CSHARP-5053: Generate ssdlc_compliance_report.md

evergreen/evergreen.yml

@@ -237,6 +237,32 @@ functions:
       params:
         file: mo-expansion.yml
 
+  generate-ssdlc-report:
+    - command: shell.exec
+      params:
+        working_dir: "mongo-csharp-driver"
+        env:
+          PRODUCT_NAME: "mongo-csharp-driver"
+          github_commit: ${github_commit}
+        script: |
+          ${PREPARE_SHELL}
+          ./evergreen/generate-ssdlc-report.sh
+    - command: ec2.assume_role
+      params:
+        role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
+    - command: s3.put
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: ./mongo-csharp-driver/artifacts/ssdlc/ssdlc_compliance_report.md
+        remote_file: mongo-csharp-driver/${PACKAGE_VERSION}/ssdlc_compliance_report.md
+        bucket: csharp-driver-release-assets
+        region: us-west-2
+        permissions: private
+        content_type: text/markdown
+        display_name: ssdlc_compliance_report.md
+
   ocsp-bootstrap-mongo-orchestration:
     - command: shell.exec
       params:
@@ -864,7 +890,7 @@ functions:
       params:
         key_id: ${papertrail_key_id}
         secret_key: ${papertrail_secret_key}
-        product: ${PRODUCT_NAME}
+        product: "mongo-csharp-driver"
         version: ${PACKAGE_VERSION}
         filenames:
           - "mongo-csharp-driver/artifacts/nuget/MongoDB.Bson.${PACKAGE_VERSION}.nupkg"
@@ -1800,9 +1826,6 @@ tasks:
           vars:
             PACKAGES_SOURCE: "https://api.nuget.org/v3/index.json"
             PACKAGES_SOURCE_KEY: ${nuget_api_key}
-        - func: trace-artifacts
-          vars:
-            PRODUCT_NAME: "mongo-csharp-driver"
 
     - name: push-packages-myget
       commands:
@@ -1819,6 +1842,12 @@ tasks:
         - func: build-apidocs
         - func: upload-apidocs
 
+    - name: generate-ssdlc-reports
+      commands:
+        - func: download-packages
+        - func: trace-artifacts
+        - func: generate-ssdlc-report
+
     - name: validate-apidocs
       commands:
         - func: install-dotnet
@@ -2663,3 +2692,15 @@ buildvariants:
         - name: build-packages
           variant: ".build-packages"
         ## add dependency onto packages smoke test once it implemented
+
+- matrix_name: ssdlc-reports
+  matrix_spec:
+    os: "ubuntu-2004"
+  display_name: "SSDLC Reports"
+  tags: ["release-tag"]
+  tasks:
+    - name: generate-ssdlc-reports
+      git_tag_only: true
+      depends_on:
+      - name: push-packages-nuget
+        variant: ".push-packages"

evergreen/generate-ssdlc-report.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -o errexit # Exit the script with error if any of the commands fail
+
+# Environment variables used as input:
+# PRODUCT_NAME
+# PACKAGE_VERSION
+# github_commit
+
+echo "$PRODUCT_NAME"
+echo "$PACKAGE_VERSION"
+echo "$github_commit"
+
+echo "Creating SSDLC reports"
+
+declare -r SSDLC_PATH="./artifacts/ssdlc"
+mkdir -p "${SSDLC_PATH}"
+
+echo "Creating SSDLC compliance report"
+declare -r TEMPLATE_SSDLC_REPORT_PATH="./evergreen/template_ssdlc_compliance_report.md"
+declare -r SSDLC_REPORT_PATH="${SSDLC_PATH}/ssdlc_compliance_report.md"
+cp "${TEMPLATE_SSDLC_REPORT_PATH}" "${SSDLC_REPORT_PATH}"
+
+declare -a SED_EDIT_IN_PLACE_OPTION
+if [[ "$OSTYPE" == "darwin"* ]]; then
+  SED_EDIT_IN_PLACE_OPTION=(-i '')
+else
+  SED_EDIT_IN_PLACE_OPTION=(-i)
+fi
+sed "${SED_EDIT_IN_PLACE_OPTION[@]}" \
+    -e "s/\${PRODUCT_NAME}/${PRODUCT_NAME}/g" \
+    -e "s/\${PACKAGE_VERSION}/$PACKAGE_VERSION/g" \
+    -e "s/\${github_commit}/$github_commit/g" \
+    -e "s/\${REPORT_DATE_UTC}/$(date -u +%Y-%m-%d)/g" \
+    "${SSDLC_REPORT_PATH}"
+ls "${SSDLC_REPORT_PATH}"

evergreen/template_ssdlc_compliance_report.md

@@ -0,0 +1,59 @@
+# ${PRODUCT_NAME} SSDLC compliance report
+
+This report is available
+<a href=https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/ssdlc_compliance_report.md>here</a>.
+
+<table>
+  <tr>
+    <th>Product name</th>
+    <td><a href="https://github.com/mongodb/mongo-csharp-driver">${PRODUCT_NAME}</a></td>
+  </tr>
+  <tr>
+    <th>Product version</th>
+    <td>${PACKAGE_VERSION}</td>
+  </tr>
+  <tr>
+    <th>Report date, UTC</th>
+    <td>${REPORT_DATE_UTC}</td>
+  </tr>
+</table>
+
+## Release creator
+
+This information is available in multiple ways:
+
+<table>
+  <tr>
+    <th>Evergreen</th>
+    <td>
+        See the "Submitted by" field in <a href="https://spruce.mongodb.com/version/dot_net_driver_v${PACKAGE_VERSION}_${github_commit}">Evergreen release patch</a>.
+    </td>
+  </tr>
+   <tr>
+    <th>Papertrail</th>
+    <td>
+        Refer to data in Papertrail. There is currently no official way to serve that data.
+    </td>
+  </tr>
+</table>
+
+## Process document
+
+Blocked on <https://jira.mongodb.org/browse/CSHARP-5047>.
+
+The MongoDB SSDLC policy is available at
+<https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc>.
+
+## Third-darty dependency information
+
+There are no dependencies to report vulnerabilities of.
+Our [SBOM](https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/docs/CYCLONEDX/) lite
+is <https://github.com/mongodb/mongo-csharp-driver/blob/v${PACKAGE_VERSION}/sbom.json>.
+
+## Static analysis findings
+
+Coverity static analysis report is available <a href="https://coverity.corp.mongodb.com/login">here</a>, under mongodb-csharp-driver project.
+
+## Signature information
+
+Blocked on <https://jira.mongodb.org/browse/CSHARP-3050>.