You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CONTRIBUTING.md
+19-1Lines changed: 19 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -205,11 +205,29 @@ Furthermore, after adding the necessary structure, ensure that applicable docume
205
205
- Run `make gen-docs`- This generates the documentation for the introduced command.
206
206
- Review the PR with the doc team.
207
207
208
-
### Third Party Dependencies
208
+
### Third Party Dependencies and Vulnerability Scanning
209
209
210
210
We scan our dependencies for vulnerabilities and incompatible licenses using [Snyk](https://snyk.io/).
211
211
To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI).
212
212
213
+
We also use Kundukto to scan for third-party dependency vulnerabilities. Kundukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found.
214
+
215
+
#### Dependency Tracking
216
+
Developers maintain the purls.txt file containing Package URLs for all third-party dependencies. This file must be kept current when dependencies change and is enforced via CI.
217
+
218
+
#### SBOM and Compliance
219
+
We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/<release-version> directory.
220
+
221
+
Augmented SBOMs can be generated on customer request for any released version. This can only be done by MongoDB employees as it requires access to our GitHub workflow.
222
+
223
+
#### Papertrail Integration
224
+
All releases are recorded using a MongoDB-internal application called Papertrail. This records various pieces of information about releases, including the date and time of the release, who triggered the release (by pushing to Evergreen), and a checksum of each release file.
225
+
226
+
This is done automatically as part of the release.
227
+
228
+
#### Release Artifact Signing
229
+
All releases are signed automatically as part of the release process.
230
+
213
231
## Maintainer's Guide
214
232
215
233
Reviewers, please ensure that the CLA has been signed by referring to [the contributors tool](https://contributors.corp.mongodb.com/) (internal link).
Copy file name to clipboardExpand all lines: RELEASING.md
+16-20Lines changed: 16 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,22 +33,34 @@ Our Docker image release for AtlasCLI is managed through the [docker-release.yml
33
33
34
34
### Release Steps
35
35
36
-
#### Step 1: Build and Stage
36
+
#### Step 1: SBOM Generation
37
+
38
+
An SBOM Lite is generated using the maintained purls.txt file and uploaded to Kundukto. The SBOM Lite is also included as an artifact in the public repository release.
39
+
40
+
#### Step 2: Build and Stage
37
41
38
42
The AtlasCLI Docker image is built from the ([Dockerfile](Dockerfile)) and tagged in three ways:
39
43
`latest`, `vX.Y.Z` (reflecting the latest release version, e.g., `v1.22.0`), and `vX.Y.Z-date`
40
44
(adding the current date, e.g., `v1.22.0-2024-01-01`).
41
45
This image is initially published to a staging registry to prepare for signature in the next step.
42
46
43
-
#### Step 2: Sign and Publish
47
+
#### Step 3: Sign and Publish
44
48
45
49
We retrieve the image from the staging registry and use its [OCI index](https://github.com/opencontainers/image-spec/blob/main/image-index.md) to identify the three
46
50
relevant digests. Each digest is signed using [cosign](https://github.com/sigstore/cosign), and the corresponding signature is stored
47
51
in the MongoDB cosign repository. The signed image is then pushed to the public repository.
48
52
49
-
#### Step 3: Verify Signature
53
+
#### Step 4: Verify Signature
54
+
55
+
The Docker image's signature is verified to confirm its authenticity.
56
+
57
+
#### Step 5: Trace Artifacts
50
58
51
-
The final step involves verifying the Docker image's signature to confirm its authenticity.
59
+
Papertrail runs to record detailed metadata about the release for improved traceability and accountability.
60
+
61
+
#### Step 6: Compliance Reporting
62
+
63
+
A GitHub workflow generates a compliance report after the release and opens a PR with the report.
52
64
53
65
## Manual Release (Deprecated)
54
66
@@ -71,19 +83,3 @@ This will do the following things:
71
83
3. The [evergreen](build/ci/release.yml) release task will run after a tag event from master.
72
84
4. If everything goes smoothly, the release will be published in the
73
85
[release page](https://github.com/mongodb/mongodb-atlas-cli/releases), and [download center](https://www.mongodb.com/try/download/atlascli).
74
-
75
-
## Generate the SBOM
76
-
77
-
The Software Bill of Materials (SBOM) is a description of the components that make up a software artifact.
78
-
79
-
### Atlas CLI Binary
80
-
We use `go version` to generate the SBOM for Atlas CLI binaries. You can generate the SBOM via the following command:
81
-
```bash
82
-
go version -m <path_to_atlasCLI_binary>
83
-
```
84
-
85
-
### Atlas CLI Docker image
86
-
We use `docker sbom` to generate the SBOM for the Atlas CLI docker image. You can generate the SBOM via the following command:
0 commit comments