CXX-3228 update scripts and release instructions for SilkBomb 2.0 #1344

Merged
merged 7 commits into from
Feb 20, 2025

Conversation

eramongodb
Contributor

@eramongodb eramongodb commented Feb 20, 2025

Summary

Resolves CXX-3228 for the master branch (EVG project: mongo-cxx-driver). Followup to #1340. Verified by this patch. Use this patch to reference related logs and files while reviewing the proposed changes.

This PR is intended to serve as a template and reference for similar changes which will be applied to the C Driver, libmongocrypt, and relevant actively-maintained release branches.

Check Augmented SBOM

The silk-check-augmented-sbom task is updated to make use of silkbomb:2.0. To account for the serialNumber requirement which was manually implemented in #1340, some adjustments are made to the task:

  • The task now uploads an "Augmented SBOM (Updated)" file which may be used to update etc/augmented.sbom.json. This file will always have a most-recently-updated timestamp, hence the removal of the --no-update-timestamp flag. Therefore, the jq command to format the Augmented SBOMs for comparison excludes the metadata.timestamp field.
  • The --no-update-sbom-version flag remains to ensure consistency between the version field of the SBOM Lite and Augmented SBOM documents. This will almost always remain a value of 1, as each new release will generate a new serialNumber, resetting the version field.

Upload SBOM Lite

Given SilkBomb 2.0's support for the augment command (replaces the download command: on-demand generation of the Augmented SBOM rather than waiting for cron jobs to scan and augment the SBOM Lite via the Silk Asset Group's sbom_lite_path property), the silk-check-augmented-sbom task now depends on a new silk-upload-sbom-lite task which uploads the SBOM Lite per EVG build. This means the "Augmented SBOM (Updated)" will always be the most up-to-date it can be for the SBOM Lite that is committed for the given EVG patch or commit build.

The ${branch_name} Evergreen variable is used to specify the release branch for which the tasks are uploading/augmenting the SBOM via the --branch flag. The --repo and --branch flags completely replace the need to manually create and maintain Silk Asset Groups for individual release branches. Therefore, related instructions have been removed from etc/releasing.md.

Note

Only the upload and augment commands must be run via Evergreen. The update command, which (re)generates the SBOM Lite (etc/cyclonedx.sbom.json) using PURLs (etc/purls.txt), may be run locally.

Note

The --update-license-text and --select-licenses flags are not necessary for our use cases.

Release Instructions

Due to the upload and augment commands, both of which may be executed in the same EVG build, the release instructions are updated to simply download the "Augmented SBOM (Updated)" file and commit a sufficiently recent version into the repository prior to a release.

The post-release instructions to create a new Silk Asset Group are now replaced with instructions to (re)generate the SBOM Lite with a new unique serial number. Care must be taken to ensure copyright, licenses, and other manually inserted or modified fields are preserved during this process (updates to silkbomb:2.0 to better support this step are coming soon).

Important

A new serialNumber must be generated post-release for all relevant release branches to ensure the next release has a unique serialNumber. After a 1.2.3 release, only releases/v1.2 requires a new serialNumber for the upcoming 1.2.4 release. After a 1.3.0 release, both master and releases/v1.3 require a new serialNumber for the upcoming 1.4.0 and 1.3.1 releases respectively.
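The release checks described in this PR (comparing Augmented SBOMs with metadata.timestamp removed, expecting the SBOM Lite and Augmented SBOM to share serialNumber and version, and deciding which branches need a fresh serialNumber after a release) as an added Python example; this is not code from the mongo-cxx-driver repository, and the sample SBOM documents and the CycloneDX urn:uuid serialNumber format check are constructed for illustration.

```python
"""Release-time checks for a CycloneDX SBOM Lite and its Augmented SBOM.

Added example, not the driver's own tooling. Implements the rules stated in the
PR description rather than calling SilkBomb itself.
"""
import json
import re
import uuid

# Constructed sample documents (not real driver SBOMs).
SBOM_LITE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:" + str(uuid.UUID(int=1)),
    "version": 1,
    "metadata": {"timestamp": "2025-02-20T10:00:00Z"},
    "components": [{"name": "libbson", "purl": "pkg:github/mongodb/mongo-c-driver@1.30.0"}],
}
AUGMENTED = json.loads(json.dumps(SBOM_LITE))
AUGMENTED["metadata"]["timestamp"] = "2025-02-20T12:34:56Z"  # regenerated on every augment run


def comparable(sbom):
    """Canonical JSON with metadata.timestamp dropped, mirroring the jq comparison step."""
    doc = json.loads(json.dumps(sbom))  # deep copy so the input is not mutated
    doc.get("metadata", {}).pop("timestamp", None)
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def check_pair(lite, augmented):
    """Return a list of problems; an empty list means the pair is release-consistent."""
    problems = []
    if not re.fullmatch(r"urn:uuid:[0-9a-f-]{36}", lite.get("serialNumber", "")):
        problems.append("SBOM Lite serialNumber is not a urn:uuid")
    if lite.get("serialNumber") != augmented.get("serialNumber"):
        problems.append("serialNumber differs between SBOM Lite and Augmented SBOM")
    if lite.get("version") != augmented.get("version"):
        problems.append("version differs (expected with --no-update-sbom-version)")
    return problems


def branches_needing_new_serial(released):
    """Branches that must regenerate the SBOM Lite after releasing `released` (x.y.z).

    A patch release only affects its own release branch; an x.y.0 release also
    requires master to get a new serialNumber for the next minor release.
    """
    major, minor, patch = (int(p) for p in released.split("."))
    branches = [f"releases/v{major}.{minor}"]
    if patch == 0:
        branches.insert(0, "master")
    return branches
```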

@eramongodb
Contributor Author

eramongodb commented Feb 20, 2025

Due to the augment command already fulfilling the same function as the upload command for purposes of uploading the SBOM Lite, the silk-upload-sbom-lite task and related scripts are removed. For consistency with proposed changes for the C Driver, the tasks and scripts have been renamed to simply "SBOM".

Collaborator

@kevinAlbs kevinAlbs left a comment

LGTM with minor changes.

@eramongodb eramongodb merged commit c9d8ab9 into mongodb:master Feb 20, 2025
9 of 11 checks passed
@eramongodb eramongodb deleted the cxx-3228 branch February 20, 2025 21:54