SQL-2998, SQL-2807: Update SBOM push/pull using Silkbomb and other common SSDLC functionality via common-test-infra#385
nbagnard
left a comment
Pretty good cleaning work making this all more generic!
I just noticed a few things to adjust and/or where the shared test infra logic could be used.
| exec_timeout_secs: 3600 # 1h | ||
| commands: | ||
| - func: "static code analysis" | ||
| - func: "generate static code analysis" |
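Review bot: the rename to the shared "generate static code analysis" func drops the project-specific semgrep invocation, so this task has to pass the ruleset (p/java here, p/rust for the other projects) and the --exclude value as task vars; with the shared defaults the scan reports "Ran 9 rules on 0 files: 0 findings." and still succeeds. The shared script should also fail when the scanned-file count is 0, so a misconfigured ruleset or path cannot produce a green SSDLC artifact.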
You'll need to add a variable for the ruleset to use in the common script.
For most of our projects we use semgrep --config p/rust because those are Rust projects.
For the JDBC driver, we need to use semgrep --config p/java.
Right now, it is not doing anything. If you look at the verbose logs: "Ran 9 rules on 0 files: 0 findings."
You'll also want to add a variable for setting a different value for --exclude. Otherwise, all projects will exclude the "integration_test". For the JDBC driver, we incorrectly exclude "vendor", which is a copy-paste leftover from the BIC. The default exclusion list for Java is enough because there is no vulnerability reported. This means that we could forgo the --exclude option altogether. We can also set it to "--exclude demo" because demo is an internal helper.
| put_to_bucket: "evg-bucket-mongo-jdbc-driver" | ||
| published_sbom_path: ${working_dir}/${SBOM_FILENAME} | ||
| published_sarif_path: ${working_dir}/${STATIC_CODE_ANALYSIS_NAME} | ||
| compliance_report_template_path: ${PROJECT_DIRECTORY}/resources/release/mongo_jdbc_compliance_report_template.md |
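Review bot: compliance_report_template_path is the only input in this block that points into the project tree (${PROJECT_DIRECTORY}/resources/release) while the SBOM and SARIF paths are shared-infra inputs under ${working_dir}; if the generic evergreen/resources/compliance_report_template.md is used instead, signing_section_bookmark and repo_name need to be set in the same block, otherwise the template's link to the artifact-verification README section has nothing to resolve against.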
I think you can use the generic compliance report template: evergreen/resources/compliance_report_template.md
This way, you will have the "Compliance Report Created Date" info added. I saw no other difference.
You will need to add signing_section_bookmark: "verify-integrity-of-mongodb-jdbc-driver-packages" and repo_name: "mongo-jdbc-driver".
This will get the correct link to the README section related to verifying the integrity of the artifacts.
| get_from_bucket: "evg-bucket-mongo-jdbc-driver" | ||
| local_file_path: ${SSDLC_DIR}/${STATIC_CODE_ANALYSIS_NAME} | ||
| published_file_path: ${working_dir}/${STATIC_CODE_ANALYSIS_NAME} | ||
| - func: "generate compliance report" |
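Review bot: "generate compliance report" runs directly after the get_from_bucket of the SARIF into ${SSDLC_DIR}; if that download fails or the object is missing, the report step should fail rather than emit a report with an empty static-analysis section, so the shared func should check that local_file_path exists and is non-empty before templating. The same template, signing_section_bookmark and repo_name changes as in the release task apply to this block.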
The same changes as for the release task above apply here.
| permissions: public-read | ||
| "scan sbom": | ||
| "scan sbom for jdbc": |
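Review bot: renaming "scan sbom" to "scan sbom for jdbc" keeps a project-local copy of a step the shared infra already provides as scan_sbom with the same Grype invocation and failure threshold; a local copy lets the threshold drift from the other projects' without review, so prefer the shared func. Separately, permissions: public-read on the put above makes the uploaded object world-readable, which is what the published SBOM and SARIF paths are for, but the setting should apply only to those published artifacts.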
You can use scan_sbom in the shared test infra repo. All projects are using Grype and the failure threshold is the same.
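The silent-scan failure noted in the review above ("Ran 9 rules on 0 files: 0 findings.") is cheap to guard against in whatever shell script wraps semgrep. The following is an added example, not code from this PR or from sql-engines-common-test-infra: it parses semgrep's summary line and fails when the scanned-file count is zero, using constructed sample output. The function names are assumptions; the --config and --exclude values in the comment are the ones named in the review.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of this PR or of common-test-infra).
# Assumption: semgrep's verbose output contains a summary line of the form
#   "Ran <N> rules on <M> files: <K> findings."
# Intended use in a task script (semgrep not run here):
#   semgrep --config p/java --exclude demo --verbose . 2>&1 | tee semgrep.log
#   check_semgrep_scanned_files "$(cat semgrep.log)" || exit 1

# Print the number of files semgrep reports having scanned.
# Prints -1 when no summary line is present (treated as a failure by the caller).
semgrep_files_scanned() {
  count=$(printf '%s\n' "$1" \
    | sed -n 's/.*Ran [0-9][0-9]* rules on \([0-9][0-9]*\) files.*/\1/p' \
    | head -n 1)
  if [ -z "$count" ]; then
    printf '%s\n' -1
  else
    printf '%s\n' "$count"
  fi
}

# Return 0 only when at least one file was scanned; a zero-file run means the
# ruleset or target path is wrong and must not count as a passing scan.
check_semgrep_scanned_files() {
  n=$(semgrep_files_scanned "$1")
  if [ "$n" -gt 0 ]; then
    return 0
  fi
  printf 'semgrep scanned %s files; check --config/--exclude and the target path\n' "$n" >&2
  return 1
}

# Constructed sample output (not captured from this project's CI).
SAMPLE_MISCONFIGURED='Running 9 rules...
Ran 9 rules on 0 files: 0 findings.'
SAMPLE_OK='Running 42 rules...
Ran 42 rules on 137 files: 2 findings.'
```

Wiring this into the shared static-analysis func turns a misconfigured ruleset into a red task instead of a green one with an empty SARIF.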
bucaojit
left a comment
Nice work cleaning up the evergreen script.
The changes look good, I agree with Natacha's comments.
Note: I am reverting the config file name until this PR is back. It otherwise will block the release process.
This PR updates the evergreen configs to remove many SSDLC-related functions in favor of common versions in sql-engines-common-test-infra. The primary goal was to update `augment sbom` to use new logic described in the ticket; when that functionality was added to `common-test-infra`, it could not be used here until the entire project was set up to use `common-test-infra` for all SSDLC functions. That is why this PR includes updates to all SSDLC functions.