From ab3a9402b788cc4042b6e22f2d00f863c906403d Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Tue, 11 Jun 2024 19:09:47 +0200
Subject: [PATCH 1/3] fix(ci): switch to augmented SBOM integration with Silk MONGOSH-1773
---
 .evergreen.yml | 4 ++++
 .../download-crypt-shared-and-generate-sbom.sh | 18 ++++++++++++++++--
 .evergreen/evergreen.yml.in | 4 ++++
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/.evergreen.yml b/.evergreen.yml
index 3a8a73fe24..fd904add83 100644
--- a/.evergreen.yml
+++ b/.evergreen.yml
@@ -7552,6 +7552,10 @@ functions:
 # for static analysis report generation
 GITHUB_TOKEN: ${github_token}
 GITHUB_PR_NUMBER: ${github_pr_number}
+ # for Silk SBOM integration
+ SILK_ASSET_GROUP: mongosh-${executable_os_id}
+ SILK_CLIENT_ID: ${silk_client_id}
+ SILK_CLIENT_SECRET: ${silk_client_secret}
 package_artifact:
 - command: expansions.write
 type: setup
diff --git a/.evergreen/download-crypt-shared-and-generate-sbom.sh b/.evergreen/download-crypt-shared-and-generate-sbom.sh
index c4512aea59..fe311b84fa 100755
--- a/.evergreen/download-crypt-shared-and-generate-sbom.sh
+++ b/.evergreen/download-crypt-shared-and-generate-sbom.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
 set -x
+
 npm run evergreen-release download-crypt-shared-library
 ls -lhA dist
@@ -9,12 +10,25 @@ echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> di
 cat dist/.purls.txt
 set +x
-docker login artifactory.corp.mongodb.com --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
+echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin
+cat << EOF > silkbomb.env
+SILK_CLIENT_ID=${SILK_CLIENT_ID}
+SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
+EOF
 set -x
+trap_handler() {
+ rm -f silkbomb.env
+}
+trap trap_handler ERR EXIT
+
 docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
 docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
- --purls /pwd/dist/.purls.txt --sbom_out /pwd/dist/.sbom.json
+ --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
+docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
+ --env-file silkbomb.env --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
+docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
+ --env-file silkbomb.env --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json
 npm run create-static-analysis-report
 (cd .sbom && tar czvf ../static-analysis-report.tgz codeql.md codeql.sarif.json)
diff --git a/.evergreen/evergreen.yml.in b/.evergreen/evergreen.yml.in
index 9e17b89c76..1ca34f2e60 100644
--- a/.evergreen/evergreen.yml.in
+++ b/.evergreen/evergreen.yml.in
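Review bot: `silkbomb.env` is written with whatever umask the task runs under, so on a shared CI host the Silk client secret is typically readable by other local users until `trap_handler` removes it, and the trap is only installed after the file already exists. Creating the file with restricted permissions first, e.g. `install -m 600 /dev/null silkbomb.env` immediately before the `cat << EOF` line (the redirection then truncates in place and keeps the mode), and moving the `trap_handler` definition and `trap trap_handler ERR EXIT` above the heredoc closes both gaps; the EXIT trap also does not run if the task is hard-killed, so the restrictive mode matters even with cleanup in place. Since `${PWD}` is bind-mounted, the file is additionally visible inside the container as `/pwd/silkbomb.env`, which seems intended given the values are passed via `--env-file` anyway, but a one-line comment stating that the file is transient and must never be written under `dist/` would document the assumption. The `set +x`/`set -x` bracketing around the heredoc correctly keeps the secret values out of the trace output.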
@@ -524,6 +524,10 @@ functions:
 # for static analysis report generation
 GITHUB_TOKEN: ${github_token}
 GITHUB_PR_NUMBER: ${github_pr_number}
+ # for Silk SBOM integration
+ SILK_ASSET_GROUP: mongosh-${executable_os_id}
+ SILK_CLIENT_ID: ${silk_client_id}
+ SILK_CLIENT_SECRET: ${silk_client_secret}
 package_artifact:
 - command: expansions.write
 type: setup
From d4351eedf19149e25dfc225cd19d2069d33d94fc Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Tue, 11 Jun 2024 19:46:43 +0200
Subject: [PATCH 2/3] fixup: pass `--env-file` at right place in command line
---
 .evergreen/download-crypt-shared-and-generate-sbom.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.evergreen/download-crypt-shared-and-generate-sbom.sh b/.evergreen/download-crypt-shared-and-generate-sbom.sh
index fe311b84fa..597e2fc0f5 100755
--- a/.evergreen/download-crypt-shared-and-generate-sbom.sh
+++ b/.evergreen/download-crypt-shared-and-generate-sbom.sh
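Review bot: `SILK_CLIENT_ID` and `SILK_CLIENT_SECRET` are fed from the `${silk_client_id}`/`${silk_client_secret}` expansions into the task environment, and nothing in this hunk shows whether those expansions are registered as private/redacted in the Evergreen project settings; if they are not, they can surface in expansion dumps and task logs, so that should be confirmed. A short comment naming the expectation would help the next reader, e.g. `# silk_client_id / silk_client_secret must be private project expansions (redacted from logs)`. The identical hunk in `.evergreen.yml` carries the same point and is presumably the generated counterpart of this template rather than a hand-edited copy. The enclosing `functions:` entry starts outside the hunk.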
@@ -25,10 +25,10 @@ trap trap_handler ERR EXIT
 docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
 docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
 --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
-docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
- --env-file silkbomb.env --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
-docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
- --env-file silkbomb.env --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json
+docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
+ --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
+docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
+ --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json
 npm run create-static-analysis-report
 (cd .sbom && tar czvf ../static-analysis-report.tgz codeql.md codeql.sarif.json)
From 9170d3c749aed318dcc9d538c8ac79942521620a Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Thu, 13 Jun 2024 19:20:03 +0200
Subject: [PATCH 3/3] fixup: undo invalid merge conflict resolution
---
 .evergreen.yml | 10 ++++++++++
 .evergreen/evergreen.yml.in | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/.evergreen.yml b/.evergreen.yml
index eeff58bbc4..ba33d8d1c0 100644
--- a/.evergreen.yml
+++ b/.evergreen.yml
@@ -7646,6 +7646,16 @@ functions:
 FIRST_PARTY_DEPENDENCY_FILENAMES: .sbom/mongosh-darwin-x64-first-party-deps.json,.sbom/mongosh-darwin-arm64-first-party-deps.json,.sbom/mongosh-linux-x64-first-party-deps.json,.sbom/mongosh-linux-x64-openssl11-first-party-deps.json,.sbom/mongosh-linux-x64-openssl3-first-party-deps.json,.sbom/mongosh-linux-arm64-first-party-deps.json,.sbom/mongosh-linux-arm64-openssl11-first-party-deps.json,.sbom/mongosh-linux-arm64-openssl3-first-party-deps.json,.sbom/mongosh-linux-ppc64le-first-party-deps.json,.sbom/mongosh-linux-s390x-first-party-deps.json,.sbom/mongosh-win32-first-party-deps.json
 GITHUB_TOKEN: ${github_token}
 GITHUB_PR_NUMBER: ${github_pr_number}
+ - command: s3.put
+ params:
+ aws_key: ${aws_key}
+ aws_secret: ${aws_secret}
+ local_file: src/static-analysis-report.tgz
+ remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-static-analysis-report.tgz
+ bucket: mciuploads
+ permissions: private
+ visibility: signed
+ content_type: application/x-gzip
 package_artifact:
 - command: expansions.write
 type: setup
diff --git a/.evergreen/evergreen.yml.in b/.evergreen/evergreen.yml.in
index 9fea661c0a..2c57bc545a 100644
--- a/.evergreen/evergreen.yml.in
+++ b/.evergreen/evergreen.yml.in
@@ -554,6 +554,16 @@ functions:
 FIRST_PARTY_DEPENDENCY_FILENAMES: <% out(firstPartyDepsFilenames.map(f => `.sbom/${f}`).join(',')) %>
 GITHUB_TOKEN: ${github_token}
 GITHUB_PR_NUMBER: ${github_pr_number}
+ - command: s3.put
+ params:
+ aws_key: ${aws_key}
+ aws_secret: ${aws_secret}
+ local_file: src/static-analysis-report.tgz
+ remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-static-analysis-report.tgz
+ bucket: mciuploads
+ permissions: private
+ visibility: signed
+ content_type: application/x-gzip
 package_artifact:
 - command: expansions.write
 type: setup
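Review bot: `content_type: application/x-gzip` on the restored `s3.put` step uses the legacy media type; `application/gzip` is the registered type for a `.tgz` and is what most downstream tooling expects, so `content_type: application/gzip` would be the cleaner choice both here and in the identical hunk for `.evergreen/evergreen.yml.in` (the template this generated file presumably comes from). `local_file: src/static-analysis-report.tgz` depends on the script's `(cd .sbom && tar czvf ../static-analysis-report.tgz …)` producing the archive in `src/`, which in turn depends on the working directory the function runs in and is not visible in this patch; a comment on the step such as `# produced by download-crypt-shared-and-generate-sbom.sh in the src/ checkout` would make that coupling explicit. Keeping `permissions: private` together with `visibility: signed` is the right default for a SARIF report, since it describes potential weaknesses in the shipped code. The enclosing `functions:` entry starts outside both hunks.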