CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand (#3916)

Author: cveticm

.github/workflows/generate-augmented-sbom.yml

@@ -0,0 +1,100 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 1.42.2)"
+        required: true
+        type: string
+
+permissions:  
+  id-token: write  
+  contents: read  
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+
+    steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
+
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+            go-version-file: 'go.mod'
+
+      - name: Download Linux ARM64 binary
+        run: |
+          curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64.tar.gz" \
+            -o release.tar.gz
+
+      - name: Extract binary
+        run: |
+          tar -xzf release.tar.gz
+
+      - name: Generate PURLs from binary
+        run: |
+          go version -m ./mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64/bin/atlas | \
+            awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+            LC_ALL=C sort > purls.txt
+          cat purls.txt
+
+      - name: Generate SBOM with Silkbomb
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            "${SILKBOMB_IMG}" \
+            update \
+            --purls "/pwd/purls.txt" \
+            --sbom-out "/pwd/sbom_lite.json"
+          cat "sbom_lite.json"
+
+      - name: Get current date
+        id: date
+        run: |
+          echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
+
+      - name: Augment SBOM with Kondukto
+        run: |
+          docker run \
+            --pull=always \
+            --platform="linux/amd64" \
+            --rm \
+            -v "${PWD}:/pwd" \
+            -e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
+            "${SILKBOMB_IMG}" \
+            augment \
+            --sbom-in "/pwd/sbom_lite.json" \
+            --repo "${KONDUKTO_REPO}" \
+            --branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
+            --sbom-out "/pwd/linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json"
+
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./build/package/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
+            ssdlc-compliance-${{ inputs.release_version }}-${{ env.date }}.md
+          if-no-files-found: error

.github/workflows/update-ssdlc-report.yaml

@@ -38,6 +38,7 @@ jobs:
         env:
           AUTHOR: ${{ steps.extract.outputs.author }}
           VERSION: ${{ steps.extract.outputs.version }}
+          AUGMENTED_REPORT: "false"
         run: ./build/package/gen-ssdlc-report.sh
       - name: set Apix Bot token
         id: app-token

build/package/gen-ssdlc-report.sh

@@ -28,19 +28,33 @@ if [ -z "${VERSION:-}" ]; then
   VERSION=$(git tag --list 'atlascli/v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
 fi
 
+if [ "${AUGMENTED_REPORT}" = "true" ]; then
+  target_dir="."
+  file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+  SBOM_TEXT="  - See Augmented SBOM manifests (CycloneDX in JSON format):
+      - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+      - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+  target_dir="compliance/v${VERSION}"
+  file_name="ssdlc-compliance-${VERSION}.md"
+  SBOM_TEXT="  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json"
+  # Ensure AtlasCLI version directory exists
+  mkdir -p "${target_dir}"
+fi
+
 export AUTHOR
 export VERSION
+export SBOM_TEXT
 
 echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
 
-# Ensure AtlasCLI version directory exists
-mkdir -p "compliance/v${VERSION}"
-
 envsubst < docs/releases/ssdlc-compliance.template.md \
-  > "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+  > "${target_dir}/${file_name}"
 
-echo "SDLC checklist ready. Files in compliance/v${VERSION}/:"
-ls -l "compliance/v${VERSION}/"
+echo "SDLC checklist ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
 
 echo "Printing the generated report:"
-cat "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+cat "${target_dir}/${file_name}"

docs/releases/ssdlc-compliance.template.md

@@ -16,8 +16,7 @@ Overview:
   - [Kondukto](https://arcticglow.kondukto.io/)
 
 - **Dependency Information**
-  - See SBOM Lite manifests (CycloneDX in JSON format):
-    - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json
+${SBOM_TEXT}
 
 - **Security Testing Report**
   - Available as needed from Cloud Security.
@@ -27,4 +26,4 @@ Overview:
 
 Assumptions and attestations:
 
-- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.