Include links to the Evergreen build and to the driver security testing summary in the SSDLC report #1426

Merged (7 commits), Jun 28, 2024
2 changes: 2 additions & 0 deletions .evergreen/.evg.yml
Expand Up @@ -150,6 +150,8 @@ functions:
env:
PRODUCT_NAME: ${product_name}
PRODUCT_VERSION: ${product_version}
PRODUCT_RELEASE_CREATOR: ${author}
EVERGREEN_VERSION_ID: ${version_id}
Member Author
@vbabanin proposed a great idea to use Evergreen default expansions instead of trying to compute the required information on our own. Implementing this proposal greatly simplified the PR. However, I don't see how to test the new approach for builds triggered by a Git tag. We will see today how that works when releasing 5.1.2.

script: .evergreen/ssdlc-report.sh
- command: ec2.assume_role
params:
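Review bot: missing documentation on the two new env entries: nothing in the file records that PRODUCT_RELEASE_CREATOR comes from Evergreen's `${author}` expansion and EVERGREEN_VERSION_ID from `${version_id}`, nor what `${author}` holds for a build triggered from a Git tag, which the author's comment above says is still unverified. A one-line YAML comment above each entry naming the expansion's expected content (for example, the Evergreen user who created the version) would let whoever checks the first tag-triggered release confirm the report's "Release creator" value against the right source.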
26 changes: 21 additions & 5 deletions .evergreen/ssdlc-report.sh
Expand Up @@ -5,13 +5,23 @@ set -eu
# Supported/used environment variables:
# PRODUCT_NAME
# PRODUCT_VERSION
# PRODUCT_RELEASE_CREATOR
# EVERGREEN_VERSION_ID

if [ -z "${PRODUCT_NAME}" ]; then
echo "PRODUCT_NAME must be set to a non-empty string"
printf "\nPRODUCT_NAME must be set to a non-empty string\n"
exit 1
fi
if [ -z "${PRODUCT_VERSION}" ]; then
echo "PRODUCT_VERSION must be set to a non-empty string"
printf "\nPRODUCT_VERSION must be set to a non-empty string\n"
exit 1
fi
if [ -z "${PRODUCT_RELEASE_CREATOR}" ]; then
printf "\PRODUCT_RELEASE_CREATOR must be set to a non-empty string\n"
exit 1
fi
if [ -z "${EVERGREEN_VERSION_ID}" ]; then
printf "\EVERGREEN_VERSION_ID must be set to a non-empty string\n"
exit 1
fi

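Review bot: the two new validation messages have a format-string typo: `printf "\PRODUCT_RELEASE_CREATOR must be set to a non-empty string\n"` and `printf "\EVERGREEN_VERSION_ID must be set to a non-empty string\n"` start with `\P` and `\E` rather than the `\n` used in the PRODUCT_NAME and PRODUCT_VERSION messages above, so bash's printf emits a literal backslash and the line loses its leading newline. Change both to begin with `"\n` like the two messages they copy.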
Expand All @@ -22,7 +32,11 @@ RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE[0]:-$0}")"
source "${RELATIVE_DIR_PATH}/javaConfig.bash"

printf "\nCreating SSDLC reports\n"

printf "\nProduct name: %s\n" "${PRODUCT_NAME}"
printf "\nProduct version: %s\n" "${PRODUCT_VERSION}"
printf "\nProduct release creator: %s\n" "${PRODUCT_RELEASE_CREATOR}"
declare -r EVERGREEN_BUILD_URL="https://spruce.mongodb.com/version/${EVERGREEN_VERSION_ID}"
printf "\nEvergreen build URL: %s\n" "${EVERGREEN_BUILD_URL}"
declare -r SSDLC_PATH="${RELATIVE_DIR_PATH}/../build/ssdlc"
declare -r SSDLC_STATIC_ANALYSIS_REPORTS_PATH="${SSDLC_PATH}/static-analysis-reports"
mkdir "${SSDLC_PATH}"
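Review bot: EVERGREEN_VERSION_ID is spliced into EVERGREEN_BUILD_URL after only a non-empty check, and that URL ends up as a link in the compliance report. Since the value comes from an Evergreen expansion rather than from this script, consider rejecting anything outside the character set a version id is expected to use (for example `[[ "${EVERGREEN_VERSION_ID}" =~ ^[A-Za-z0-9_]+$ ]] || exit 1`, adjusted to whatever Evergreen actually emits) so a malformed or unexpected expansion fails the build here instead of producing a report with a broken link.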
Expand Down Expand Up @@ -52,14 +66,16 @@ declare -r SSDLC_REPORT_PATH="${SSDLC_PATH}/ssdlc_compliance_report.md"
cp "${TEMPLATE_SSDLC_REPORT_PATH}" "${SSDLC_REPORT_PATH}"
declare -a SED_EDIT_IN_PLACE_OPTION
if [[ "$OSTYPE" == "darwin"* ]]; then
SED_EDIT_IN_PLACE_OPTION=(-i '')
SED_EDIT_IN_PLACE_OPTION=(-i '')
else
SED_EDIT_IN_PLACE_OPTION=(-i)
SED_EDIT_IN_PLACE_OPTION=(-i)
fi
sed "${SED_EDIT_IN_PLACE_OPTION[@]}" \
-e "s/\${product_name}/${PRODUCT_NAME}/g" \
-e "s/\${product_version}/${PRODUCT_VERSION}/g" \
-e "s/\${report_date_utc}/$(date -u +%Y-%m-%d)/g" \
-e "s/\${product_release_creator}/${PRODUCT_RELEASE_CREATOR}/g" \
-e "s>\${evergreen_build_url}>${EVERGREEN_BUILD_URL}>g" \
"${SSDLC_REPORT_PATH}"
printf "%s\n" "${SSDLC_REPORT_PATH}"

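Review bot: the new `-e "s/\${product_release_creator}/${PRODUCT_RELEASE_CREATOR}/g"` keeps `/` as the sed delimiter and passes the value unescaped, while the `${evergreen_build_url}` line directly below switches to `>` precisely because that value contains `/`. A release creator value (the Evergreen `${author}` expansion) containing `/`, `&` or `\` would break or silently alter the sed program, since `&` in a replacement stands for the matched text. Either escape the value before use (for example `printf '%s' "${PRODUCT_RELEASE_CREATOR}" | sed 's|[/&\\]|\\&|g'`) or choose one delimiter and escape the replacement consistently for both new substitutions; the build URL needs the same treatment if `&` can ever appear in it.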
41 changes: 19 additions & 22 deletions .evergreen/template_ssdlc_compliance_report.md
Expand Up @@ -13,30 +13,18 @@ This report is available at
<td>${product_version}</td>
</tr>
<tr>
<th>Report date, UTC</th>
<td>${report_date_utc}</td>
</tr>
</table>

## Release creator

This information is available in multiple ways:

<table>
<tr>
<th>Evergreen</th>
<th>Release creator</th>
<td>
Go to
<a href="https://evergreen.mongodb.com/waterfall/mongo-java-driver?bv_filter=Publish%20Release">
https://evergreen.mongodb.com/waterfall/mongo-java-driver?bv_filter=Publish%20Release</a>,
find the build triggered from Git tag <code>r${product_version}</code>, see who authored it.
${product_release_creator}
<p>
Refer to data in Papertrail for more details.
There is currently no official way to serve that data.
</p>
</td>
</tr>
<tr>
<th>Papertrail</th>
<td>
Refer to data in Papertrail. There is currently no official way to serve that data.
</td>
<th>Report date, UTC</th>
<td>${report_date_utc}</td>
</tr>
</table>

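Review bot: `${product_release_creator}` is placed inside the `<td>` as-is, with no HTML escaping. Because the value originates from the Evergreen `${author}` expansion rather than from this template, a name containing `<` or `&` would be interpreted as markup when the Markdown report is rendered. Either document that the expansion is known to be plain text without those characters, or have ssdlc-report.sh escape `&`, `<` and `>` before the sed substitution.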
Expand All @@ -47,22 +35,31 @@ Blocked on <https://jira.mongodb.org/browse/JAVA-5429>.
The MongoDB SSDLC policy is available at
<https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc>.

## Third-darty dependency information
## Third-party dependency information

There are no dependencies to report vulnerabilities of.
Our [SBOM](https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/docs/CYCLONEDX/) lite
is <https://github.com/mongodb/mongo-java-driver/blob/r${product_version}/sbom.json>.

## Static analysis findings

The static analysis findings are all available at
The static analysis findings are available at
<https://d-9067613a84.awsapps.com/start/#/console?account_id=857654397073&role_name=Drivers.User&destination=https%3a%2f%2fus-west-1.console.aws.amazon.com%2fs3%2fbuckets%2fjava-driver-release-assets%3fregion%3dus-west-1%26bucketType%3dgeneral%26prefix%3d${product_name}%2f${product_version}%2fstatic-analysis-reports%2f>.
All the findings in the aforementioned reports
are either of the MongoDB status "False Positive" or "No Fix Needed",
because code that has any other findings cannot technically get into the product.

<https://github.com/mongodb/mongo-java-driver/blob/r${product_version}/config/spotbugs/exclude.xml> may also be of interest.

## Security testing results

The testing results are available at
<${evergreen_build_url}>.

See the driver security testing summary
<https://docs.google.com/document/d/1y2K_RY4GZVXpQvv4JH_35mSzFRTawNJ3mibpvSBU8H0>
for the description of what is tested.

## Signature information

The product artifacts are signed.
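Review bot: `<${evergreen_build_url}>` under the new "Security testing results" heading links to the whole Evergreen version, not to the tasks that actually constitute the security testing, so a reader of the report has to already know which build variant or task to open. Adding a sentence naming the task(s) whose results count as security testing, or pointing at the relevant section of the linked summary document, would make the results verifiable from the report alone.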