CLOUDP-245405: Generate SDLC checklist (#1539)

Signed-off-by: jose.vazquez <jose.vazquez@mongodb.com>

Makefile

@@ -481,3 +481,8 @@ govulncheck:
 .PHONY: vulncheck
 vulncheck: ## Run govulncheck to find vulnerabilities in code
 	@./scripts/vulncheck.sh ./vuln-ignore
+
+.PHONY: gen-sdlc-checklist
+gen-sdlc-checklist: ## Generate the SDLC checklist
+	@VERSION="$(VERSION)" AUTHORS="$(AUTHORS)" RELEASE_TYPE="$(RELEASE_TYPE)" \
+	./scripts/gen-sdlc-checklist.sh

docs/dev/release.md

@@ -155,30 +155,22 @@ After the PR is approved it will soon appear in the [Atlas Operator openshift cl
 
 # SSDLC checklist publishing
 
-For the time being, preparing the SSDLC checklist for each release is a manual process. Use this [past PR as a starting point](https://github.com/mongodb/mongodb-atlas-kubernetes/pull/1524).
-
-Copy the closest [sdlc-compliance.md](../releases/v2.2.1/sdlc-compliance.md) file and:
-- Update the **version** references to the one being released.
-- Update dates and release creators of the current release.
-
-Update the image signature instructions to match the current version.
-
-Generate the `linux-amd64.sbom.json` and `linux-arm64.sbom.json` SBOM files and place them in the same directory as the compliance doc `docs/releases/vX.Y.Z`:
+You can create the draft for the SSDLC checklist just by running:
 
 ```shell
-docker sbom --platform "linux/${arch}" -o "docs/releases/v${version}/linux-${arch}.sbom.json" --format "cyclonedx-json" "$image"
+$ DATE= VERSION="${version}" AUTHORS="${release_authors}" RELEASE_TYPE= make gen-sdlc-checklist
 ```
 
-Where:
-- `${arch}` is the architecture to generate, either `amd64` or `arm64`.
-- `${version}` is the current version released in `X.Y.Z` format, without the **v** prefix.
-- `${image}` is the image reference released, usually something like `mongodb/mongodb-atlas-kubernetes-operator:${version}`.
+- You can leave `DATE` unset so the script may use today's date.
+- `RELEASE_TYPE` is also optional defaulting to `Minor` releases, set to `Major`when appropriate.
 
-Create a PR with the following new files included in the `releases/vX.Y.Z` directory:
+The script generates the directory `docs/releases/v${VERSION}/` with files:
 - `linux-amd64.sbom.json`
 - `linux-arm64.sbom.json`
 - `sdlc-compliance.md`
 
+Add those files to `git`, and create a PR to review the changes to close the release.
+
 # Post install hook release
 
 If changes have been made to the post install hook (mongodb-atlas-kubernetes/cmd/post-install/main.go).

docs/releases/sdlc-compliance.template.md

@@ -0,0 +1,48 @@
+SSDLC Compliance Report: Atlas Kubernetes Operator Manager v${VERSION}
+=================================================================
+
+- Release Creators: ${AUTHORS}
+- Created On:       ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+
+    - Atlas Kubernetes Operator v${VERSION}, ${DATE}.
+    - Release Type: ${RELEASE_TYPE}
+
+- **Process Document**
+  - http://go/how-we-develop-software-doc
+
+- **Tool used to track third party vulnerabilities**
+  - Silk
+
+- **Dependency Information**
+  - See SBOMS Lite manifests (CycloneDX in JSON format) for [Intel](./linux-amd64.sbom.json) or [ARM](./linux-arm64.sbom.json)
+
+- **Static Analysis Report**
+  - No reports (filtered before release by CI tests)${IGNORED_VULNERABILITIES}
+
+- **Release Signature Report**
+  - Image signatures enforced by CI pipeline.
+  - See [Signature verification instructions here](../../dev/signed-images.md)
+  - Self-verification shortcut:
+    ```shell
+    make verify IMG=mongodb/mongodb-atlas-kubernetes-operator:${VERSION} SIGNATURE_REPO=mongodb/signatures
+    ```
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+1. Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
+
+2. The Dependency document does not specify third party OSS CVEs fixed by the release and the date we discovered them.
+
+3. There is no CycloneDX field for original/modified CVSS scor or discovery date. The `x-` prefix indicates this.
+
+3. Assumption: We can include the SBOMs as links to read-only files on S3. The links can be included as metadata or text file links in release artifacts e.g. as labels on OCI containers.

scripts/gen-sdlc-checklist.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -eu
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+release_type=${RELEASE_TYPE:-Minor}
+
+export DATE="${release_date}"
+export VERSION="${VERSION}"
+export AUTHORS="${AUTHORS}"
+export RELEASE_TYPE="${release_type}"
+
+ignored_list=""
+ignored_vulns=$(grep '^# ' vuln-ignore |grep '\S' | sed 's/^# /    - /')
+if [ "${ignored_vulns}" != "" ];then
+  printf -v ignored_list "\n  - List of explicitly ignored vulnerabilities:\n%s" "${ignored_vulns}"
+else
+  printf -v ignored_list "\n  - No vulnerabilities were ignored for this release."
+fi
+export IGNORED_VULNERABILITIES="${ignored_list}"
+
+mkdir -p "docs/releases/v${VERSION}"
+img="mongodb/mongodb-atlas-kubernetes-operator:${VERSION}"
+IMG_SHAS=$(docker manifest inspect "${img}" | \
+  jq -rc '.manifests[] | select(.platform.os != "unknown" and .platform.architecture != "unknown") | .digest')
+for sha in ${IMG_SHAS};do
+  docker pull "${img}@${sha}"
+  os=$(docker inspect "${img}@${sha}" |jq -r '.[0].Os')
+  arch=$(docker inspect "${img}@${sha}" |jq -r '.[0].Architecture')
+  docker sbom --platform "${os}/${arch}" --format "cyclonedx-json" \
+    -o "docs/releases/v${VERSION}/${os}-${arch}.sbom.json" "${img}@${sha}"
+done
+
+envsubst < docs/releases/sdlc-compliance.template.md \
+  > "docs/releases/v${VERSION}/sdlc-compliance.md"
+
+echo "SDLC checklist ready:"
+ls -l "docs/releases/v${VERSION}"