VS-129: Integrate with Silk and download SBOM (#63)

Author: adelinowona

evergreen/download-augmented-sbom.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Environment variables used as input:
+# SILK_CLIENT_ID
+# SILK_CLIENT_SECRET
+
+declare -r SSDLC_PATH="./artifacts/ssdlc"
+mkdir -p "${SSDLC_PATH}"
+
+echo "Downloading augmented sbom from silk"
+
+docker run --platform="linux/amd64" --rm -v ${PWD}:/pwd \
+  -e SILK_CLIENT_ID \
+  -e SILK_CLIENT_SECRET \
+  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \
+  download --silk-asset-group mongo-csharp-analyzer --sbom-out /pwd/${SSDLC_PATH}/augmented-sbom.json

evergreen/evergreen.yml

@@ -181,6 +181,29 @@ functions:
         filenames:
           - "mongo-csharp-analyzer/artifacts/nuget/MongoDB.Analyzer.${PACKAGE_VERSION}.nupkg"
 
+  download-and-promote-augmented-sbom-to-s3-bucket:
+    - command: shell.exec
+      params:
+        working_dir: "mongo-csharp-analyzer"
+        include_expansions_in_env:
+          - "SILK_CLIENT_ID"
+          - "SILK_CLIENT_SECRET"
+        script: |
+          ${PREPARE_SHELL}
+          ./evergreen/download-augmented-sbom.sh
+    - command: s3.put
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: ./mongo-csharp-analyzer/artifacts/ssdlc/augmented-sbom.json
+        remote_file: mongo-csharp-analyzer/${PACKAGE_VERSION}/augmented-sbom.json
+        bucket: csharp-driver-release-assets
+        region: us-west-2
+        permissions: private
+        content_type: application/json
+        display_name: augmented-sbom.json
+        
   generate-ssdlc-report:
     - command: shell.exec
       params:
@@ -191,9 +214,6 @@ functions:
         script: |
           ${PREPARE_SHELL}
           ./evergreen/generate-ssdlc-report.sh
-    - command: ec2.assume_role
-      params:
-        role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
     - command: s3.put
       params:
         aws_key: ${AWS_ACCESS_KEY_ID}
@@ -288,21 +308,31 @@ tasks:
 
   - name: push-packages-nuget
     commands:
+      - command: ec2.assume_role
+        params:
+          role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
       - func: package-pack
       - func: package-push
         vars:
           PACKAGES_SOURCE: "https://api.nuget.org/v3/index.json"
           PACKAGES_SOURCE_KEY: ${nuget_api_key}
       - func: trace-artifacts
+      - func: download-and-promote-augmented-sbom-to-s3-bucket
       - func: generate-ssdlc-report
 
   - name: push-packages-myget
     commands:
+      - command: ec2.assume_role
+        params:
+          role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
       - func: package-pack
       - func: package-push
         vars:
           PACKAGES_SOURCE: "https://www.myget.org/F/mongodb/api/v3/index.json"
           PACKAGES_SOURCE_KEY: ${myget_api_key}
+      - func: trace-artifacts
+      - func: download-and-promote-augmented-sbom-to-s3-bucket
+      - func: generate-ssdlc-report
 
 axes:
   - id: driver

evergreen/template_ssdlc_compliance_report.md

@@ -1,7 +1,7 @@
 # ${PRODUCT_NAME} SSDLC compliance report
 
 This report is available
-<a href=https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/ssdlc_compliance_report.md>here</a>.
+<a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/ssdlc_compliance_report.md">here</a>.
 
 <table>
   <tr>
@@ -41,18 +41,15 @@ This information is available in multiple ways:
 
 Blocked on <https://jira.mongodb.org/browse/DRIVERS-2892>.
 
-The MongoDB SSDLC policy is available at
-<https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc>.
+The MongoDB SSDLC policy is available <a href="https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc">here</a>.
 
 ## Third-darty dependency information
 
-There are no dependencies to report vulnerabilities of.
-Our [SBOM](https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/docs/CYCLONEDX/) lite
-is <https://github.com/mongodb/mongo-csharp-analyzer/blob/v${PACKAGE_VERSION}/sbom.json>.
+Our third party report is available <a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/augmented-sbom.json">here</a>.
 
 ## Static analysis findings
 
-Coverity static analysis report is available <a href="https://coverity.corp.mongodb.com/login">here</a>, under mongodb-csharp-driver project.
+Coverity static analysis report is available <a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/static_code_analysis.csv">here</a>.
 
 ## Signature information