Initial test

cveticm · cveticm · commit 9044d23f6f5a · 2025-05-28T15:52:47.000+01:00
diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml
@@ -0,0 +1,94 @@
+name: Augment SBOM
+
+on:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 1.42.2)"
+        required: true
+        type: string
+
+permissions:  
+  id-token: write  
+  contents: read  
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: mongodb/mongodb-atlas-cli
+      KONDUKTO_BRANCH_PREFIX: atlascli
+      SILKBOMB_IMG: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
+
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+            go-version-file: 'go.mod'
+
+      - name: Download Linux ARM64 binary
+        run: |
+          curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version || '1.42.2' }}/mongodb-atlas-cli_${{ github.event.inputs.release_version || '1.42.2' }}_linux_arm64.tar.gz" \
+            -o release.tar.gz
+
+      - name: Extract binary
+        run: |
+          tar -xzf release.tar.gz
+
+      - name: Generate PURLs from binary
+        run: |
+          go version -m ./mongodb-atlas-cli_${{ inputs.release_version || '1.42.2' }}_linux_arm64/bin/atlas | \
+            awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+            LC_ALL=C sort > purls.txt
+          cat purls.txt
+
+      - name: Generate SBOM with Silkbomb
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            "${SILKBOMB_IMG}" \
+            update \
+            --purls "/pwd/purls.txt" \
+            --sbom-out "/pwd/sbom_lite.json"
+          cat "sbom_lite.json"
+
+      - name: Augment SBOM with Kondukto
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            -e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
+            "${SILKBOMB_IMG}" \
+            augment \
+            --sbom-in "/pwd/sbom_lite.json" \
+            --repo "${KONDUKTO_REPO}" \
+            --branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
+            --sbom-out "/pwd/linux_amd64_augmented_sbom_v${{ inputs.release_version || '1.42.2' }}.json"
+
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version || '1.42.2' }}
+            AUGMENTED_SBOM_TEXT: "  - See Augmented SBOM manifests (CycloneDX in JSON format):
+                \n    - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${{ inputs.release_version || '1.42.2' }}.json'\n"
+        run: ./build/package/gen-ssdlc-report.sh
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            linux_amd64_augmented_sbom_v${{ inputs.release_version || '1.42.2' }}.json
+            ssdlc-compliance-${{ inputs.release_version || '1.42.2' }}.md
diff --git a/build/package/gen-ssdlc-report.sh b/build/package/gen-ssdlc-report.sh
@@ -19,6 +19,7 @@ set -eu
 release_date=${DATE:-$(date -u '+%Y-%m-%d')}
 
 export DATE="${release_date}"
+export AUGMENTED_SBOM_TEXT=${AUGMENTED_SBOM_TEXT:-""}  
 
 if [ -z "${AUTHOR:-}" ]; then
   AUTHOR=$(git config user.name)
@@ -31,16 +32,22 @@ fi
 export AUTHOR
 export VERSION
 
-echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+target_dir="."
+
+if [ -z "${AUGMENTED_SBOM_TEXT:-}" ]; then
+  target_dir="compliance/v${VERSION}"
 
-# Ensure AtlasCLI version directory exists
-mkdir -p "compliance/v${VERSION}"
+  # Ensure AtlasCLI version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
 
 envsubst < docs/releases/ssdlc-compliance.template.md \
-  > "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+  > "${target_dir}/ssdlc-compliance-${VERSION}.md"
 
-echo "SDLC checklist ready. Files in compliance/v${VERSION}/:"
-ls -l "compliance/v${VERSION}/"
+echo "SDLC checklist ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
 
 echo "Printing the generated report:"
-cat "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+cat "${target_dir}/ssdlc-compliance-${VERSION}.md"
diff --git a/docs/releases/ssdlc-compliance.template.md b/docs/releases/ssdlc-compliance.template.md
@@ -18,7 +18,7 @@ Overview:
 - **Dependency Information**
   - See SBOM Lite manifests (CycloneDX in JSON format):
     - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json
-
+${AUGMENTED_SBOM_TEXT}
 - **Security Testing Report**
   - Available as needed from Cloud Security.
 
@@ -27,4 +27,4 @@ Overview:
 
 Assumptions and attestations:
 
-- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
