-
Notifications
You must be signed in to change notification settings - Fork 543
Add release instructions for static analysis and 3rd party deps (CXX-3009, CXX-3023) #1143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
14 commits
Select commit
Hold shift + click to select a range
c2c016c
Add EVG task to check augmented SBOM for updates
eramongodb c4badb8
Split Artifactory and Garasign credential files
eramongodb 882b98e
CXX-3023 Add instructions to update and report Silk vulnerabilities
eramongodb c5cfe71
CXX-3009 Add instructions to update SSDLC Report sheet with Coverity …
eramongodb dea9db4
CXX-3023 Add etc/third_party_vulnerabilities.md
eramongodb 7784298
Fix severity level for third party dependencies
eramongodb c1f5d2c
Restrict third party dependencies to bundled sources only
eramongodb 653b524
Properly distinguish between SBOM Lite and Augmented SBOM documents
eramongodb 750318a
Always print contents of Augmented SBOM in diff
eramongodb 213eb5e
Make diff output easier to spot
eramongodb c14030e
Expand tabs in diff output for consistent widths
eramongodb 5f9cabc
Update Augmented SBOM and include instructions for manual download
eramongodb ee663cb
Also upload Augmented SBOM diff to EVG
eramongodb d595556
Remove filtering of metadata fields
eramongodb File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -o errexit | ||
| set -o pipefail | ||
|
|
||
| command -v podman >/dev/null || { | ||
| echo "missing required program podman" 1>&2 | ||
| exit 1 | ||
| } | ||
|
|
||
| command -v jq >/dev/null || { | ||
| echo "missing required program jq" 1>&2 | ||
| exit 1 | ||
| } | ||
|
|
||
| podman login --password-stdin --username "${ARTIFACTORY_USER:?}" artifactory.corp.mongodb.com <<<"${ARTIFACTORY_PASSWORD:?}" | ||
|
|
||
| silkbomb_download_flags=( | ||
| # Avoid bumping version or timestamp in diff. | ||
| --no-update-sbom-version | ||
| --no-update-timestamp | ||
|
|
||
| --silk-asset-group mongo-cxx-driver | ||
| -o /pwd/etc/augmented.sbom.json.new | ||
| ) | ||
|
|
||
| podman run \ | ||
| --env-file <( | ||
| echo "SILK_CLIENT_ID=${SILK_CLIENT_ID:?}" | ||
| echo "SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET:?}" | ||
| ) \ | ||
| -it --rm -v "$(pwd):/pwd" \ | ||
| artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ | ||
| download "${silkbomb_download_flags[@]:?}" | ||
|
|
||
| [[ -f ./etc/augmented.sbom.json.new ]] || { | ||
| echo "failed to download Augmented SBOM from Silk" 1>&2 | ||
| exit 1 | ||
| } | ||
|
|
||
| echo "Comparing Augmented SBOM..." | ||
|
|
||
| # Allow task to upload the augmented SBOM despite failed diff. | ||
| if ! diff -sty --left-column -W 200 \ | ||
| <(jq ./etc/augmented.sbom.json) \ | ||
| <(jq ./etc/augmented.sbom.json.new) >|diff.txt; then | ||
| declare status | ||
| status='{"status":"failed", "type":"test", "should_continue":true, "desc":"detected significant changes in Augmented SBOM"}' | ||
| curl -sS -d "${status:?}" -H "Content-Type: application/json" -X POST localhost:2285/task_status || true | ||
| fi | ||
|
|
||
| cat diff.txt | ||
|
|
||
| echo "Comparing Augmented SBOM... done." |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| { | ||
| "components": [ | ||
| { | ||
| "bom-ref": "pkg:github/mnmlstc/[email protected]", | ||
| "copyright": "Copyright \u00a9 2013 - 2014 MNMLSTC", | ||
| "externalReferences": [ | ||
| { | ||
| "type": "distribution", | ||
| "url": "https://github.com/mnmlstc/core/archive/refs/tags/v1.1.0.tar.gz" | ||
| }, | ||
| { | ||
| "type": "website", | ||
| "url": "https://github.com/mnmlstc/core/tree/v1.1.0" | ||
| } | ||
| ], | ||
| "group": "mnmlstc", | ||
| "licenses": [ | ||
| { | ||
| "license": { | ||
| "id": "Apache-2.0" | ||
| } | ||
| } | ||
| ], | ||
| "name": "core", | ||
| "purl": "pkg:github/mnmlstc/[email protected]", | ||
| "type": "library", | ||
| "version": "v1.1.0" | ||
| }, | ||
| { | ||
| "bom-ref": "pkg:github/mongodb/[email protected]", | ||
| "copyright": "Copyright 2009-present MongoDB, Inc.", | ||
| "externalReferences": [ | ||
| { | ||
| "type": "distribution", | ||
| "url": "https://github.com/mongodb/mongo-c-driver/archive/refs/tags/v1.25.0.tar.gz" | ||
| }, | ||
| { | ||
| "type": "website", | ||
| "url": "https://github.com/mongodb/mongo-c-driver/tree/v1.25.0" | ||
| } | ||
| ], | ||
| "group": "mongodb", | ||
| "licenses": [ | ||
| { | ||
| "license": { | ||
| "id": "Apache-2.0" | ||
| } | ||
| } | ||
| ], | ||
| "name": "mongo-c-driver", | ||
| "purl": "pkg:github/mongodb/[email protected]", | ||
| "type": "library", | ||
| "version": "v1.25.0" | ||
| } | ||
| ], | ||
| "dependencies": [ | ||
| { | ||
| "ref": "pkg:github/mnmlstc/[email protected]" | ||
| }, | ||
| { | ||
| "ref": "pkg:github/mongodb/[email protected]" | ||
| } | ||
| ], | ||
| "metadata": { | ||
| "timestamp": "2024-06-06T18:10:31.789025+00:00", | ||
| "tools": [ | ||
| { | ||
| "externalReferences": [ | ||
| { | ||
| "type": "build-system", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" | ||
| }, | ||
| { | ||
| "type": "distribution", | ||
| "url": "https://pypi.org/project/cyclonedx-python-lib/" | ||
| }, | ||
| { | ||
| "type": "documentation", | ||
| "url": "https://cyclonedx-python-library.readthedocs.io/" | ||
| }, | ||
| { | ||
| "type": "issue-tracker", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" | ||
| }, | ||
| { | ||
| "type": "license", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" | ||
| }, | ||
| { | ||
| "type": "release-notes", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" | ||
| }, | ||
| { | ||
| "type": "vcs", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib" | ||
| }, | ||
| { | ||
| "type": "website", | ||
| "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" | ||
| } | ||
| ], | ||
| "name": "cyclonedx-python-lib", | ||
| "vendor": "CycloneDX", | ||
| "version": "6.4.4" | ||
| } | ||
| ] | ||
| }, | ||
| "serialNumber": "urn:uuid:dd68fbb0-f77c-4bb9-90cd-606dd854f301", | ||
| "version": 1, | ||
| "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", | ||
| "bomFormat": "CycloneDX", | ||
| "specVersion": "1.5" | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we get confirmation that this file should be committed rather than generated on-the-fly for releases? The augmented SBOM in Silk will be updated asynchronously and automatically as vulns are discovered by scanning tools, so a committed version would easily become out-of-date repeatedly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It only needs to be available as an artifact for a given release, and it doesn't need to be regularly committed either. Therefore, the proposed release instructions state that this file only needs to be updated if there are significant changes in the latest Augmented SBOM relative to what is currently committed (as will be tracked by the EVG task). In effect, its presence in the repo isn't just for reporting purposes, but also to enable the tracking of updates to the Augmented SBOM via the EVG task.