Add compliance report (#25)

Author: blink1073

authorized-pub/action.yml

@@ -22,7 +22,7 @@ runs:
       run: |
           export GH_TOKEN=${{ inputs.token }}
           NAME=$(gh api users/${{ github.actor }} --jq '.name')
-          export REPORT=$S3_ASSETS/authorized_publication.txt
+          export REPORT=$S3_ASSETS/authorized-publication.txt
           echo "Product: ${{ inputs.product_name }}" > $REPORT
           echo "Version: ${{ inputs.release_version }}" >> $REPORT
           echo "Releaser: $NAME"  >> $REPORT

compliance-report/action.yml

@@ -0,0 +1,28 @@
+name: Generate a compliance report
+description: Generates the compliance report in the S3_ASSETS folder
+inputs:
+  token:
+    description: The GitHub token for the action
+    required: true
+  sbom_name:
+    description: The name of the SBOM file in the S3 bucket
+    default: cyclonedx.sbom.json
+  sarif_name:
+    description: The name of the SARIF file in the S3 bucket
+    default: code-scanning-alerts.json
+  authorized_pub_name:
+    description: The name of the Authorized Publication file in the S3 bucket
+    default: authorized-publication.txt
+runs:
+  using: composite
+  steps:
+    - name: Generate Compliance Report
+      shell: bash
+      run: |
+        set -eux
+        export GH_TOKEN=${{ inputs.token }}
+        export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name')
+        export SBOM_NAME=${{ inputs.sbom_name }}
+        export SARIF_NAME=${{ inputs.sarif_name }}
+        export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }}
+        bash ${{ github.action_path }}/generate.sh

compliance-report/generate.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -eux
+
+cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md
+Release Creator
+${RELEASE_CREATOR}
+
+Tool used to track third party vulnerabilities
+Silk
+
+Third-Party Dependency Information
+See ${SBOM_NAME}
+
+Static Analysis Findings
+See ${SARIF_NAME}
+
+Signature Information
+See ${AUTHORIZED_PUB_NAME}
+
+Known Vulnerabilities
+Any vulnerabilities that may be shown in the files referenced above have been reviewed and accepted by the appropriate approvers.
+EOF

gpg-sign/action.yml

@@ -11,6 +11,16 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Get the list of filenames as a space-separated string
+      shell: bash
+      id: filenames
+      run: |
+          set -eux
+          export FILENAMES=${{inputs.filenames}}
+          if [[ $FILENAMES =~ '*' ]]; then
+            FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')
+          fi
+          echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT
     - name: "Create detached signature for file"
       shell: bash
       run: |
@@ -25,4 +35,6 @@ runs:
     - name: "Move the signature files to the release directory"
       shell: bash
       run: |
-        for filename in ${{ inputs.filenames }}; do mv ${filename}.sig $RELEASE_ASSETS; done
+        set -eux
+        export FILENAMES=${{steps.filenames.outputs.names}}
+        for filename in $FILENAMES; do mv ${filename}.sig $RELEASE_ASSETS; done

python/publish/action.yml

@@ -51,8 +51,11 @@ runs:
     - name: Generate Sarif Report
       uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
       with:
-        output-file: sarif-report.json
         ref: ${{ inputs.version }}
+    - name: Generate Compliance Report
+      uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+      with:
+        token: ${{ inputs.token }}
     - name: Run publish script
       shell: bash
       run: ${{github.action_path}}/publish.sh

python/publish/publish.sh

@@ -2,7 +2,8 @@
 
 set -eux
 
-mv sarif-report.json $S3_ASSETS
+cp $RELEASE_ASSETS/*.sig $S3_ASSETS
+mv code-scanning-alerts.json $S3_ASSETS
 
 if [ "$DRY_RUN" == "false" ]; then
     echo "Uploading Release Reports"

sbom/action.yml

@@ -11,10 +11,12 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Download the Augmented SBOM file to the release assets folder
+    - name: Download the Augmented SBOM file to the release assets and s3 assets folders
       shell: bash
       run: |
+        set -eux
         podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
           --env-file=${SILKBOMB_ENVFILE} \
           ${{ inputs.artifactory_image }} \
-          download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json
+          download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json
+        cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}

setup/setup.sh

@@ -39,11 +39,11 @@ mkdir $S3_ASSETS
 
 echo "Set up global variables"
 cat <<EOF >> $GITHUB_ENV
-AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}"
+AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}
 GPG_KEY_ID=$GPG_KEY_ID
-GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}"
+GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
-SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}"
+SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS