CSHARP-5048: Integrate with silk and get SBOM document for releases (#…

…1340)

evergreen/download-augmented-sbom.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# Environment variables used as input:
+# SILK_CLIENT_ID
+# SILK_CLIENT_SECRET
+
+declare -r SSDLC_PATH="./artifacts/ssdlc"
+mkdir -p "${SSDLC_PATH}"
+
+echo "Downloading augmented sbom from silk"
+
+docker run --platform="linux/amd64" --rm -v ${PWD}:/pwd \
+  -e SILK_CLIENT_ID \
+  -e SILK_CLIENT_SECRET \
+  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \
+  download --silk-asset-group mongodb-dotnet-csharp-driver --sbom-out /pwd/${SSDLC_PATH}/augmented-sbom.json

evergreen/evergreen.yml

@@ -254,6 +254,29 @@ functions:
       params:
         file: mo-expansion.yml
 
+  download-and-promote-augmented-sbom-to-s3-bucket:
+    - command: shell.exec
+      params:
+        working_dir: "mongo-csharp-driver"
+        include_expansions_in_env:
+          - "SILK_CLIENT_ID"
+          - "SILK_CLIENT_SECRET"
+        script: |
+          ${PREPARE_SHELL}
+          ./evergreen/download-augmented-sbom.sh
+    - command: s3.put
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: ./mongo-csharp-driver/artifacts/ssdlc/augmented-sbom.json
+        remote_file: mongo-csharp-driver/${PACKAGE_VERSION}/augmented-sbom.json
+        bucket: csharp-driver-release-assets
+        region: us-west-2
+        permissions: private
+        content_type: application/json
+        display_name: augmented-sbom.json
+
   generate-ssdlc-report:
     - command: shell.exec
       params:
@@ -264,9 +287,6 @@ functions:
         script: |
           ${PREPARE_SHELL}
           ./evergreen/generate-ssdlc-report.sh
-    - command: ec2.assume_role
-      params:
-        role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
     - command: s3.put
       params:
         aws_key: ${AWS_ACCESS_KEY_ID}
@@ -1898,8 +1918,12 @@ tasks:
 
     - name: generate-ssdlc-reports
       commands:
+        - command: ec2.assume_role
+          params:
+            role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
         - func: download-packages
         - func: trace-artifacts
+        - func: download-and-promote-augmented-sbom-to-s3-bucket
         - func: generate-ssdlc-report
 
     - name: validate-apidocs

evergreen/template_ssdlc_compliance_report.md

@@ -1,7 +1,7 @@
 # ${PRODUCT_NAME} SSDLC compliance report
 
 This report is available
-<a href=https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/ssdlc_compliance_report.md>here</a>.
+<a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/ssdlc_compliance_report.md">here</a>.
 
 <table>
   <tr>
@@ -46,13 +46,11 @@ The MongoDB SSDLC policy is available at
 
 ## Third-darty dependency information
 
-There are no dependencies to report vulnerabilities of.
-Our [SBOM](https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/docs/CYCLONEDX/) lite
-is <https://github.com/mongodb/mongo-csharp-driver/blob/v${PACKAGE_VERSION}/sbom.json>.
+Our third party report is available <a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/augmented-sbom.json">here</a>.
 
 ## Static analysis findings
 
-Coverity static analysis report is available <a href="https://coverity.corp.mongodb.com/login">here</a>, under mongodb-csharp-driver project.
+Coverity static analysis report is available <a href="https://us-west-2.console.aws.amazon.com/s3/object/csharp-driver-release-assets?region=us-west-2&bucketType=general&prefix=${PRODUCT_NAME}/${PACKAGE_VERSION}/static_code_analysis.csv">here</a>.
 
 ## Signature information