-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CLOUDP-245405: Generate SDLC checklist (#1539)
Signed-off-by: jose.vazquez <jose.vazquez@mongodb.com>
- Loading branch information
Showing
4 changed files
with
98 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
SSDLC Compliance Report: Atlas Kubernetes Operator Manager v${VERSION} | ||
================================================================= | ||
|
||
- Release Creators: ${AUTHORS} | ||
- Created On: ${DATE} | ||
|
||
Overview: | ||
|
||
- **Product and Release Name** | ||
|
||
- Atlas Kubernetes Operator v${VERSION}, ${DATE}. | ||
- Release Type: ${RELEASE_TYPE} | ||
|
||
- **Process Document** | ||
- http://go/how-we-develop-software-doc | ||
|
||
- **Tool used to track third party vulnerabilities** | ||
- Silk | ||
|
||
- **Dependency Information** | ||
- See SBOMS Lite manifests (CycloneDX in JSON format) for [Intel](./linux-amd64.sbom.json) or [ARM](./linux-arm64.sbom.json) | ||
|
||
- **Static Analysis Report** | ||
- No reports (filtered before release by CI tests)${IGNORED_VULNERABILITIES} | ||
|
||
- **Release Signature Report** | ||
- Image signatures enforced by CI pipeline. | ||
- See [Signature verification instructions here](../../dev/signed-images.md) | ||
- Self-verification shortcut: | ||
```shell | ||
make verify IMG=mongodb/mongodb-atlas-kubernetes-operator:${VERSION} SIGNATURE_REPO=mongodb/signatures | ||
``` | ||
|
||
- **Security Testing Report** | ||
- Available as needed from Cloud Security. | ||
|
||
- **Security Assessment Report** | ||
- Available as needed from Cloud Security. | ||
|
||
Assumptions and attestations: | ||
|
||
1. Internal processes are used to ensure CVEs are identified and mitigated within SLAs. | ||
|
||
2. The Dependency document does not specify third party OSS CVEs fixed by the release and the date we discovered them. | ||
|
||
3. There is no CycloneDX field for original/modified CVSS scor or discovery date. The `x-` prefix indicates this. | ||
|
||
3. Assumption: We can include the SBOMs as links to read-only files on S3. The links can be included as metadata or text file links in release artifacts e.g. as labels on OCI containers. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
#!/bin/bash | ||
|
||
set -eu | ||
|
||
release_date=${DATE:-$(date -u '+%Y-%m-%d')} | ||
release_type=${RELEASE_TYPE:-Minor} | ||
|
||
export DATE="${release_date}" | ||
export VERSION="${VERSION}" | ||
export AUTHORS="${AUTHORS}" | ||
export RELEASE_TYPE="${release_type}" | ||
|
||
ignored_list="" | ||
ignored_vulns=$(grep '^# ' vuln-ignore |grep '\S' | sed 's/^# / - /') | ||
if [ "${ignored_vulns}" != "" ];then | ||
printf -v ignored_list "\n - List of explicitly ignored vulnerabilities:\n%s" "${ignored_vulns}" | ||
else | ||
printf -v ignored_list "\n - No vulnerabilities were ignored for this release." | ||
fi | ||
export IGNORED_VULNERABILITIES="${ignored_list}" | ||
|
||
mkdir -p "docs/releases/v${VERSION}" | ||
img="mongodb/mongodb-atlas-kubernetes-operator:${VERSION}" | ||
IMG_SHAS=$(docker manifest inspect "${img}" | \ | ||
jq -rc '.manifests[] | select(.platform.os != "unknown" and .platform.architecture != "unknown") | .digest') | ||
for sha in ${IMG_SHAS};do | ||
docker pull "${img}@${sha}" | ||
os=$(docker inspect "${img}@${sha}" |jq -r '.[0].Os') | ||
arch=$(docker inspect "${img}@${sha}" |jq -r '.[0].Architecture') | ||
docker sbom --platform "${os}/${arch}" --format "cyclonedx-json" \ | ||
-o "docs/releases/v${VERSION}/${os}-${arch}.sbom.json" "${img}@${sha}" | ||
done | ||
|
||
envsubst < docs/releases/sdlc-compliance.template.md \ | ||
> "docs/releases/v${VERSION}/sdlc-compliance.md" | ||
|
||
echo "SDLC checklist ready:" | ||
ls -l "docs/releases/v${VERSION}" |