
Commit c02c77d

authored
CXX-3228 update scripts for SilkBomb 2.0 (#1347)
1 parent 29b76ca commit c02c77d


3 files changed

+137
-80
lines changed


.evergreen/check-augmented-sbom.sh

Lines changed: 0 additions & 58 deletions
This file was deleted.

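--- /dev/null
+++ b/.evergreen/sbom.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+echo "missing required program podman" 1>&2
+exit 1
+}
+
+command -v jq >/dev/null || {
+echo "missing required program jq" 1>&2
+exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+--repo mongodb/mongo-cxx-driver
+--branch "${branch_name:?}"
+--sbom-in /pwd/etc/cyclonedx.sbom.json
+--sbom-out /pwd/etc/augmented.sbom.json.new
+
+# Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+# Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+--no-update-sbom-version
+)
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+echo "failed to download Augmented SBOM" 1>&2
+exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+declare status
+status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."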
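Review bot: The image is referenced by the mutable tag `silkbomb:2.0` (line 23), so the `podman pull` on line 26 re-resolves whatever the registry currently serves under that tag, and a re-pushed tag silently changes the tool that produces the SBOM this task uploads and diffs. If the intent is a reproducible build, pin the reference as `silkbomb@sha256:<DIGEST>` (placeholder) and bump the digest deliberately; if floating is intended, the comment on line 25 should say that the tag is expected to move. Separately, the `validate` run on lines 40–41 only reads from the mount, so `-v "$(pwd):/pwd:ro"` would narrow what that container can touch; only the `augment` step on line 44 needs write access for `augmented.sbom.json.new`. The `-it` flags on both `podman run` calls request a TTY that a CI runner usually does not have; podman tends to warn rather than fail here, but `--rm` alone would avoid the noise.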

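--- a/.mci.yml
+++ b/.mci.yml
@@ -697,40 +697,89 @@ functions:
 content_type: text/html
 display_name: Scan Build Report
 
-"check augmented sbom":
+check augmented sbom:
+- command: ec2.assume_role
+type: setup
+params:
+role_arn: ${KONDUKTO_ROLE_ARN}
+- command: subprocess.exec
+type: setup
+params:
+binary: bash
+include_expansions_in_env:
+- AWS_ACCESS_KEY_ID
+- AWS_SECRET_ACCESS_KEY
+- AWS_SESSION_TOKEN
+args:
+- -c
+- |
+set -o errexit
+set -o pipefail
+kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
+- command: expansions.update
+type: setup
+params:
+file: expansions.kondukto.yml
 - command: subprocess.exec
 type: test
 params:
-working_dir: "mongo-cxx-driver"
 binary: bash
+working_dir: mongo-cxx-driver
 include_expansions_in_env:
-- ARTIFACTORY_USER
 - ARTIFACTORY_PASSWORD
-- SILK_CLIENT_ID
-- SILK_CLIENT_SECRET
-args: [-c, .evergreen/check-augmented-sbom.sh]
+- ARTIFACTORY_USER
+- branch_name
+- KONDUKTO_TOKEN
+args:
+- -c
+- .evergreen/sbom.sh
 
-"upload augmented sbom":
+upload augmented sbom:
 - command: s3.put
+type: system
 params:
+display_name: Augmented SBOM (Old)
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
-remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
 bucket: mciuploads
-permissions: public-read
-local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
 content_type: application/json
-display_name: Augmented SBOM
+local_file: mongo-cxx-driver/old.json
+permissions: public-read
+remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json
 - command: s3.put
+type: system
 params:
+display_name: Augmented SBOM (New)
 aws_key: ${aws_key}
 aws_secret: ${aws_secret}
-remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
 bucket: mciuploads
+content_type: application/json
+local_file: mongo-cxx-driver/new.json
 permissions: public-read
+remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json
+- command: s3.put
+type: system
+params:
+display_name: Augmented SBOM (Diff)
+aws_key: ${aws_key}
+aws_secret: ${aws_secret}
+bucket: mciuploads
+content_type: application/json
 local_file: mongo-cxx-driver/diff.txt
+permissions: public-read
+remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt
+- command: s3.put
+type: system
+params:
+display_name: Augmented SBOM (Updated)
+aws_key: ${aws_key}
+aws_secret: ${aws_secret}
+bucket: mciuploads
 content_type: application/json
-display_name: Augmented SBOM (Diff)
+local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
+permissions: public-read
+remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json
 
 #######################################
 # Post Task #
@@ -1262,13 +1311,13 @@ tasks:
 BSONCXX_POLYFILL: std
 - func: "upload scan artifacts"
 
-- name: silk-check-augmented-sbom
-run_on: rhel8-latest-small
-tags: [silk]
+- name: sbom
+run_on: rhel80-small
+tags: [sbom, rhel80]
 commands:
-- func: "setup"
-- func: "check augmented sbom"
-- func: "upload augmented sbom"
+- func: setup
+- func: check augmented sbom
+- func: upload augmented sbom
 
 task_groups:
 - name: tg-abi-stability
@@ -2189,10 +2238,10 @@ buildvariants:
 tasks:
 - name: .scan-build-matrix
 
-- name: silk
-display_name: silk
+- name: sbom
+display_name: SBOM
 tasks:
-- name: .silk
+- name: .sbom
 
 - name: rhel79-compile
 display_name: "RHEL 7.9 (gcc 4.8.5)"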
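Review bot: The Kondukto token fetched in the `check augmented sbom` function (new lines 718–719 of the first hunk) is written in plaintext to `expansions.kondukto.yml` in the task working directory and nothing in this change removes it, so it stays on the host for the rest of the task and is readable by any later step or artifact sweep of that directory. Consider restricting the file mode before the write (`umask 077` ahead of the `printf`) and adding a step after `expansions.update` that deletes the file, e.g. a `subprocess.exec` running `rm -f expansions.kondukto.yml`. Whether Evergreen redacts an expansion loaded this way from task logs is not visible here and should be confirmed; the `include_expansions_in_env` entry on line 733 is the only consumer shown. The enclosing `functions:` mapping begins before this hunk.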
