chore: Onboard to Silkbomb to generate SSDLC reports, SBOM and generate augmented SBOM on demand (#49)

* sbom and augmented sbom

* clean up input

* eof

* correct secrets

* pr comments

* contributing

* typo

Author: oarbusi

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,48 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 3.12.1)"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Augment SBOM with Kondukto
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
+        run: ./scripts/compliance/augment-sbom.sh 
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./scripts/compliance/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+            compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+          if-no-files-found: error

.github/workflows/release.yml

@@ -67,3 +67,48 @@ jobs:
           ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }}
           ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }}
           ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}
+  compliance:
+    needs: release
+    runs-on: ubuntu-latest
+    env:
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+            ref: ${{ inputs.version_number }}
+      - name: Generate PURLs and SBOM
+        run: make gen-purls gen-sbom
+      - name: Upload SBOM to Kondukto
+        run: make upload-sbom
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Upload SBOM as release artifact
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ inputs.version_number }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  generate-ssdlc-report:
+    needs: compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: ./.github/templates/run-script-and-commit
+        with:
+          script_call: |
+            TAG="${{ inputs.version_number }}"
+            VERSION="${TAG#v}"
+            AUTHOR="${{ github.actor }}"
+            export AUTHOR VERSION
+            ./scripts/compliance/gen-ssdlc-report.sh
+          file_to_commit: 'compliance/v*/ssdlc-compliance-*.md'
+          commit_message: "chore: Update SSDLC report for ${{ inputs.version_number }}"
+          apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+          remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # Contributing to the Atlas CLI plugin for Terraform's MongoDB Atlas Provider
 
-WIP
+Thank you for your interest in contributing! This project welcomes contributions from the community. Please follow the guidelines below to get started, build, and contribute effectively. For compliance and release processes, see the sections below.
 
 ## Building
 
@@ -9,3 +9,23 @@ You can build the binary plugin by running `make build`. You'll need to have Go
 ## Using the plugin from the CLI
 
 You can also use the plugin with your changes from the CLI by running: `make local` and following the instructions displayed.
+
+## Third Party Dependencies and Vulnerability Scanning
+
+We scan our dependencies for vulnerabilities and incompatible licenses using [Snyk](https://snyk.io/).
+To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI).
+
+We also use Kondukto to scan for third-party dependency vulnerabilities. Kondukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found.
+
+### SBOM and Compliance
+We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/<release-version> directory.
+
+Augmented SBOMs can be generated on customer request for any released version. This can only be done by MongoDB employees as it requires access to our GitHub workflow.
+
+### Papertrail Integration
+All releases are recorded using a MongoDB-internal application called Papertrail. This records various pieces of information about releases, including the date and time of the release, who triggered the release (by pushing to Evergreen), and a checksum of each release file.
+
+This is done automatically as part of the release.
+
+### Release Artifact Signing
+All releases are signed automatically as part of the release process.

Makefile

@@ -64,4 +64,20 @@ generate-manifest-windows: ## Generate the manifest file for windows OSes
 .DEFAULT_GOAL := help
 help:
 	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | sort
+
+.PHONY: gen-purls
+gen-purls:
+	./scripts/compliance/gen-purls.sh
+
+.PHONY: gen-sbom
+gen-sbom:
+	./scripts/compliance/gen-sbom.sh
+
+.PHONY: gen-ssdlc-report
+gen-ssdlc-report:
+	./scripts/compliance/gen-ssdlc-report.sh
+
+.PHONY: upload-sbom
+upload-sbom:
+	./scripts/compliance/upload-sbom.sh
 

scripts/compliance/augment-sbom.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"

scripts/compliance/extract-purls.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 <binary_path> <output_file>"
+  exit 1
+fi
+
+BINARY_PATH="$1"
+OUTPUT_FILE="$2"
+
+go version -m "$BINARY_PATH" | \
+  awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+  LC_ALL=C sort > "$OUTPUT_FILE"

scripts/compliance/gen-purls.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+: "${LINKER_FLAGS:=}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXTRACT_PURL_SCRIPT="${SCRIPT_DIR}/extract-purls.sh"
+
+if [ ! -x "$EXTRACT_PURL_SCRIPT" ]; then
+  echo "extract-purls.sh not found or not executable"
+  exit 1
+fi
+
+echo "==> Generating purls"
+
+# Define output and temp files
+OUT_DIR="compliance"
+LINUX_BIN="${OUT_DIR}/bin-linux"
+DARWIN_BIN="${OUT_DIR}/bin-darwin"
+WIN_BIN="${OUT_DIR}/bin-win.exe"
+PURL_LINUX="${OUT_DIR}/purls-linux.txt"
+PURL_DARWIN="${OUT_DIR}/purls-darwin.txt"
+PURL_WIN="${OUT_DIR}/purls-win.txt"
+PURL_ALL="${OUT_DIR}/purls.txt"
+
+# Build and extract for Linux
+GOOS=linux GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${LINUX_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${LINUX_BIN}" "${PURL_LINUX}"
+
+# Build and extract for Darwin
+GOOS=darwin GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${DARWIN_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${DARWIN_BIN}" "${PURL_DARWIN}"
+
+# Build and extract for Windows
+GOOS=windows GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${WIN_BIN}" ./cmd/plugin
+"$EXTRACT_PURL_SCRIPT" "${WIN_BIN}" "${PURL_WIN}"
+
+# Combine, sort, and deduplicate
+cat "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" | LC_ALL=C sort | uniq > "${PURL_ALL}"
+
+# Clean up temp files
+rm -f "${LINUX_BIN}" "${DARWIN_BIN}" "${WIN_BIN}" "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}"

scripts/compliance/gen-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/compliance/gen-ssdlc-report.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/atlas-cli-plugin-terraform/releases/download/v${VERSION}/sbom.json"
+  # Ensure atlas-cli-plugin-terraform version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for Atlas CLI plugin for Terraform's MongoDB Atlas Provider version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"

scripts/compliance/upload-sbom.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO" \
+  --branch "$KONDUKTO_BRANCH_PREFIX"