CLOUDP-315271: Onboard Kundukto to CI

[cveticm]

Proposed changes

Adds new evergreen task "generate_and_upload_sbom" to generate an SBOM and package it in the release.
Adds new file build/ci/purls.txt which is a list of purls built from the binary.
This step of work does the following:

1. New task "generate_and_upload_sbom":
   1. Creates Silkbomb tokens
   2. Generates a list of purls from the linux binary
   3. Generates an non-augemented SBOM in dir compliance/.
   4. Creates a Kondukto token
   5. Uploads the SBOM to the mongodb_mongodb-atlas-cli Kondukto project
2. Modification to release process
   1. Includes the SBOM in release page.
3. New purls check
   1. A new make command generates build/ci/purls.txt for visibility to devs on the implications their changes have to the sbom
   2. A new EVG check that purls.txt is up-to-date

This PR does not:

1. Generate SSDLC report (future work of CLOUDP-315269)
2. Generate augmented SBOMs (future work of CLOUDP-315270)
3. Generate a purls list for any other OS (future work of CLOUDP-316920

Jira ticket: CLOUDP-315271

Checklist

• I have signed the MongoDB CLA
• I have added tests that prove my fix is effective or that my feature works
• I have added any necessary documentation in document requirements section listed in CONTRIBUTING.md (if appropriate)
• I have addressed the @mongodb/docs-cloud-team comments (if appropriate)
• I have updated test/README.md (if an e2e test has been added)
• I have run make fmt and formatted my code

[cveticm]

This directory currently holds the generated SBOM.
It will also hold the generated SSDLC report after future work.

[gssbzn]

there are no expectations to produce this report with the release, any reason we are including it?

[cveticm]

In the scope we have as a goal to include SSDLC report as a part of release.
The rationale is that releases provide a convenient place to store the report and enable customers to access the report on release. And then up-to-date reports with augmented SBOMs can be provided to customers on request.

[gssbzn]

I have questions about the utility of packaging it with the bin, I don't see any other binary doing it, AKO for example is commited to the repo and not shipped

Then if we really want to ship it then I wonder why not use https://goreleaser.com/customization/sbom/#usage

[cveticm]

@fmenezes any opinion on shifting approach of where we store the report?

[fmenezes]

Just got off a call with @cveticm basically there are 3 approaches:

• Store on main/master (used by https://github.com/mongodb/mongodb-atlas-kubernetes)
• Store in the release package (used by ops manager)
• Store in github releases page (which it would be used by CLI/LocalDev)

The reason why we wanted to do on releases page was to make it same for CLI and Local Dev, also bear in mind our policy does not specify where to store these and most projects simply upload to S3.

[gssbzn]

also bear in mind our policy does not specify where to store these

Yes and my initial point, there's no expectation to be proactive about these and only to make it available upon request

[gssbzn]

Store in the release package (used by ops manager)

Thanks for reminding me of this I downloaded OM to see where they are but since it's 2GB package I forgot to check

in ops manager they are included in the notices folder, which in the CLI is the thirdparty notice folder

[cveticm]

I think putting the compliance report on the GitHub release page makes the most sense. It allows customers to grab the report easily before downloading any packages.
I also think that being proactive about making these reports available could reflect well on our SSDLC policy to customers.

Let me know if either of you have strong objections

[fmenezes]

Let's proceed with the releases page we might amend README/docs about it

[gssbzn]

general design comment, can we commit the purl file and make it a CI check (GH or EVG no preference) that is kept up to date, this is similar to how other repos manage this file

[gssbzn]

check the library owners check which is kind of similar

[fmenezes]

I would't go for this approach we would jump from 2 files storing dependency information (library_owners.json and go.mod) to 3 files (library_owners.json, go.mod and purls.txt).

I would prefer for the tooling to translate dependencies into purls and later json on the fly as needed.

I'm inclined to even remove library_owners.json, given only our team has code in atlasCLI since the kubernetes plugin extraction.

[gssbzn]

I'm ok to remove lib owners (same reason) but I see value on purls being committed given shipped dependencies are not the same as the ones in go.mod and this raises awareness when adding new libs and the implications, this also comes with the comment that I'd like if purls are auto generated by the precommit hook, similar to mms

[cveticm]

I have no strong opinion here. Having the purl file committed could definitely help with making dependencies more visible, but I see @fmenezes's point about not wanting to manage yet another file.

I can create a make command to generate purls from the binary and set up a GH action to check that it's up-to-date similar to how we do the docs check.

@fmenezes, any strong feelings about this idea?

[fmenezes]

sure that is fine, we can commit it but bear in mind the extra checks

[gssbzn]

you can use make build git is already set up to ignore the files generated by that command, and that build process is hook to generate a similar binary to what we ship with go releaser

[fmenezes]

I think we shouldn't do it anymore, we should make sure the file is fully updated

[fmenezes]

I don't think we need this we can set working dir at evergreen function

[fmenezes]

nit: for empty folders you can commit a complicance/.gitkeep empty file to keep folder on source code

[fmenezes]

I think we should merge "write kondukto credentials" and "run silkbomb" and make sure to add a rm kondukto_credentials.env in the end

[cveticm]

Example of check failing if purls.txt is not up-to-date:
https://spruce.mongodb.com/task/mongodb_atlas_cli_master_code_health_check_purls_patch_36f21cd8defe25ad9c89cf4d1d09f424e62cff55_681485dc659ffc00070b41ef_25_05_02_08_44_17/logs?execution=0&logtype=all

[gssbzn]

why hardcode to linux?

[cveticm]

there are some dependencies which are used only by some builds. For the moment, we will only generate purls for linux (in the interest of reducing this PRs scope) and will include generation for all builds, compiling them into one list which will be used for sbom generation in CLOUDP-316920

[gssbzn]

move to /scripts

[cveticm]

This script is only run as part of CI and other scripts live in this dir such as check-licenses.sh so IMO it makes more sense to keep this script within ./build/ci

[gssbzn]

will hooking this to the pre commit be a separate task?

[cveticm]

I didn't intended to since, as a part of CI, we do a check to see if purls.txt is up-to-date. Devs would have to manually run this command. My intent here was to give devs visual on changes to sbom because of their work.

I'm happy to include this command in pre commit. To verify @gssbzn, this would make the CI check is redundant, correct?

[gssbzn]

this would make the CI check is redundant, correct?

No cause having the pre commit installed is opt-in, and you can also do git commit --no-verify so you still need to check the files is up to date on the CI

Also just inc ase, ideally this should only run if the go.mod is modified

[github-actions]

Coverage Report 📈

Branch	Commit	Coverage
CLOUDP-227276_ssdlc_phase_2	36f21cd	37.1%
CLOUDP-315271_onboard_silkbomb_kundukto_to_ci	3633dd4	37.8%
	Difference	.7%