Add release instructions for static analysis and 3rd party deps (CXX-3009, CXX-3023) #1143
LGTM with minor comments addressed.

I liked the proposed silk-check-augmented-sbom and committing the Augmented SBOM. I expect the task will give advance notice to address a 3PD vulnerability before a release. I had incorrectly assumed the Augmented SBOM was not intended to be committed.
Re-requesting reviews due to some notable changes. Latest changes verified by this patch.
Can we get confirmation that this file should be committed rather than generated on-the-fly for releases? The augmented SBOM in Silk will be updated asynchronously and automatically as vulns are discovered by scanning tools, so a committed version would easily become out-of-date repeatedly.
It only needs to be available as an artifact for a given release, and it doesn't need to be regularly committed either. Therefore, the proposed release instructions state that this file only needs to be updated if there are significant changes in the latest Augmented SBOM relative to what is currently committed (as will be tracked by the EVG task). In effect, its presence in the repo isn't just for reporting purposes, but also to enable the tracking of updates to the Augmented SBOM via the EVG task.
LGTM
…3009, CXX-3023) (#1143)

* Add EVG task to check augmented SBOM for updates
* Split Artifactory and Garasign credential files
* CXX-3023 Add instructions to update and report Silk vulnerabilities
* CXX-3009 Add instructions to update SSDLC Report sheet with Coverity issues
* CXX-3023 Add etc/third_party_vulnerabilities.md
* Restrict third party dependencies to bundled sources only
* Properly distinguish between SBOM Lite and Augmented SBOM documents
* Always print contents of Augmented SBOM in diff
* Update Augmented SBOM and include instructions for manual download
Resolves CXX-3009 and CXX-3023.
This PR satisfies the "Static Analysis Report" and "3rd Party Dependency Vulnerabilities" report requirements for SSDLC.
3rd Party Dependencies (3PDs) are documented by etc/purls.txt and the corresponding etc/cyclonedx.sbom.json document, including their version and license. Any vulnerabilities which affect the "standard release product" for the MongoDB C++ Driver are reported in etc/third_party_vulnerabilities.md, which will be bundled with the signed release tarball alongside the final SSDLC Compliance Report per release. See etc/third_party_vulnerabilities.md for the definition of the "standard release product".

Static analysis issues are tracked and documented by a Google Spreadsheet which will be cloned and linked to in the final SSDLC Compliance Report per release. This is expected to be a temporary solution until better automation, tooling, and integrations are implemented. Details to follow in the subsequent PR which will introduce etc/ssdlc_compliance_report.md.

To better track the status of 3PD vulnerabilities (currently, none), a new Evergreen task tests for significant changes to the augmented SBOM document.

The etc/cyclonedx.sbom.json document serves as both the "SBOM Lite" and "augmented SBOM" document, as no observable difference between the two types of files could be found thus far. Should there be significant differences, an etc/augmented.sbom.json file is expected to be committed alongside etc/cyclonedx.sbom.json in the future. (Update: confirmed, the Augmented SBOM should not be used as the SBOM Lite.)
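To illustrate the kind of check the new Evergreen task performs, here is an added example (not the project's own task code) that diffs two CycloneDX JSON SBOMs for component additions, removals, version changes and newly listed vulnerability entries. The SBOM contents are constructed placeholders, and what counts as a "significant" change is an assumption made here.

```python
"""Added example: detect notable changes between two CycloneDX JSON SBOMs.

Not the mongo-cxx-driver project's own Evergreen task. Component names,
versions and the vulnerability id below are constructed sample data, and the
"significant change" criteria (added/removed components, version bumps, new
vulnerability entries) are an assumption of this illustration.
"""
import json

# Constructed "previously committed" SBOM.
OLD_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.0", "purl": "pkg:generic/libfoo@1.2.0"},
        {"name": "libbar", "version": "3.0.1", "purl": "pkg:generic/libbar@3.0.1"},
    ],
    "vulnerabilities": [],
})
# Constructed "latest downloaded" SBOM: libfoo bumped, libbar dropped, libbaz added,
# and one vulnerability entry now affects libfoo.
NEW_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.1", "purl": "pkg:generic/libfoo@1.2.1"},
        {"name": "libbaz", "version": "0.9.0", "purl": "pkg:generic/libbaz@0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:generic/libfoo@1.2.1"}]},
    ],
})

def _components(sbom):
    return {c["name"]: c.get("version", "") for c in sbom.get("components", [])}

def _vuln_ids(sbom):
    return {v["id"] for v in sbom.get("vulnerabilities", [])}

def sbom_changes(old_json, new_json):
    """Return only the non-empty change categories; {} means nothing significant."""
    old, new = json.loads(old_json), json.loads(new_json)
    oc, nc = _components(old), _components(new)
    changes = {
        "added": sorted(set(nc) - set(oc)),
        "removed": sorted(set(oc) - set(nc)),
        "version_changed": sorted(n for n in set(oc) & set(nc) if oc[n] != nc[n]),
        "new_vulnerabilities": sorted(_vuln_ids(new) - _vuln_ids(old)),
    }
    return {k: v for k, v in changes.items() if v}

if __name__ == "__main__":
    diff = sbom_changes(OLD_SBOM, NEW_SBOM)
    print(json.dumps(diff, indent=2))
    raise SystemExit(1 if diff else 0)  # non-zero: committed SBOM needs review
```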