@@ -177,6 +177,24 @@ functions:
177
177
${prepare_shell}
178
178
cargo fmt --all -- --check
179
179
180
+ " check unused dependencies " :
181
+ - command : shell.exec
182
+ type : test
183
+ params :
184
+ shell : bash
185
+ working_dir : mongosql-odbc-driver
186
+ script : |
187
+ ${prepare_shell}
188
+ cargo install cargo-machete
189
+ set +e
190
+ cargo machete
191
+ RETURN=$?
192
+ set -e
193
+ if [ $RETURN -ne 0 ]; then
194
+ >&2 echo "Unused dependencies found"
195
+ >&2 cargo machete
196
+ fi
197
+
180
198
" generate SBOM " :
181
199
- command : shell.exec
182
200
type : test
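Review bot: The `if [ $RETURN -ne 0 ]` branch in the new " check unused dependencies " script reports the finding but never exits non-zero itself; the `type: test` step only fails because `set -e` (restored on the line above, and presumably enabled by `${prepare_shell}`, which is outside the hunk) aborts on the second `cargo machete` run inside the branch, so the scan is run twice and the outcome depends on the rerun returning the same status. Replace the rerun with an explicit exit, `>&2 echo "Unused dependencies found"; exit "$RETURN"`, so the step fails deterministically; this still assumes cargo-machete returns non-zero when unused dependencies exist, which is worth confirming against the installed version. `cargo install cargo-machete` fetches whatever version crates.io serves at run time, so a new release can silently change what CI executes; pin it with `cargo install --locked --version <PINNED_VERSION> cargo-machete` to keep the check reproducible.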
@@ -253,7 +271,7 @@ functions:
253
271
chmod +x ./$SBOM_DIR/jq
254
272
echo "------------------------------------"
255
273
echo "<<<< Done installing SBOM tools"
256
-
274
+
257
275
echo ">>>> Generate SBOM..."
258
276
echo "-- Generating SBOMs with the licenses information --"
259
277
cargo cyclonedx --target all -v -f json
@@ -270,18 +288,18 @@ functions:
270
288
echo "------------------------------------"
271
289
272
290
echo "-- Merging the SBOMs with the licenses information and the SBOM with the vulnerabilities information in $SBOM_FINAL --"
273
-
291
+
274
292
temp_output="temp_output.json"
275
293
if [[ -f "$temp_output" ]] ; then
276
294
rm "$temp_output"
277
295
fi
278
296
touch $temp_output
279
-
297
+
280
298
while IFS= read -r line
281
299
do
282
300
if [[ "$line" == *"purl"* ]]; then
283
301
bash_purl=$(echo $line | cut -d '"' -f4)
284
- command=$(echo "./$SBOM_DIR/jq '.components[] | select(.purl == \"$bash_purl\").licenses' $SBOM_LICENSES")
302
+ command=$(echo "./$SBOM_DIR/jq '.components[] | select(.purl == \"$bash_purl\").licenses' $SBOM_LICENSES | ./$SBOM_DIR/jq -s 'flatten(1)' ")
285
303
# Add the license information back in the augmented SBOM.
286
304
licenseInfo=$(eval " $command")
287
305
if [[ -z "$licenseInfo" ]]; then
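Review bot: The rewritten `command=` line still interpolates `$bash_purl`, a value cut straight out of the lines of `$SBOM_VULN`, into a shell string that the `licenseInfo=$(eval " $command")` line a few lines below executes, so a quote or shell metacharacter inside a purl changes the shell command rather than the jq filter; the pipe added here does not change that. Pass the value as a jq variable and drop the eval, e.g. `licenseInfo=$(./$SBOM_DIR/jq --arg purl "$bash_purl" '.components[] | select(.purl == $purl).licenses' "$SBOM_LICENSES" | ./$SBOM_DIR/jq -s 'flatten(1)')`, which keeps the new `flatten(1)` merge and also quotes `$SBOM_LICENSES`. If the composed command is still logged elsewhere in the loop, keep a separate echo of the literal filter for that. The `while` loop body continues past the end of the hunk.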
@@ -294,12 +312,12 @@ functions:
294
312
295
313
done < $SBOM_VULN
296
314
echo "------------------------------------"
297
-
315
+
298
316
echo "-- Adding the name of the team responsible for each dependency as required by Silk and format the json file --"
299
317
echo "./$SBOM_DIR/jq '.components[].properties += [{\"name\": \"internal:team_responsible\", \"value\": \"Atlas SQL\"}]' $temp_output > $SBOM_FINAL"
300
318
./$SBOM_DIR/jq '.components[].properties += [{"name": "internal:team_responsible", "value": "Atlas SQL"}]' $temp_output > $SBOM_FINAL
301
319
echo "------------------------------------"
302
-
320
+
303
321
echo "-- Adding VEX info for vulnerabilities still present in SBOM--"
304
322
IFS=','; for vuln_id in $ALLOW_VULNS; do
305
323
echo "-- Updating SBOM with VEX info for vulnerability with id $vuln_id--"
@@ -329,7 +347,7 @@ functions:
329
347
working_dir : mongosql-odbc-driver
330
348
script : |
331
349
${prepare_shell}
332
-
350
+
333
351
echo ">>>> Scan SBOM for vulnerabilities..."
334
352
if [[ "$ALLOW_VULNS" != "" ]]; then
335
353
echo "Vulnerability ids to ignore : $ALLOW_VULNS"
@@ -345,12 +363,12 @@ functions:
345
363
done
346
364
echo "------------------------------------"
347
365
fi
348
-
366
+
349
367
echo "-- Scanning dependency for vulnerabilities --"
350
368
./$SBOM_DIR/grype sbom:$SBOM_LICENSES --fail-on low
351
369
echo "---------------------------------------------"
352
370
echo "<<<< Done scanning SBOM"
353
-
371
+
354
372
" generate compliance report " :
355
373
- command : shell.exec
356
374
params :
@@ -424,9 +442,9 @@ functions:
424
442
SILK_CLIENT_ID=${SILK_CLIENT_ID}
425
443
SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
426
444
EOF
427
-
445
+
428
446
echo "SBOM_FINAL = $SBOM_FINAL"
429
-
447
+
430
448
echo "-- Uploading initial SBOM Lite to Silk --"
431
449
docker run -i --platform="linux/amd64" --rm -v "$PWD":/pwd \
432
450
--env-file silkbomb.env \
@@ -447,7 +465,7 @@ functions:
447
465
SILK_CLIENT_ID=${SILK_CLIENT_ID}
448
466
SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
449
467
EOF
450
-
468
+
451
469
echo "-- Downloading augmented SBOM --"
452
470
docker run -i --platform="linux/amd64" --rm -v "$PWD":/pwd \
453
471
--env-file silkbomb.env \
@@ -463,7 +481,6 @@ functions:
463
481
content_type : application/json
464
482
bucket : mciuploads
465
483
permissions : public-read
466
-
467
484
468
485
" publish augmented SBOM " :
469
486
- command : s3.get
@@ -534,7 +551,7 @@ functions:
534
551
-v $(pwd):$(pwd) -w $(pwd) \
535
552
${garasign_jsign_image} \
536
553
/bin/bash -c "jsign -a mongo-authenticode-2021 --replace --tsaurl http://timestamp.digicert.com -d SHA-256 ${MSI_FILENAME}"
537
-
554
+
538
555
# Generating checksums
539
556
if [ -e $msi_filename ]; then
540
557
shasum -a 1 ${MSI_FILENAME} | tee ${MSI_FILENAME}.sha1
@@ -1877,14 +1894,14 @@ functions:
1877
1894
content_type : text/plain
1878
1895
bucket : mciuploads
1879
1896
permissions : public-read
1880
-
1897
+
1881
1898
" publish static code analysis " :
1882
1899
- command : s3.get
1883
1900
params :
1884
1901
aws_key : ${aws_key}
1885
1902
aws_secret : ${aws_secret}
1886
1903
local_file : mongosql-odbc-driver/${STATIC_CODE_ANALYSIS_NAME}
1887
- remote_file : mongosql-odbc-driver/artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
1904
+ remote_file : mongosql-odbc-driver/artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
1888
1905
content_type : application/json
1889
1906
bucket : mciuploads
1890
1907
- command : s3.put
@@ -1915,6 +1932,11 @@ tasks:
1915
1932
- func : " install rust toolchain"
1916
1933
- func : " check rustfmt"
1917
1934
1935
+ - name : unused-deps
1936
+ commands :
1937
+ - func : " install rust toolchain"
1938
+ - func : " check unused dependencies"
1939
+
1918
1940
- name : sbom
1919
1941
commands :
1920
1942
- func : " install rust toolchain"
@@ -2158,7 +2180,6 @@ tasks:
2158
2180
- func : " generate compliance report"
2159
2181
- func : " publish compliance report"
2160
2182
2161
-
2162
2183
task_groups :
2163
2184
- name : windows-windows-test-unit-group
2164
2185
setup_group_can_fail_task : false
@@ -2205,6 +2226,7 @@ buildvariants:
2205
2226
tasks :
2206
2227
- name : clippy
2207
2228
- name : rustfmt
2229
+ - name : unused-deps
2208
2230
- name : asan-compile
2209
2231
2210
2232
- name : code-quality-security