CXX-3228 update scripts and release instructions for SilkBomb 2.0

.evergreen/config_generator/components/sbom.py

@@ -0,0 +1,159 @@
+from config_generator.components.funcs.setup import Setup
+
+from config_generator.etc.distros import find_small_distro
+from config_generator.etc.function import Function, merge_defns
+from config_generator.etc.utils import bash_exec
+
+from shrub.v3.evg_build_variant import BuildVariant
+from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put
+from shrub.v3.evg_task import EvgTask, EvgTaskRef
+
+from pydantic import ConfigDict
+from typing import Optional
+
+
+TAG = 'sbom'
+
+
+class CustomCommand(BuiltInCommand):
+    command: str
+    model_config = ConfigDict(arbitrary_types_allowed=True)
+
+
+def ec2_assume_role(
+    role_arn: Optional[str] = None,
+    policy: Optional[str] = None,
+    duration_seconds: Optional[int] = None,
+    command_type: Optional[EvgCommandType] = None,
+) -> CustomCommand:
+    return CustomCommand(
+        command="ec2.assume_role",
+        params={
+            "role_arn": role_arn,
+            "policy": policy,
+            "duration_seconds": duration_seconds,
+        },
+        type=command_type,
+    )
+
+
+class CheckAugmentedSBOM(Function):
+    name = 'check augmented sbom'
+    commands = [
+        ec2_assume_role(
+            command_type=EvgCommandType.SETUP,
+            role_arn='${KONDUKTO_ROLE_ARN}',
+        ),
+        bash_exec(
+            command_type=EvgCommandType.SETUP,
+            include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+            script='''\
+            set -o errexit
+            set -o pipefail
+            kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+            printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml
+        ''',
+        ),
+        expansions_update(
+            command_type=EvgCommandType.SETUP,
+            file='expansions.kondukto.yml',
+        ),
+        bash_exec(
+            command_type=EvgCommandType.TEST,
+            working_dir='mongo-cxx-driver',
+            include_expansions_in_env=[
+                'ARTIFACTORY_PASSWORD',
+                'ARTIFACTORY_USER',
+                'branch_name',
+                'KONDUKTO_TOKEN',
+            ],
+            script='.evergreen/scripts/sbom.sh',
+        ),
+    ]
+
+
+class UploadAugmentedSBOM(Function):
+    name = 'upload augmented sbom'
+    commands = [
+        # The current Augmented SBOM, ignoring version and timestamp fields.
+        s3_put(
+            command_type=EvgCommandType.SYSTEM,
+            aws_key='${aws_key}',
+            aws_secret='${aws_secret}',
+            bucket='mciuploads',
+            content_type='application/json',
+            display_name='Augmented SBOM (Old)',
+            local_file='mongo-cxx-driver/old.json',
+            permissions='public-read',
+            remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json',
+        ),
+        # The updated Augmented SBOM, ignoring version and timestamp fields.
+        s3_put(
+            command_type=EvgCommandType.SYSTEM,
+            aws_key='${aws_key}',
+            aws_secret='${aws_secret}',
+            bucket='mciuploads',
+            content_type='application/json',
+            display_name='Augmented SBOM (New)',
+            local_file='mongo-cxx-driver/new.json',
+            permissions='public-read',
+            remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json',
+        ),
+        # The difference between the current and updated Augmented SBOM.
+        s3_put(
+            command_type=EvgCommandType.SYSTEM,
+            aws_key='${aws_key}',
+            aws_secret='${aws_secret}',
+            bucket='mciuploads',
+            content_type='application/json',
+            display_name='Augmented SBOM (Diff)',
+            local_file='mongo-cxx-driver/diff.txt',
+            permissions='public-read',
+            remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt',
+        ),
+        # The updated Augmented SBOM without any filtering or modifications.
+        s3_put(
+            command_type=EvgCommandType.SYSTEM,
+            aws_key='${aws_key}',
+            aws_secret='${aws_secret}',
+            bucket='mciuploads',
+            content_type='application/json',
+            display_name='Augmented SBOM (Updated)',
+            local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
+            permissions='public-read',
+            remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json',
+        ),
+    ]
+
+
+def functions():
+    return merge_defns(
+        CheckAugmentedSBOM.defn(),
+        UploadAugmentedSBOM.defn(),
+    )
+
+
+def tasks():
+    distro_name = 'rhel80'
+    distro = find_small_distro(distro_name)
+
+    yield EvgTask(
+        name='sbom',
+        tags=[TAG, distro_name],
+        run_on=distro.name,
+        commands=[
+            Setup.call(),
+            CheckAugmentedSBOM.call(),
+            UploadAugmentedSBOM.call(),
+        ],
+    )
+
+
+def variants():
+    return [
+        BuildVariant(
+            name=TAG,
+            display_name='SBOM',
+            tasks=[EvgTaskRef(name=f'.{TAG}')],
+        ),
+    ]

.evergreen/config_generator/etc/distros.py

@@ -64,7 +64,6 @@ def ls_distro(name, **kwargs):
 RHEL_DISTROS = [] + \
     ls_distro(name='rhel80', os='rhel', os_type='linux', os_ver='8.0') + \
     ls_distro(name='rhel95', os='rhel', os_type='linux', os_ver='9.5') + \
-    ls_distro(name='rhel8-latest', os='rhel', os_type='linux', os_ver='latest') + \
     []
 
 RHEL_ARM64_DISTROS = [] + \

.evergreen/generated_configs/functions.yml

@@ -203,19 +203,42 @@ functions:
 
           .evergreen/atlas_data_lake/pull-mongohouse-image.sh
   check augmented sbom:
-    command: subprocess.exec
-    type: test
-    params:
-      binary: bash
-      working_dir: mongo-cxx-driver
-      include_expansions_in_env:
-        - ARTIFACTORY_USER
-        - ARTIFACTORY_PASSWORD
-        - SILK_CLIENT_ID
-        - SILK_CLIENT_SECRET
-      args:
-        - -c
-        - .evergreen/scripts/check-augmented-sbom.sh
+    - command: ec2.assume_role
+      type: setup
+      params:
+        role_arn: ${KONDUKTO_ROLE_ARN}
+    - command: subprocess.exec
+      type: setup
+      params:
+        binary: bash
+        include_expansions_in_env:
+          - AWS_ACCESS_KEY_ID
+          - AWS_SECRET_ACCESS_KEY
+          - AWS_SESSION_TOKEN
+        args:
+          - -c
+          - |
+            set -o errexit
+            set -o pipefail
+            kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
+            printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
+    - command: expansions.update
+      type: setup
+      params:
+        file: expansions.kondukto.yml
+    - command: subprocess.exec
+      type: test
+      params:
+        binary: bash
+        working_dir: mongo-cxx-driver
+        include_expansions_in_env:
+          - ARTIFACTORY_PASSWORD
+          - ARTIFACTORY_USER
+          - branch_name
+          - KONDUKTO_TOKEN
+        args:
+          - -c
+          - .evergreen/scripts/sbom.sh
   clang-tidy:
     command: subprocess.exec
     type: test
@@ -675,14 +698,25 @@ functions:
     - command: s3.put
       type: system
       params:
-        display_name: Augmented SBOM
+        display_name: Augmented SBOM (Old)
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
         bucket: mciuploads
         content_type: application/json
-        local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
+        local_file: mongo-cxx-driver/old.json
+        permissions: public-read
+        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json
+    - command: s3.put
+      type: system
+      params:
+        display_name: Augmented SBOM (New)
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        bucket: mciuploads
+        content_type: application/json
+        local_file: mongo-cxx-driver/new.json
         permissions: public-read
-        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
+        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json
     - command: s3.put
       type: system
       params:
@@ -693,7 +727,18 @@ functions:
         content_type: application/json
         local_file: mongo-cxx-driver/diff.txt
         permissions: public-read
-        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
+        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt
+    - command: s3.put
+      type: system
+      params:
+        display_name: Augmented SBOM (Updated)
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        bucket: mciuploads
+        content_type: application/json
+        local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
+        permissions: public-read
+        remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json
   upload code coverage:
     command: subprocess.exec
     type: system

.evergreen/generated_configs/tasks.yml

@@ -17195,6 +17195,13 @@ tasks:
           example_projects_cxx: clang++
           example_projects_cxxflags: -fsanitize=undefined -fno-sanitize-recover=undefined -fno-omit-frame-pointer
           example_projects_ldflags: -fsanitize=undefined -fno-sanitize-recover=undefined -static-libsan
+  - name: sbom
+    run_on: rhel80-small
+    tags: [sbom, rhel80]
+    commands:
+      - func: setup
+      - func: check augmented sbom
+      - func: upload augmented sbom
   - name: scan-build-rhel80-std11-default
     run_on: rhel80-large
     tags: [scan-build, rhel80, std11]
@@ -17258,13 +17265,6 @@ tasks:
           BSONCXX_POLYFILL: impls
           CXX_STANDARD: 17
       - func: upload scan artifacts
-  - name: silk-check-augmented-sbom
-    run_on: rhel8-latest-small
-    tags: [silk, rhel8-latest]
-    commands:
-      - func: setup
-      - func: check augmented sbom
-      - func: upload augmented sbom
   - name: test_mongohouse
     run_on: ubuntu2204-large
     tags: [mongohouse, ubuntu2204]