mongodb-js
diff --git a/‎.evergreen/compass_package.sh‎
Lines changed: 4 additions & 1 deletion b/‎.evergreen/compass_package.sh‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.evergreen/create-sbom.sh‎
Lines changed: 25 additions & 0 deletions b/‎.evergreen/create-sbom.sh‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.evergreen/functions.yml‎
Lines changed: 35 additions & 3 deletions b/‎.evergreen/functions.yml‎
Lines changed: 35 additions & 3 deletions
diff --git a/‎.evergreen/generative-ai-accuracy-test-empty.yml‎
Lines changed: 9 additions & 0 deletions b/‎.evergreen/generative-ai-accuracy-test-empty.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.evergreen/generative-ai-accuracy-test.yml‎
Lines changed: 2 additions & 2 deletions b/‎.evergreen/generative-ai-accuracy-test.yml‎
Lines changed: 2 additions & 2 deletions
@@ -1,12 +1,15 @@
 #! /usr/bin/env bash
-
 set -e
+set -x
 
 if [[ "$OSTYPE" == "cygwin" ]]; then
   echo "Starting Installer Service..."
   net start MSIServer
 fi
 
+# Ensure .sbom is always created with fresh data
+rm -rvf .sbom && mkdir -pv .sbom
+
 echo "Creating signed release build..."
 npm run package-compass $COMPASS_DISTRIBUTION;
 
 
@@ -0,0 +1,25 @@
+#! /usr/bin/env bash
+set -e
+set -x
+
+# create SBOM
+CRYPT_SHARED_VERSION=$(cat packages/compass/src/deps/csfle/version)
+
+set +x
+echo "${ARTIFACTORY_PASSWORD}" > /tmp/artifactory_password
+set -x
+
+trap_handler() {
+  rm -f /tmp/artifactory_password
+}
+trap trap_handler ERR EXIT
+
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
+ssh -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -p "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME" \
+  "(cat /tmp/dependencies.json | jq -r '.[] | "'"pkg:npm/" + .name + "@" + .version'"' > /tmp/purls.txt) && \
+  echo "pkg:generic/mongo_crypt_shared@${CRYPT_SHARED_VERSION}" >> /tmp/purls.txt && \
+  (cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactor_password ) && \
+  docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 && \
+  docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
+    --purls /tmp/purls.txt --sbom_out /tmp/sbom.json"
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom.json,purls.txt} .sbom/
@@ -378,13 +378,14 @@ functions:
 
           # Write the host info so that it can be used by the signing tool
           if [[ $OSTYPE == "cygwin" ]]; then
-            identity_file=$(cygpath -wa "$identity_file")
+            identity_file_ospath=$(cygpath -wa "$identity_file")
           else
-            identity_file=$(eval echo "$identity_file")
+            identity_file_ospath=$(eval echo "$identity_file")
           fi
           cat <<EOL > signing_host_info.yml
           SIGNING_SERVER_HOSTNAME: $hostname
-          SIGNING_SERVER_PRIVATE_KEY: $identity_file
+          SIGNING_SERVER_PRIVATE_KEY: $identity_file_ospath
+          SIGNING_SERVER_PRIVATE_KEY_CYGPATH: $identity_file
           SIGNING_SERVER_USERNAME: $user
           SIGNING_SERVER_PORT: 22
           EOL
@@ -405,13 +406,30 @@ functions:
           COMPASS_DISTRIBUTION: ${compass_distribution}
           SIGNING_SERVER_HOSTNAME: ${SIGNING_SERVER_HOSTNAME}
           SIGNING_SERVER_PRIVATE_KEY: ${SIGNING_SERVER_PRIVATE_KEY}
+          SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
           SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
           SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
         script: |
           set -e
 
           eval $(.evergreen/print-compass-env.sh)
           .evergreen/compass_package.sh
+    - command: shell.exec
+      params:
+        working_dir: src
+        shell: bash
+        env:
+          ARTIFACTORY_USERNAME: ${artifactory_username}
+          ARTIFACTORY_PASSWORD: ${artifactory_password}
+          SIGNING_SERVER_HOSTNAME: ${SIGNING_SERVER_HOSTNAME}
+          SIGNING_SERVER_PRIVATE_KEY: ${SIGNING_SERVER_PRIVATE_KEY}
+          SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
+          SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
+          SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
+        script: |
+          set -e
+
+          .evergreen/create-sbom.sh
 
   publish:
     - command: shell.exec
@@ -738,6 +756,20 @@ functions:
         remote_file: ${project}/${revision}_${revision_order_id}/${linux_tar_sign_filename}
         content_type: application/pgp-signature
         optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/.sbom/purls.txt
+        remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/purls.txt
+        content_type: text/plain
+        optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params-public
+        local_file: src/.sbom/sbom.json
+        remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/sbom.json
+        content_type: application/json
+        optional: true
 
   get-all-artifacts:
     - command: shell.exec
 
@@ -0,0 +1,9 @@
+# This evergreen .yml is intentionally left empty.
+# We want the compass-generative-ai-accuracy evergreen project to run
+# daily on the latest commit. This file is here so that we have a
+# .yml config to point the evergreen project to so that
+# it can uses the most recent commits when the daily run happens.
+
+# The .yml that runs those tests is `generative-ai-accuracy-test.yml`.
+# We don't want it to run on every commit as that would be too many
+# requests to our ai model (expensive).
@@ -1,6 +1,6 @@
 # This evergreen .yml is only used in periodic builds.
-# We don't want it to run on every patch as that would be too many
-# requests to our ai model (expensive).
+# We don't want it to run on every commit as that would be
+# too many requests to our ai model (expensive).
 
 unset_function_vars: true
 stepback: false