From 878910626ecf11e4c86c0ac574ff918d7a807682 Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Thu, 20 Jun 2024 17:56:58 +0200 Subject: [PATCH] fix(ci): adopt augmented SBOM integration with Silk MONGOSH-1773 (#2021) --- .evergreen.yml | 6 +++++- .../download-crypt-shared-and-generate-sbom.sh | 18 ++++++++++++++++-- .evergreen/evergreen.yml.in | 8 ++++++-- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/.evergreen.yml b/.evergreen.yml index cc0a97fa9..e1bbcae26 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -7550,6 +7550,10 @@ functions: PACKAGE_VARIANT: ${package_variant} ARTIFACTORY_USERNAME: ${artifactory_username} ARTIFACTORY_PASSWORD: ${artifactory_password} + # for Silk SBOM integration + SILK_ASSET_GROUP: mongosh-${executable_os_id} + SILK_CLIENT_ID: ${silk_client_id} + SILK_CLIENT_SECRET: ${silk_client_secret} create_static_analysis_report: - command: s3.get params: @@ -16801,7 +16805,7 @@ tasks: - func: install vars: node_js_version: "20.12.2" - - func: create_static_analysis_report + - func: create_static_analysis_report vars: node_js_version: "20.12.2" diff --git a/.evergreen/download-crypt-shared-and-generate-sbom.sh b/.evergreen/download-crypt-shared-and-generate-sbom.sh index b2c02793d..71b24f938 100755 --- a/.evergreen/download-crypt-shared-and-generate-sbom.sh +++ b/.evergreen/download-crypt-shared-and-generate-sbom.sh @@ -1,6 +1,7 @@ #!/bin/bash set -e set -x + npm run evergreen-release download-crypt-shared-library ls -lhA dist 
@@ -9,9 +10,22 @@ echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> di cat dist/.purls.txt set +x -docker login artifactory.corp.mongodb.com --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD} +echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin +cat << EOF > silkbomb.env +SILK_CLIENT_ID=${SILK_CLIENT_ID} +SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET} +EOF set -x +trap_handler() { + rm -f silkbomb.env +} +trap trap_handler ERR EXIT + docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \ - --purls /pwd/dist/.purls.txt --sbom_out /pwd/dist/.sbom.json + --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json +docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \ + --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json +docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \ + --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json diff --git a/.evergreen/evergreen.yml.in b/.evergreen/evergreen.yml.in index 1c8892659..b7d681721 100644 --- a/.evergreen/evergreen.yml.in +++ b/.evergreen/evergreen.yml.in 
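Review bot: The new `cat << EOF > silkbomb.env` block writes SILK_CLIENT_ID and SILK_CLIENT_SECRET to a plain file with the default umask in `${PWD}`, the same directory the following `docker run -v ${PWD}:/pwd` lines bind-mount, so the secret is readable at `/pwd/silkbomb.env` inside the container and by other users on the runner, and the `trap trap_handler ERR EXIT` that removes it is only registered after the write, so a failure between the two leaves it behind. Docker forwards a variable from the client environment when `-e NAME` is given without a value, so the file, heredoc and trap can be dropped entirely by replacing `--env-file silkbomb.env` with `-e SILK_CLIENT_ID -e SILK_CLIENT_SECRET` on the upload and download lines; the values then also stay out of the `set -x` trace, which only shows the command line. This assumes the two variables reach the script as environment variables, which the `ARTIFACTORY_*` usage and the matching Evergreen additions suggest but this hunk does not prove; if the file has to stay, register the trap before the heredoc and write it under `umask 077`. Separately, `silkbomb:1.0` is a mutable tag on a registry — now that this image produces and uploads the release SBOM, pinning it by `@sha256:` digest would keep the SBOM step itself reproducible.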
@@ -522,9 +522,13 @@ functions: PACKAGE_VARIANT: ${package_variant} ARTIFACTORY_USERNAME: ${artifactory_username} ARTIFACTORY_PASSWORD: ${artifactory_password} + # for Silk SBOM integration + SILK_ASSET_GROUP: mongosh-${executable_os_id} + SILK_CLIENT_ID: ${silk_client_id} + SILK_CLIENT_SECRET: ${silk_client_secret} create_static_analysis_report: <% - let firstPartyDepsFilenames = []; + let firstPartyDepsFilenames = []; for (const { executableOsId, packages } of RELEASE_PACKAGE_MATRIX) { const filename = `mongosh-${executableOsId}-first-party-deps.json`; firstPartyDepsFilenames.push(filename); %> @@ -1391,7 +1395,7 @@ tasks: - func: install vars: node_js_version: "<% out(NODE_JS_VERSION_20) %>" - - func: create_static_analysis_report + - func: create_static_analysis_report vars: node_js_version: "<% out(NODE_JS_VERSION_20) %>"
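Review bot: The `# for Silk SBOM integration` comment on the new env entries does not say where `silk_client_id`/`silk_client_secret` come from or that `SILK_ASSET_GROUP` has to match an asset group already registered in Silk, which is what whoever debugs a failing `silkbomb upload` will need first; these look like project-level Evergreen expansions, so something like `# for Silk SBOM integration; silk_client_id/silk_client_secret are project expansions (keep them private), SILK_ASSET_GROUP must match the asset group registered in Silk for this variant` would help. Nothing here fails fast if an expansion is undefined — as far as I can tell Evergreen substitutes an empty string, and the downstream script runs without `set -u`, so the first error surfaces only when Silk rejects the upload; a non-empty check on the two variables in the script would make a misconfigured variant obvious. `.evergreen.yml` appears to be generated from this template, so the identical hunk there should need no separate attention.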