sbom and ssdlc report generation

Author: oarbusi

scripts/compliance/augment-sbom.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"

scripts/compliance/gen-purls.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Reference: .cursor/rules - be surgical, only output PURLs, use jq for JSON parsing
+
+if ! command -v jq &> /dev/null; then
+  echo "jq is required but not installed. Please install jq to use this script."
+  exit 1
+fi
+
+mkdir -p compliance
+
+PKG_JSON=package.json
+
+# Output all npm dependencies, devDependencies, and peerDependencies as PURLs to compliance/purls.txt
+yq -r --output-format json '.dependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' package.json > compliance/purls.txt
+yq -r --output-format json '.devDependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' package.json >> compliance/purls.txt
+yq -r --output-format json '.peerDependencies | to_entries | .[] |  "pkg:npm/" + .key + "@" + .value' package.json >> compliance/purls.txt

scripts/compliance/gen-sbom.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Generating SBOM..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  "$SILKBOMB_IMG" \
+  update \
+  --purls /pwd/compliance/purls.txt \
+  --sbom-out /pwd/compliance/sbom.json

scripts/compliance/gen-ssdlc-report.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+
+if [ -z "${AUTHOR:-}" ]; then
+  AUTHOR=$(git config user.name)
+fi
+
+if [ -z "${VERSION:-}" ]; then
+  VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+fi
+
+if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/terraform-provider-mongodbatlas/releases/download/terraform-provider-mongodbatlas%2Fv${VERSION}/sbom.json"
+  # Ensure terraform-provider-mongodbatlas version directory exists
+  mkdir -p "${target_dir}"
+fi
+
+export AUTHOR
+export VERSION
+export SBOM_TEXT
+
+echo "Generating SSDLC report for MongoDB Atlas AWS CDK Resources version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+envsubst < templates/ssdlc-compliance.template.md \
+  > "${target_dir}/${file_name}"
+
+echo "SSDLC compliance report ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
+
+echo "Printing the generated report:"
+cat "${target_dir}/${file_name}"

scripts/compliance/upload-sbom.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+echo "Uploading SBOMs..."
+docker run --rm \
+  -v "$PWD:/pwd" \
+  -e KONDUKTO_TOKEN \
+  "$SILKBOMB_IMG" \
+  upload \
+  --sbom-in /pwd/compliance/sbom.json \
+  --repo "$KONDUKTO_REPO"  \
+  --branch "$KONDUKTO_BRANCH_PREFIX"

templates/ssdlc-compliance.template.md

@@ -0,0 +1,29 @@
+SSDLC Compliance Report: MongoDB Atlas AWS CDK Resources ${VERSION}
+=================================================================
+
+- Release Creator: ${AUTHOR}
+- Created On:       ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+  - MongoDB Atlas AWS CDK Resources ${VERSION}, ${DATE}.
+
+- **Process Document**
+  - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+  - [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+${SBOM_TEXT}
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.