CLOUDP-316920: Generate PURLs for windows and darwin os

.github/workflows/generate-augmented-sbom.yml

@@ -19,7 +19,7 @@ jobs:
     env:
       KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
       KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
-      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      KONDUKTO_BRANCH: ${{ vars.KONDUKTO_BRANCH }}
       SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
 
     steps:
@@ -34,20 +34,37 @@ jobs:
         with:
             go-version-file: 'go.mod'
 
-      - name: Download Linux ARM64 binary
+      - name: Download binaries
         run: |
           curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64.tar.gz" \
-            -o release.tar.gz
+            -o linux.tar.gz
+          curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_macos_x86_64.zip" \
+            -o darwin.zip
+          curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_windows_x86_64.zip" \
+            -o windows.zip
 
-      - name: Extract binary
+      - name: Extract binaries
         run: |
-          tar -xzf release.tar.gz
+          tar -xzf linux.tar.gz
+          unzip -o darwin.zip -d ./darwin
+          unzip -o windows.zip -d ./windows
 
-      - name: Generate PURLs from binary
+      - name: Generate PURLs from binaries
         run: |
+          # Generate Linux purls
           go version -m ./mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64/bin/atlas | \
             awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
-            LC_ALL=C sort > purls.txt
+            LC_ALL=C sort > purls-linux.txt
+          # Generate Darwin purls
+          go version -m ./darwin/bin/atlas | \
+            awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+            LC_ALL=C sort > purls-darwin.txt
+          # Generate Windows purls
+          go version -m ./windows/bin/atlas.exe | \
+            awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+            LC_ALL=C sort > purls-windows.txt
+          # Merge purls
+          cat purls-linux.txt purls-darwin.txt purls-windows.txt |  LC_ALL=C sort | uniq > purls.txt
           cat purls.txt
 
       - name: Generate SBOM with Silkbomb
@@ -80,8 +97,8 @@ jobs:
             augment \
             --sbom-in "/pwd/sbom_lite.json" \
             --repo "${KONDUKTO_REPO}" \
-            --branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
-            --sbom-out "/pwd/linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json"
+            --branch "${KONDUKTO_BRANCH}" \
+            --sbom-out "/pwd/augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json"
 
       - name: Generate SSDLC report
         env:
@@ -95,6 +112,6 @@ jobs:
         with:
           name: augmented_sbom_and_ssdlc_report
           path: |
-            linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
+            augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
             ssdlc-compliance-${{ inputs.release_version }}-${{ env.date }}.md
           if-no-files-found: error

Makefile

@@ -139,12 +139,28 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands
 	go run -ldflags "$(LINKER_FLAGS)" ./tools/cmd/docs
 
 .PHONY: gen-purls
-gen-purls: # Generate purls on linux os
-	@echo "==> Generating purls"
+gen-purls: # Generate purls
+	@echo "==> Generating Linux purls"
 	GOOS=linux GOARCH=amd64 go build -trimpath -mod=readonly -o bin/atlas-linux ./cmd/atlas
 	go version -m ./bin/atlas-linux | \
 		awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
-		LC_ALL=C sort > build/package/purls.txt
+		LC_ALL=C sort > build/package/purls-linux.txt
+
+	@echo "==> Generating Darwin purls"
+	GOOS=darwin GOARCH=arm64 go build -trimpath -mod=readonly -o bin/atlas-darwin ./cmd/atlas
+	go version -m ./bin/atlas-darwin | \
+		awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
+		LC_ALL=C sort > build/package/purls-darwin.txt
+
+	@echo "==> Generating Windows purls"
+	GOOS=windows GOARCH=386 go build -trimpath -mod=readonly -o bin/atlas-win ./cmd/atlas
+	go version -m ./bin/atlas-win | \
+		awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
+		LC_ALL=C sort > build/package/purls-win.txt
+
+	@echo "==> Merging purls"
+	cat build/package/purls-linux.txt build/package/purls-darwin.txt build/package/purls-win.txt |  LC_ALL=C sort | uniq > build/package/purls.txt
+	rm -rf build/package/purls-linux.txt build/package/purls-darwin.txt build/package/purls-win.txt
 
 .PHONY: build
 build: ## Generate an atlas binary in ./bin

build/package/gen-ssdlc-report.sh

@@ -32,7 +32,7 @@ if [ "${AUGMENTED_REPORT}" = "true" ]; then
   target_dir="."
   file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
   SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
-      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - This file has been provided along with this report under the name 'augmented_sbom_v${VERSION}-${DATE}.json'
       - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
 
 else # If not augmented, generate the standard report

build/package/purls.txt

@@ -38,11 +38,13 @@ pkg:golang/github.com/briandowns/spinner@v1.23.2
 pkg:golang/github.com/cloudflare/circl@v1.6.0
 pkg:golang/github.com/denisbrodbeck/machineid@v1.0.1
 pkg:golang/github.com/dsnet/compress@v0.0.2-0.20230904184137-39efe44ab707
+pkg:golang/github.com/ebitengine/purego@v0.8.4
 pkg:golang/github.com/fatih/color@v1.14.1
 pkg:golang/github.com/felixge/httpsnoop@v1.0.4
 pkg:golang/github.com/fsnotify/fsnotify@v1.8.0
 pkg:golang/github.com/go-logr/logr@v1.4.2
 pkg:golang/github.com/go-logr/stdr@v1.2.2
+pkg:golang/github.com/go-ole/go-ole@v1.2.6
 pkg:golang/github.com/go-viper/mapstructure/v2@v2.2.1
 pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.2
 pkg:golang/github.com/golang/snappy@v0.0.4
@@ -56,6 +58,7 @@ pkg:golang/github.com/hashicorp/errwrap@v1.1.0
 pkg:golang/github.com/hashicorp/go-multierror@v1.1.1
 pkg:golang/github.com/hashicorp/golang-lru/v2@v2.0.7
 pkg:golang/github.com/iancoleman/strcase@v0.3.0
+pkg:golang/github.com/inconshreveable/mousetrap@v1.1.0
 pkg:golang/github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51
 pkg:golang/github.com/klauspost/compress@v1.18.0
 pkg:golang/github.com/klauspost/pgzip@v1.2.6
@@ -91,6 +94,7 @@ pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0
 pkg:golang/github.com/xdg-go/scram@v1.1.2
 pkg:golang/github.com/xdg-go/stringprep@v1.0.4
 pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78
+pkg:golang/github.com/yusufpapurcu/wmi@v1.2.4
 pkg:golang/go.mongodb.org/atlas-sdk/v20240530005@v20240530005.0.0
 pkg:golang/go.mongodb.org/atlas-sdk/v20250312003@v20250312003.0.0
 pkg:golang/go.mongodb.org/atlas@v0.38.0