diff --git a/.evergreen/check-augmented-sbom.sh b/.evergreen/check-augmented-sbom.sh deleted file mode 100755 index 4ceb2a520c..0000000000 --- a/.evergreen/check-augmented-sbom.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail - -command -v podman >/dev/null || { - echo "missing required program podman" 1>&2 - exit 1 -} - -command -v jq >/dev/null || { - echo "missing required program jq" 1>&2 - exit 1 -} - -podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" - -# Ensure latest version of SilkBomb is being used. -podman pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 - -silkbomb_download_flags=( - # Avoid bumping version or timestamp in diff. - --no-update-sbom-version - --no-update-timestamp - - --silk-asset-group mongo-cxx-driver-3.11 - -o /pwd/etc/augmented.sbom.json.new -) - -podman run \ - --env-file <( - echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}" - echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}" - ) \ - -it --rm -v "$(pwd):/pwd" \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ - download "${silkbomb_download_flags[@]:?}" - -[[ -f ./etc/augmented.sbom.json.new ]] || { - echo "failed to download Augmented SBOM from Silk" 1>&2 - exit 1 -} - -echo "Comparing Augmented SBOM..." - -jq -S '.' ./etc/augmented.sbom.json >|old.json -jq -S '.' ./etc/augmented.sbom.json.new >|new.json - -# Allow task to upload the augmented SBOM despite failed diff. -if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then - declare status - status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' - curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true -fi - -cat diff.txt - -echo "Comparing Augmented SBOM... done." 
diff --git a/.evergreen/sbom.sh b/.evergreen/sbom.sh
new file mode 100755
index 0000000000..2791c5fcde
--- /dev/null
+++ b/.evergreen/sbom.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+ echo "missing required program podman" 1>&2
+ exit 1
+}
+
+command -v jq >/dev/null || {
+ echo "missing required program jq" 1>&2
+ exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+ --repo mongodb/mongo-cxx-driver
+ --branch "${branch_name:?}"
+ --sbom-in /pwd/etc/cyclonedx.sbom.json
+ --sbom-out /pwd/etc/augmented.sbom.json.new
+
+ # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+ # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+ --no-update-sbom-version
+)
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+ validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+ echo "failed to download Augmented SBOM" 1>&2
+ exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! 
diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+ declare status
+ status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+ curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."
diff --git a/.mci.yml b/.mci.yml
index 138dab2c97..acb2fa50f4 100644
--- a/.mci.yml
+++ b/.mci.yml
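Review bot: `podman pull "${silkbomb:?}"` fetches silkbomb by the mutable tag `2.0`, so the container that receives KONDUKTO_TOKEN via `--env` and writes etc/augmented.sbom.json.new is whatever the registry serves under that tag at run time, and nothing else in the script records which image actually ran. Pin the reference by digest, or at minimum log the resolved digest after the pull, e.g. `podman image inspect --format '{{.Digest}}' "${silkbomb:?}"`, so an unexpected SBOM diff can be traced to a tool change rather than a dependency change. If the floating tag is deliberate, the comment `# Ensure latest version of SilkBomb is being used.` should say so explicitly and note that the digest is logged for that reason. Separately, the message `failed to download Augmented SBOM` is stale now that the file is produced locally by `augment`; `failed to generate Augmented SBOM` matches the new flow.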
@@ -697,40 +697,89 @@ functions: content_type: text/html display_name: Scan Build Report - "check augmented sbom": + check augmented sbom: + - command: ec2.assume_role + type: setup + params: + role_arn: ${KONDUKTO_ROLE_ARN} + - command: subprocess.exec + type: setup + params: + binary: bash + include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN + args: + - -c + - | + set -o errexit + set -o pipefail + kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)" + printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml + - command: expansions.update + type: setup + params: + file: expansions.kondukto.yml - command: subprocess.exec type: test params: - working_dir: "mongo-cxx-driver" binary: bash + working_dir: mongo-cxx-driver include_expansions_in_env: - - ARTIFACTORY_USER - ARTIFACTORY_PASSWORD - - SILK_CLIENT_ID - - SILK_CLIENT_SECRET - args: [-c, .evergreen/check-augmented-sbom.sh] + - ARTIFACTORY_USER + - branch_name + - KONDUKTO_TOKEN + args: + - -c + - .evergreen/sbom.sh - "upload augmented sbom": + upload augmented sbom: - command: s3.put + type: system params: + display_name: Augmented SBOM (Old) aws_key: ${aws_key} aws_secret: ${aws_secret} - remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json bucket: mciuploads - permissions: public-read - local_file: mongo-cxx-driver/etc/augmented.sbom.json.new content_type: application/json - display_name: Augmented SBOM + local_file: mongo-cxx-driver/old.json + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json - command: s3.put + type: system params: + display_name: Augmented SBOM (New) aws_key: ${aws_key} aws_secret: ${aws_secret} - remote_file: 
mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff bucket: mciuploads + content_type: application/json + local_file: mongo-cxx-driver/new.json permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Diff) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads + content_type: application/json local_file: mongo-cxx-driver/diff.txt + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt + - command: s3.put + type: system + params: + display_name: Augmented SBOM (Updated) + aws_key: ${aws_key} + aws_secret: ${aws_secret} + bucket: mciuploads content_type: application/json - display_name: Augmented SBOM (Diff) + local_file: mongo-cxx-driver/etc/augmented.sbom.json.new + permissions: public-read + remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json ####################################### # Post Task # @@ -1262,13 +1311,13 @@ tasks: BSONCXX_POLYFILL: std - func: "upload scan artifacts" - - name: silk-check-augmented-sbom - run_on: rhel8-latest-small - tags: [silk] + - name: sbom + run_on: rhel80-small + tags: [sbom, rhel80] commands: - - func: "setup" - - func: "check augmented sbom" - - func: "upload augmented sbom" + - func: setup + - func: check augmented sbom + - func: upload augmented sbom task_groups: - name: tg-abi-stability @@ -2189,10 +2238,10 @@ buildvariants: tasks: - name: .scan-build-matrix - - name: silk - display_name: silk + - name: sbom + display_name: SBOM tasks: - - name: .silk + - name: .sbom - name: rhel79-compile display_name: "RHEL 7.9 (gcc 4.8.5)"
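Review bot: In the new `check augmented sbom` setup step, the Kondukto token is written to `expansions.kondukto.yml` as an unquoted YAML scalar (`printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token"`) and the file is left on disk for the rest of the task; the `functions:` mapping this hunk edits starts outside the hunk. An unquoted scalar is mis-parsed if the secret happens to contain characters YAML treats specially (a leading `*`, `&` or `!`, or a ` #` sequence), so emit it as a quoted scalar — one option is to fetch it with `--output json`, which for a string result prints a JSON string literal that YAML accepts as a double-quoted scalar, leaving the printf line unchanged. After `expansions.update` has loaded the file, a short follow-up step should `rm -f expansions.kondukto.yml` so the plaintext token does not outlive the step that needs it, and it is worth confirming that the resulting expansion is redacted from task logs. Minor: `diff.txt` is uploaded with `content_type: application/json` although it is a plain-text diff; `text/plain` is the accurate type.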