sbom and augmented sbom

Author: oarbusi

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,52 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 3.12.1)"
+        required: true
+        type: string
+      resource:
+        description: "Resource name (e.g. organization, project, etc.)"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Augment SBOM with Kondukto
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
+        run: ./scripts/compliance/augment-sbom.sh 
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./scripts/compliance/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+            compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+          if-no-files-found: error

.github/workflows/release.yml

@@ -67,3 +67,48 @@ jobs:
           ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }}
           ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }}
           ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}
+  compliance:
+    needs: release
+    runs-on: ubuntu-latest
+    env:
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+            ref: ${{ inputs.version_number }}
+      - name: Generate PURLs and SBOM
+        run: make gen-purls gen-sbom
+      - name: Upload SBOM to Kondukto
+        run: make upload-sbom
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Upload SBOM as release artifact
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ inputs.version_number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-ssdlc-report:
+    needs: compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: ./.github/templates/run-script-and-commit
+        with:
+          script_call: |
+            TAG="${{ inputs.version_number }}"
+            VERSION="${TAG#v}"
+            AUTHOR="${{ github.actor }}"
+            export AUTHOR VERSION
+            ./scripts/compliance/gen-ssdlc-report.sh
+          file_to_commit: 'compliance/v*/ssdlc-compliance-*.md'
+          commit_message: "chore: Update SSDLC report for ${{ inputs.version_number }}"
+          apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+          remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}

Makefile

@@ -64,4 +64,20 @@ generate-manifest-windows: ## Generate the manifest file for windows OSes
 .DEFAULT_GOAL := help
 help:
 	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | sort
+
+.PHONY: gen-purls
+gen-purls:
+	./scripts/compliance/gen-purls.sh
+
+.PHONY: gen-sbom
+gen-sbom:
+	./scripts/compliance/gen-sbom.sh
+
+.PHONY: gen-ssdlc-report
+gen-ssdlc-report:
+	./scripts/compliance/gen-ssdlc-report.sh
+
+.PHONY: upload-sbom
+upload-sbom:
+	./scripts/compliance/upload-sbom.sh
 

scripts/compliance/augment-sbom.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"

scripts/compliance/extract-purls.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 <binary_path> <output_file>"
+  exit 1
+fi
+
+BINARY_PATH="$1"
+OUTPUT_FILE="$2"
+
+go version -m "$BINARY_PATH" | \
+  awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+  LC_ALL=C sort > "$OUTPUT_FILE" 

scripts/compliance/gen-purls.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+: "${LINKER_FLAGS:=}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXTRACT_PURL_SCRIPT="${SCRIPT_DIR}/extract-purls.sh"
+
+if [ ! -x "$EXTRACT_PURL_SCRIPT" ]; then
+  echo "extract-purls.sh not found or not executable"
+  exit 1
+fi
+
+echo "==> Generating purls"
+
+# Define output and temp files
+OUT_DIR="compliance"
+LINUX_BIN="${OUT_DIR}/bin-linux"
+DARWIN_BIN="${OUT_DIR}/bin-darwin"
+WIN_BIN="${OUT_DIR}/bin-win.exe"
+PURL_LINUX="${OUT_DIR}/purls-linux.txt"
+PURL_DARWIN="${OUT_DIR}/purls-darwin.txt"
+PURL_WIN="${OUT_DIR}/purls-win.txt"
+PURL_ALL="${OUT_DIR}/purls.txt"
+
+# Build and extract for Linux
+GOOS=linux GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${LINUX_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${LINUX_BIN}" "${PURL_LINUX}"
+
+# Build and extract for Darwin
+GOOS=darwin GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${DARWIN_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${DARWIN_BIN}" "${PURL_DARWIN}"
+
+# Build and extract for Windows
+GOOS=windows GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${WIN_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${WIN_BIN}" "${PURL_WIN}"
+
+# Combine, sort, and deduplicate
+cat "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" | LC_ALL=C sort | uniq > "${PURL_ALL}"
+
+# Clean up temp files
+rm -f "${LINUX_BIN}" "${DARWIN_BIN}" "${WIN_BIN}" "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}"

scripts/compliance/gen-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/compliance/gen-ssdlc-report.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/atlas-cli-plugin-terraform/releases/download/v${VERSION}/sbom.json"
+  # Ensure atlas-cli-plugin-terraform version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for Atlas CLI plugin for Terraform's MongoDB Atlas Provider version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"

scripts/compliance/upload-sbom.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO" \
+  --branch "$KONDUKTO_BRANCH_PREFIX" 
+  

templates/ssdlc-compliance.template.md

@@ -0,0 +1,29 @@
+SSDLC Compliance Report: MongoDB Atlas CLI Plugin Terraform ${VERSION}
+=================================================================
+
+- Release Creator: ${AUTHOR}
+- Created On: ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+- MongoDB Atlas CLI Plugin Terraform ${VERSION}, ${DATE}.
+
+- **Process Document**
+- https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+- [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+${SBOM_TEXT}
+
+- **Security Testing Report**
+- Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+- Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.