
Commit 382d572

fix(ci): adopt augmented SBOM integration with Silk COMPASS-7910 (#5911)
1 parent b7946cc commit 382d572


4 files changed

+42
-7
lines changed


.evergreen/buildvariants-and-tasks.in.yml

+9-3
@@ -32,26 +32,31 @@ const PACKAGE_BUILD_VARIANTS = [
3232
// # when compiling/re-building addons. This ensures compatibility with other
3333
// # debian platforms that have glibc 2.23 or newer.
3434
run_on: 'ubuntu1604-large',
35+
silk_asset_group: 'compass-ubuntu',
3536
},
3637
{
3738
name: 'package-windows',
3839
display_name: 'Package Windows',
3940
run_on: 'windows-vsCurrent-large',
41+
silk_asset_group: 'compass-windows',
4042
},
4143
{
4244
name: 'package-rhel',
4345
display_name: 'Package RHEL',
4446
run_on: 'rhel80-large',
47+
silk_asset_group: 'compass-rhel',
4548
},
4649
{
4750
name: 'package-macos-x64',
4851
display_name: 'Package MacOS Intel',
49-
run_on: 'macos-1100'
52+
run_on: 'macos-1100',
53+
silk_asset_group: 'compass-macos',
5054
},
5155
{
5256
name: 'package-macos-arm',
5357
display_name: 'Package MacOS Arm64',
54-
run_on: 'macos-1100-arm64'
58+
run_on: 'macos-1100-arm64',
59+
silk_asset_group: 'compass-macos-arm',
5560
}
5661
];
5762
@@ -152,7 +157,8 @@ buildvariants:
152157
# package
153158
<% for (const buildVariant of PACKAGE_BUILD_VARIANTS) { %>
154159
- name: <%= buildVariant.name %>
155-
160+
expansions:
161+
silk_asset_group: <%= buildVariant.silk_asset_group %>
156162
display_name: <%= buildVariant.display_name %>
157163
run_on: <%= buildVariant.run_on %>
158164
tasks:
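Review bot: The second hunk emits `silk_asset_group: <%= buildVariant.silk_asset_group %>` unconditionally for every entry of PACKAGE_BUILD_VARIANTS, so an entry that omits the new field renders an empty expansion and the problem only shows up later, presumably as an empty `--silk-asset-group` argument in create-sbom.sh rather than at generation time. A one-line guard inside the loop, `<% if (!buildVariant.silk_asset_group) throw new Error('missing silk_asset_group for ' + buildVariant.name); %>`, or at least a comment on the array stating that the field is now required for package variants, would make the failure immediate and obvious. The PACKAGE_BUILD_VARIANTS declaration begins before the first hunk.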

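--- a/.evergreen/buildvariants-and-tasks.yml
+++ b/.evergreen/buildvariants-and-tasks.yml
@@ -32,34 +32,44 @@ buildvariants:
 - name: test-electron
 run_on: macos-14-arm64-gui
 - name: package-ubuntu
+expansions:
+silk_asset_group: compass-ubuntu
 display_name: Package Ubuntu
 run_on: ubuntu1604-large
 tasks:
 - name: package-compass
 - name: package-compass-isolated
 - name: package-compass-readonly
 - name: package-windows
+expansions:
+silk_asset_group: compass-windows
 display_name: Package Windows
 run_on: windows-vsCurrent-large
 tasks:
 - name: package-compass
 - name: package-compass-isolated
 - name: package-compass-readonly
 - name: package-rhel
+expansions:
+silk_asset_group: compass-rhel
 display_name: Package RHEL
 run_on: rhel80-large
 tasks:
 - name: package-compass
 - name: package-compass-isolated
 - name: package-compass-readonly
 - name: package-macos-x64
+expansions:
+silk_asset_group: compass-macos
 display_name: Package MacOS Intel
 run_on: macos-1100
 tasks:
 - name: package-compass
 - name: package-compass-isolated
 - name: package-compass-readonly
 - name: package-macos-arm
+expansions:
+silk_asset_group: compass-macos-arm
 display_name: Package MacOS Arm64
 run_on: macos-1100-arm64
 tasks: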

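--- a/.evergreen/create-sbom.sh
+++ b/.evergreen/create-sbom.sh
@@ -7,19 +7,27 @@ CRYPT_SHARED_VERSION=$(cat packages/compass/src/deps/csfle/version)
 
 set +x
 echo "${ARTIFACTORY_PASSWORD}" > /tmp/artifactory_password
+cat << EOF > /tmp/silkbomb.env
+SILK_CLIENT_ID=${SILK_CLIENT_ID}
+SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
+EOF
 set -x
 
 trap_handler() {
-rm -f /tmp/artifactory_password
+rm -vf /tmp/artifactory_password /tmp/silkbomb.env
 }
 trap trap_handler ERR EXIT
 
-scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/silkbomb.env /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
 ssh -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -p "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME" \
 "(cat /tmp/dependencies.json | jq -r '.[] | "'"pkg:npm/" + .name + "@" + .version'"' > /tmp/purls.txt) && \
 echo "pkg:generic/mongo_crypt_shared@${CRYPT_SHARED_VERSION}" >> /tmp/purls.txt && \
 (cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactor_password ) && \
 docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 && \
 docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
---purls /tmp/purls.txt --sbom_out /tmp/sbom.json"
-scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom.json,purls.txt} .sbom/
+--purls /tmp/purls.txt --sbom-out /tmp/sbom-lite.json && \
+docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
+--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /tmp/sbom-lite.json && \
+docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
+--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json"
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/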
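Review bot: The Silk credentials copied to the signing server by the new scp line are never removed there: the remote command chain ends with the download step, and the only remote cleanup is the pre-existing `rm -f /tmp/artifactor_password` in the docker login subshell, whose typo means that file is not removed either, so both secret files stay in the signing server's /tmp after the task while the updated trap_handler only cleans the local copies. I would end the remote command with an unconditional cleanup that runs whatever the chain's result, e.g. replace the last quoted line with `--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json); rm -f /tmp/silkbomb.env /tmp/artifactory_password"` together with an opening `"(` at the start of the chain, and fix the typo in the login subshell. The heredoc also creates /tmp/silkbomb.env with whatever the default umask allows, and scp without `-p` gives the remote copy the remote umask's mode rather than anything set locally; a `chmod 600 /tmp/silkbomb.env` right after the heredoc and a matching `chmod 600` on the remote before the first `docker run --env-file` would keep the client secret readable only by the CI user on both hosts.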

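--- a/.evergreen/functions.yml
+++ b/.evergreen/functions.yml
@@ -435,6 +435,10 @@ functions:
 SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
 SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
 SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
+# for Silk SBOM integration
+SILK_ASSET_GROUP: ${silk_asset_group}
+SILK_CLIENT_ID: ${silk_client_id}
+SILK_CLIENT_SECRET: ${silk_client_secret}
 script: |
 set -e
 
@@ -821,6 +825,13 @@ functions:
 remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/purls.txt
 content_type: text/plain
 optional: true
+- command: s3.put
+params:
+<<: *save-artifact-params-public
+local_file: src/.sbom/sbom-lite.json
+remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/sbom-lite.json
+content_type: application/json
+optional: true
 - command: s3.put
 params:
 <<: *save-artifact-params-public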
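Review bot: The comment added above the three SILK_* entries in the first hunk says only what they are for, while two of them are credentials that create-sbom.sh writes to a file and ships to the signing server; the comment should say where the values must come from and that they are secrets, e.g. `# for Silk SBOM integration; silk_client_id and silk_client_secret are credentials and must be supplied as private project variables, never defined in this file`. Whether Evergreen redacts these values from task logs depends on how the project variables are declared, which this hunk cannot show, so the comment is the only place a reader of this file learns that `SILK_CLIENT_SECRET` must be handled differently from `SILK_ASSET_GROUP`. The enclosing function's `script` block continues past the hunk.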
