@@ -28,7 +28,7 @@ buildvariants:
28
28
- spotless
29
29
30
30
- name : code-quality-and-correctness
31
- display_name : " Code Quality and Correctness "
31
+ display_name : " Code Quality and Security "
32
32
expansions :
33
33
_platform : ubuntu2204-64-jdk-8
34
34
run_on : [ ubuntu2204-small ]
@@ -119,18 +119,29 @@ tasks:
119
119
variant : " release"
120
120
- name : sbom
121
121
variant : code-quality-and-correctness
122
+ - name : semgrep
123
+ variant : code-quality-and-correctness
122
124
exec_timeout_secs : 300 # 5m
123
125
commands :
124
126
- func : " publish augmented SBOM"
127
+ - func : " publish static code analysis"
128
+ - func : " generate compliance report"
129
+ - func : " publish compliance report"
125
130
126
131
- name : ssdlc-artifacts-snapshot
127
132
run_on : ubuntu2204-small
133
+ allow_for_git_tag : false
128
134
depends_on :
129
135
- name : sbom
130
136
variant : code-quality-and-correctness
137
+ - name : semgrep
138
+ variant : code-quality-and-correctness
131
139
exec_timeout_secs : 300 # 5m
132
140
commands :
133
141
- func : " publish augmented SBOM"
142
+ - func : " publish static code analysis"
143
+ - func : " generate compliance report"
144
+ - func : " publish compliance report"
134
145
135
146
functions :
136
147
" push SBOM Lite to Silk " :
@@ -383,6 +394,9 @@ functions:
383
394
# set the state needed irrespective of _platform
384
395
ARTIFACTS_DIR=artifacts
385
396
S3_ARTIFACTS_DIR='mongo-jdbc-driver/artifacts/${version_id}/${build_variant}'
397
+ AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
398
+ COMPLIANCE_REPORT_NAME="mongodb-jdbc-compliance-report.md"
399
+ STATIC_CODE_ANALYSIS_NAME="mongo-jdbc-driver.sast.sarif"
386
400
387
401
# Get the version from trigger.
388
402
# Tag triggered runs are releases and the version is set in the tag.
@@ -411,7 +425,10 @@ functions:
411
425
export PROJECT_DIRECTORY="$(pwd)"
412
426
413
427
export SBOM_LITE_NAME="mongo-jdbc-driver.cdx.json"
414
- export AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
428
+ export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
429
+ export COMPLIANCE_REPORT_NAME=$COMPLIANCE_REPORT_NAME
430
+ export STATIC_CODE_ANALYSIS_NAME=$STATIC_CODE_ANALYSIS_NAME
431
+
415
432
export SSDLC_DIR="$ARTIFACTS_DIR/ssdlc"
416
433
mkdir -p $SSDLC_DIR
417
434
@@ -423,6 +440,8 @@ functions:
423
440
JAVA_HOME: "$JAVA_HOME"
424
441
SBOM_LITE_NAME: "$SBOM_LITE_NAME"
425
442
AUGMENTED_SBOM_NAME: "$AUGMENTED_SBOM_NAME"
443
+ STATIC_CODE_ANALYSIS_NAME: "$STATIC_CODE_ANALYSIS_NAME"
444
+ COMPLIANCE_REPORT_NAME: "$COMPLIANCE_REPORT_NAME"
426
445
SSDLC_DIR: "$SSDLC_DIR"
427
446
PREPARE_SHELL: |
428
447
export ADF_TEST_LOCAL_USER=${adf_test_local_user}
@@ -444,7 +463,8 @@ functions:
444
463
export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
445
464
export SSDLC_DIR="$SSDLC_DIR"
446
465
export SBOM_LITE="$ARTIFACTS_DIR/ssdlc/$SBOM_LITE_NAME"
447
-
466
+ export COMPLIANCE_REPORT_NAME="$COMPLIANCE_REPORT_NAME"
467
+ export STATIC_CODE_ANALYSIS_NAME="$STATIC_CODE_ANALYSIS_NAME"
448
468
EOT
449
469
450
470
- command : expansions.update
@@ -653,7 +673,6 @@ functions:
653
673
shell : bash
654
674
working_dir : mongo-jdbc-driver
655
675
script : |
656
- ${prepare_shell}
657
676
echo "Version = ${MDBJDBC_VER}"
658
677
sed -i "s@{RELEASE_VERSION}@${MDBJDBC_VER}@" mongo-jdbc-downloads_template.json
659
678
echo "-------------------------"
@@ -680,9 +699,8 @@ functions:
680
699
shell : bash
681
700
working_dir : mongo-jdbc-driver
682
701
script : |
683
- ${prepare_shell}
684
702
echo "Running static code analysis with Semgrep..."
685
-
703
+
686
704
venv='venv'
687
705
# Setup or use the existing virtualenv for semgrep
688
706
if [[ -f "$venv/bin/activate" ]]; then
@@ -700,10 +718,10 @@ functions:
700
718
# confirm
701
719
semgrep --version
702
720
set +e
703
- semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=mongo-jdbc-driver.sast.sarif > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
721
+ semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=${STATIC_CODE_ANALYSIS_NAME} > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
704
722
SCAN_RESULT=$?
705
723
set -e
706
-
724
+
707
725
# Exit with a failure if the scan found an issue
708
726
exit $SCAN_RESULT
709
727
- command : s3.put
@@ -717,3 +735,112 @@ functions:
717
735
content_type : application/json
718
736
bucket : evg-bucket-mongo-jdbc-driver
719
737
permissions : public-read
738
+
739
+ " publish static code analysis " :
740
+ - command : ec2.assume_role
741
+ params :
742
+ role_arn : ${assume_role_arn}
743
+ duration_seconds : 3600
744
+ - command : s3.get
745
+ params :
746
+ aws_key : ${AWS_ACCESS_KEY_ID}
747
+ aws_secret : ${AWS_SECRET_ACCESS_KEY}
748
+ aws_session_token : ${AWS_SESSION_TOKEN}
749
+ local_file : artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
750
+ remote_file : artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
751
+ content_type : application/json
752
+ bucket : evg-bucket-mongo-jdbc-driver
753
+ - command : s3.put
754
+ params :
755
+ aws_key : ${release_aws_key}
756
+ aws_secret : ${release_aws_secret}
757
+ local_file : artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
758
+ remote_file : mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
759
+ content_type : application/json
760
+ bucket : translators-connectors-releases
761
+ permissions : public-read
762
+ display_name : mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
763
+
764
+
765
+ " generate compliance report " :
766
+ - command : shell.exec
767
+ type : test
768
+ params :
769
+ shell : bash
770
+ working_dir : mongo-jdbc-driver
771
+ script : |
772
+ echo "Author = ${author}"
773
+ echo "Author email = ${author_email}"
774
+ echo "Version = ${MDBJDBC_VER}"
775
+ SBOM_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sbom.json"
776
+ SARIF_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif"
777
+ echo "Sbom url = $SBOM_URL"
778
+ echo "Sarif Url = $SARIF_URL"
779
+
780
+ echo "----- Generating ${COMPLIANCE_REPORT_NAME} -----"
781
+
782
+ # Copy template
783
+ cp resources/release/mongo_jdbc_compliance_report_template.md ${COMPLIANCE_REPORT_NAME}
784
+
785
+ # Update the version
786
+ echo "Update the version"
787
+ echo "sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}"
788
+ sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}
789
+
790
+ # Update the SBOM link
791
+ echo "Update the SBOM link"
792
+ echo "sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g"${COMPLIANCE_REPORT_NAME}"
793
+ sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g" ${COMPLIANCE_REPORT_NAME}
794
+
795
+ # Update the SARIF link
796
+ echo "Update the SARIF link"
797
+ echo "sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}"
798
+ sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}
799
+
800
+ # Update the author information
801
+ echo "Update the author name"
802
+ echo "sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}"
803
+ sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}
804
+
805
+ echo "update the author email"
806
+ echo "sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}"
807
+ sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}
808
+ echo "---------------------------"
809
+ - command : ec2.assume_role
810
+ params :
811
+ role_arn : ${assume_role_arn}
812
+ duration_seconds : 3600
813
+ - command : s3.put
814
+ params :
815
+ aws_key : ${AWS_ACCESS_KEY_ID}
816
+ aws_secret : ${AWS_SECRET_ACCESS_KEY}
817
+ aws_session_token : ${AWS_SESSION_TOKEN}
818
+ local_file : mongo-jdbc-driver/${COMPLIANCE_REPORT_NAME}
819
+ remote_file : artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
820
+ content_type : text/markdown
821
+ bucket : evg-bucket-mongo-jdbc-driver
822
+ permissions : public-read
823
+
824
+ " publish compliance report " :
825
+ - command : ec2.assume_role
826
+ params :
827
+ role_arn : ${assume_role_arn}
828
+ duration_seconds : 3600
829
+ - command : s3.get
830
+ params :
831
+ aws_key : ${AWS_ACCESS_KEY_ID}
832
+ aws_secret : ${AWS_SECRET_ACCESS_KEY}
833
+ aws_session_token : ${AWS_SESSION_TOKEN}
834
+ local_file : artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
835
+ remote_file : artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
836
+ content_type : text/markdown
837
+ bucket : evg-bucket-mongo-jdbc-driver
838
+ - command : s3.put
839
+ params :
840
+ aws_key : ${release_aws_key}
841
+ aws_secret : ${release_aws_secret}
842
+ local_file : artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
843
+ remote_file : mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
844
+ content_type : text/markdown
845
+ bucket : translators-connectors-releases
846
+ permissions : public-read
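Review bot: The "generate compliance report" script (new lines 772–808) never enables errexit and ends with `echo "---------------------------"`, so a failed `cp` of the template or a failed `sed` still exits 0 and the following s3.put uploads a missing or half-substituted report; the semgrep script earlier in this file shows the convention of `set -e` with a `set +e`/`set -e` bracket around the one command allowed to fail. Put `set -o errexit -o pipefail` on the first script line and guard the one expansion everything hinges on, `[[ -n "${COMPLIANCE_REPORT_NAME}" ]] || { echo "COMPLIANCE_REPORT_NAME expansion is empty" >&2; exit 1; }`, because Evergreen substitutes an unset expansion as an empty string before bash runs, so `set -u` would not catch it. The `echo "sed -i.bu "s,…,g" ${COMPLIANCE_REPORT_NAME}"` lines nest double quotes (and the `%SBOM_URL%` one lacks the space before the filename), so they print something other than the command that runs; `set -x` at the top, or simply dropping them, replaces all five. The substitutions use `,` as the sed delimiter and splice `${author}`, `${author_email}` and the URLs in verbatim, so a commit author written as `Last, First`, or any value containing `&`, would break or mis-expand the edit — inferred from the visible commands, since the expansion values come from Evergreen's commit metadata. The report embeds the author email and is uploaded `permissions: public-read` to evg-bucket-mongo-jdbc-driver (new line 822) even though the later s3.get of the same object runs under the assumed role; if public exposure of the intermediate copy is not intended, that line can go.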