diff --git a/Makefile b/Makefile
index 0b35e21b31..fbcd1a9bae 100644
--- a/Makefile
+++ b/Makefile
@@ -481,3 +481,8 @@ govulncheck:
 .PHONY: vulncheck
 vulncheck: ## Run govulncheck to find vulnerabilities in code
 @./scripts/vulncheck.sh ./vuln-ignore
+
+.PHONY: gen-sdlc-checklist
+gen-sdlc-checklist: ## Generate the SDLC checklist
+ @VERSION="$(VERSION)" AUTHORS="$(AUTHORS)" RELEASE_TYPE="$(RELEASE_TYPE)" \
+ ./scripts/gen-sdlc-checklist.sh
diff --git a/docs/dev/release.md b/docs/dev/release.md
index 293cfd7fad..0b47c8be52 100644
--- a/docs/dev/release.md
+++ b/docs/dev/release.md
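Review bot: The recipe's `VERSION="$(VERSION)" AUTHORS="$(AUTHORS)"` turns an undefined make variable into an exported empty string, which the script's `set -eu` accepts as "set", so `make gen-sdlc-checklist` without a version goes on to create `docs/releases/v/` and render a report for an empty version instead of failing. Guard the required inputs as the first recipe lines, e.g. `@[ -n "$(VERSION)" ] || { echo "VERSION is required" >&2; exit 1; }` and the same line for `AUTHORS`. docs/dev/release.md passes these values as environment variables; if the Makefile defines `VERSION` with `=` or `:=` elsewhere (not visible in this hunk), that definition takes precedence over the environment and only `make VERSION=...` on the command line would take effect, which is worth confirming before the docs are relied on.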
@@ -155,30 +155,22 @@ After the PR is approved it will soon appear in the [Atlas Operator openshift cl # SSDLC checklist publishing -For the time being, preparing the SSDLC checklist for each release is a manual process. Use this [past PR as a starting point](https://github.com/mongodb/mongodb-atlas-kubernetes/pull/1524). - -Copy the closest [sdlc-compliance.md](../releases/v2.2.1/sdlc-compliance.md) file and: -- Update the **version** references to the one being released. -- Update dates and release creators of the current release. - -Update the image signature instructions to match the current version. - -Generate the `linux-amd64.sbom.json` and `linux-arm64.sbom.json` SBOM files and place them in the same directory as the compliance doc `docs/releases/vX.Y.Z`: +You can create the draft for the SSDLC checklist just by running: ```shell -docker sbom --platform "linux/${arch}" -o "docs/releases/v${version}/linux-${arch}.sbom.json" --format "cyclonedx-json" "$image" +$ DATE= VERSION="${version}" AUTHORS="${release_authors}" RELEASE_TYPE= make gen-sdlc-checklist ``` -Where: -- `${arch}` is the architecture to generate, either `amd64` or `arm64`. -- `${version}` is the current version released in `X.Y.Z` format, without the **v** prefix. -- `${image}` is the image reference released, usually something like `mongodb/mongodb-atlas-kubernetes-operator:${version}`. +- You can leave `DATE` unset so the script may use today's date. +- `RELEASE_TYPE` is also optional defaulting to `Minor` releases, set to `Major`when appropriate. -Create a PR with the following new files included in the `releases/vX.Y.Z` directory: +The script generates the directory `docs/releases/v${VERSION}/` with files: - `linux-amd64.sbom.json` - `linux-arm64.sbom.json` - `sdlc-compliance.md` +Add those files to `git`, and create a PR to review the changes to close the release. 
+ # Post install hook release If changes have been made to the post install hook (mongodb-atlas-kubernetes/cmd/post-install/main.go). diff --git a/docs/releases/sdlc-compliance.template.md b/docs/releases/sdlc-compliance.template.md new file mode 100644 index 0000000000..4ec0e0f84f --- /dev/null +++ b/docs/releases/sdlc-compliance.template.md 
@@ -0,0 +1,48 @@
+SSDLC Compliance Report: Atlas Kubernetes Operator Manager v${VERSION}
+=================================================================
+
+- Release Creators: ${AUTHORS}
+- Created On: ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+
+ - Atlas Kubernetes Operator v${VERSION}, ${DATE}.
+ - Release Type: ${RELEASE_TYPE}
+
+- **Process Document**
+ - http://go/how-we-develop-software-doc
+
+- **Tool used to track third party vulnerabilities**
+ - Silk
+
+- **Dependency Information**
+ - See SBOMS Lite manifests (CycloneDX in JSON format) for [Intel](./linux-amd64.sbom.json) or [ARM](./linux-arm64.sbom.json)
+
+- **Static Analysis Report**
+ - No reports (filtered before release by CI tests)${IGNORED_VULNERABILITIES}
+
+- **Release Signature Report**
+ - Image signatures enforced by CI pipeline.
+ - See [Signature verification instructions here](../../dev/signed-images.md)
+ - Self-verification shortcut:
+ ```shell
+ make verify IMG=mongodb/mongodb-atlas-kubernetes-operator:${VERSION} SIGNATURE_REPO=mongodb/signatures
+ ```
+
+- **Security Testing Report**
+ - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+ - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+1. Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
+
+2. The Dependency document does not specify third party OSS CVEs fixed by the release and the date we discovered them.
+
+3. There is no CycloneDX field for original/modified CVSS scor or discovery date. The `x-` prefix indicates this.
+
+3. Assumption: We can include the SBOMs as links to read-only files on S3. The links can be included as metadata or text file links in release artifacts e.g. as labels on OCI containers.
\ No newline at end of file
diff --git a/scripts/gen-sdlc-checklist.sh b/scripts/gen-sdlc-checklist.sh
new file mode 100755
index 0000000000..ca9162b48a
--- /dev/null
+++ b/scripts/gen-sdlc-checklist.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -eu
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+release_type=${RELEASE_TYPE:-Minor}
+
+export DATE="${release_date}"
+export VERSION="${VERSION}"
+export AUTHORS="${AUTHORS}"
+export RELEASE_TYPE="${release_type}"
+
+ignored_list=""
+ignored_vulns=$(grep '^# ' vuln-ignore |grep '\S' | sed 's/^# / - /')
+if [ "${ignored_vulns}" != "" ];then
+ printf -v ignored_list "\n - List of explicitly ignored vulnerabilities:\n%s" "${ignored_vulns}"
+else
+ printf -v ignored_list "\n - No vulnerabilities were ignored for this release."
+fi
+export IGNORED_VULNERABILITIES="${ignored_list}"
+
+mkdir -p "docs/releases/v${VERSION}"
+img="mongodb/mongodb-atlas-kubernetes-operator:${VERSION}"
+IMG_SHAS=$(docker manifest inspect "${img}" | \
+ jq -rc '.manifests[] | select(.platform.os != "unknown" and .platform.architecture != "unknown") | .digest')
+for sha in ${IMG_SHAS};do
+ docker pull "${img}@${sha}"
+ os=$(docker inspect "${img}@${sha}" |jq -r '.[0].Os')
+ arch=$(docker inspect "${img}@${sha}" |jq -r '.[0].Architecture')
+ docker sbom --platform "${os}/${arch}" --format "cyclonedx-json" \
+ -o "docs/releases/v${VERSION}/${os}-${arch}.sbom.json" "${img}@${sha}"
+done
+
+envsubst < docs/releases/sdlc-compliance.template.md \
+ > "docs/releases/v${VERSION}/sdlc-compliance.md"
+
+echo "SDLC checklist ready:"
+ls -l "docs/releases/v${VERSION}"
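Review bot: With `set -eu` but no `pipefail`, `IMG_SHAS=$(docker manifest inspect "${img}" | jq ...)` takes jq's exit status, so a failed manifest lookup (unknown tag, missing registry login) leaves `IMG_SHAS` empty, the `for sha` loop runs zero times, and the script still exits 0 after writing `sdlc-compliance.md` with no SBOM files beside it, i.e. a compliance report that silently lacks its dependency evidence. Switch to `set -euo pipefail` and reject an empty digest list right after the assignment, e.g. `[ -n "${IMG_SHAS}" ] || { echo "no platform manifests found for ${img}" >&2; exit 1; }`; with pipefail the `ignored_vulns` pipeline then needs `|| true` at its end because `grep` exits 1 when `vuln-ignore` has no `# ` lines (note that this also masks a missing file, so a prior `[ -f vuln-ignore ]` check is the stricter option). Smaller style points: `${IMG_SHAS}` in the `for` header relies on unquoted word-splitting (`mapfile -t` over the jq output is the idiomatic form), `docker inspect` runs twice per digest where one `jq -r '.[0].Os + "/" + .[0].Architecture'` would do, and the trailing `echo` could be `printf '%s\n'`. A top-of-file comment naming the required `VERSION`/`AUTHORS` inputs, the optional `DATE`/`RELEASE_TYPE`, and the expectation that the script runs from the repository root (it reads `vuln-ignore` and `docs/releases/...` relatively) would also help, since the only hint today is the make target that calls it.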