f-c874b3468665",
+ "version": 1,
 "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
diff --git a/etc/cyclonedx.sbom.json b/etc/cyclonedx.sbom.json
index 7caecff299..2b9ec0b3d6 100644
--- a/etc/cyclonedx.sbom.json
+++ b/etc/cyclonedx.sbom.json
@@ -62,7 +62,7 @@
 }
 ],
 "metadata": {
- "timestamp": "2024-09-30T15:53:24.743787+00:00",
+ "timestamp": "2025-02-19T21:01:34.820453+00:00",
 "tools": [
 {
 "externalReferences": [
@@ -105,8 +105,8 @@
 }
 ]
 },
- "serialNumber": "urn:uuid:dd68fbb0-f77c-4bb9-90cd-606dd854f301",
- "version": 3,
+ "serialNumber": "urn:uuid:df96140b-11df-43e4-840f-c874b3468665",
+ "version": 1,
 "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
From fdb3e4c33b0498296e3d98b9770b30b3393e2f4e Mon Sep 17 00:00:00 2001
From: Ezra Chung
Date: Thu, 20 Feb 2025 10:52:26 -0600
Subject: [PATCH 7/7] CXX-3228 update scripts for SilkBomb 2.0
---
 .evergreen/check-augmented-sbom.sh | 58 -----------
 .evergreen/silk-check-augmented-sbom.sh | 62 ++++++++++++
 .evergreen/silk-upload-sbom-lite.sh | 29 ++++++
 .mci.yml | 127 +++++++++++++++++++++---
 4 files changed, 202 insertions(+), 74 deletions(-)
 delete mode 100755 .evergreen/check-augmented-sbom.sh
 create mode 100755 .evergreen/silk-check-augmented-sbom.sh
 create mode 100755 .evergreen/silk-upload-sbom-lite.sh
diff --git a/.evergreen/check-augmented-sbom.sh b/.evergreen/check-augmented-sbom.sh
deleted file mode 100755
index 4ceb2a520c..0000000000
--- a/.evergreen/check-augmented-sbom.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-
-command -v podman >/dev/null || {
- echo "missing required program podman" 1>&2
- exit 1
-}
-
-command -v jq >/dev/null || {
- echo "missing required program jq" 1>&2
- exit 1
-}
-
-podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
-
-# Ensure latest version of SilkBomb is being used.
-podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
-
-silkbomb_download_flags=(
- # Avoid bumping version or timestamp in diff.
- --no-update-sbom-version
- --no-update-timestamp
-
- --silk-asset-group mongo-cxx-driver-3.11
- -o /pwd/etc/augmented.sbom.json.new
-)
-
-podman run \
- --env-file <(
- echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}"
- echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}"
- ) \
- -it --rm -v "$(pwd):/pwd" \
- artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \
- download "${silkbomb_download_flags[@]:?}"
-
-[[ -f ./etc/augmented.sbom.json.new ]] || {
- echo "failed to download Augmented SBOM from Silk" 1>&2
- exit 1
-}
-
-echo "Comparing Augmented SBOM..."
-
-jq -S '.' ./etc/augmented.sbom.json >|old.json
-jq -S '.' ./etc/augmented.sbom.json.new >|new.json
-
-# Allow task to upload the augmented SBOM despite failed diff.
-if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
- declare status
- status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
- curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
-fi
-
-cat diff.txt
-
-echo "Comparing Augmented SBOM... done."
diff --git a/.evergreen/silk-check-augmented-sbom.sh b/.evergreen/silk-check-augmented-sbom.sh
new file mode 100755
index 0000000000..e8d83b2107
--- /dev/null
+++ b/.evergreen/silk-check-augmented-sbom.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+command -v jq >/dev/null || {
+ echo "missing required program jq" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+ --repo mongodb/mongo-cxx-driver
+ --branch "${branch_name:?}"
+ --sbom-in /pwd/etc/cyclonedx.sbom.json
+ --sbom-out /pwd/etc/augmented.sbom.json.new
+
+ # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+ # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+ --no-update-sbom-version
+)
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+ echo "failed to download Augmented SBOM" 1>&2
+ exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+ declare status
+ status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+ curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."
diff --git a/.evergreen/silk-upload-sbom-lite.sh b/.evergreen/silk-upload-sbom-lite.sh
new file mode 100755
index 0000000000..705f4d9a59
--- /dev/null
+++ b/.evergreen/silk-upload-sbom-lite.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+ validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Then upload the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" \
+ upload --repo mongodb/mongo-cxx-driver --branch "${branch_name:?}" --sbom-in /pwd/etc/cyclonedx.sbom.json
diff --git a/.mci.yml b/.mci.yml
index 138dab2c97..44b9f5f7af 100644
--- a/.mci.yml
+++ b/.mci.yml
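Review bot: The SilkBomb image is pulled by the mutable tag `silkbomb:2.0` (the `silkbomb=` assignment near the top of the new file), so the tool that produces the project's Augmented SBOM can change between runs with no corresponding change in this repository, and the comment "Ensure latest version of SilkBomb is being used" records that as intended. For a pipeline whose output is itself a supply-chain record, pinning the reference by digest makes each run reproducible and turns a registry-side change into a reviewable repo change: `silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0@sha256:<IMAGE_DIGEST>"` (placeholder; take the digest from the registry); the identical assignment in `.evergreen/silk-upload-sbom-lite.sh` has the same issue. Separately, the failure message after the `augment` run still reads `failed to download Augmented SBOM` although this script no longer downloads anything; `echo "failed to generate Augmented SBOM" 1>&2` matches what it now does.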
@@ -697,40 +697,127 @@ functions:
 content_type: text/html
 display_name: Scan Build Report
- "check augmented sbom":
+ "upload sbom lite":
+ - command: ec2.assume_role
+ type: setup
+ params:
+ role_arn: ${KONDUKTO_ROLE_ARN}
+ - command: subprocess.exec
+ type: setup
+ params:
+ binary: bash
+ include_expansions_in_env:
+ - AWS_ACCESS_KEY_ID
+ - AWS_SECRET_ACCESS_KEY
+ - AWS_SESSION_TOKEN
+ args:
+ - -c
+ - |
+ set -o errexit
+ set -o pipefail
+ kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+ printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
+ - command: expansions.update
+ type: setup
+ params:
+ file: expansions.kondukto.yml
 - command: subprocess.exec
 type: test
 params:
- working_dir: "mongo-cxx-driver"
 binary: bash
+ working_dir: mongo-cxx-driver
 include_expansions_in_env:
 - ARTIFACTORY_USER
 - ARTIFACTORY_PASSWORD
- - SILK_CLIENT_ID
- - SILK_CLIENT_SECRET
- args: [-c, .evergreen/check-augmented-sbom.sh]
+ - branch_name
+ - KONDUKTO_TOKEN
+ args:
+ - -c
+ - .evergreen/scripts/silk-upload-sbom-lite.sh
+
+ "check augmented sbom":
+ - command: ec2.assume_role
+ type: setup
+ params:
+ role_arn: ${KONDUKTO_ROLE_ARN}
+ - command: subprocess.exec
+ type: setup
+ params:
+ binary: bash
+ include_expansions_in_env:
+ - AWS_ACCESS_KEY_ID
+ - AWS_SECRET_ACCESS_KEY
+ - AWS_SESSION_TOKEN
+ args:
+ - -c
+ - |
+ set -o errexit
+ set -o pipefail
+ kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+ printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
+ - command: expansions.update
+ type: setup
+ params:
+ file: expansions.kondukto.yml
+ - command: subprocess.exec
+ type: test
+ params:
+ binary: bash
+ working_dir: mongo-cxx-driver
+ include_expansions_in_env:
+ - ARTIFACTORY_PASSWORD
+ - ARTIFACTORY_USER
+ - branch_name
+ - KONDUKTO_TOKEN
+ args:
+ - -c
+ - .evergreen/scripts/silk-check-augmented-sbom.sh
 "upload augmented sbom":
 - command: s3.put
+ type: system
 params:
+ display_name: Augmented SBOM (Old)
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
- remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
 bucket: mciuploads
- permissions: public-read
- local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
 content_type: application/json
- display_name: Augmented SBOM
+ local_file: mongo-cxx-driver/old.json
+ permissions: public-read
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/old.json
 - command: s3.put
+ type: system
 params:
+ display_name: Augmented SBOM (New)
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
- remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
 bucket: mciuploads
+ content_type: application/json
+ local_file: mongo-cxx-driver/new.json
 permissions: public-read
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/new.json
+ - command: s3.put
+ type: system
+ params:
+ display_name: Augmented SBOM (Diff)
+ aws_key: ${aws_key}
+ aws_secret: ${aws_secret}
+ bucket: mciuploads
+ content_type: application/json
 local_file: mongo-cxx-driver/diff.txt
+ permissions: public-read
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/diff.txt
+ - command: s3.put
+ type: system
+ params:
+ display_name: Augmented SBOM (Updated)
+ aws_key: ${aws_key}
+ aws_secret: ${aws_secret}
+ bucket: mciuploads
 content_type: application/json
- display_name: Augmented SBOM (Diff)
+ local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
+ permissions: public-read
+ remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
 #######################################
 # Post Task #
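Review bot: The two new test steps run `.evergreen/scripts/silk-upload-sbom-lite.sh` and `.evergreen/scripts/silk-check-augmented-sbom.sh`, but this commit creates the scripts at `.evergreen/silk-upload-sbom-lite.sh` and `.evergreen/silk-check-augmented-sbom.sh` (see the `create mode` lines and the file headers), so unless a `.evergreen/scripts/` copy already exists on this branch (not visible here) both tasks fail before the scripts run; the `args` entries should read `- .evergreen/silk-upload-sbom-lite.sh` and `- .evergreen/silk-check-augmented-sbom.sh`. In both setup steps `printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml` writes the secret unquoted into a file that `expansions.update` appears to read as YAML, so a token containing YAML-significant characters (`#`, `: `, a leading quote) would be mis-parsed, and nothing in the hunk removes the plaintext file afterwards; single-quoting the value (`printf "KONDUKTO_TOKEN: '%s'\n"`, which handles everything except a literal `'`) and deleting the file once the expansion is loaded would close both gaps. The `ec2.assume_role` / `aws secretsmanager` / `expansions.update` sequence is duplicated verbatim in `"upload sbom lite"` and `"check augmented sbom"`; one shared function called by both would keep them from drifting. The `Augmented SBOM (Diff)` upload sends `diff.txt` with `content_type: application/json`, where `text/plain` matches the file.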
@@ -1262,13 +1349,21 @@ tasks:
 BSONCXX_POLYFILL: std
 - func: "upload scan artifacts"
+ - name: silk-upload-sbom-lite
+ run_on: rhel80-small
+ tags: [silk, rhel80]
+ commands:
+ - func: setup
+ - func: upload sbom lite + + - name: silk-check-augmented-sbom
- run_on: rhel8-latest-small
- tags: [silk]
+ run_on: rhel80-small
+ tags: [silk, rhel80]
+ depends_on: [{ name: silk-upload-sbom-lite }]
 commands:
- - func: "setup"
- - func: "check augmented sbom"
- - func: "upload augmented sbom"
+ - func: setup
+ - func: check augmented sbom
+ - func: upload augmented sbom
 task_groups:
 - name: tg-abi-stability