CXX-3228 update scripts for SilkBomb 2.0 (#1347)

eramongodb · web-flow · commit c02c77db6981 · 2025-02-21T10:28:18.000-06:00
diff --git a/.evergreen/check-augmented-sbom.sh b/.evergreen/check-augmented-sbom.sh
diff --git a/.evergreen/sbom.sh b/.evergreen/sbom.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+: "${ARTIFACTORY_USER:?}"
+: "${ARTIFACTORY_PASSWORD:?}"
+: "${branch_name:?}"
+: "${KONDUKTO_TOKEN:?}"
+
+command -v podman >/dev/null || {
+  echo "missing required program podman" 1>&2
+  exit 1
+}
+
+command -v jq >/dev/null || {
+  echo "missing required program jq" 1>&2
+  exit 1
+}
+
+podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}"
+
+silkbomb="artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0"
+
+# Ensure latest version of SilkBomb is being used.
+podman pull "${silkbomb:?}"
+
+silkbomb_augment_flags=(
+  --repo mongodb/mongo-cxx-driver
+  --branch "${branch_name:?}"
+  --sbom-in /pwd/etc/cyclonedx.sbom.json
+  --sbom-out /pwd/etc/augmented.sbom.json.new
+
+  # Any notable updates to the Augmented SBOM version should be done manually after careful inspection.
+  # Otherwise, it should be equal to the SBOM Lite version, which should normally be `1`.
+  --no-update-sbom-version
+)
+
+# First validate the SBOM Lite.
+podman run -it --rm -v "$(pwd):/pwd" "${silkbomb:?}" \
+  validate --purls /pwd/etc/purls.txt --sbom-in /pwd/etc/cyclonedx.sbom.json --exclude jira
+
+# Allow the timestamp to be updated in the Augmented SBOM for update purposes.
+podman run -it --rm -v "$(pwd):/pwd" --env 'KONDUKTO_TOKEN' "${silkbomb:?}" augment "${silkbomb_augment_flags[@]:?}"
+
+[[ -f ./etc/augmented.sbom.json.new ]] || {
+  echo "failed to download Augmented SBOM" 1>&2
+  exit 1
+}
+
+echo "Comparing Augmented SBOM..."
+
+# Format for easier diff while ignoring the timestamp field.
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json >|old.json
+jq -S 'del(.metadata.timestamp)' ./etc/augmented.sbom.json.new >|new.json
+
+# Allow the task to upload the Augmented SBOM even if the diff failed.
+if ! diff -sty --left-column -W 200 old.json new.json >|diff.txt; then
+  declare status
+  status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}'
+  curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true
+fi
+
+cat diff.txt
+
+echo "Comparing Augmented SBOM... done."
diff --git a/.mci.yml b/.mci.yml
@@ -697,40 +697,89 @@ functions:
           content_type: text/html
           display_name: Scan Build Report
 
-    "check augmented sbom":
+    check augmented sbom:
+      - command: ec2.assume_role
+        type: setup
+        params:
+          role_arn: ${KONDUKTO_ROLE_ARN}
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - -c
+            - |
+              set -o errexit
+              set -o pipefail
+              kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+              printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
+      - command: expansions.update
+        type: setup
+        params:
+          file: expansions.kondukto.yml
       - command: subprocess.exec
         type: test
         params:
-          working_dir: "mongo-cxx-driver"
           binary: bash
+          working_dir: mongo-cxx-driver
           include_expansions_in_env:
-            - ARTIFACTORY_USER
             - ARTIFACTORY_PASSWORD
-            - SILK_CLIENT_ID
-            - SILK_CLIENT_SECRET
-          args: [-c, .evergreen/check-augmented-sbom.sh]
+            - ARTIFACTORY_USER
+            - branch_name
+            - KONDUKTO_TOKEN
+          args:
+            - -c
+            - .evergreen/sbom.sh
 
-    "upload augmented sbom":
+    upload augmented sbom:
       - command: s3.put
+        type: system
         params:
+          display_name: Augmented SBOM (Old)
           aws_key: ${aws_key}
           aws_secret: ${aws_secret}
-          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
           bucket: mciuploads
-          permissions: public-read
-          local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
           content_type: application/json
-          display_name: Augmented SBOM
+          local_file: mongo-cxx-driver/old.json
+          permissions: public-read
+          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json
       - command: s3.put
+        type: system
         params:
+          display_name: Augmented SBOM (New)
           aws_key: ${aws_key}
           aws_secret: ${aws_secret}
-          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
           bucket: mciuploads
+          content_type: application/json
+          local_file: mongo-cxx-driver/new.json
           permissions: public-read
+          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json
+      - command: s3.put
+        type: system
+        params:
+          display_name: Augmented SBOM (Diff)
+          aws_key: ${aws_key}
+          aws_secret: ${aws_secret}
+          bucket: mciuploads
+          content_type: application/json
           local_file: mongo-cxx-driver/diff.txt
+          permissions: public-read
+          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt
+      - command: s3.put
+        type: system
+        params:
+          display_name: Augmented SBOM (Updated)
+          aws_key: ${aws_key}
+          aws_secret: ${aws_secret}
+          bucket: mciuploads
           content_type: application/json
-          display_name: Augmented SBOM (Diff)
+          local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
+          permissions: public-read
+          remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json
 
 #######################################
 #              Post Task              #
@@ -1262,13 +1311,13 @@ tasks:
             BSONCXX_POLYFILL: std
         - func: "upload scan artifacts"
 
-    - name: silk-check-augmented-sbom
-      run_on: rhel8-latest-small
-      tags: [silk]
+    - name: sbom
+      run_on: rhel80-small
+      tags: [sbom, rhel80]
       commands:
-        - func: "setup"
-        - func: "check augmented sbom"
-        - func: "upload augmented sbom"
+        - func: setup
+        - func: check augmented sbom
+        - func: upload augmented sbom
 
 task_groups:
   - name: tg-abi-stability
@@ -2189,10 +2238,10 @@ buildvariants:
       tasks:
         - name: .scan-build-matrix
 
-    - name: silk
-      display_name: silk
+    - name: sbom
+      display_name: SBOM
       tasks:
-        - name: .silk
+        - name: .sbom
 
     - name: rhel79-compile
       display_name: "RHEL 7.9 (gcc 4.8.5)"
