Merge branch 'master' into chore_remove_msi_task

Author: fmenezes

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,100 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 1.42.2)"
+        required: true
+        type: string
+
+permissions:  
+  id-token: write  
+  contents: read  
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+            go-version-file: 'go.mod'
+
+      - name: Download Linux ARM64 binary
+        run: |
+          curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64.tar.gz" \
+            -o release.tar.gz
+
+      - name: Extract binary
+        run: |
+          tar -xzf release.tar.gz
+
+      - name: Generate PURLs from binary
+        run: |
+          go version -m ./mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64/bin/atlas | \
+            awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+            LC_ALL=C sort > purls.txt
+          cat purls.txt
+
+      - name: Generate SBOM with Silkbomb
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            "${SILKBOMB_IMG}" \
+            update \
+            --purls "/pwd/purls.txt" \
+            --sbom-out "/pwd/sbom_lite.json"
+          cat "sbom_lite.json"
+
+      - name: Get current date
+        id: date
+        run: |
+          echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
+
+      - name: Augment SBOM with Kondukto
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            -e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
+            "${SILKBOMB_IMG}" \
+            augment \
+            --sbom-in "/pwd/sbom_lite.json" \
+            --repo "${KONDUKTO_REPO}" \
+            --branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
+            --sbom-out "/pwd/linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json"
+
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./build/package/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
+            ssdlc-compliance-${{ inputs.release_version }}-${{ env.date }}.md
+          if-no-files-found: error

.github/workflows/update-ssdlc-report.yaml

@@ -38,6 +38,7 @@ jobs:
         env:
           AUTHOR: ${{ steps.extract.outputs.author }}
           VERSION: ${{ steps.extract.outputs.version }}
+          AUGMENTED_REPORT: "false"
         run: ./build/package/gen-ssdlc-report.sh
       - name: set Apix Bot token
         id: app-token

build/ci/release.yml

@@ -96,15 +96,15 @@ functions:
       params:
         shell: bash
         script: |
-          docker run \
+          podman run \
           --pull=always \
           --platform="linux/amd64" \
           --rm \
           --env-file ${workdir}/kondukto_credentials.env \
           -v ${workdir}:/workdir \
           901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
           upload \
-          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \
+          --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json \
           --repo mongodb_mongodb-atlas-cli  \
           --branch ${branch_name}  
           rm ${workdir}/kondukto_credentials.env
@@ -218,6 +218,7 @@ functions:
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.json
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.msi
           - src/github.com/mongodb/mongodb-atlas-cli/dist/*.sig
+          - src/github.com/mongodb/mongodb-atlas-cli/sbom.json
         remote_file: ${project}/dist/${revision}_${created_at}/
         bucket: mongodb-mongocli-build
         permissions: public-read
@@ -349,17 +350,15 @@ functions:
           echo "${__project_aws_ssh_key_value}" > ./build/ci/ssh_id
           chmod 0600 ./build/ci/ssh_id
 tasks:
-  - name: generate_and_upload_sbom
-    commands:  
-      - func: "generate sbom"
-      - func: "run silkbomb"
   - name: package_goreleaser
     tags: ["packaging"]
     depends_on:
       - name: compile
         variant: "code_health"
     commands:
       - func: "create-windows-host"
+      - func: "generate sbom"
+      - func: "run silkbomb"
       - func: "generate notices"
       - func: "install goreleaser"
       - func: "install macos notarization service"
@@ -506,9 +505,6 @@ buildvariants:
       unstable: -unstable
     tasks:
       - name: package_goreleaser
-        depends_on:
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: publish_atlascli_snapshot
     display_name: "Publish AtlasCLI Snapshot"
     run_on:
@@ -531,9 +527,6 @@ buildvariants:
       meta_package_name: "mongodb-atlas"
     tasks:
       - name: package_goreleaser
-        depends_on:
-          - name: generate_and_upload_sbom
-            variant: ssdlc
   - name: copybara
     display_name: "Copybara"
     git_tag_only: true
@@ -575,11 +568,3 @@ buildvariants:
       - ubuntu2004-small
     tasks:
       - name: .smoke-test .generate .repo .atlascli
-  - name: ssdlc
-    display_name: Compliance [ssdlc]
-    run_on:
-      - ubuntu2204-small
-    expansions:
-      <<: *go_linux_version
-    tasks:
-      - name: generate_and_upload_sbom

build/package/.goreleaser.yml

@@ -145,5 +145,5 @@ release:
   name_template: "MongoDB Atlas CLI {{.Version}}"
   extra_files:
     - glob: ./bin/*.msi
-    - glob: compliance/**/*
+    - glob: ./sbom.json
 version: 2

build/package/gen-ssdlc-report.sh

@@ -28,19 +28,33 @@ if [ -z "${VERSION:-}" ]; then
   VERSION=$(git tag --list 'atlascli/v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
 fi
 
+if [ "${AUGMENTED_REPORT}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json"
+  # Ensure AtlasCLI version directory exists
+  mkdir -p "${target_dir}"
+fi
+
 export AUTHOR
 export VERSION
+export SBOM_TEXT
 
 echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
 
-# Ensure AtlasCLI version directory exists
-mkdir -p "compliance/v${VERSION}"
-
 envsubst < docs/releases/ssdlc-compliance.template.md \
-  > "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+  > "${target_dir}/${file_name}"
 
-echo "SDLC checklist ready. Files in compliance/v${VERSION}/:"
-ls -l "compliance/v${VERSION}/"
+echo "SDLC checklist ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
 
 echo "Printing the generated report:"
-cat "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+cat "${target_dir}/${file_name}"

build/package/generate-sbom.sh

@@ -19,13 +19,13 @@ set -Eeou pipefail
 export WORKDIR=${workdir:?}
 
 # Authenticate Docker to AWS ECR
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
+aws ecr get-login-password --region us-east-1 | podman login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com
 
 echo "Generating SBOMs..."
-docker run --rm \
+podman run --rm \
   -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \
   901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \
   update \
   --purls /pwd/build/package/purls.txt \
-  --sbom-out /pwd/compliance/sbom.json
+  --sbom-out /pwd/sbom.json
 

docs/releases/ssdlc-compliance.template.md

@@ -16,8 +16,7 @@ Overview:
   - [Kondukto](https://arcticglow.kondukto.io/)
 
 - **Dependency Information**
-  - See SBOM Lite manifests (CycloneDX in JSON format):
-    - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json
+${SBOM_TEXT}
 
 - **Security Testing Report**
   - Available as needed from Cloud Security.
@@ -27,4 +26,4 @@ Overview:
 
 Assumptions and attestations:
 
-- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.