use Silkbomb 2.0

Author: fetsko

etc/update-sbom.sh

@@ -13,7 +13,7 @@ echo "pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" > $PURLS_FILE
 
 # Use silkbomb to update the sbom.json file
 docker run --platform="linux/amd64" -it --rm -v ${ROOT_DIR}:/pwd \
-  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \
+  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \
   update --sbom-in /pwd/sbom.json --purls /pwd/purls.txt --sbom-out /pwd/sbom.json
 
 rm $PURLS_FILE

ext/libmongocrypt/libmongocrypt/Earthfile

@@ -461,7 +461,7 @@ sign:
 #
 # See https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/ for documentation of silkbomb.
 silkbomb:
-    FROM artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
+    FROM artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
     # Alias the silkbom executable to a simpler name:
     RUN ln -s /python/src/sbom/silkbomb/bin /usr/local/bin/silkbomb
 
@@ -484,39 +484,24 @@ sbom-generate:
     # Save the result back to the host:
     SAVE ARTIFACT /s/cyclonedx.sbom.json AS LOCAL etc/cyclonedx.sbom.json
 
-# sbom-download:
-#   Download the Augmented SBOM file from Silk.
+# sbom-augment:
+#   Augment the SBOM file with vulnerability information from Kondukto.
 #
 # See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for instructions to get secrets from AWS Secrets Manager. Secrets are available under `drivers/libmongocrypt`.
 #
-sbom-download:
+sbom-augment:
     ARG --required out
     ARG --required branch
     FROM +silkbomb
     WORKDIR /s
+    COPY etc/cyclonedx.sbom.json /s/
     # Download the Augmented SBOM file:
-    RUN --no-cache --secret silk_client_id --secret silk_client_secret \
-        SILK_CLIENT_ID=${silk_client_id} \
-        SILK_CLIENT_SECRET=${silk_client_secret} \
-        silkbomb download \
+    RUN --no-cache --secret kondukto_token KONDUKTO_TOKEN=${kondukto_token} \
+        silkbomb augment \
+        --sbom-in cyclonedx.sbom.json \
         --sbom-out cyclonedx.augmented.sbom.json \
-        --silk-asset-group libmongocrypt-${branch}
+        --repo mongodb/libmongocrypt-helper-ruby \
+        --branch ${branch}
     # Save the result back to the host:
     SAVE ARTIFACT /s/cyclonedx.augmented.sbom.json AS LOCAL ${out}
     RUN echo "Augmented SBOM saved to ${out}"
-
-# silk-create-asset-group:
-#   Create an asset group for Silk.
-#
-# See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for instructions to get secrets from AWS Secrets Manager. Secrets are available under `drivers/libmongocrypt`.
-#
-silk-create-asset-group:
-    ARG --required branch
-    FROM +env.alpine
-    RUN __install curl jq
-    COPY etc/silk-create-asset-group.sh /s/silk-create-asset-group.sh
-    RUN --no-cache --secret silk_client_id --secret silk_client_secret \
-        silk_client_id=${silk_client_id} \
-        silk_client_secret=${silk_client_secret} \
-        branch=${branch} \
-            /s/silk-create-asset-group.sh

ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh

@@ -10,5 +10,5 @@ else
 fi
 
 echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt
-$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
+$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
 rm purls.txt

ext/libmongocrypt/libmongocrypt/doc/releasing.md

@@ -9,7 +9,7 @@ Version numbers of libmongocrypt must follow the format 1.[0-9].[0-9] for releas
 
 ### Check for Vulnerabilities
 
-Snyk and Silk are used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm).
+Snyk and Kondukto are used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm).
 
 #### Check Snyk
 
@@ -44,16 +44,15 @@ snyk monitor \
 
 Check the updated reference targets in Snyk for detected vulnerabilities.
 
-#### Check Silk
+#### Check Kondukto
 
-Get credentials for Silk from the `drivers/libmongocrypt` vault in [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets).
+Get credentials for Kondukto from the `drivers/libmongocrypt` vault in [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets).
 
 Download the Augmented SBOM using:
 ```bash
 ./.evergreen/earthly.sh \
-   --secret silk_client_id=${silk_client_id} \
-   --secret silk_client_secret=${silk_client_secret} \
-   +sbom-download \
+   --secret kondukto_token=${kondukto_token} \
+   +sbom-augment \
    --out cyclonedx.augmented.sbom.json \
    --branch <branch>
 ```
@@ -86,9 +85,8 @@ Do the following when releasing:
    - Attach the Augmented SBOM file. Download the Augmented SBOM using:
      ```bash
      ./.evergreen/earthly.sh \
-        --secret silk_client_id=${silk_client_id} \
-        --secret silk_client_secret=${silk_client_secret} \
-        +sbom-download \
+        --secret kondukto_token=${kondukto_token} \
+        +sbom-augment \
         --out cyclonedx.augmented.sbom.json \
         --branch <branch>
      ```
@@ -99,14 +97,6 @@ Do the following when releasing:
 
 - If this is a new minor release (e.g. `x.y.0`):
    - File a DOCSP ticket to update the installation instructions on [Install libmongocrypt](https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/). ([Example](https://jira.mongodb.org/browse/DOCSP-36863))
-   - Create a new Silk asset group. Use the newly created release branch (e.g. `rx.y`) as the `--branch` argument:
-     ```bash
-     ./.evergreen/earthly.sh \
-        --secret silk_client_id=${silk_client_id} \
-        --secret silk_client_secret=${silk_client_secret} \
-        +silk-create-asset-group \
-        --branch <branch>
-     ```
    - Create a new Snyk reference target. The following instructions use the example branch `rx.y`:
 
      Run `cmake` to ensure generated source files are present:

ext/libmongocrypt/libmongocrypt/etc/silk-create-asset-group.sh

@@ -10,7 +10,7 @@ Not available. <!-- DRIVERS-2892: replace with link to public-facing document on
 
 ## Tool used to track third party vulnerabilities
 
-Silk and Snyk.
+Kondukto and Snyk.
 
 ## Third-Party Dependency Information
 

ext/libmongocrypt/libmongocrypt/etc/ssdlc_compliance_report.md

@@ -15,7 +15,7 @@ This section provides a template that may be used for actual vulnerability repor
 
 - **Date Detected:** YYYY-MM-DD
 - **Severity:** Low, Medium, High, or Critical
-- **Detector:** Silk or Snyk
+- **Detector:** Kondukto or Snyk
 - **Description:** A short vulnerability description.
 - **Dependency:** Name and version of the 3rd party dependency.
 - **Upstream Status:** False Positive, Won't Fix, Fix Pending, or Fix Available. This is the fix status for the 3rd party dependency, not libmongocrypt. "Fix Available" should include the version and/or date when the fix was released, e.g. "Fix Available (1.2.3, 1970-01-01)".