
Commit 771f650

authored
CXX-3228 update scripts for SilkBomb 2.0 (#1345)
1 parent 3ff7bc4 commit 771f650


7 files changed

+298
-176
lines changed

Lines changed: 159 additions & 0 deletions
@@ -0,0 +1,159 @@
1+
from config_generator.components.funcs.setup import Setup
2+
3+
from config_generator.etc.distros import find_small_distro
4+
from config_generator.etc.function import Function, merge_defns
5+
from config_generator.etc.utils import bash_exec
6+
7+
from shrub.v3.evg_build_variant import BuildVariant
8+
from shrub.v3.evg_command import BuiltInCommand, EvgCommandType, expansions_update, s3_put
9+
from shrub.v3.evg_task import EvgTask, EvgTaskRef
10+
11+
from pydantic import ConfigDict
12+
from typing import Optional
13+
14+
15+
TAG = 'sbom'
16+
17+
18+
class CustomCommand(BuiltInCommand):
19+
command: str
20+
model_config = ConfigDict(arbitrary_types_allowed=True)
21+
22+
23+
def ec2_assume_role(
24+
role_arn: Optional[str] = None,
25+
policy: Optional[str] = None,
26+
duration_seconds: Optional[int] = None,
27+
command_type: Optional[EvgCommandType] = None,
28+
) -> CustomCommand:
29+
return CustomCommand(
30+
command="ec2.assume_role",
31+
params={
32+
"role_arn": role_arn,
33+
"policy": policy,
34+
"duration_seconds": duration_seconds,
35+
},
36+
type=command_type,
37+
)
38+
39+
40+
class CheckAugmentedSBOM(Function):
41+
name = 'check augmented sbom'
42+
commands = [
43+
ec2_assume_role(
44+
command_type=EvgCommandType.SETUP,
45+
role_arn='${KONDUKTO_ROLE_ARN}',
46+
),
47+
bash_exec(
48+
command_type=EvgCommandType.SETUP,
49+
include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
50+
script='''\
51+
set -o errexit
52+
set -o pipefail
53+
kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
54+
printf "KONDUKTO_TOKEN: %s\\n" "$kondukto_token" >|expansions.kondukto.yml
55+
''',
56+
),
57+
expansions_update(
58+
command_type=EvgCommandType.SETUP,
59+
file='expansions.kondukto.yml',
60+
),
61+
bash_exec(
62+
command_type=EvgCommandType.TEST,
63+
working_dir='mongo-cxx-driver',
64+
include_expansions_in_env=[
65+
'ARTIFACTORY_PASSWORD',
66+
'ARTIFACTORY_USER',
67+
'branch_name',
68+
'KONDUKTO_TOKEN',
69+
],
70+
script='.evergreen/scripts/sbom.sh',
71+
),
72+
]
73+
74+
75+
class UploadAugmentedSBOM(Function):
76+
name = 'upload augmented sbom'
77+
commands = [
78+
# The current Augmented SBOM, ignoring version and timestamp fields.
79+
s3_put(
80+
command_type=EvgCommandType.SYSTEM,
81+
aws_key='${aws_key}',
82+
aws_secret='${aws_secret}',
83+
bucket='mciuploads',
84+
content_type='application/json',
85+
display_name='Augmented SBOM (Old)',
86+
local_file='mongo-cxx-driver/old.json',
87+
permissions='public-read',
88+
remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json',
89+
),
90+
# The updated Augmented SBOM, ignoring version and timestamp fields.
91+
s3_put(
92+
command_type=EvgCommandType.SYSTEM,
93+
aws_key='${aws_key}',
94+
aws_secret='${aws_secret}',
95+
bucket='mciuploads',
96+
content_type='application/json',
97+
display_name='Augmented SBOM (New)',
98+
local_file='mongo-cxx-driver/new.json',
99+
permissions='public-read',
100+
remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json',
101+
),
102+
# The difference between the current and updated Augmented SBOM.
103+
s3_put(
104+
command_type=EvgCommandType.SYSTEM,
105+
aws_key='${aws_key}',
106+
aws_secret='${aws_secret}',
107+
bucket='mciuploads',
108+
content_type='application/json',
109+
display_name='Augmented SBOM (Diff)',
110+
local_file='mongo-cxx-driver/diff.txt',
111+
permissions='public-read',
112+
remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt',
113+
),
114+
# The updated Augmented SBOM without any filtering or modifications.
115+
s3_put(
116+
command_type=EvgCommandType.SYSTEM,
117+
aws_key='${aws_key}',
118+
aws_secret='${aws_secret}',
119+
bucket='mciuploads',
120+
content_type='application/json',
121+
display_name='Augmented SBOM (Updated)',
122+
local_file='mongo-cxx-driver/etc/augmented.sbom.json.new',
123+
permissions='public-read',
124+
remote_file='mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json',
125+
),
126+
]
127+
128+
129+
def functions():
130+
return merge_defns(
131+
CheckAugmentedSBOM.defn(),
132+
UploadAugmentedSBOM.defn(),
133+
)
134+
135+
136+
def tasks():
137+
distro_name = 'rhel80'
138+
distro = find_small_distro(distro_name)
139+
140+
yield EvgTask(
141+
name='sbom',
142+
tags=[TAG, distro_name],
143+
run_on=distro.name,
144+
commands=[
145+
Setup.call(),
146+
CheckAugmentedSBOM.call(),
147+
UploadAugmentedSBOM.call(),
148+
],
149+
)
150+
151+
152+
def variants():
153+
return [
154+
BuildVariant(
155+
name=TAG,
156+
display_name='SBOM',
157+
tasks=[EvgTaskRef(name=f'.{TAG}')],
158+
),
159+
]
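Review bot: The Kondukto token fetched in `CheckAugmentedSBOM` is written in clear to `expansions.kondukto.yml` in the task working directory and never removed, so it outlives the setup step and would be captured by anything that later archives or uploads that directory; drop it once `expansions_update` has consumed it, e.g. a trailing `bash_exec(command_type=EvgCommandType.SETUP, script='rm -f expansions.kondukto.yml')`, and, if the shrub/Evergreen versions in use support the `redact` option on `expansions.update`, enable it so the value is masked in task logs. The `printf "KONDUKTO_TOKEN: %s\n"` line also emits the secret as an unquoted YAML scalar, so a token containing `: `, ` #` or a leading `'`, `"` or `*` would be mis-parsed or break the expansions file — either confirm the token format is plain alphanumeric or quote and escape the value before writing it. `.evergreen/scripts/sbom.sh` is not part of this diff, so how `KONDUKTO_TOKEN` and the Artifactory credentials are consumed there is unverified here. The `permissions='public-read'` uploads in `UploadAugmentedSBOM` keep the visibility the previous `silk/` uploads had, which presumably is intended for SBOM artifacts.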

.evergreen/config_generator/components/silk.py

Lines changed: 0 additions & 90 deletions
This file was deleted.

.evergreen/generated_configs/functions.yml

Lines changed: 62 additions & 17 deletions
@@ -203,19 +203,42 @@ functions:
203203
204204
.evergreen/atlas_data_lake/pull-mongohouse-image.sh
205205
check augmented sbom:
206-
command: subprocess.exec
207-
type: test
208-
params:
209-
binary: bash
210-
working_dir: mongo-cxx-driver
211-
include_expansions_in_env:
212-
- ARTIFACTORY_USER
213-
- ARTIFACTORY_PASSWORD
214-
- SILK_CLIENT_ID
215-
- SILK_CLIENT_SECRET
216-
args:
217-
- -c
218-
- .evergreen/scripts/check-augmented-sbom.sh
206+
- command: ec2.assume_role
207+
type: setup
208+
params:
209+
role_arn: ${KONDUKTO_ROLE_ARN}
210+
- command: subprocess.exec
211+
type: setup
212+
params:
213+
binary: bash
214+
include_expansions_in_env:
215+
- AWS_ACCESS_KEY_ID
216+
- AWS_SECRET_ACCESS_KEY
217+
- AWS_SESSION_TOKEN
218+
args:
219+
- -c
220+
- |
221+
set -o errexit
222+
set -o pipefail
223+
kondukto_token="$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)"
224+
printf "KONDUKTO_TOKEN: %s\n" "$kondukto_token" >|expansions.kondukto.yml
225+
- command: expansions.update
226+
type: setup
227+
params:
228+
file: expansions.kondukto.yml
229+
- command: subprocess.exec
230+
type: test
231+
params:
232+
binary: bash
233+
working_dir: mongo-cxx-driver
234+
include_expansions_in_env:
235+
- ARTIFACTORY_PASSWORD
236+
- ARTIFACTORY_USER
237+
- branch_name
238+
- KONDUKTO_TOKEN
239+
args:
240+
- -c
241+
- .evergreen/scripts/sbom.sh
219242
clang-tidy:
220243
command: subprocess.exec
221244
type: test
@@ -572,14 +595,25 @@ functions:
572595
- command: s3.put
573596
type: system
574597
params:
575-
display_name: Augmented SBOM
598+
display_name: Augmented SBOM (Old)
576599
aws_key: ${aws_key}
577600
aws_secret: ${aws_secret}
578601
bucket: mciuploads
579602
content_type: application/json
580-
local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
603+
local_file: mongo-cxx-driver/old.json
604+
permissions: public-read
605+
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/old.json
606+
- command: s3.put
607+
type: system
608+
params:
609+
display_name: Augmented SBOM (New)
610+
aws_key: ${aws_key}
611+
aws_secret: ${aws_secret}
612+
bucket: mciuploads
613+
content_type: application/json
614+
local_file: mongo-cxx-driver/new.json
581615
permissions: public-read
582-
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json
616+
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/new.json
583617
- command: s3.put
584618
type: system
585619
params:
@@ -590,7 +624,18 @@ functions:
590624
content_type: application/json
591625
local_file: mongo-cxx-driver/diff.txt
592626
permissions: public-read
593-
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/silk/augmented.sbom.json.diff
627+
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/diff.txt
628+
- command: s3.put
629+
type: system
630+
params:
631+
display_name: Augmented SBOM (Updated)
632+
aws_key: ${aws_key}
633+
aws_secret: ${aws_secret}
634+
bucket: mciuploads
635+
content_type: application/json
636+
local_file: mongo-cxx-driver/etc/augmented.sbom.json.new
637+
permissions: public-read
638+
remote_file: mongo-cxx-driver/${build_variant}/${revision}/${version_id}/${build_id}/sbom/augmented.sbom.json
594639
upload code coverage:
595640
command: subprocess.exec
596641
type: system

.evergreen/generated_configs/tasks.yml

Lines changed: 7 additions & 7 deletions
@@ -4146,6 +4146,13 @@ tasks:
41464146
example_projects_cxx: clang++
41474147
example_projects_cxxflags: -D_GLIBCXX_USE_CXX11_ABI=0 -fsanitize=undefined -fno-sanitize-recover=undefined -fno-omit-frame-pointer
41484148
example_projects_ldflags: -fsanitize=undefined -fno-sanitize-recover=undefined
4149+
- name: sbom
4150+
run_on: rhel80-small
4151+
tags: [sbom, rhel80]
4152+
commands:
4153+
- func: setup
4154+
- func: check augmented sbom
4155+
- func: upload augmented sbom
41494156
- name: scan-build-ubuntu2204-std11-default
41504157
run_on: ubuntu2204-large
41514158
tags: [scan-build, ubuntu2204, std11]
@@ -4209,13 +4216,6 @@ tasks:
42094216
BSONCXX_POLYFILL: impls
42104217
CXX_STANDARD: 17
42114218
- func: upload scan artifacts
4212-
- name: silk-check-augmented-sbom
4213-
run_on: rhel8-latest-small
4214-
tags: [silk, rhel8-latest]
4215-
commands:
4216-
- func: setup
4217-
- func: check augmented sbom
4218-
- func: upload augmented sbom
42194219
- name: test_mongohouse
42204220
run_on: ubuntu2204-large
42214221
tags: [mongohouse, ubuntu2204]
