chore: Generate augmented SBOM on demand (#3384)

oarbusi · Copilot · web-flow · commit a2606fc030c7 · 2025-06-11T10:41:20.000+02:00
* generate augmented SBOM on demand

* Update .github/workflows/generate-augmented-sbom.yml

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* remove unncessary step name

* unify into a script

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml
@@ -0,0 +1,67 @@
+name: Augment SBOM
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: "Release version (e.g. 1.35.1)"
+        required: true
+        type: string
+
+permissions:  
+  id-token: write  
+  contents: read  
+
+jobs:
+  augment-sbom:
+    runs-on: ubuntu-latest
+
+    env:
+      KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+      KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+      KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+        with:
+            go-version-file: 'go.mod'
+
+      - name: Generate PURLs from release artifacts
+        run: |
+          ./scripts/generate-purls-from-release.sh "${{ inputs.release_version }}"
+
+      - name: Generate SBOM with Silkbomb
+        run: |
+          make generate-sbom
+          cat "compliance/sbom.json"
+
+      - name: Get current date
+        id: date
+        run: |
+          echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
+
+      - name: Augment SBOM with Kondukto
+        env:
+          DATE: ${{ env.date }}
+          RELEASE_VERSION: ${{ inputs.release_version }}
+        run: |
+          make augment-sbom
+
+      - name: Generate SSDLC report
+        env:
+            AUTHOR: ${{ github.actor }}
+            VERSION: ${{ inputs.release_version }}
+            AUGMENTED_REPORT: "true"
+        run: ./scripts/gen-ssdlc-report.sh
+
+      - name: Upload augmented SBOM as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: augmented_sbom_and_ssdlc_report
+          path: |
+            compliance/augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
+            compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ env.date }}.md
+          if-no-files-found: error
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -175,7 +175,7 @@ jobs:
           KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
           KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
           KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
-      - name: Upload SBOM as release asset
+      - name: Upload SBOM as release artifact
         uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
         with:
           files: compliance/sbom.json
diff --git a/.gitignore b/.gitignore
@@ -10,6 +10,7 @@ bin
 __debug_*
 *~
 compliance/sbom.json
+compliance/augmented-sbom-v*.json
 
 #used for schema code generation but is not commited to avoid constant updates
 tools/codegen/open-api-spec.yml
diff --git a/Makefile b/Makefile
@@ -236,4 +236,8 @@ generate-sbom: ## Generate SBOM
 
 .PHONY: upload-sbom
 upload-sbom: ## Upload SBOM
-	./scripts/upload-sbom.sh
+	./scripts/upload-sbom.sh
+
+.PHONY: augment-sbom
+augment-sbom: ## Augment SBOM
+	./scripts/augment-sbom.sh
diff --git a/scripts/augment-sbom.sh b/scripts/augment-sbom.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}"
+DATE=$(date +'%Y-%m-%d')
+
+echo "Augmenting SBOM..."
+docker run \
+	--pull=always \
+	--platform="linux/amd64" \
+	--rm \
+	-v "${PWD}:/pwd" \
+	-e KONDUKTO_TOKEN \
+	"$SILKBOMB_IMG" \
+	augment \
+	--sbom-in "/pwd/compliance/sbom.json" \
+	--repo "$KONDUKTO_REPO" \
+	--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \
+	--sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json"
diff --git a/scripts/extract-purls.sh b/scripts/extract-purls.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 2 ]; then
+  echo "Usage: $0 <binary_path> <output_file>"
+  exit 1
+fi
+
+BINARY_PATH="$1"
+OUTPUT_FILE="$2"
+
+go version -m "$BINARY_PATH" | \
+  awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+  LC_ALL=C sort > "$OUTPUT_FILE" 
diff --git a/scripts/generate-purls-from-release.sh b/scripts/generate-purls-from-release.sh
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ "$#" -ne 1 ]; then
+  echo "Usage: $0 <release_version>"
+  exit 1
+fi
+
+RELEASE_VERSION="$1"
+OUT_DIR="compliance"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXTRACT_PURL_SCRIPT="${SCRIPT_DIR}/extract-purls.sh"
+
+if [ ! -x "$EXTRACT_PURL_SCRIPT" ]; then
+  echo "extract-purls.sh not found or not executable"
+  exit 1
+fi
+
+mkdir -p "$OUT_DIR"
+
+# Define platforms and temp files
+PLATFORMS=(
+  "linux_amd64"
+  "darwin_amd64"
+  "windows_amd64"
+)
+BIN_PATHS=()
+PURL_FILES=()
+
+for PLATFORM in "${PLATFORMS[@]}"; do
+  ZIP_FILE="release-${PLATFORM}.zip"
+  case "$PLATFORM" in
+    linux_amd64)
+      BIN_PATH="./terraform-provider-mongodbatlas_v${RELEASE_VERSION}"
+      ;;
+    darwin_amd64)
+      BIN_PATH="./terraform-provider-mongodbatlas_v${RELEASE_VERSION}"
+      ;;
+    windows_amd64)
+      BIN_PATH="./terraform-provider-mongodbatlas_v${RELEASE_VERSION}.exe"
+      ;;
+  esac
+  PURL_FILE="${OUT_DIR}/purls-${PLATFORM}.txt"
+  BIN_PATHS+=("$BIN_PATH")
+  PURL_FILES+=("$PURL_FILE")
+
+  # Download
+  curl -L "https://github.com/mongodb/terraform-provider-mongodbatlas/releases/download/v${RELEASE_VERSION}/terraform-provider-mongodbatlas_${RELEASE_VERSION}_${PLATFORM}.zip" \
+    -o "$ZIP_FILE"
+  # Extract
+  unzip -o "$ZIP_FILE"
+  # Extract PURLs
+  "$EXTRACT_PURL_SCRIPT" "$BIN_PATH" "$PURL_FILE"
+  # Clean up zip and extracted bin after use
+  rm -f "$ZIP_FILE"
+  rm -f "$BIN_PATH"
+done
+
+# Combine, sort, and deduplicate
+cat "${PURL_FILES[@]}" | LC_ALL=C sort | uniq > "${OUT_DIR}/purls.txt"
+cat "${OUT_DIR}/purls.txt"
+
+# Clean up temp purl files
+rm -f "${PURL_FILES[@]}" 
diff --git a/scripts/generate-purls.sh b/scripts/generate-purls.sh
@@ -2,6 +2,14 @@
 set -euo pipefail
 : "${LINKER_FLAGS:=}"
 
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+EXTRACT_PURL_SCRIPT="${SCRIPT_DIR}/extract-purls.sh"
+
+if [ ! -x "$EXTRACT_PURL_SCRIPT" ]; then
+  echo "extract-purls.sh not found or not executable"
+  exit 1
+fi
+
 echo "==> Generating purls"
 
 # Define output and temp files
@@ -16,15 +24,15 @@ PURL_ALL="${OUT_DIR}/purls.txt"
 
 # Build and extract for Linux
 GOOS=linux GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${LINUX_BIN}"
-go version -m "${LINUX_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_LINUX}"
+"$EXTRACT_PURL_SCRIPT" "${LINUX_BIN}" "${PURL_LINUX}"
 
 # Build and extract for Darwin
 GOOS=darwin GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${DARWIN_BIN}"
-go version -m "${DARWIN_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_DARWIN}"
+"$EXTRACT_PURL_SCRIPT" "${DARWIN_BIN}" "${PURL_DARWIN}"
 
 # Build and extract for Windows
 GOOS=windows GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${WIN_BIN}"
-go version -m "${WIN_BIN}" | awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | LC_ALL=C sort > "${PURL_WIN}"
+"$EXTRACT_PURL_SCRIPT" "${WIN_BIN}" "${PURL_WIN}"
 
 # Combine, sort, and deduplicate
 cat "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" | LC_ALL=C sort | uniq > "${PURL_ALL}"
