Skip to content

Commit 7671fd2

Browse files
nbagnardnbagnard
authored
SQL-2108: Add compliance report generation and publication (#272)
* Add compliance report generation and publication * Address review feedback * Revert variant name change
1 parent 66a7cea commit 7671fd2

File tree

2 files changed

+158
-8
lines changed

2 files changed

+158
-8
lines changed

.evg.yml

Lines changed: 135 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ buildvariants:
2828
- spotless
2929

3030
- name: code-quality-and-correctness
31-
display_name: "Code Quality and Correctness"
31+
display_name: "Code Quality and Security"
3232
expansions:
3333
_platform: ubuntu2204-64-jdk-8
3434
run_on: [ ubuntu2204-small ]
@@ -119,18 +119,29 @@ tasks:
119119
variant: "release"
120120
- name: sbom
121121
variant: code-quality-and-correctness
122+
- name: semgrep
123+
variant: code-quality-and-correctness
122124
exec_timeout_secs: 300 # 5m
123125
commands:
124126
- func: "publish augmented SBOM"
127+
- func: "publish static code analysis"
128+
- func: "generate compliance report"
129+
- func: "publish compliance report"
125130

126131
- name: ssdlc-artifacts-snapshot
127132
run_on: ubuntu2204-small
133+
allow_for_git_tag: false
128134
depends_on:
129135
- name: sbom
130136
variant: code-quality-and-correctness
137+
- name: semgrep
138+
variant: code-quality-and-correctness
131139
exec_timeout_secs: 300 # 5m
132140
commands:
133141
- func: "publish augmented SBOM"
142+
- func: "publish static code analysis"
143+
- func: "generate compliance report"
144+
- func: "publish compliance report"
134145

135146
functions:
136147
"push SBOM Lite to Silk":
@@ -383,6 +394,9 @@ functions:
383394
# set the state needed irrespective of _platform
384395
ARTIFACTS_DIR=artifacts
385396
S3_ARTIFACTS_DIR='mongo-jdbc-driver/artifacts/${version_id}/${build_variant}'
397+
AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
398+
COMPLIANCE_REPORT_NAME="mongodb-jdbc-compliance-report.md"
399+
STATIC_CODE_ANALYSIS_NAME="mongo-jdbc-driver.sast.sarif"
386400
387401
# Get the version from trigger.
388402
# Tag triggered runs are releases and the version is set in the tag.
@@ -411,7 +425,10 @@ functions:
411425
export PROJECT_DIRECTORY="$(pwd)"
412426
413427
export SBOM_LITE_NAME="mongo-jdbc-driver.cdx.json"
414-
export AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
428+
export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
429+
export COMPLIANCE_REPORT_NAME=$COMPLIANCE_REPORT_NAME
430+
export STATIC_CODE_ANALYSIS_NAME=$STATIC_CODE_ANALYSIS_NAME
431+
415432
export SSDLC_DIR="$ARTIFACTS_DIR/ssdlc"
416433
mkdir -p $SSDLC_DIR
417434
@@ -423,6 +440,8 @@ functions:
423440
JAVA_HOME: "$JAVA_HOME"
424441
SBOM_LITE_NAME: "$SBOM_LITE_NAME"
425442
AUGMENTED_SBOM_NAME: "$AUGMENTED_SBOM_NAME"
443+
STATIC_CODE_ANALYSIS_NAME: "$STATIC_CODE_ANALYSIS_NAME"
444+
COMPLIANCE_REPORT_NAME: "$COMPLIANCE_REPORT_NAME"
426445
SSDLC_DIR: "$SSDLC_DIR"
427446
PREPARE_SHELL: |
428447
export ADF_TEST_LOCAL_USER=${adf_test_local_user}
@@ -444,7 +463,8 @@ functions:
444463
export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
445464
export SSDLC_DIR="$SSDLC_DIR"
446465
export SBOM_LITE="$ARTIFACTS_DIR/ssdlc/$SBOM_LITE_NAME"
447-
466+
export COMPLIANCE_REPORT_NAME="$COMPLIANCE_REPORT_NAME"
467+
export STATIC_CODE_ANALYSIS_NAME="$STATIC_CODE_ANALYSIS_NAME"
448468
EOT
449469
450470
- command: expansions.update
@@ -653,7 +673,6 @@ functions:
653673
shell: bash
654674
working_dir: mongo-jdbc-driver
655675
script: |
656-
${prepare_shell}
657676
echo "Version = ${MDBJDBC_VER}"
658677
sed -i "s@{RELEASE_VERSION}@${MDBJDBC_VER}@" mongo-jdbc-downloads_template.json
659678
echo "-------------------------"
@@ -680,9 +699,8 @@ functions:
680699
shell: bash
681700
working_dir: mongo-jdbc-driver
682701
script: |
683-
${prepare_shell}
684702
echo "Running static code analysis with Semgrep..."
685-
703+
686704
venv='venv'
687705
# Setup or use the existing virtualenv for semgrep
688706
if [[ -f "$venv/bin/activate" ]]; then
@@ -700,10 +718,10 @@ functions:
700718
# confirm
701719
semgrep --version
702720
set +e
703-
semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=mongo-jdbc-driver.sast.sarif > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
721+
semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=${STATIC_CODE_ANALYSIS_NAME} > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
704722
SCAN_RESULT=$?
705723
set -e
706-
724+
707725
# Exit with a failure if the scan found an issue
708726
exit $SCAN_RESULT
709727
- command: s3.put
@@ -717,3 +735,112 @@ functions:
717735
content_type: application/json
718736
bucket: evg-bucket-mongo-jdbc-driver
719737
permissions: public-read
738+
739+
"publish static code analysis":
740+
- command: ec2.assume_role
741+
params:
742+
role_arn: ${assume_role_arn}
743+
duration_seconds: 3600
744+
- command: s3.get
745+
params:
746+
aws_key: ${AWS_ACCESS_KEY_ID}
747+
aws_secret: ${AWS_SECRET_ACCESS_KEY}
748+
aws_session_token: ${AWS_SESSION_TOKEN}
749+
local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
750+
remote_file: artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
751+
content_type: application/json
752+
bucket: evg-bucket-mongo-jdbc-driver
753+
- command: s3.put
754+
params:
755+
aws_key: ${release_aws_key}
756+
aws_secret: ${release_aws_secret}
757+
local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
758+
remote_file: mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
759+
content_type: application/json
760+
bucket: translators-connectors-releases
761+
permissions: public-read
762+
display_name: mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
763+
764+
765+
"generate compliance report":
766+
- command: shell.exec
767+
type: test
768+
params:
769+
shell: bash
770+
working_dir: mongo-jdbc-driver
771+
script: |
772+
echo "Author = ${author}"
773+
echo "Author email = ${author_email}"
774+
echo "Version = ${MDBJDBC_VER}"
775+
SBOM_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sbom.json"
776+
SARIF_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif"
777+
echo "Sbom url = $SBOM_URL"
778+
echo "Sarif Url = $SARIF_URL"
779+
780+
echo "----- Generating ${COMPLIANCE_REPORT_NAME} -----"
781+
782+
# Copy template
783+
cp resources/release/mongo_jdbc_compliance_report_template.md ${COMPLIANCE_REPORT_NAME}
784+
785+
# Update the version
786+
echo "Update the version"
787+
echo "sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}"
788+
sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}
789+
790+
# Update the SBOM link
791+
echo "Update the SBOM link"
792+
echo "sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g"${COMPLIANCE_REPORT_NAME}"
793+
sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g" ${COMPLIANCE_REPORT_NAME}
794+
795+
# Update the SARIF link
796+
echo "Update the SARIF link"
797+
echo "sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}"
798+
sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}
799+
800+
# Update the author information
801+
echo "Update the author name"
802+
echo "sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}"
803+
sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}
804+
805+
echo "update the author email"
806+
echo "sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}"
807+
sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}
808+
echo "---------------------------"
809+
- command: ec2.assume_role
810+
params:
811+
role_arn: ${assume_role_arn}
812+
duration_seconds: 3600
813+
- command: s3.put
814+
params:
815+
aws_key: ${AWS_ACCESS_KEY_ID}
816+
aws_secret: ${AWS_SECRET_ACCESS_KEY}
817+
aws_session_token: ${AWS_SESSION_TOKEN}
818+
local_file: mongo-jdbc-driver/${COMPLIANCE_REPORT_NAME}
819+
remote_file: artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
820+
content_type: text/markdown
821+
bucket: evg-bucket-mongo-jdbc-driver
822+
permissions: public-read
823+
824+
"publish compliance report":
825+
- command: ec2.assume_role
826+
params:
827+
role_arn: ${assume_role_arn}
828+
duration_seconds: 3600
829+
- command: s3.get
830+
params:
831+
aws_key: ${AWS_ACCESS_KEY_ID}
832+
aws_secret: ${AWS_SECRET_ACCESS_KEY}
833+
aws_session_token: ${AWS_SESSION_TOKEN}
834+
local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
835+
remote_file: artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
836+
content_type: text/markdown
837+
bucket: evg-bucket-mongo-jdbc-driver
838+
- command: s3.put
839+
params:
840+
aws_key: ${release_aws_key}
841+
aws_secret: ${release_aws_secret}
842+
local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
843+
remote_file: mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
844+
content_type: text/markdown
845+
bucket: translators-connectors-releases
846+
permissions: public-read

resources/release/mongo_jdbc_compliance_report_template.md

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
2+
# Mongo JDBC Driver SSDLC Compliance Report - %VERSION%
3+
4+
**Release Creator**
5+
%AUTHOR% - %AUTHOR_EMAIL%
6+
7+
**Process Document**
8+
https://www.mongodb.com/resources/products/capabilities/supply-chain-security-in-mongodb-s-software-development-lifecycle
9+
10+
**Tool used to track third party vulnerabilities**
11+
Silk Security
12+
13+
**Third-Party Dependency Information**
14+
See SBOM at URL: %SBOM_URL%
15+
16+
**Static Analysis Findings**
17+
See report at URL: %SARIF_URL%
18+
19+
**Signature Information**
20+
Product is signed with signatures available which can be verified by following the instructions from our [README](https://github.com/mongodb/mongo-jdbc-driver#).
21+
22+
**Known Vulnerabilities**
23+
Any vulnerabilities that may be shown in the links referenced above have been reviewed and accepted by the appropriate reviewers.

0 commit comments

Comments
 (0)