RUST-1925 SSDLC compliance for libmongocrypt Rust binding (#29)

Author: abr-egn

.evergreen/check-semgrep.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -o errexit
+
+source ./.evergreen/configure-rust.sh
+
+. ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
+PYTHON=$(find_python3)
+
+if [[ -f "semgrep/bin/activate" ]]; then
+    echo 'using existing virtualenv'
+    . semgrep/bin/activate
+else
+    echo 'Creating new virtualenv'  
+    ${PYTHON} -m venv semgrep
+    echo 'Activating new virtualenv'
+    . semgrep/bin/activate
+    python3 -m pip install semgrep
+fi
+
+OPTS="--config p/rust --exclude-rule rust.lang.security.unsafe-usage.unsafe-usage"
+
+# Generate a SARIF report
+semgrep ${OPTS} --sarif > mongo-rust-libmongocrypt.json.sarif
+# And human-readable output
+semgrep ${OPTS} --error

.evergreen/config.yml

@@ -31,6 +31,7 @@ pre:
       export PROJECT_DIRECTORY="$(pwd)"
       export MONGOCRYPT_LIB_DIR="$PROJECT_DIRECTORY/native/${libmongocrypt_os}/lib"
       export LD_LIBRARY_PATH="$MONGOCRYPT_LIB_DIR:$LD_LIBRARY_PATH"
+      export DRIVERS_TOOLS="$(pwd)/../drivers-tools"
 
       cat <<EOT > expansion.yml
       PREPARE_SHELL: |
@@ -39,6 +40,7 @@ pre:
         export PROJECT_DIRECTORY="$PROJECT_DIRECTORY"
         export MONGOCRYPT_LIB_DIR="$MONGOCRYPT_LIB_DIR"
         export LD_LIBRARY_PATH="$LD_LIBRARY_PATH"
+        export DRIVERS_TOOLS="$DRIVERS_TOOLS"
       EOT
       cat expansion.yml
 - command: expansions.update
@@ -109,6 +111,16 @@ tasks:
         ${PREPARE_SHELL}
         .evergreen/run-valgrind.sh
 
+- name: "semgrep"
+  commands:
+    - command: shell.exec
+      type: test
+      params:
+        working_dir: "src"
+        script: |
+          ${PREPARE_SHELL}
+          .evergreen/check-semgrep.sh
+
 buildvariants:
 - name: ubuntu
   display_name: "Ubuntu 18.04"
@@ -119,6 +131,7 @@ buildvariants:
   - name: ".compile"
   - name: ".test"
   - name: "valgrind"
+  - name: "semgrep"
 - name: macos
   display_name: "MacOS 10.14"
   run_on: macos-1014

.evergreen/install-dependencies.sh

@@ -33,4 +33,14 @@ tar xzf libmongocrypt-all.tar.gz
 
 if [ "Windows_NT" == "$OS" ]; then
     chmod +x ${MONGOCRYPT_LIB_DIR}/../bin/*.dll
-fi
+fi
+
+## drivers-tools
+
+if [[ -z "$DRIVERS_TOOLS" ]]; then
+    echo >&2 "\$DRIVERS_TOOLS must be set"
+    exit 1
+fi
+
+rm -rf $DRIVERS_TOOLS
+git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS

.evergreen/sign-release.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -o errexit
+set +x
+
+if [[ -z "$CRATE" ]]; then
+    echo >&2 "CRATE is required"
+    exit 1
+fi
+if [[ -z "$ARTIFACTORY_PASSWORD" ]]; then
+    echo >&2 "ARTIFACTORY_PASSWORD is required"
+    exit 1
+fi
+if [[ -z "$ARTIFACTORY_USERNAME" ]]; then
+    echo >&2 "ARTIFACTORY_USERNAME is required"
+    exit 1
+fi
+if [[ -z "$GARASIGN_USERNAME" ]]; then
+    echo >&2 "GARASIGN_USERNAME is required"
+    exit 1
+fi
+if [[ -z "$GARASIGN_PASSWORD" ]]; then
+    echo >&2 "GARASIGN_PASSWORD is required"
+    exit 1
+fi
+
+CRATE_VERSION=$(cargo metadata --format-version=1 --no-deps | jq --raw-output '.packages[0].version')
+
+echo "${ARTIFACTORY_PASSWORD}" | docker login --password-stdin --username ${ARTIFACTORY_USERNAME} artifactory.corp.mongodb.com
+
+echo "GRS_CONFIG_USER1_USERNAME=${GARASIGN_USERNAME}" >> "signing-envfile"
+echo "GRS_CONFIG_USER1_PASSWORD=${GARASIGN_PASSWORD}" >> "signing-envfile"
+
+docker run \
+  --env-file=signing-envfile \
+  --rm \
+  -v $(pwd):$(pwd) \
+  -w $(pwd) \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
+  /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${CRATE}-${CRATE_VERSION}.sig --detach-sign target/package/${CRATE}-${CRATE_VERSION}.crate"
+
+rm signing-envfile

.gitignore

@@ -0,0 +1,4 @@
+semgrep
+mongo-rust-libmongocrypt.json.sarif
+.rustup
+.cargo

RELEASING.md

@@ -9,6 +9,10 @@ New versions of both the `mongocrypt-sys` and `mongocrypt` crates can be release
 
         VERSION=<version to be published> \
         TOKEN=<crates.io auth token> \
+        ARTIFACTORY_USERNAME=<artifactory username> \
+        ARTIFACTORY_PASSWORD=<artifactory password> \
+        GARASIGN_USERNAME=<garasign username> \
+        GARASIGN_PASSWORD=<garasign password> \
         CRATE=<mongocrypt | mongocrypt-sys> \
         ./publish.sh
 

mongocrypt-sys/sbom.json

@@ -0,0 +1,10 @@
+{
+    "serialNumber": "urn:uuid:8eec5dde-14e8-49de-bb5d-a7a9613098f5",
+    "version": 1,
+    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.5",
+    "metadata": {
+        "timestamp": "2024-05-01T15:43:13Z"
+    }
+}

mongocrypt/sbom.json

@@ -0,0 +1,10 @@
+{
+    "serialNumber": "urn:uuid:ac436a86-72bd-487e-89ba-7e0f224d8026",
+    "version": 1,
+    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.5",
+    "metadata": {
+        "timestamp": "2024-05-01T15:43:13Z"
+    }
+}

publish.sh

@@ -24,5 +24,6 @@ git checkout $CRATE-$VERSION
 
 cd $CRATE
 cargo publish --token $TOKEN "$@"
+$(dirname $0).evergreen/sign-release.sh
 
 git checkout main