chore: Onboard to Silkbomb to generate SSDLC reports, SBOM and generate augmented SBOM on demand (#620)

Author: oarbusi

.github/workflows/autorelease.yaml

@@ -10,13 +10,17 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    outputs:
+      release_tag: ${{ steps.set_tag.outputs.release_tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Release env
+        id: set_tag
         working-directory: ./tools
         run: |
           ./releaser/scripts/setghenv.sh
+          echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
       - name: Create Release 
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
         with:
@@ -29,3 +33,50 @@ jobs:
           LATEST_SDK_RELEASE=$(echo "${LATEST_SDK_TAG}" | cut -d '.' -f 1)
           echo "tag: ${LATEST_SDK_TAG}, release: ${LATEST_SDK_RELEASE}"
           curl -sSfL "https://proxy.golang.org/go.mongodb.org/atlas-sdk/${LATEST_SDK_RELEASE}/@v/${LATEST_SDK_TAG}.info"
+  compliance:
+    needs: release
+    runs-on: ubuntu-latest
+    env:
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+      RELEASE_TAG: ${{ needs.release.outputs.release_tag }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+            ref: ${{ env.RELEASE_TAG }}
+      - name: Generate PURLs and SBOM
+        run: make gen-purls gen-sbom
+      - name: Upload SBOM to Kondukto
+        run: make upload-sbom
+        env:
+          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      - name: Upload SBOM as release artifact
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
+        with:
+          files: compliance/sbom.json
+          tag_name: ${{ env.RELEASE_TAG }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  generate-ssdlc-report:
+    needs: compliance
+    runs-on: ubuntu-latest
+    env:
+      RELEASE_TAG: ${{ needs.release.outputs.release_tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: ./.github/templates/run-script-and-commit
+        with:
+          script_call: |
+            TAG="${{ env.RELEASE_TAG }}"
+            VERSION="${TAG#v}"
+            AUTHOR="${{ github.actor }}"
+            export AUTHOR VERSION
+            ./scripts/compliance/gen-ssdlc-report.sh
+          file_to_commit: 'compliance/v*/ssdlc-compliance-*.md'
+          commit_message: "chore: Update SSDLC report for ${{ env.RELEASE_TAG }}"
+          apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
+          remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
+          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,48 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 3.12.1)"
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+      - name: Augment SBOM with Kondukto
+        env:
+          RELEASE_VERSION: ${{ inputs.release_version }}
+        run: ./scripts/compliance/augment-sbom.sh 
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./scripts/compliance/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+            compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+          if-no-files-found: error

CONTRIBUTING.md

@@ -134,5 +134,19 @@ We recommend to create separate PR containing only documentation files each time
 Documentation team will be assigned as reviewer automatically and will help with review of the PR.
 
 
+## Third Party Dependencies and Vulnerability Scanning
 
+We scan our dependencies for vulnerabilities and incompatible licenses using [Snyk](https://snyk.io/).
+To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI).
 
+We also use Kondukto to scan for third-party dependency vulnerabilities. Kondukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found.
+
+### SBOM and Compliance
+We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/<release-version> directory.
+
+Augmented SBOMs can be generated on customer request for any released version. This can only be done by MongoDB employees as it requires access to our GitHub workflow.
+
+### Papertrail Integration
+All releases are recorded using a MongoDB-internal application called Papertrail. This records various pieces of information about releases, including the date and time of the release, who triggered the release (by pushing to Evergreen), and a checksum of each release file.
+
+This is done automatically as part of the release.

Makefile

@@ -72,3 +72,19 @@ openapi-pipeline: install-goimports
 gen-docs:
 	$(MAKE) -C tools generate_docs
 	./scripts/toc.sh
+
+.PHONY: gen-purls
+gen-purls:
+	./scripts/compliance/gen-purls.sh
+
+.PHONY: gen-sbom
+gen-sbom:
+	./scripts/compliance/gen-sbom.sh
+
+.PHONY: gen-ssdlc-report
+gen-ssdlc-report:
+	./scripts/compliance/gen-ssdlc-report.sh
+
+.PHONY: upload-sbom
+upload-sbom:
+	./scripts/compliance/upload-sbom.sh

scripts/compliance/augment-sbom.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"

scripts/compliance/extract-purls.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 <binary_path> <output_file>"
+  exit 1
+fi
+
+BINARY_PATH="$1"
+OUTPUT_FILE="$2"
+
+go version -m "$BINARY_PATH" | \
+  awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+  LC_ALL=C sort > "$OUTPUT_FILE"

scripts/compliance/gen-purls.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+OUT_DIR="compliance"
+PURL_FILE="${OUT_DIR}/purls.txt"
+mkdir -p "$OUT_DIR"
+
+# Generate purls for all dependencies (including indirect)
+echo "==> Generating purls from go.mod dependencies"
+go list -m all | tail -n +2 | awk '{print "pkg:golang/" $1 "@" $2}' | LC_ALL=C sort | uniq > "$PURL_FILE"
+
+echo "PURLs written to $PURL_FILE"

scripts/compliance/gen-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/compliance/gen-ssdlc-report.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/atlas-cli-plugin-terraform/releases/download/v${VERSION}/sbom.json"
+  # Ensure atlas-cli-plugin-terraform version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for Atlas CLI plugin for Terraform's MongoDB Atlas Provider version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"

scripts/compliance/upload-sbom.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO" \
+  --branch "$KONDUKTO_BRANCH_PREFIX"