diff --git a/etc/update-sbom.sh b/etc/update-sbom.sh index 08980c0..1853151 100755 --- a/etc/update-sbom.sh +++ b/etc/update-sbom.sh @@ -13,7 +13,7 @@ echo "pkg:github/mongodb/libmongocrypt@${LIBMONGOCRYPT_VERSION}" > $PURLS_FILE # Use silkbomb to update the sbom.json file docker run --platform="linux/amd64" -it --rm -v ${ROOT_DIR}:/pwd \ - artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \ + artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \ update --sbom-in /pwd/sbom.json --purls /pwd/purls.txt --sbom-out /pwd/sbom.json rm $PURLS_FILE diff --git a/ext/libmongocrypt/libmongocrypt/Earthfile b/ext/libmongocrypt/libmongocrypt/Earthfile index ff50742..5403638 100644 --- a/ext/libmongocrypt/libmongocrypt/Earthfile +++ b/ext/libmongocrypt/libmongocrypt/Earthfile @@ -461,7 +461,7 @@ sign: # # See https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/ for documentation of silkbomb. silkbomb: - FROM artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 + FROM artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 # Alias the silkbom executable to a simpler name: RUN ln -s /python/src/sbom/silkbomb/bin /usr/local/bin/silkbomb 
@@ -484,39 +484,24 @@ sbom-generate: # Save the result back to the host: SAVE ARTIFACT /s/cyclonedx.sbom.json AS LOCAL etc/cyclonedx.sbom.json -# sbom-download: -# Download the Augmented SBOM file from Silk. +# sbom-augment: +# Augment the SBOM file with vulnerability information from Kondukto. # # See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for instructions to get secrets from AWS Secrets Manager. Secrets are available under `drivers/libmongocrypt`. # -sbom-download: +sbom-augment: ARG --required out ARG --required branch FROM +silkbomb WORKDIR /s + COPY etc/cyclonedx.sbom.json /s/ # Download the Augmented SBOM file: - RUN --no-cache --secret silk_client_id --secret silk_client_secret \ - SILK_CLIENT_ID=${silk_client_id} \ - SILK_CLIENT_SECRET=${silk_client_secret} \ - silkbomb download \ + RUN --no-cache --secret kondukto_token KONDUKTO_TOKEN=${kondukto_token} \ + silkbomb augment \ + --sbom-in cyclonedx.sbom.json \ --sbom-out cyclonedx.augmented.sbom.json \ - --silk-asset-group libmongocrypt-${branch} + --repo mongodb/libmongocrypt-helper-ruby \ + --branch ${branch} # Save the result back to the host: SAVE ARTIFACT /s/cyclonedx.augmented.sbom.json AS LOCAL ${out} RUN echo "Augmented SBOM saved to ${out}" - -# silk-create-asset-group: -# Create an asset group for Silk. -# -# See https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets for instructions to get secrets from AWS Secrets Manager. Secrets are available under `drivers/libmongocrypt`. -# -silk-create-asset-group: - ARG --required branch - FROM +env.alpine - RUN __install curl jq - COPY etc/silk-create-asset-group.sh /s/silk-create-asset-group.sh - RUN --no-cache --secret silk_client_id --secret silk_client_secret \ - silk_client_id=${silk_client_id} \ - silk_client_secret=${silk_client_secret} \ - branch=${branch} \ - /s/silk-create-asset-group.sh 
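Review bot: The comment `# Download the Augmented SBOM file:` kept above the RUN in `sbom-augment` is now stale — the new command runs `silkbomb augment` against the `cyclonedx.sbom.json` copied in on the line before and downloads nothing; replace it with `# Augment the SBOM with Kondukto vulnerability data:`. The `--repo mongodb/libmongocrypt-helper-ruby` value is hard-coded while `branch` is a required ARG; since this Earthfile sits under `ext/libmongocrypt/libmongocrypt/`, it is presumably the vendored upstream file, so a comment stating which Kondukto project this name must match, or an `ARG repo=mongodb/libmongocrypt-helper-ruby` next to `ARG --required branch`, would make a wrong repository visible at the call site instead of silently producing an SBOM with no findings. Passing the token as an environment assignment on the RUN line (`KONDUKTO_TOKEN=${kondukto_token}`) keeps it out of argv, which is the right shape for a secret. The `sbom-generate` target whose last lines open the hunk begins outside it.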
diff --git a/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh b/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh index e0c9031..e42aa39 100755 --- a/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh +++ b/ext/libmongocrypt/libmongocrypt/bindings/python/update-sbom.sh @@ -10,5 +10,5 @@ else fi echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt -$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json +$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json rm purls.txt diff --git a/ext/libmongocrypt/libmongocrypt/doc/releasing.md b/ext/libmongocrypt/libmongocrypt/doc/releasing.md index ba8a3d4..9d7c8b9 100644 --- a/ext/libmongocrypt/libmongocrypt/doc/releasing.md +++ b/ext/libmongocrypt/libmongocrypt/doc/releasing.md 
@@ -9,7 +9,7 @@ Version numbers of libmongocrypt must follow the format 1.[0-9].[0-9] for releas ### Check for Vulnerabilities -Snyk and Silk are used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm). +Snyk and Kondukto are used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm). #### Check Snyk @@ -44,16 +44,15 @@ snyk monitor \ Check the updated reference targets in Snyk for detected vulnerabilities. -#### Check Silk +#### Check Kondukto -Get credentials for Silk from the `drivers/libmongocrypt` vault in [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets). +Get credentials for Kondukto from the `drivers/libmongocrypt` vault in [AWS Secrets Manager](https://wiki.corp.mongodb.com/display/DRIVERS/Using+AWS+Secrets+Manager+to+Store+Testing+Secrets). Download the Augmented SBOM using: ```bash ./.evergreen/earthly.sh \ - --secret silk_client_id=${silk_client_id} \ - --secret silk_client_secret=${silk_client_secret} \ - +sbom-download \ + --secret kondukto_token=${kondukto_token} \ + +sbom-augment \ --out cyclonedx.augmented.sbom.json \ --branch ``` 
@@ -86,9 +85,8 @@ Do the following when releasing: - Attach the Augmented SBOM file. Download the Augmented SBOM using: ```bash ./.evergreen/earthly.sh \ - --secret silk_client_id=${silk_client_id} \ - --secret silk_client_secret=${silk_client_secret} \ - +sbom-download \ + --secret kondukto_token=${kondukto_token} \ + +sbom-augment \ --out cyclonedx.augmented.sbom.json \ --branch ``` @@ -99,14 +97,6 @@ Do the following when releasing: - If this is a new minor release (e.g. `x.y.0`): - File a DOCSP ticket to update the installation instructions on [Install libmongocrypt](https://www.mongodb.com/docs/manual/core/csfle/reference/libmongocrypt/). ([Example](https://jira.mongodb.org/browse/DOCSP-36863)) - - Create a new Silk asset group. Use the newly created release branch (e.g. `rx.y`) as the `--branch` argument: - ```bash - ./.evergreen/earthly.sh \ - --secret silk_client_id=${silk_client_id} \ - --secret silk_client_secret=${silk_client_secret} \ - +silk-create-asset-group \ - --branch - ``` - Create a new Snyk reference target. The following instructions use the example branch `rx.y`: Run `cmake` to ensure generated source files are present: diff --git a/ext/libmongocrypt/libmongocrypt/etc/silk-create-asset-group.sh b/ext/libmongocrypt/libmongocrypt/etc/silk-create-asset-group.sh deleted file mode 100755 index 9581662..0000000 --- a/ext/libmongocrypt/libmongocrypt/etc/silk-create-asset-group.sh +++ /dev/null @@ -1,70 +0,0 @@ -#!/usr/bin/env bash - -set -o errexit -set -o pipefail -set -o nounset - -# Check for required commands: -if ! command -v jq > /dev/null 2>&1; then - echo "jq not found. Install jq" - exit 1 -fi - -if ! command -v curl > /dev/null 2>&1; then - echo "curl not found. Install curl" - exit 1 -fi - -# Check for required environment variables: -: "${silk_client_id:?}" -: "${silk_client_secret:?}" -: "${branch:?}" - -# Get Silk token: -json_payload=$(cat <