From cb68305315130a84f2be34b837e419e7b126c29b Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 25 Apr 2025 17:55:25 +0100 Subject: [PATCH 01/17] Initial tasks to generate sboms for ssdlc --- build/ci/release.yml | 69 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/build/ci/release.yml b/build/ci/release.yml index eff153c9bd..0a5af6faf4 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml @@ -165,6 +165,42 @@ functions: - workdir - FEED_FILE_NAME binary: ../build/package/generate-download-archive-manifest.sh + "generate purls": + - command: shell.exec + params: + shell: bash + script: | + echo "Generating PURLs..." + ./generate_purls.sh > ${workdir}/purls.txt + "generate sbom": + - command: shell.exec + params: + shell: bash + script: | + echo "Generating SBOM from PURLs..." + ./generate_sbom.sh ${workdir}/purls.txt > ${workdir}/sbom.json + "write kondukto credentials": + - command: ec2.assume_role + display_name: Assume IAM role with permissions to pull Kondukto API token + params: + role_arn: ${kondukto_role_arn} + - command: shell.exec + display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file + params: + silent: true + shell: bash + include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: | + set -e + # use AWS CLI to get the Kondukto API token from AWS Secrets Manager + kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) + # set the KONDUKTO_TOKEN environment variable + echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env + "run silkbomb": + - command: shell.exec + params: + shell: bash + script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} ${SILKBOMB_ARGS} "upload dist": - command: s3.put params: 
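Review bot: `./generate_purls.sh` and `./generate_sbom.sh` are invoked by the new `generate purls` and `generate sbom` functions, but the diffstat lists only `build/ci/release.yml`, so neither script exists in this commit and both tasks fail at their first real step. Until the scripts land, the functions should at least fail loudly and predictably: start each script with `set -euo pipefail` and quote the expansion, e.g. `./generate_purls.sh > "${workdir}/purls.txt"`, so a missing or failing generator never leaves a truncated purls.txt for the SBOM step to consume. The `run silkbomb` line concatenates six unquoted expansions into one command line; any value containing whitespace would be word-split, so either keep those values single-token or write the `docker run` out explicitly with one argument per line.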
@@ -437,6 +473,30 @@ tasks: content_type: ${content_type|application/x-gzip} display_name: downloads-center-new- - func: "send slack notification" + - name: generate_purls + commands: + - func: "generate purls" + - name: generate_sbom + commands: + - func: "generate sbom" + # uploads SBOM to Kondukto (uploads --sbom-in to Kondukto) + - name: upload_sbom_to_kondukto + commands: + - func: "write kondukto credentials" + - func: "run silkbomb" + vars: + <<: *silkbomb_container_config + SILKBOMB_COMMAND: upload + SILKBOMB_ARGS: --sbom-in /workdir/ --repo --branch ${branch_name} + # produce augmented SBOM (uploads --sbom-in to Kondukto and writes augmented SBOM to --sbom-out) + - name: augment_sbom + commands: + - func: "write kondukto credentials" + - func: "run silkbomb" + vars: + <<: *silkbomb_container_config + SILKBOMB_COMMAND: augment + SILKBOMB_ARGS: --sbom-in /workdir/sbom.json --repo mongodb-atlas-cli --branch ${branch_name} --sbom-out /workdir/sbom.augmented.json - name: push_atlascli_generate patchable: false stepback: false @@ -553,6 +613,15 @@ buildvariants: depends_on: - name: package_msi variant: release_atlascli_msi + - name: ssdlc + display_name: Compliance [ssdlc] + run_on: + - rhel9-latest-small + tasks: + - name: generate_purls + - name: generate_sbom + - name: upload_sbom_to_kondukto + - name: augment_sbom - name: copybara display_name: "Copybara" git_tag_only: true From dcd3a98ecd23c2c5c56b86b0b6285cb623323860 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Tue, 29 Apr 2025 14:31:08 +0100 Subject: [PATCH 02/17] Fixes sbom generation functions --- build/ci/evergreen.yml | 79 ++++++++++++++++++++++++++++++++++++++++++ build/ci/release.yml | 69 ------------------------------------ 2 files changed, 79 insertions(+), 69 deletions(-) diff --git a/build/ci/evergreen.yml b/build/ci/evergreen.yml index 7dc0f7f4a7..2d7a2f2368 100644 --- a/build/ci/evergreen.yml +++ b/build/ci/evergreen.yml 
@@ -43,6 +43,12 @@ variables: working_dir: src/github.com/mongodb/mongodb-atlas-cli env: <<: *go_env + - &silkbomb_container_config + CONTAINER_COMMAND: docker + CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 + CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm + CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env + CONTAINER_VOLUMES: -v ${workdir}:/workdir pre: - func: "clone" - func: "set-expansions" 
@@ -533,6 +539,61 @@ functions: binary: make args: - otel + "generate purls": + - command: shell.exec + params: + <<: *go_options + shell: bash + script: | + set -Eeou pipefail + echo "Generating PURLs..." + go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u >> purls.txt + go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt + "generate sbom": + - command: ec2.assume_role + params: + role_arn: ${ecr_role_arn} + - command: shell.exec + params: + include_expansions_in_env: + [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com + - command: shell.exec + params: + working_dir: src/github.com/mongodb/mongodb-atlas-cli + include_expansions_in_env: + - workdir + shell: bash + script: | + set -Eeuo pipefail + echo "Generating SBOM from PURLs..." + docker run --rm \ + -v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ + 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ + update \ + --purls /pwd/purls.txt \ + --sbom-out /pwd/sbom.json + + echo "Resulting SBOM contents:" + cat sbom.json + "write kondukto credentials": + - command: ec2.assume_role + params: + role_arn: ${kondukto_role_arn} + - command: shell.exec + params: + silent: true + shell: bash + include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: | + set -e + kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) + echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env + "run silkbomb": + - command: shell.exec + params: + shell: bash + script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} 
${SILKBOMB_ARGS} tasks: - name: compile tags: ["code_health"] @@ -1742,6 +1803,16 @@ tasks: -e SNYK_CFG_ORG=${SNYK_ORG} \ -v ${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/app \ snyk/snyk:golang snyk monitor + - name: generate_and_upload_sboms + commands: + - func: "generate purls" + - func: "generate sbom" + - func: "write kondukto credentials" + - func: "run silkbomb" + vars: + <<: *silkbomb_container_config + SILKBOMB_COMMAND: upload + SILKBOMB_ARGS: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json --repo mongodb_mongodb-atlas-cli --branch ${branch_name} task_groups: - name: atlas_deployments_windows_group setup_task: @@ -2068,6 +2139,14 @@ buildvariants: - ubuntu2204-small tasks: - name: ".snyk" + - name: ssdlc + display_name: Compliance [ssdlc] + run_on: + - ubuntu2204-small + expansions: + <<: *go_linux_version + tasks: + - name: generate_and_upload_sboms patch_aliases: - alias: "localdev" variant_tags: ["localdev cron"] diff --git a/build/ci/release.yml b/build/ci/release.yml index 0a5af6faf4..eff153c9bd 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml 
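Review bot: The jq filter in `generate purls` emits a malformed PURL for the main module: `//` binds looser than `+`, so `"pkg:golang/" + .Path + "@" + .Version // empty` parses as `(… + .Version) // empty`, and since `"x" + null` is `"x"` in jq, the main module (which has no `Version`) is written as `pkg:golang/github.com/mongodb/mongodb-atlas-cli@` and the `// empty` never fires. Use `jq -r '.Module // empty | select(.Version != null) | "pkg:golang/\(.Path)@\(.Version)"'`. Two smaller points on the same step: `>> purls.txt` appends, so a re-run on a reused workdir duplicates entries (use `>` for the first write), and `go list all` covers test-only and unbuilt packages, so the SBOM likely overstates what ships; deriving the list from the built binary (`go version -m ./bin/atlas`) reflects the actual artifact.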
@@ -165,42 +165,6 @@ functions: - workdir - FEED_FILE_NAME binary: ../build/package/generate-download-archive-manifest.sh - "generate purls": - - command: shell.exec - params: - shell: bash - script: | - echo "Generating PURLs..." - ./generate_purls.sh > ${workdir}/purls.txt - "generate sbom": - - command: shell.exec - params: - shell: bash - script: | - echo "Generating SBOM from PURLs..." - ./generate_sbom.sh ${workdir}/purls.txt > ${workdir}/sbom.json - "write kondukto credentials": - - command: ec2.assume_role - display_name: Assume IAM role with permissions to pull Kondukto API token - params: - role_arn: ${kondukto_role_arn} - - command: shell.exec - display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file - params: - silent: true - shell: bash - include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] - script: | - set -e - # use AWS CLI to get the Kondukto API token from AWS Secrets Manager - kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) - # set the KONDUKTO_TOKEN environment variable - echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env - "run silkbomb": - - command: shell.exec - params: - shell: bash - script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} ${SILKBOMB_ARGS} "upload dist": - command: s3.put params: 
@@ -473,30 +437,6 @@ tasks: content_type: ${content_type|application/x-gzip} display_name: downloads-center-new- - func: "send slack notification" - - name: generate_purls - commands: - - func: "generate purls" - - name: generate_sbom - commands: - - func: "generate sbom" - # uploads SBOM to Kondukto (uploads --sbom-in to Kondukto) - - name: upload_sbom_to_kondukto - commands: - - func: "write kondukto credentials" - - func: "run silkbomb" - vars: - <<: *silkbomb_container_config - SILKBOMB_COMMAND: upload - SILKBOMB_ARGS: --sbom-in /workdir/ --repo --branch ${branch_name} - # produce augmented SBOM (uploads --sbom-in to Kondukto and writes augmented SBOM to --sbom-out) - - name: augment_sbom - commands: - - func: "write kondukto credentials" - - func: "run silkbomb" - vars: - <<: *silkbomb_container_config - SILKBOMB_COMMAND: augment - SILKBOMB_ARGS: --sbom-in /workdir/sbom.json --repo mongodb-atlas-cli --branch ${branch_name} --sbom-out /workdir/sbom.augmented.json - name: push_atlascli_generate patchable: false stepback: false @@ -613,15 +553,6 @@ buildvariants: depends_on: - name: package_msi variant: release_atlascli_msi - - name: ssdlc - display_name: Compliance [ssdlc] - run_on: - - rhel9-latest-small - tasks: - - name: generate_purls - - name: generate_sbom - - name: upload_sbom_to_kondukto - - name: augment_sbom - name: copybara display_name: "Copybara" git_tag_only: true From 2e7a97e944add8da45f5e00dbf23c24fe7cf79ce Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Tue, 29 Apr 2025 15:23:16 +0100 Subject: [PATCH 03/17] Tidy up --- build/ci/evergreen.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/build/ci/evergreen.yml b/build/ci/evergreen.yml index 2d7a2f2368..60515dfcd4 100644 --- a/build/ci/evergreen.yml +++ b/build/ci/evergreen.yml 
@@ -43,12 +43,6 @@ variables: working_dir: src/github.com/mongodb/mongodb-atlas-cli env: <<: *go_env - - &silkbomb_container_config - CONTAINER_COMMAND: docker - CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 - CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm - CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env - CONTAINER_VOLUMES: -v ${workdir}:/workdir pre: - func: "clone" - func: "set-expansions" @@ -566,16 +560,13 @@ functions: shell: bash script: | set -Eeuo pipefail - echo "Generating SBOM from PURLs..." + echo "Generating SBOM..." docker run --rm \ -v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update \ --purls /pwd/purls.txt \ --sbom-out /pwd/sbom.json - - echo "Resulting SBOM contents:" - cat sbom.json "write kondukto credentials": - command: ec2.assume_role params: @@ -1810,7 +1801,11 @@ tasks: - func: "write kondukto credentials" - func: "run silkbomb" vars: - <<: *silkbomb_container_config + CONTAINER_COMMAND: docker + CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 + CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm + CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env + CONTAINER_VOLUMES: -v ${workdir}:/workdir SILKBOMB_COMMAND: upload SILKBOMB_ARGS: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json --repo mongodb_mongodb-atlas-cli --branch ${branch_name} task_groups: From 797f1f38560fdafedc6eb9d170d728d003bf43c3 Mon Sep 17 00:00:00 2001 
From: Melanija Cvetic Date: Tue, 29 Apr 2025 17:11:39 +0100 Subject: [PATCH 04/17] Migrates ssdlc task into release process --- build/ci/evergreen.yml | 74 ---------------------------------- build/ci/release.yml | 57 ++++++++++++++++++++++++++ build/package/.goreleaser.yml | 3 +- build/package/generate-sbom.sh | 35 ++++++++++++++++ 4 files changed, 94 insertions(+), 75 deletions(-) create mode 100755 build/package/generate-sbom.sh diff --git a/build/ci/evergreen.yml b/build/ci/evergreen.yml index 60515dfcd4..7dc0f7f4a7 100644 --- a/build/ci/evergreen.yml +++ b/build/ci/evergreen.yml 
@@ -533,58 +533,6 @@ functions: binary: make args: - otel - "generate purls": - - command: shell.exec - params: - <<: *go_options - shell: bash - script: | - set -Eeou pipefail - echo "Generating PURLs..." - go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u >> purls.txt - go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt - "generate sbom": - - command: ec2.assume_role - params: - role_arn: ${ecr_role_arn} - - command: shell.exec - params: - include_expansions_in_env: - [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] - script: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com - - command: shell.exec - params: - working_dir: src/github.com/mongodb/mongodb-atlas-cli - include_expansions_in_env: - - workdir - shell: bash - script: | - set -Eeuo pipefail - echo "Generating SBOM..." - docker run --rm \ - -v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ - 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ - update \ - --purls /pwd/purls.txt \ - --sbom-out /pwd/sbom.json - "write kondukto credentials": - - command: ec2.assume_role - params: - role_arn: ${kondukto_role_arn} - - command: shell.exec - params: - silent: true - shell: bash - include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] - script: | - set -e - kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) - echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env - "run silkbomb": - - command: shell.exec - params: - shell: bash - script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} ${SILKBOMB_ARGS} tasks: - name: compile tags: ["code_health"] 
@@ -1794,20 +1742,6 @@ tasks: -e SNYK_CFG_ORG=${SNYK_ORG} \ -v ${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/app \ snyk/snyk:golang snyk monitor - - name: generate_and_upload_sboms - commands: - - func: "generate purls" - - func: "generate sbom" - - func: "write kondukto credentials" - - func: "run silkbomb" - vars: - CONTAINER_COMMAND: docker - CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 - CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm - CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env - CONTAINER_VOLUMES: -v ${workdir}:/workdir - SILKBOMB_COMMAND: upload - SILKBOMB_ARGS: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/sbom.json --repo mongodb_mongodb-atlas-cli --branch ${branch_name} task_groups: - name: atlas_deployments_windows_group setup_task: @@ -2134,14 +2068,6 @@ buildvariants: - ubuntu2204-small tasks: - name: ".snyk" - - name: ssdlc - display_name: Compliance [ssdlc] - run_on: - - ubuntu2204-small - expansions: - <<: *go_linux_version - tasks: - - name: generate_and_upload_sboms patch_aliases: - alias: "localdev" variant_tags: ["localdev cron"] diff --git a/build/ci/release.yml b/build/ci/release.yml index eff153c9bd..bee34272c5 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml 
@@ -70,6 +70,40 @@ functions: params: <<: *go_options binary: build/package/generate-notices.sh + "generate sbom": + - command: ec2.assume_role + params: + role_arn: ${ecr_role_arn} + - command: shell.exec + params: + include_expansions_in_env: + [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: | + aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com + - command: subprocess.exec + params: + <<: *go_options + include_expansions_in_env: + - workdir + binary: build/package/generate-sbom.sh + "write kondukto credentials": + - command: ec2.assume_role + params: + role_arn: ${kondukto_role_arn} + - command: shell.exec + params: + silent: true + shell: bash + include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] + script: | + set -e + kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) + echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env + "run silkbomb": + - command: shell.exec + params: + shell: bash + script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} ${SILKBOMB_ARGS} "package": - command: github.generate_token params: 
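Review bot: `write kondukto credentials` leaves the API token in a plaintext file created with the default umask, `echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env`, and nothing in this function or in `run silkbomb` removes it afterwards; because `run silkbomb` bind-mounts the whole `${workdir}`, the token file is also visible inside the uploader container. Add `umask 077` before the redirect (or create the file first with `install -m 600 /dev/null "${workdir}/kondukto_credentials.env"`), quote the path, and delete the file once the upload has finished, e.g. `rm -f "${workdir}/kondukto_credentials.env"` as the task's last step or in a `post` block. `set -e` on its own does not catch an empty value coming back from Secrets Manager; `set -eu` plus `: "${kondukto_token:?empty Kondukto token}"` aborts before an unusable env file is written.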
@@ -317,6 +351,19 @@ tasks: permissions: public-read content_type: ${content_type|application/octet-stream} display_name: unsigned + - name: generate_and_upload_sboms + commands: + - func: "generate sbom" + - func: "write kondukto credentials" + - func: "run silkbomb" + vars: + CONTAINER_COMMAND: docker + CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 + CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm + CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env + CONTAINER_VOLUMES: -v ${workdir}:/workdir + SILKBOMB_COMMAND: upload + SILKBOMB_ARGS: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json --repo mongodb_mongodb-atlas-cli --branch ${branch_name} - name: package_goreleaser tags: ["packaging"] depends_on: @@ -553,6 +600,8 @@ buildvariants: depends_on: - name: package_msi variant: release_atlascli_msi + - name: generate_and_upload_sboms + variant: ssdlc - name: copybara display_name: "Copybara" git_tag_only: true @@ -605,3 +654,11 @@ buildvariants: - ubuntu2004-small tasks: - name: .smoke-test .generate .repo .atlascli + - name: ssdlc + display_name: Compliance [ssdlc] + run_on: + - ubuntu2204-small + expansions: + <<: *go_linux_version + tasks: + - name: generate_and_upload_sboms diff --git a/build/package/.goreleaser.yml b/build/package/.goreleaser.yml index 302c5f2c26..e0b7a6aef8 100644 --- a/build/package/.goreleaser.yml +++ b/build/package/.goreleaser.yml @@ -55,6 +55,7 @@ archives: - LICENSE - LICENSING-NOTES.txt - third_party_notices/**/* + - compliance/**/* wrap_in_directory: true format: tar.gz - id: macos @@ -142,4 +143,4 @@ release: name_template: "MongoDB Atlas CLI {{.Version}}" extra_files: - glob: ./bin/*.msi -version: 2 \ No newline at end of file +version: 2 diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh new file mode 100755 index 0000000000..4e0fe8317f --- /dev/null +++ b/build/package/generate-sbom.sh 
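Review bot: `compliance/**/*` is added to the goreleaser archive contents, but the only step in this patch that creates `compliance/sbom.json` is `generate-sbom.sh`, run by `generate_and_upload_sboms` on the `ssdlc` variant, while `package_goreleaser` runs in a different variant; I see no step that copies the file to the host running goreleaser, so unless one exists outside this diff the glob matches nothing and the archives ship without an SBOM (or goreleaser fails on the empty pattern, depending on version). The new `depends_on` entry orders the tasks but does not transfer artifacts. Either run `generate sbom` inside the packaging task before goreleaser, or publish `compliance/sbom.json` from the `ssdlc` task (`s3.put`) and fetch it in `package_goreleaser`; in both cases the SBOM should come from the same build configuration goreleaser uses, otherwise the bundled inventory may not match the shipped binary.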
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash + +# Copyright 2025 MongoDB Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -Eeou pipefail + +echo "Generating PURLs..." +cd "${workdir}/src/github.com/mongodb/mongodb-atlas-cli" + +# Generate purls.txt +go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u > purls.txt +go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt + +mkdir ./compliance + +echo "Generating SBOM..." +docker run --rm \ + -v "${PWD}:/pwd" \ + 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ + update \ + --purls /pwd/purls.txt \ + --sbom-out /pwd/compliance/sbom.json + \ No newline at end of file From 196ee18cc0baaa911826426d66d93305415de4e6 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Tue, 29 Apr 2025 17:16:53 +0100 Subject: [PATCH 05/17] Typo fixes --- build/ci/release.yml | 2 +- build/package/generate-sbom.sh | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/build/ci/release.yml b/build/ci/release.yml index bee34272c5..65bb73b06f 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml @@ -351,7 +351,7 @@ tasks: permissions: public-read content_type: ${content_type|application/octet-stream} display_name: unsigned - - name: generate_and_upload_sboms + - name: generate_and_upload_sbom commands: - func: "generate sbom" - func: "write kondukto credentials" 
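Review bot: `mkdir ./compliance` is not idempotent: under `set -Eeou pipefail` it aborts the script whenever the directory already exists (a restarted task on a reused workdir, or a developer running the script twice), so use `mkdir -p ./compliance`. `go list -json -mod=mod all` also lets Go rewrite `go.mod`/`go.sum` while producing a compliance artifact; for a release-time inventory the module graph should be read exactly as committed, so drop `-mod=mod` (the default read-only mode fails loudly if the files are stale) unless the release host is known to need it. The file also ends with a whitespace-only line and no trailing newline (`\ No newline at end of file`); remove the blank line and terminate the last `docker run` argument with a newline.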
diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index 4e0fe8317f..a63df99267 100755 --- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -19,15 +19,14 @@ set -Eeou pipefail echo "Generating PURLs..." cd "${workdir}/src/github.com/mongodb/mongodb-atlas-cli" -# Generate purls.txt -go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u > purls.txt +go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u > purls.txt go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt mkdir ./compliance echo "Generating SBOM..." docker run --rm \ - -v "${PWD}:/pwd" \ + -v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update \ --purls /pwd/purls.txt \ From 61d6df8f356609df3f86707d10780dcfd87d04cf Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Tue, 29 Apr 2025 17:32:17 +0100 Subject: [PATCH 06/17] Adds depends on for releaser task --- build/ci/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/ci/release.yml b/build/ci/release.yml index 65bb73b06f..35cb74dfd7 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml @@ -575,6 +575,8 @@ buildvariants: depends_on: - name: package_msi variant: "go_atlascli_msi_snapshot" + - name: generate_and_upload_sboms + variant: ssdlc - name: publish_atlascli_snapshot display_name: "Publish AtlasCLI Snapshot" run_on: From 85e66b352f3590612d677c02aad0ce6d29018da9 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Tue, 29 Apr 2025 17:42:03 +0100 Subject: [PATCH 07/17] Shellcheck fix --- build/ci/release.yml | 6 +++--- build/package/generate-sbom.sh | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/build/ci/release.yml b/build/ci/release.yml index 35cb74dfd7..3555f4d5b0 100644 --- a/build/ci/release.yml 
+++ b/build/ci/release.yml @@ -575,7 +575,7 @@ buildvariants: depends_on: - name: package_msi variant: "go_atlascli_msi_snapshot" - - name: generate_and_upload_sboms + - name: generate_and_upload_sbom variant: ssdlc - name: publish_atlascli_snapshot display_name: "Publish AtlasCLI Snapshot" @@ -602,7 +602,7 @@ buildvariants: depends_on: - name: package_msi variant: release_atlascli_msi - - name: generate_and_upload_sboms + - name: generate_and_upload_sbom variant: ssdlc - name: copybara display_name: "Copybara" @@ -663,4 +663,4 @@ buildvariants: expansions: <<: *go_linux_version tasks: - - name: generate_and_upload_sboms + - name: generate_and_upload_sbom diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index a63df99267..b2f7d6ba80 100755 --- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -16,8 +16,10 @@ set -Eeou pipefail +export WORKDIR=${workdir:?} + echo "Generating PURLs..." -cd "${workdir}/src/github.com/mongodb/mongodb-atlas-cli" +cd "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli" go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u > purls.txt go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt @@ -26,7 +28,7 @@ mkdir ./compliance echo "Generating SBOM..." docker run --rm \ - -v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ + -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update \ --purls /pwd/purls.txt \ From 0c10041649fa03660ea68b177ad0341ba43b2294 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Wed, 30 Apr 2025 11:42:32 +0100 Subject: [PATCH 08/17] Addresses pr review --- build/ci/release.yml | 30 +++++++++++++++--------------- build/package/generate-sbom.sh | 11 +++++++++-- 2 files changed, 24 insertions(+), 17 deletions(-) 
diff --git a/build/ci/release.yml b/build/ci/release.yml index 3555f4d5b0..3a393bcd32 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml @@ -74,16 +74,13 @@ functions: - command: ec2.assume_role params: role_arn: ${ecr_role_arn} - - command: shell.exec - params: - include_expansions_in_env: - [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN] - script: | - aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com - command: subprocess.exec params: <<: *go_options include_expansions_in_env: + - AWS_ACCESS_KEY_ID + - AWS_SECRET_ACCESS_KEY + - AWS_SESSION_TOKEN - workdir binary: build/package/generate-sbom.sh "write kondukto credentials": @@ -103,7 +100,18 @@ functions: - command: shell.exec params: shell: bash - script: ${CONTAINER_COMMAND} run ${CONTAINER_OPTIONS} ${CONTAINER_ENV_FILES} ${CONTAINER_VOLUMES} ${CONTAINER_IMAGE} ${SILKBOMB_COMMAND} ${SILKBOMB_ARGS} + script: | + docker run \ + --pull=always \ + --platform="linux/amd64" \ + --rm \ + --env-file ${workdir}/kondukto_credentials.env \ + -v ${workdir}:/workdir \ + 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ + upload \ + --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \ + --repo mongodb_mongodb-atlas-cli \ + --branch ${branch_name} "package": - command: github.generate_token params: 
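Review bot: The uploader container in `run silkbomb` is given far more than it needs: `-v ${workdir}:/workdir` mounts the entire Evergreen workdir read-write — including `kondukto_credentials.env`, the source checkout and any other task artifacts — into a `--pull=always` image referenced only by the mutable tag `silkbomb:2.0`, so whatever is currently published under that tag gets this access on every release. Mount only the SBOM directory, read-only, and point `--sbom-in` at it: `-v "${workdir}/src/github.com/mongodb/mongodb-atlas-cli/compliance:/workdir:ro"` with `--sbom-in /workdir/sbom.json` (assuming `upload` only reads the SBOM, which is how it is used here), and pin the image by digest (`silkbomb:2.0@sha256:…`) so the SBOM tooling is itself reproducible. The same mutable-tag pull appears in `generate-sbom.sh`; pinning both in one place avoids drift between the generate and upload steps.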
@@ -356,14 +364,6 @@ tasks: - func: "generate sbom" - func: "write kondukto credentials" - func: "run silkbomb" - vars: - CONTAINER_COMMAND: docker - CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 - CONTAINER_OPTIONS: --pull=always --platform="linux/amd64" --rm - CONTAINER_ENV_FILES: --env-file ${workdir}/kondukto_credentials.env - CONTAINER_VOLUMES: -v ${workdir}:/workdir - SILKBOMB_COMMAND: upload - SILKBOMB_ARGS: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json --repo mongodb_mongodb-atlas-cli --branch ${branch_name} - name: package_goreleaser tags: ["packaging"] depends_on: diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index b2f7d6ba80..c1825e57e6 100755 --- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -18,11 +18,18 @@ set -Eeou pipefail export WORKDIR=${workdir:?} +# Authenticate Docker to AWS ECR +aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com + echo "Generating PURLs..." cd "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli" -go list -json -mod=mod all | jq -r '.Module // empty | "pkg:golang/" + .Path + "@" + .Version // empty' | sort -u > purls.txt -go version | sed 's|^go version \([^ ]*\) *.*|pkg:golang/std@\1|' >> purls.txt +go build -C cmd/atlas -o tmp_binary +go version -m cmd/atlas/tmp_binary | awk '{if ($1 == "dep" || $1 == "=>"){print "pkg:golang/"$2"@"$3}}' > purls.txt + +rm -f cmd/atlas/tmp_binary + +cat purls.txt mkdir ./compliance From c735fd0bfa3d3bcf01380782551693b4f602cb5e Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Wed, 30 Apr 2025 14:44:04 +0100 Subject: [PATCH 09/17] Addresses pr review --- build/package/generate-sbom.sh | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index c1825e57e6..66896f3956 100755 
--- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -24,12 +24,8 @@ aws ecr get-login-password --region us-east-1 | docker login --username AWS --pa echo "Generating PURLs..." cd "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli" -go build -C cmd/atlas -o tmp_binary -go version -m cmd/atlas/tmp_binary | awk '{if ($1 == "dep" || $1 == "=>"){print "pkg:golang/"$2"@"$3}}' > purls.txt - -rm -f cmd/atlas/tmp_binary - -cat purls.txt +make build +go version -m ./bin/atlas | awk '{if ($1 == "dep" || $1 == "=>"){print "pkg:golang/"$2"@"$3}}' > purls.txt mkdir ./compliance From 05d1f501d700d4cf48fca26bdd5ac08ffc8e7a28 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Thu, 1 May 2025 12:50:26 +0100 Subject: [PATCH 10/17] Purl moved to make command and new gitaction --- .github/workflows/code-health.yml | 21 +++++ Makefile | 7 +- build/package/purls.txt | 122 ++++++++++++++++++++++++++++++ 3 files changed, 149 insertions(+), 1 deletion(-) create mode 100644 build/package/purls.txt diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index 0c62ed3d86..9ab7d5173a 100644 --- a/.github/workflows/code-health.yml +++ b/.github/workflows/code-health.yml @@ -326,6 +326,27 @@ jobs: with: go-version-file: 'go.mod' - run: make check-templates + purls_check: + runs-on: ubuntu-latest + steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + with: + config: ${{ vars.PERMISSIONS_CONFIG }} + - name: Checkout repository + uses: actions/checkout@v4 + - name: Install Go + uses: actions/setup-go@v5 + with: + go-version-file: 'go.mod' + - name: Generate purls + run: make purls > /dev/null + - name: Check for uncommitted changes in purl.txt + run: | + if ! git diff --quiet --exit-code purl.txt; then + echo "purl.txt is out of date. Please run 'make purl.txt' and commit the result." + git --no-pager diff purl.txt + exit 1 + fi verify_image: name: Build docker image runs-on: ubuntu-latest 
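Review bot: The new `purls_check` job cannot pass as written: it runs `make purls`, but the Makefile target added alongside it is `gen-purls` (so `make` exits with "No rule to make target 'purls'"), and it then diffs `purl.txt` while the target writes `build/package/purls.txt`; `git diff purl.txt` without `--` on a path that does not exist is treated as an unknown revision and errors, so even the failure message points at the wrong file and the wrong command (`make purl.txt`). Use the target and the path consistently, and pass the path after `--` so git treats it as a pathspec. Unless a `purls` target exists elsewhere in the Makefile (only the hunk is visible), the fix is:
```yaml
      - name: Generate purls
        run: make gen-purls > /dev/null
      - name: Check for uncommitted changes in purls.txt
        run: |
          if ! git diff --quiet --exit-code -- build/package/purls.txt; then
            echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
            git --no-pager diff -- build/package/purls.txt
            exit 1
          fi
```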
diff --git a/Makefile b/Makefile index a3c6940ea6..43a01abd12 100644 --- a/Makefile +++ b/Makefile @@ -117,7 +117,7 @@ addcopy: ## Add missing license to files @scripts/add-copy.sh .PHONY: generate -generate: gen-docs gen-mocks gen-api-commands ## Generate docs, mocks, code, api commands, all auto generated assets +generate: gen-docs gen-mocks gen-api-commands gen-purls ## Generate docs, mocks, code, api commands, all auto generated assets .PHONY: apply-overlay apply-overlay: ## Apply overlay on openapi spec @@ -149,6 +149,11 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands @echo "==> Generating docs" go run -ldflags "$(LINKER_FLAGS)" ./tools/cmd/docs +.PHONY: gen-purls +gen-purls: build ## Generate list of purls + @echo "==> Generating purls" + @go version -m ./bin/atlas | awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' > build/package/purls.txt + .PHONY: build build: ## Generate an atlas binary in ./bin @echo "==> Building $(ATLAS_BINARY_NAME) binary" diff --git a/build/package/purls.txt b/build/package/purls.txt new file mode 100644 index 0000000000..fbc98151fc --- /dev/null +++ b/build/package/purls.txt 
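Review bot: `gen-purls` drops the Go toolchain from the inventory: the earlier generator in this series emitted a `pkg:golang/std@go1.x` entry, but `go version -m ./bin/atlas | awk '$$1 == "dep" || $$1 == "=>' …` keeps only module dependencies, so standard-library advisories (e.g. in `net/http` or `crypto/tls`) would not be matched against this SBOM. The first line of `go version -m` output is `./bin/atlas: go1.x.y`, so the toolchain can be recovered in the same pass: `awk 'NR == 1 { print "pkg:golang/std@" $$2 } $$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }'` — keep it if the toolchain is meant to be in scope for Kondukto. For a `=>` replacement that points at a local directory, `$3` is not a version and would yield an invalid PURL, so a guard is worth adding if such replaces are ever used. Note also that `generate` now depends on `gen-purls` → `build`, so every `make generate` performs a full binary build.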
@@ -0,0 +1,122 @@ +pkg:golang/cloud.google.com/go/auth@v0.16.0 +pkg:golang/cloud.google.com/go/auth/oauth2adapt@v0.2.8 +pkg:golang/cloud.google.com/go/compute/metadata@v0.6.0 +pkg:golang/cloud.google.com/go/iam@v1.5.0 +pkg:golang/cloud.google.com/go/kms@v1.21.2 +pkg:golang/cloud.google.com/go/longrunning@v0.6.6 +pkg:golang/github.com/AlecAivazis/survey/v2@v2.3.7 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1 +pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2 +pkg:golang/github.com/Masterminds/semver/v3@v3.3.1 +pkg:golang/github.com/PaesslerAG/gval@v1.0.0 +pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1 +pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0 +pkg:golang/github.com/STARRY-S/zip@v0.2.1 +pkg:golang/github.com/andybalholm/brotli@v1.1.1 +pkg:golang/github.com/aws/aws-sdk-go-v2@v1.36.3 +pkg:golang/github.com/aws/aws-sdk-go-v2/config@v1.29.14 +pkg:golang/github.com/aws/aws-sdk-go-v2/credentials@v1.17.67 +pkg:golang/github.com/aws/aws-sdk-go-v2/feature/ec2/imds@v1.16.30 +pkg:golang/github.com/aws/aws-sdk-go-v2/internal/configsources@v1.3.34 +pkg:golang/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2@v2.6.34 +pkg:golang/github.com/aws/aws-sdk-go-v2/internal/ini@v1.8.3 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding@v1.12.3 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url@v1.12.15 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/kms@v1.38.3 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/sso@v1.25.3 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/ssooidc@v1.30.1 +pkg:golang/github.com/aws/aws-sdk-go-v2/service/sts@v1.33.19 +pkg:golang/github.com/aws/smithy-go@v1.22.2 
+pkg:golang/github.com/bodgit/plumbing@v1.3.0 +pkg:golang/github.com/bodgit/sevenzip@v1.6.0 +pkg:golang/github.com/bodgit/windows@v1.0.1 +pkg:golang/github.com/briandowns/spinner@v1.23.2 +pkg:golang/github.com/cloudflare/circl@v1.6.0 +pkg:golang/github.com/denisbrodbeck/machineid@v1.0.1 +pkg:golang/github.com/dsnet/compress@v0.0.2-0.20230904184137-39efe44ab707 +pkg:golang/github.com/ebitengine/purego@v0.8.2 +pkg:golang/github.com/fatih/color@v1.14.1 +pkg:golang/github.com/felixge/httpsnoop@v1.0.4 +pkg:golang/github.com/fsnotify/fsnotify@v1.8.0 +pkg:golang/github.com/go-logr/logr@v1.4.2 +pkg:golang/github.com/go-logr/stdr@v1.2.2 +pkg:golang/github.com/go-viper/mapstructure/v2@v2.2.1 +pkg:golang/github.com/golang-jwt/jwt/v5@v5.2.2 +pkg:golang/github.com/golang/mock@v1.6.0 +pkg:golang/github.com/golang/snappy@v0.0.4 +pkg:golang/github.com/google/go-github/v61@v61.0.0 +pkg:golang/github.com/google/go-querystring@v1.1.0 +pkg:golang/github.com/google/s2a-go@v0.1.9 +pkg:golang/github.com/google/uuid@v1.6.0 +pkg:golang/github.com/googleapis/enterprise-certificate-proxy@v0.3.6 +pkg:golang/github.com/googleapis/gax-go/v2@v2.14.1 +pkg:golang/github.com/hashicorp/errwrap@v1.1.0 +pkg:golang/github.com/hashicorp/go-multierror@v1.1.1 +pkg:golang/github.com/hashicorp/golang-lru/v2@v2.0.7 +pkg:golang/github.com/iancoleman/strcase@v0.3.0 +pkg:golang/github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51 +pkg:golang/github.com/klauspost/compress@v1.18.0 +pkg:golang/github.com/klauspost/pgzip@v1.2.6 +pkg:golang/github.com/kylelemons/godebug@v1.1.0 +pkg:golang/github.com/mattn/go-colorable@v0.1.13 +pkg:golang/github.com/mattn/go-isatty@v0.0.20 +pkg:golang/github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b +pkg:golang/github.com/mholt/archives@v0.1.1 +pkg:golang/github.com/minio/minlz@v1.0.0 +pkg:golang/github.com/mongodb-forks/digest@v1.1.0 +pkg:golang/github.com/montanaflynn/stats@v0.7.1 +pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0 
+pkg:golang/github.com/pelletier/go-toml@v1.9.5 +pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3 +pkg:golang/github.com/pierrec/lz4/v4@v4.1.21 +pkg:golang/github.com/pkg/browser@v0.0.0-20240102092130-5ac0b6a4141c +pkg:golang/github.com/sagikazarmark/locafero@v0.7.0 +pkg:golang/github.com/shirou/gopsutil/v4@v4.25.3 +pkg:golang/github.com/sorairolake/lzip-go@v0.3.5 +pkg:golang/github.com/sourcegraph/conc@v0.3.0 +pkg:golang/github.com/spf13/afero@v1.14.0 +pkg:golang/github.com/spf13/cast@v1.7.1 +pkg:golang/github.com/spf13/cobra@v1.9.1 +pkg:golang/github.com/spf13/pflag@v1.0.6 +pkg:golang/github.com/spf13/viper@v1.20.1 +pkg:golang/github.com/subosito/gotenv@v1.6.0 +pkg:golang/github.com/tangzero/inflector@v1.0.0 +pkg:golang/github.com/therootcompany/xz@v1.0.1 +pkg:golang/github.com/tklauser/go-sysconf@v0.3.12 +pkg:golang/github.com/ulikunitz/xz@v0.5.12 +pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0 +pkg:golang/github.com/xdg-go/scram@v1.1.2 +pkg:golang/github.com/xdg-go/stringprep@v1.0.4 +pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78 +pkg:golang/go.mongodb.org/atlas@v0.38.0 +pkg:golang/go.mongodb.org/atlas-sdk/v20240530005@v20240530005.0.0 +pkg:golang/go.mongodb.org/atlas-sdk/v20250312002@v20250312002.0.0 +pkg:golang/go.mongodb.org/mongo-driver@v1.17.3 +pkg:golang/go.opentelemetry.io/auto/sdk@v1.1.0 +pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.60.0 +pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.60.0 +pkg:golang/go.opentelemetry.io/otel@v1.35.0 +pkg:golang/go.opentelemetry.io/otel/metric@v1.35.0 +pkg:golang/go.opentelemetry.io/otel/trace@v1.35.0 +pkg:golang/go4.org@v0.0.0-20230225012048-214862532bf5 +pkg:golang/golang.org/x/crypto@v0.37.0 +pkg:golang/golang.org/x/exp@v0.0.0-20241004190924-225e2abe05e6 +pkg:golang/golang.org/x/mod@v0.24.0 +pkg:golang/golang.org/x/net@v0.39.0 +pkg:golang/golang.org/x/oauth2@v0.29.0 +pkg:golang/golang.org/x/sync@v0.13.0 
+pkg:golang/golang.org/x/sys@v0.32.0 +pkg:golang/golang.org/x/term@v0.31.0 +pkg:golang/golang.org/x/text@v0.24.0 +pkg:golang/golang.org/x/time@v0.11.0 +pkg:golang/google.golang.org/api@v0.229.0 +pkg:golang/google.golang.org/genproto@v0.0.0-20250303144028-a0af3efb3deb +pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20250414145226-207652e42e2e +pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20250414145226-207652e42e2e +pkg:golang/google.golang.org/grpc@v1.72.0 +pkg:golang/google.golang.org/protobuf@v1.36.6 +pkg:golang/gopkg.in/yaml.v3@v3.0.1 From 9af0c7aa522ce670733cfa3b017d216d3a2c7ef0 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Thu, 1 May 2025 12:51:03 +0100 Subject: [PATCH 11/17] moves compliance file to release page and uses new amke gen-purls command --- build/ci/release.yml | 8 ++++++++ build/package/.goreleaser.yml | 2 +- build/package/generate-sbom.sh | 7 +------ 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/build/ci/release.yml b/build/ci/release.yml index 3a393bcd32..9dc9c3e86f 100644 --- a/build/ci/release.yml +++ b/build/ci/release.yml @@ -74,6 +74,14 @@ functions: - command: ec2.assume_role params: role_arn: ${ecr_role_arn} + - command: subprocess.exec + params: + <<: *go_options + include_expansions_in_env: + - workdir + binary: make + args: + - gen-purls - command: subprocess.exec params: <<: *go_options diff --git a/build/package/.goreleaser.yml b/build/package/.goreleaser.yml index e0b7a6aef8..905efe962a 100644 --- a/build/package/.goreleaser.yml +++ b/build/package/.goreleaser.yml @@ -55,7 +55,6 @@ archives: - LICENSE - LICENSING-NOTES.txt - third_party_notices/**/* - - compliance/**/* wrap_in_directory: true format: tar.gz - id: macos @@ -143,4 +142,5 @@ release: name_template: "MongoDB Atlas CLI {{.Version}}" extra_files: - glob: ./bin/*.msi + - glob: compliance/**/* version: 2 diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index 66896f3956..f7f974c289 100755 
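Review bot: Moving the SBOM out of the archives and into `release.extra_files` publishes `compliance/**/*` as loose release assets, and as far as I read goreleaser's config, extra release files are only included in the generated checksums file when the same glob is also listed under `checksum.extra_files`, so consumers could verify the binaries but not the SBOM that describes them. If the release already produces a checksums file (that part of .goreleaser.yml is outside the hunk), add `- glob: compliance/**/*` there too so the SBOM is covered by the same integrity check and any signing step. The glob is also resolved relative to goreleaser's working directory, while generate-sbom.sh creates `compliance/` under the repository checkout it `cd`s into, so the two must agree for the asset to be picked up.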
--- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -21,12 +21,7 @@ export WORKDIR=${workdir:?} # Authenticate Docker to AWS ECR aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com -echo "Generating PURLs..." cd "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli" - -make build -go version -m ./bin/atlas | awk '{if ($1 == "dep" || $1 == "=>"){print "pkg:golang/"$2"@"$3}}' > purls.txt - mkdir ./compliance echo "Generating SBOM..." @@ -34,6 +29,6 @@ docker run --rm \ -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update \ - --purls /pwd/purls.txt \ + --purls /pwd/build/package/purls.txt \ --sbom-out /pwd/compliance/sbom.json \ No newline at end of file From 4c93dd1364bd3df9b4505e890730e0e81ddd71fc Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Thu, 1 May 2025 12:54:28 +0100 Subject: [PATCH 12/17] Fix --- .github/workflows/code-health.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index 9ab7d5173a..0a495cc096 100644 --- a/.github/workflows/code-health.yml +++ b/.github/workflows/code-health.yml @@ -339,12 +339,12 @@ jobs: with: go-version-file: 'go.mod' - name: Generate purls - run: make purls > /dev/null - - name: Check for uncommitted changes in purl.txt + run: make gen-purls > /dev/null + - name: Check for uncommitted changes in purls.txt run: | - if ! git diff --quiet --exit-code purl.txt; then - echo "purl.txt is out of date. Please run 'make purl.txt' and commit the result." - git --no-pager diff purl.txt + if ! git diff --quiet --exit-code build/package/purls.txt; then + echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result." + git --no-pager diff build/package/purls.txt exit 1 fi verify_image: 
From 2b92c82184c6a6607437e9d6ed169c8a6965f738 Mon Sep 17 00:00:00 2001
From: Melanija Cvetic
Date: Thu, 1 May 2025 14:42:28 +0100
Subject: [PATCH 13/17] Ensures purls are geenrates for fixed os and addresses pr review

---
 .gitignore | 1 +
 Makefile | 6 ++++--
 build/ci/release.yml | 13 ++-----------
 build/package/generate-sbom.sh | 7 ++-----
 build/package/purls.txt | 26 +++++++++++++-------------
 5 files changed, 22 insertions(+), 31 deletions(-)

diff --git a/.gitignore b/.gitignore
index 68d0517690..34b4a13e2b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 *.so
 *.dylib
 bin/**
+compliance/**
 dist/**
 # mac notarization service
 linux_amd64/**
diff --git a/Makefile b/Makefile
index 43a01abd12..c7da5f96c7 100644
--- a/Makefile
+++ b/Makefile
@@ -150,9 +150,11 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands
 go run -ldflags "$(LINKER_FLAGS)" ./tools/cmd/docs
 
 .PHONY: gen-purls
-gen-purls: build ## Generate list of purls
+gen-purls: # Generate purls on linux os
 @echo "==> Generating purls"
- @go version -m ./bin/atlas | awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' > build/package/purls.txt
+ GOOS=linux GOARCH=amd64 go build -o bin/atlas-linux ./cmd/atlas
+ go version -m ./bin/atlas-linux | awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | sort > build/package/purls.txt
+ rm bin/atlas-linux
 
 .PHONY: build
 build: ## Generate an atlas binary in ./bin
diff --git a/build/ci/release.yml b/build/ci/release.yml
index 9dc9c3e86f..1ab8554178 100644
--- a/build/ci/release.yml
+++ b/build/ci/release.yml
@@ -74,14 +74,6 @@ functions:
 - command: ec2.assume_role
 params:
 role_arn: ${ecr_role_arn}
- - command: subprocess.exec
- params:
- <<: *go_options
- include_expansions_in_env:
- - workdir
- binary: make
- args:
- - gen-purls
 - command: subprocess.exec
 params:
 <<: *go_options
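Review bot: The reworked `gen-purls` recipe compiles `cmd/atlas` with a plain `go build`, no longer going through the `build` target; if `build` (its recipe body is outside this hunk) passes build tags that alter the import graph, the module set recorded in purls.txt can differ from what the released binary actually links (ldflags such as the `$(LINKER_FLAGS)` used by `gen-docs` do not change the list, but tags do). Pinning to linux/amd64 makes the output deterministic, but it also means modules linked only by the darwin or windows builds will not appear in the SBOM, which is worth stating in the target comment, e.g. `gen-purls: ## Generate purls from a linux/amd64 build of cmd/atlas (other targets may link additional modules)`. Note the marker changed from `##` to `#`, which drops the target from the help output if the Makefile's help rule greps for `##` as the neighbouring targets suggest.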
@@ -91,7 +83,7 @@ functions: - AWS_SESSION_TOKEN - workdir binary: build/package/generate-sbom.sh - "write kondukto credentials": + "run silkbomb": - command: ec2.assume_role params: role_arn: ${kondukto_role_arn} @@ -104,7 +96,6 @@ functions: set -e kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text) echo "KONDUKTO_TOKEN=$kondukto_token" > ${workdir}/kondukto_credentials.env - "run silkbomb": - command: shell.exec params: shell: bash @@ -120,6 +111,7 @@ functions: --sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json \ --repo mongodb_mongodb-atlas-cli \ --branch ${branch_name} + rm ${workdir}/kondukto_credentials.env "package": - command: github.generate_token params: @@ -370,7 +362,6 @@ tasks: - name: generate_and_upload_sbom commands: - func: "generate sbom" - - func: "write kondukto credentials" - func: "run silkbomb" - name: package_goreleaser tags: ["packaging"] diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh index f7f974c289..97393a40b3 100755 --- a/build/package/generate-sbom.sh +++ b/build/package/generate-sbom.sh @@ -21,14 +21,11 @@ export WORKDIR=${workdir:?} # Authenticate Docker to AWS ECR aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 901841024863.dkr.ecr.us-east-1.amazonaws.com -cd "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli" -mkdir ./compliance - -echo "Generating SBOM..." +echo "Generating SBOMs..." docker run --rm \ -v "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli:/pwd" \ 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0 \ update \ --purls /pwd/build/package/purls.txt \ - --sbom-out /pwd/compliance/sbom.json + --sbom-out /pwd/sbom.json \ No newline at end of file diff --git a/build/package/purls.txt b/build/package/purls.txt index fbc98151fc..210b8af279 100644 --- a/build/package/purls.txt 
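Review bot: The `rm ${workdir}/kondukto_credentials.env` appended at the end of the `run silkbomb` script only executes if the container invocation before it succeeds; on a failed upload the file holding `KONDUKTO_TOKEN` in plaintext stays in the task's working directory for the rest of the job and for anything that later archives that directory. Registering the cleanup at the top of the script instead, `trap 'rm -f "${workdir}/kondukto_credentials.env"' EXIT`, removes the file on every exit path; the script body starts outside this hunk, and the `set -e` visible in the step that writes the file suggests failures do abort. Writing the file under `umask 077` in that earlier step would also keep it from being readable by other users on the host.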
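Review bot: After this hunk generate-sbom.sh writes the SBOM to `/pwd/sbom.json`, i.e. the repository root, but the `run silkbomb` function in release.yml in this same commit still reads `--sbom-in /workdir/src/github.com/mongodb/mongodb-atlas-cli/compliance/sbom.json`, the .goreleaser.yml release-asset glob from PATCH 11 is `compliance/**/*`, and the `.gitignore` entry added here is `compliance/**`; with `mkdir ./compliance` removed nothing creates that directory, so the Kondukto upload will not find the file, the release glob matches nothing, and an untracked `sbom.json` is left at the checkout root. Either keep `--sbom-out /pwd/compliance/sbom.json` and restore the directory creation as `mkdir -p "$WORKDIR/src/github.com/mongodb/mongodb-atlas-cli/compliance"` (the switch to `build/package/purls.txt` does not require moving the output), or update the consumer paths and the ignore rule in the same change.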
+++ b/build/package/purls.txt @@ -5,17 +5,6 @@ pkg:golang/cloud.google.com/go/iam@v1.5.0 pkg:golang/cloud.google.com/go/kms@v1.21.2 pkg:golang/cloud.google.com/go/longrunning@v0.6.6 pkg:golang/github.com/AlecAivazis/survey/v2@v2.3.7 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1 -pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2 -pkg:golang/github.com/Masterminds/semver/v3@v3.3.1 -pkg:golang/github.com/PaesslerAG/gval@v1.0.0 -pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1 -pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0 -pkg:golang/github.com/STARRY-S/zip@v0.2.1 pkg:golang/github.com/andybalholm/brotli@v1.1.1 pkg:golang/github.com/aws/aws-sdk-go-v2@v1.36.3 pkg:golang/github.com/aws/aws-sdk-go-v2/config@v1.29.14 @@ -31,6 +20,12 @@ pkg:golang/github.com/aws/aws-sdk-go-v2/service/sso@v1.25.3 pkg:golang/github.com/aws/aws-sdk-go-v2/service/ssooidc@v1.30.1 pkg:golang/github.com/aws/aws-sdk-go-v2/service/sts@v1.33.19 pkg:golang/github.com/aws/smithy-go@v1.22.2 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1 +pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2 pkg:golang/github.com/bodgit/plumbing@v1.3.0 pkg:golang/github.com/bodgit/sevenzip@v1.6.0 pkg:golang/github.com/bodgit/windows@v1.0.1 
@@ -38,7 +33,6 @@ pkg:golang/github.com/briandowns/spinner@v1.23.2 pkg:golang/github.com/cloudflare/circl@v1.6.0 pkg:golang/github.com/denisbrodbeck/machineid@v1.0.1 pkg:golang/github.com/dsnet/compress@v0.0.2-0.20230904184137-39efe44ab707 -pkg:golang/github.com/ebitengine/purego@v0.8.2 pkg:golang/github.com/fatih/color@v1.14.1 pkg:golang/github.com/felixge/httpsnoop@v1.0.4 pkg:golang/github.com/fsnotify/fsnotify@v1.8.0 @@ -62,6 +56,7 @@ pkg:golang/github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51 pkg:golang/github.com/klauspost/compress@v1.18.0 pkg:golang/github.com/klauspost/pgzip@v1.2.6 pkg:golang/github.com/kylelemons/godebug@v1.1.0 +pkg:golang/github.com/Masterminds/semver/v3@v3.3.1 pkg:golang/github.com/mattn/go-colorable@v0.1.13 pkg:golang/github.com/mattn/go-isatty@v0.0.20 pkg:golang/github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b @@ -70,10 +65,13 @@ pkg:golang/github.com/minio/minlz@v1.0.0 pkg:golang/github.com/mongodb-forks/digest@v1.1.0 pkg:golang/github.com/montanaflynn/stats@v0.7.1 pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0 +pkg:golang/github.com/PaesslerAG/gval@v1.0.0 +pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1 pkg:golang/github.com/pelletier/go-toml@v1.9.5 pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3 pkg:golang/github.com/pierrec/lz4/v4@v4.1.21 pkg:golang/github.com/pkg/browser@v0.0.0-20240102092130-5ac0b6a4141c +pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0 pkg:golang/github.com/sagikazarmark/locafero@v0.7.0 pkg:golang/github.com/shirou/gopsutil/v4@v4.25.3 pkg:golang/github.com/sorairolake/lzip-go@v0.3.5 
@@ -83,18 +81,20 @@ pkg:golang/github.com/spf13/cast@v1.7.1 pkg:golang/github.com/spf13/cobra@v1.9.1 pkg:golang/github.com/spf13/pflag@v1.0.6 pkg:golang/github.com/spf13/viper@v1.20.1 +pkg:golang/github.com/STARRY-S/zip@v0.2.1 pkg:golang/github.com/subosito/gotenv@v1.6.0 pkg:golang/github.com/tangzero/inflector@v1.0.0 pkg:golang/github.com/therootcompany/xz@v1.0.1 pkg:golang/github.com/tklauser/go-sysconf@v0.3.12 +pkg:golang/github.com/tklauser/numcpus@v0.6.1 pkg:golang/github.com/ulikunitz/xz@v0.5.12 pkg:golang/github.com/xdg-go/pbkdf2@v1.0.0 pkg:golang/github.com/xdg-go/scram@v1.1.2 pkg:golang/github.com/xdg-go/stringprep@v1.0.4 pkg:golang/github.com/youmark/pkcs8@v0.0.0-20240726163527-a2c0da244d78 -pkg:golang/go.mongodb.org/atlas@v0.38.0 pkg:golang/go.mongodb.org/atlas-sdk/v20240530005@v20240530005.0.0 pkg:golang/go.mongodb.org/atlas-sdk/v20250312002@v20250312002.0.0 +pkg:golang/go.mongodb.org/atlas@v0.38.0 pkg:golang/go.mongodb.org/mongo-driver@v1.17.3 pkg:golang/go.opentelemetry.io/auto/sdk@v1.1.0 pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.60.0 From 6b4176818db731bbe16a6b8d6b94d07758ce0d30 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Thu, 1 May 2025 14:53:15 +0100 Subject: [PATCH 14/17] Fix --- Makefile | 4 +++- build/package/purls.txt | 32 ++++++++++++++++---------------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/Makefile b/Makefile index c7da5f96c7..139462bf30 100644 --- a/Makefile +++ b/Makefile 
@@ -153,7 +153,9 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands
 gen-purls: # Generate purls on linux os
 @echo "==> Generating purls"
 GOOS=linux GOARCH=amd64 go build -o bin/atlas-linux ./cmd/atlas
- go version -m ./bin/atlas-linux | awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | sort > build/package/purls.txt
+ go version -m ./bin/atlas-linux | \
+ awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \
+ LC_ALL=C sort > build/package/purls.txt
 rm bin/atlas-linux
 
 .PHONY: build
diff --git a/build/package/purls.txt b/build/package/purls.txt
index 210b8af279..9c9060be37 100644
--- a/build/package/purls.txt
+++ b/build/package/purls.txt
@@ -1,12 +1,22 @@ -pkg:golang/cloud.google.com/go/auth@v0.16.0 pkg:golang/cloud.google.com/go/auth/oauth2adapt@v0.2.8 +pkg:golang/cloud.google.com/go/auth@v0.16.0 pkg:golang/cloud.google.com/go/compute/metadata@v0.6.0 pkg:golang/cloud.google.com/go/iam@v1.5.0 pkg:golang/cloud.google.com/go/kms@v1.21.2 pkg:golang/cloud.google.com/go/longrunning@v0.6.6 pkg:golang/github.com/AlecAivazis/survey/v2@v2.3.7 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1 +pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1 +pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2 +pkg:golang/github.com/Masterminds/semver/v3@v3.3.1 +pkg:golang/github.com/PaesslerAG/gval@v1.0.0 +pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1 +pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0 +pkg:golang/github.com/STARRY-S/zip@v0.2.1 pkg:golang/github.com/andybalholm/brotli@v1.1.1 -pkg:golang/github.com/aws/aws-sdk-go-v2@v1.36.3 pkg:golang/github.com/aws/aws-sdk-go-v2/config@v1.29.14 pkg:golang/github.com/aws/aws-sdk-go-v2/credentials@v1.17.67 pkg:golang/github.com/aws/aws-sdk-go-v2/feature/ec2/imds@v1.16.30 
@@ -19,13 +29,8 @@ pkg:golang/github.com/aws/aws-sdk-go-v2/service/kms@v1.38.3 pkg:golang/github.com/aws/aws-sdk-go-v2/service/sso@v1.25.3 pkg:golang/github.com/aws/aws-sdk-go-v2/service/ssooidc@v1.30.1 pkg:golang/github.com/aws/aws-sdk-go-v2/service/sts@v1.33.19 +pkg:golang/github.com/aws/aws-sdk-go-v2@v1.36.3 pkg:golang/github.com/aws/smithy-go@v1.22.2 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azcore@v1.18.0 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.9.0 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/internal@v1.11.1 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys@v1.3.1 -pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal@v1.1.1 -pkg:golang/github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2 pkg:golang/github.com/bodgit/plumbing@v1.3.0 pkg:golang/github.com/bodgit/sevenzip@v1.6.0 pkg:golang/github.com/bodgit/windows@v1.0.1 @@ -56,7 +61,6 @@ pkg:golang/github.com/kballard/go-shellquote@v0.0.0-20180428030007-95032a82bc51 pkg:golang/github.com/klauspost/compress@v1.18.0 pkg:golang/github.com/klauspost/pgzip@v1.2.6 pkg:golang/github.com/kylelemons/godebug@v1.1.0 -pkg:golang/github.com/Masterminds/semver/v3@v3.3.1 pkg:golang/github.com/mattn/go-colorable@v0.1.13 pkg:golang/github.com/mattn/go-isatty@v0.0.20 pkg:golang/github.com/mgutz/ansi@v0.0.0-20170206155736-9520e82c474b 
@@ -65,13 +69,10 @@ pkg:golang/github.com/minio/minlz@v1.0.0 pkg:golang/github.com/mongodb-forks/digest@v1.1.0 pkg:golang/github.com/montanaflynn/stats@v0.7.1 pkg:golang/github.com/nwaples/rardecode/v2@v2.1.0 -pkg:golang/github.com/PaesslerAG/gval@v1.0.0 -pkg:golang/github.com/PaesslerAG/jsonpath@v0.1.1 -pkg:golang/github.com/pelletier/go-toml@v1.9.5 pkg:golang/github.com/pelletier/go-toml/v2@v2.2.3 +pkg:golang/github.com/pelletier/go-toml@v1.9.5 pkg:golang/github.com/pierrec/lz4/v4@v4.1.21 pkg:golang/github.com/pkg/browser@v0.0.0-20240102092130-5ac0b6a4141c -pkg:golang/github.com/ProtonMail/go-crypto@v1.2.0 pkg:golang/github.com/sagikazarmark/locafero@v0.7.0 pkg:golang/github.com/shirou/gopsutil/v4@v4.25.3 pkg:golang/github.com/sorairolake/lzip-go@v0.3.5 @@ -81,7 +82,6 @@ pkg:golang/github.com/spf13/cast@v1.7.1 pkg:golang/github.com/spf13/cobra@v1.9.1 pkg:golang/github.com/spf13/pflag@v1.0.6 pkg:golang/github.com/spf13/viper@v1.20.1 -pkg:golang/github.com/STARRY-S/zip@v0.2.1 pkg:golang/github.com/subosito/gotenv@v1.6.0 pkg:golang/github.com/tangzero/inflector@v1.0.0 pkg:golang/github.com/therootcompany/xz@v1.0.1 @@ -99,9 +99,9 @@ pkg:golang/go.mongodb.org/mongo-driver@v1.17.3 pkg:golang/go.opentelemetry.io/auto/sdk@v1.1.0 pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@v0.60.0 pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.60.0 -pkg:golang/go.opentelemetry.io/otel@v1.35.0 pkg:golang/go.opentelemetry.io/otel/metric@v1.35.0 pkg:golang/go.opentelemetry.io/otel/trace@v1.35.0 +pkg:golang/go.opentelemetry.io/otel@v1.35.0 pkg:golang/go4.org@v0.0.0-20230225012048-214862532bf5 pkg:golang/golang.org/x/crypto@v0.37.0 pkg:golang/golang.org/x/exp@v0.0.0-20241004190924-225e2abe05e6 
@@ -114,9 +114,9 @@ pkg:golang/golang.org/x/term@v0.31.0 pkg:golang/golang.org/x/text@v0.24.0 pkg:golang/golang.org/x/time@v0.11.0 pkg:golang/google.golang.org/api@v0.229.0 -pkg:golang/google.golang.org/genproto@v0.0.0-20250303144028-a0af3efb3deb pkg:golang/google.golang.org/genproto/googleapis/api@v0.0.0-20250414145226-207652e42e2e pkg:golang/google.golang.org/genproto/googleapis/rpc@v0.0.0-20250414145226-207652e42e2e +pkg:golang/google.golang.org/genproto@v0.0.0-20250303144028-a0af3efb3deb pkg:golang/google.golang.org/grpc@v1.72.0 pkg:golang/google.golang.org/protobuf@v1.36.6 pkg:golang/gopkg.in/yaml.v3@v3.0.1 From 4c9ef079206292498c0701f7522b5fa45f19c2b4 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Thu, 1 May 2025 15:11:21 +0100 Subject: [PATCH 15/17] Test fix --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 139462bf30..1ed0094bf8 100644 --- a/Makefile +++ b/Makefile @@ -152,7 +152,7 @@ gen-docs: gen-docs-metadata ## Generate docs for atlascli commands .PHONY: gen-purls gen-purls: # Generate purls on linux os @echo "==> Generating purls" - GOOS=linux GOARCH=amd64 go build -o bin/atlas-linux ./cmd/atlas + GOOS=linux GOARCH=amd64 go build -trimpath -mod=readonly -o bin/atlas-linux ./cmd/atlas go version -m ./bin/atlas-linux | \ awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \ LC_ALL=C sort > build/package/purls.txt From c654e634415f69056e483d8457c429161afa2618 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 2 May 2025 09:46:37 +0100 Subject: [PATCH 16/17] Moves purl check to evg --- .github/workflows/code-health.yml | 21 --------------------- build/ci/check-purls.sh | 23 +++++++++++++++++++++++ build/ci/evergreen.yml | 19 +++++++++++++++++++ 3 files changed, 42 insertions(+), 21 deletions(-) create mode 100755 build/ci/check-purls.sh diff --git a/.github/workflows/code-health.yml b/.github/workflows/code-health.yml index 0a495cc096..0c62ed3d86 100644 
--- a/.github/workflows/code-health.yml
+++ b/.github/workflows/code-health.yml
@@ -326,27 +326,6 @@ jobs:
 with:
 go-version-file: 'go.mod'
 - run: make check-templates
- purls_check:
- runs-on: ubuntu-latest
- steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
- with:
- config: ${{ vars.PERMISSIONS_CONFIG }}
- - name: Checkout repository
- uses: actions/checkout@v4
- - name: Install Go
- uses: actions/setup-go@v5
- with:
- go-version-file: 'go.mod'
- - name: Generate purls
- run: make gen-purls > /dev/null
- - name: Check for uncommitted changes in purls.txt
- run: |
- if ! git diff --quiet --exit-code build/package/purls.txt; then
- echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
- git --no-pager diff build/package/purls.txt
- exit 1
- fi
 verify_image:
 name: Build docker image
 runs-on: ubuntu-latest
diff --git a/build/ci/check-purls.sh b/build/ci/check-purls.sh
new file mode 100755
index 0000000000..b15acf9fd7
--- /dev/null
+++ b/build/ci/check-purls.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+if ! git diff --quiet --exit-code build/package/purls.txt; then
+ echo "build/package/purls.txt is out of date. Please run 'make gen-purls' and commit the result."
+ git --no-pager diff build/package/purls.txt
+ exit 1
+fi
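Review bot: check-purls.sh diffs the relative path `build/package/purls.txt`, so it only works when invoked from the repository root; the Evergreen step that calls it in this commit passes `<<: *go_options`, whose working directory is not visible on this page, so the cwd assumption cannot be confirmed here. Adding `cd "$(git rev-parse --show-toplevel)"` after `set -Eeou pipefail` makes the script independent of the caller, and writing the path after `--` (`git diff --quiet --exit-code -- build/package/purls.txt`) keeps git from ever interpreting it as a revision. `--quiet` already implies `--exit-code`, so one of the two flags is redundant.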
diff --git a/build/ci/evergreen.yml b/build/ci/evergreen.yml index 7dc0f7f4a7..e136a40a72 100644 --- a/build/ci/evergreen.yml +++ b/build/ci/evergreen.yml @@ -533,6 +533,21 @@ functions: binary: make args: - otel + "check purls": + - command: subprocess.exec + type: test + params: + <<: *go_options + binary: make + args: + - gen-purls + - command: subprocess.exec + params: + <<: *go_options + include_expansions_in_env: + - workdir + binary: build/ci/check-purls.sh + tasks: - name: compile tags: ["code_health"] @@ -1726,6 +1741,10 @@ tasks: vars: span: "coverage" attr: "total=${percentage},count=${count}" + - name: check_purls + tags: ["code_health"] + commands: + - func: "check purls" - name: snyk_monitor tags: - snyk From 3633dd40f9882bfd82db7e854396f1fe5b1c5c67 Mon Sep 17 00:00:00 2001 From: Melanija Cvetic Date: Fri, 2 May 2025 13:13:06 +0100 Subject: [PATCH 17/17] Adds gen-purls as pre-commit --- Makefile | 1 - scripts/pre-commit.sh | 7 +++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 1ed0094bf8..d5fef420ab 100644 --- a/Makefile +++ b/Makefile @@ -156,7 +156,6 @@ gen-purls: # Generate purls on linux os go version -m ./bin/atlas-linux | \ awk '$$1 == "dep" || $$1 == "=>" { print "pkg:golang/" $$2 "@" $$3 }' | \ LC_ALL=C sort > build/package/purls.txt - rm bin/atlas-linux .PHONY: build build: ## Generate an atlas binary in ./bin diff --git a/scripts/pre-commit.sh b/scripts/pre-commit.sh index 539319c74a..6e3fdfdb89 100755 --- a/scripts/pre-commit.sh +++ b/scripts/pre-commit.sh @@ -39,6 +39,13 @@ if [[ -n "${STAGED_GO_FILES}" ]]; then git add docs fi +STAGED_GO_MOD_FILES=$(git diff --cached --name-only | grep -E "^go\.(mod|sum)$" || true) + +if [[ -n "${STAGED_GO_MOD_FILES}" ]]; then + make gen-purls > /dev/null + git add build/package/purls.txt +fi + STAGED_EVG_FILES=$(git diff --cached --name-only | grep "evergreen.yml$") for FILE in ${STAGED_EVG_FILES}
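Review bot: In the new `check purls` function the `include_expansions_in_env: - workdir` is attached to the `build/ci/check-purls.sh` command, but that script (added in this same commit) never reads `workdir`, so the expansion is unused unless `go_options` itself relies on it; dropping it avoids implying the script is workdir-aware. Conversely only the `make gen-purls` command carries `type: test`, so if the project's default command type is not `test`, a drift failure reported by check-purls.sh — the actual check — would be classified as a system or setup failure rather than a test failure; adding `type: test` to the second command as well keeps the classification consistent.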