fix(ci): adopt augmented SBOM integration with Silk MONGOSH-1773 (#2021)
addaleax authored Jun 20, 2024
1 parent e6a811c commit 8789106
Showing 3 changed files with 27 additions and 5 deletions.
6 changes: 5 additions & 1 deletion .evergreen.yml
Expand Up @@ -7550,6 +7550,10 @@ functions:
PACKAGE_VARIANT: ${package_variant}
ARTIFACTORY_USERNAME: ${artifactory_username}
ARTIFACTORY_PASSWORD: ${artifactory_password}
# for Silk SBOM integration
SILK_ASSET_GROUP: mongosh-${executable_os_id}
SILK_CLIENT_ID: ${silk_client_id}
SILK_CLIENT_SECRET: ${silk_client_secret}
create_static_analysis_report:
- command: s3.get
params:
Expand Down Expand Up @@ -16801,7 +16805,7 @@ tasks:
- func: install
vars:
node_js_version: "20.12.2"
- func: create_static_analysis_report
- func: create_static_analysis_report
vars:
node_js_version: "20.12.2"

18 changes: 16 additions & 2 deletions .evergreen/download-crypt-shared-and-generate-sbom.sh
@@ -1,6 +1,7 @@
#!/bin/bash
set -e
set -x

npm run evergreen-release download-crypt-shared-library

ls -lhA dist
Expand All @@ -9,9 +10,22 @@ echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> di
cat dist/.purls.txt

set +x
docker login artifactory.corp.mongodb.com --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin
cat << EOF > silkbomb.env
SILK_CLIENT_ID=${SILK_CLIENT_ID}
SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
EOF
set -x

trap_handler() {
rm -f silkbomb.env
}
trap trap_handler ERR EXIT

docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
--purls /pwd/dist/.purls.txt --sbom_out /pwd/dist/.sbom.json
--purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json
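Review bot: The heredoc in the second hunk writes `SILK_CLIENT_SECRET` into `silkbomb.env` before `trap trap_handler ERR EXIT` is registered, under the default umask, and inside `${PWD}`, which every following `docker run` bind-mounts at `/pwd` (including the `update` step that is not given the env file). Registering the trap ahead of the `cat << EOF` and creating the file in a subshell with `umask 077` would close the cleanup gap and keep the file unreadable to other users on the CI host. Alternatively the file can be dropped altogether: `docker run --env SILK_CLIENT_ID --env SILK_CLIENT_SECRET --rm ...` forwards the variables by name from the script's environment, assuming they are exported to it as the env mapping in `.evergreen.yml` suggests, so the values reach neither the disk nor the `set -x` trace. Since the `upload` and `download` containers now receive the client secret, pinning `silkbomb:1.0` by digest rather than by tag is also worth considering.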
8 changes: 6 additions & 2 deletions .evergreen/evergreen.yml.in
Expand Up @@ -522,9 +522,13 @@ functions:
PACKAGE_VARIANT: ${package_variant}
ARTIFACTORY_USERNAME: ${artifactory_username}
ARTIFACTORY_PASSWORD: ${artifactory_password}
# for Silk SBOM integration
SILK_ASSET_GROUP: mongosh-${executable_os_id}
SILK_CLIENT_ID: ${silk_client_id}
SILK_CLIENT_SECRET: ${silk_client_secret}
create_static_analysis_report:
<%
let firstPartyDepsFilenames = [];
let firstPartyDepsFilenames = [];
for (const { executableOsId, packages } of RELEASE_PACKAGE_MATRIX) {
const filename = `mongosh-${executableOsId}-first-party-deps.json`;
firstPartyDepsFilenames.push(filename); %>
Expand Down Expand Up @@ -1391,7 +1395,7 @@ tasks:
- func: install
vars:
node_js_version: "<% out(NODE_JS_VERSION_20) %>"
- func: create_static_analysis_report
- func: create_static_analysis_report
vars:
node_js_version: "<% out(NODE_JS_VERSION_20) %>"

