From 2dc5445f857b69ef4178767b64ba19aea47521ef Mon Sep 17 00:00:00 2001 From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 12:44:59 +0200 Subject: [PATCH 1/7] sbom and augmented sbom --- .github/workflows/generate-augmented-sbom.yml | 52 +++++++++++++++++++ .github/workflows/release.yml | 45 ++++++++++++++++ Makefile | 16 ++++++ scripts/compliance/augment-sbom.sh | 19 +++++++ scripts/compliance/extract-purls.sh | 14 +++++ scripts/compliance/gen-purls.sh | 41 +++++++++++++++ scripts/compliance/gen-sbom.sh | 10 ++++ scripts/compliance/gen-ssdlc-report.sh | 45 ++++++++++++++++ scripts/compliance/upload-sbom.sh | 13 +++++ templates/ssdlc-compliance.template.md | 29 +++++++++++ 10 files changed, 284 insertions(+) create mode 100644 .github/workflows/generate-augmented-sbom.yml create mode 100755 scripts/compliance/augment-sbom.sh create mode 100755 scripts/compliance/extract-purls.sh create mode 100755 scripts/compliance/gen-purls.sh create mode 100755 scripts/compliance/gen-sbom.sh create mode 100755 scripts/compliance/gen-ssdlc-report.sh create mode 100755 scripts/compliance/upload-sbom.sh create mode 100644 templates/ssdlc-compliance.template.md diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml new file mode 100644 index 0000000..554b78c --- /dev/null +++ b/.github/workflows/generate-augmented-sbom.yml 
@@ -0,0 +1,52 @@
+name: Augment SBOM
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version (e.g. 3.12.1)"
+ required: true
+ type: string
+ resource:
+ description: "Resource name (e.g. organization, project, etc.)"
+ required: true
+ type: string
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ augment-sbom:
+ runs-on: ubuntu-latest
+ env:
+ KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+ KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+ KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+ SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
+
+ - name: Augment SBOM with Kondukto
+ env:
+ RELEASE_VERSION: ${{ inputs.release_version }}
+ run: ./scripts/compliance/augment-sbom.sh
+ - name: Generate SSDLC report
+ env:
+ AUTHOR: ${{ github.actor }}
+ VERSION: ${{ inputs.release_version }}
+ AUGMENTED_REPORT: "true"
+ run: ./scripts/compliance/gen-ssdlc-report.sh
+
+ - name: Upload augmented SBOM as artifact
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ with:
+ name: augmented_sbom_and_ssdlc_report
+ path: |
+ compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json
+ compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md
+ if-no-files-found: error
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 39473c0..04c7666 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
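Review bot: The "Augment SBOM with Kondukto" step hands `/pwd/compliance/sbom.json` to the container, but nothing in this workflow produces that file: the checkout has no `ref:` so it lands on the default branch, and `release.yml` in this same patch only attaches `sbom.json` to the GitHub release rather than committing it, so `augment-sbom.sh` will fail unless the file happens to be tracked. Add a step before it that either fetches the released SBOM (e.g. `gh release download "v${RELEASE_VERSION}" --pattern sbom.json --dir compliance` with `GH_TOKEN` set) or checks out tag `v${{ inputs.release_version }}` and runs `make gen-purls gen-sbom`, so the augmented SBOM describes the dependency set that actually shipped. Separately, `permissions: id-token: write` is not used by any step here and can be removed, and `KONDUKTO_TOKEN` is exported at job level to every step although only the augment step reads it; moving it into that step's `env:` narrows the secret's exposure.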
@@ -67,3 +67,48 @@ jobs: ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }} ARTIFACTORY_SIGN_USER: ${{ secrets.ARTIFACTORY_SIGN_USER }} ARTIFACTORY_SIGN_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }} + compliance: + needs: release + runs-on: ubuntu-latest + env: + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + ref: ${{ inputs.version_number }} + - name: Generate PURLs and SBOM + run: make gen-purls gen-sbom + - name: Upload SBOM to Kondukto + run: make upload-sbom + env: + KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} + KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} + KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} + - name: Upload SBOM as release artifact + uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 + with: + files: compliance/sbom.json + tag_name: ${{ inputs.version_number }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + generate-ssdlc-report: + needs: compliance + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - uses: ./.github/templates/run-script-and-commit + with: + script_call: | + TAG="${{ inputs.version_number }}" + VERSION="${TAG#v}" + AUTHOR="${{ github.actor }}" + export AUTHOR VERSION + ./scripts/compliance/gen-ssdlc-report.sh + file_to_commit: 'compliance/v*/ssdlc-compliance-*.md' + commit_message: "chore: Update SSDLC report for ${{ inputs.version_number }}" + apix_bot_pat: ${{ secrets.APIX_BOT_PAT }} + remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} + gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} diff --git a/Makefile b/Makefile index 6fbead2..e211920 100644 --- a/Makefile +++ b/Makefile 
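Review bot: `script_call` splices `${{ inputs.version_number }}` and `${{ github.actor }}` directly into shell text; if the `run-script-and-commit` template executes that input as a `run:` step (it is defined outside this hunk, so I cannot confirm), a dispatch input containing shell metacharacters becomes command execution in a job that holds `APIX_BOT_PAT` and the GPG key. Pass both values through the step's `env:` — `TAG: "${{ inputs.version_number }}"` and `AUTHOR: "${{ github.actor }}"` — and keep only `VERSION="${TAG#v}"` plus the `export` and script invocation in `script_call`, so they arrive as data rather than code. The `compliance` job also declares no `permissions:`; `softprops/action-gh-release` needs `contents: write` to attach `sbom.json`, so either the workflow-level grant (not visible here) already allows it or the upload fails, and an explicit job-level `permissions: contents: write` makes the intent reviewable either way. The enclosing `jobs:` map starts before this hunk.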
@@ -64,4 +64,20 @@ generate-manifest-windows: ## Generate the manifest file for windows OSes .DEFAULT_GOAL := help help: @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | sort + +.PHONY: gen-purls +gen-purls: + ./scripts/compliance/gen-purls.sh + +.PHONY: gen-sbom +gen-sbom: + ./scripts/compliance/gen-sbom.sh + +.PHONY: gen-ssdlc-report +gen-ssdlc-report: + ./scripts/compliance/gen-ssdlc-report.sh + +.PHONY: upload-sbom +upload-sbom: + ./scripts/compliance/upload-sbom.sh diff --git a/scripts/compliance/augment-sbom.sh b/scripts/compliance/augment-sbom.sh new file mode 100755 index 0000000..73b32af --- /dev/null +++ b/scripts/compliance/augment-sbom.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +set -euo pipefail + +: "${RELEASE_VERSION:?RELEASE_VERSION environment variable not set}" +DATE=$(date +'%Y-%m-%d') + +echo "Augmenting SBOM..." +docker run \ + --pull=always \ + --platform="linux/amd64" \ + --rm \ + -v "${PWD}:/pwd" \ + -e KONDUKTO_TOKEN \ + "$SILKBOMB_IMG" \ + augment \ + --sbom-in "/pwd/compliance/sbom.json" \ + --repo "$KONDUKTO_REPO" \ + --branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64" \ + --sbom-out "/pwd/compliance/augmented-sbom-v${RELEASE_VERSION}-${DATE}.json" diff --git a/scripts/compliance/extract-purls.sh b/scripts/compliance/extract-purls.sh new file mode 100755 index 0000000..3da99d5 --- /dev/null +++ b/scripts/compliance/extract-purls.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +set -euo pipefail + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 " + exit 1 +fi + +BINARY_PATH="$1" +OUTPUT_FILE="$2" + +go version -m "$BINARY_PATH" | \ + awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \ + LC_ALL=C sort > "$OUTPUT_FILE" \ No newline at end of file diff --git a/scripts/compliance/gen-purls.sh b/scripts/compliance/gen-purls.sh new file mode 100755 index 0000000..f3e8911 --- /dev/null +++ b/scripts/compliance/gen-purls.sh 
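Review bot: In `augment-sbom.sh`, `-v "${PWD}:/pwd"` mounts the whole checkout read-write into the third-party silkbomb container; on a GitHub runner that tree includes `.git/config`, where `actions/checkout` persists the job token by default, while the tool only needs `compliance/`. `-v "${PWD}/compliance:/pwd/compliance"` bounds what the image can read or modify; `gen-sbom.sh` and `upload-sbom.sh` later in this patch use the same full-tree mount (`upload-sbom.sh` only reads, so `:ro` fits there). Two smaller points: `SILKBOMB_IMG`, `KONDUKTO_REPO` and `KONDUKTO_BRANCH_PREFIX` lack the `: "${VAR:?...}"` guard given to `RELEASE_VERSION`, and because an unset repository variable expands to an empty string `set -u` will not catch it, so the failure surfaces as an opaque docker error; and `--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64"` says arm64 while `gen-purls.sh` builds only `GOARCH=amd64` binaries and `gen-ssdlc-report.sh` names the file `linux_amd64_…`, so one of these is wrong.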
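Review bot: The usage line in `extract-purls.sh`, `echo "Usage: $0 "`, prints no argument names — the placeholders appear to have been lost (angle-bracket names are stripped by some tooling), so a caller with the wrong arity gets no hint; `echo "Usage: $0 BINARY_PATH OUTPUT_FILE" >&2` restores them and sends the message to stderr. The awk filter also emits a purl for every `=>` replacement line; when a `replace` directive points at a local directory the version column may be empty or a non-semver placeholder, yielding something like `pkg:golang/../local@`, which the downstream SBOM tool may reject — worth confirming against a binary built with a local replace, or skipping lines where `$3` is empty.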
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +set -euo pipefail +: "${LINKER_FLAGS:=}" + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +EXTRACT_PURL_SCRIPT="${SCRIPT_DIR}/extract-purls.sh" + +if [ ! -x "$EXTRACT_PURL_SCRIPT" ]; then + echo "extract-purls.sh not found or not executable" + exit 1 +fi + +echo "==> Generating purls" + +# Define output and temp files +OUT_DIR="compliance" +LINUX_BIN="${OUT_DIR}/bin-linux" +DARWIN_BIN="${OUT_DIR}/bin-darwin" +WIN_BIN="${OUT_DIR}/bin-win.exe" +PURL_LINUX="${OUT_DIR}/purls-linux.txt" +PURL_DARWIN="${OUT_DIR}/purls-darwin.txt" +PURL_WIN="${OUT_DIR}/purls-win.txt" +PURL_ALL="${OUT_DIR}/purls.txt" + +# Build and extract for Linux +GOOS=linux GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${LINUX_BIN}" ./cmd/plugin +"$EXTRACT_PURL_SCRIPT" "${LINUX_BIN}" "${PURL_LINUX}" + +# Build and extract for Darwin +GOOS=darwin GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${DARWIN_BIN}" ./cmd/plugin +"$EXTRACT_PURL_SCRIPT" "${DARWIN_BIN}" "${PURL_DARWIN}" + +# Build and extract for Windows +GOOS=windows GOARCH=amd64 go build -ldflags "${LINKER_FLAGS}" -o "${WIN_BIN}" ./cmd/plugin +"$EXTRACT_PURL_SCRIPT" "${WIN_BIN}" "${PURL_WIN}" + +# Combine, sort, and deduplicate +cat "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" | LC_ALL=C sort | uniq > "${PURL_ALL}" + +# Clean up temp files +rm -f "${LINUX_BIN}" "${DARWIN_BIN}" "${WIN_BIN}" "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}" diff --git a/scripts/compliance/gen-sbom.sh b/scripts/compliance/gen-sbom.sh new file mode 100755 index 0000000..eb78528 --- /dev/null +++ b/scripts/compliance/gen-sbom.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +set -euo pipefail + +echo "Generating SBOM..." +docker run --rm \ + -v "$PWD:/pwd" \ + "$SILKBOMB_IMG" \ + update \ + --purls /pwd/compliance/purls.txt \ + --sbom-out /pwd/compliance/sbom.json \ No newline at end of file 
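Review bot: The `rm -f` cleanup at the end of `gen-purls.sh` runs only on the success path: with `set -e`, a failing `go build` or extraction exits before it and leaves `compliance/bin-*` binaries and partial `purls-*.txt` files in the working tree for the release job's later steps to pick up. Register the cleanup as `trap 'rm -f "${LINUX_BIN}" "${DARWIN_BIN}" "${WIN_BIN}" "${PURL_LINUX}" "${PURL_DARWIN}" "${PURL_WIN}"' EXIT` right after the variables are defined and drop the final `rm -f`. A `mkdir -p "${OUT_DIR}"` before the first build makes the script independent of whether `compliance/` already exists in the checkout (this patch does not show whether it is tracked), and `cat … | LC_ALL=C sort | uniq` can simply be `LC_ALL=C sort -u`.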
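Review bot: In `gen-sbom.sh`, `$SILKBOMB_IMG` is the tool whose output the release attests to, yet it is referenced only by whatever tag the `SILKBOMB_IMG` variable holds, with no digest and — unlike `augment-sbom.sh` — no `--pull` policy, so two runs can execute different images and a retagged image changes the SBOM silently. Point the variable at an `image@sha256:<digest>` reference (placeholder until the real digest is chosen) and add `--pull=always` here too so the pinned digest is checked on every run. A `: "${SILKBOMB_IMG:?SILKBOMB_IMG environment variable not set}"` guard, mirroring the `RELEASE_VERSION` check in `augment-sbom.sh`, would also turn an empty repository variable into a clear failure instead of a docker error about an empty image name; the same applies to `upload-sbom.sh`.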
diff --git a/scripts/compliance/gen-ssdlc-report.sh b/scripts/compliance/gen-ssdlc-report.sh new file mode 100755 index 0000000..94b8752 --- /dev/null +++ b/scripts/compliance/gen-ssdlc-report.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +set -euo pipefail + +release_date=${DATE:-$(date -u '+%Y-%m-%d')} + +export DATE="${release_date}" + +if [ -z "${AUTHOR:-}" ]; then + AUTHOR=$(git config user.name) +fi + +if [ -z "${VERSION:-}" ]; then + VERSION=$(git tag --list 'v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2) +fi + +if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then + target_dir="." + file_name="ssdlc-compliance-${VERSION}-${DATE}.md" + SBOM_TEXT=" - See Augmented SBOM manifests (CycloneDX in JSON format): + - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json' + - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies." + +else # If not augmented, generate the standard report + target_dir="compliance/v${VERSION}" + file_name="ssdlc-compliance-${VERSION}.md" + SBOM_TEXT=" - See SBOM Lite manifests (CycloneDX in JSON format): + - https://github.com/mongodb/atlas-cli-plugin-terraform/releases/download/v${VERSION}/sbom.json" + # Ensure atlas-cli-plugin-terraform version directory exists + mkdir -p "${target_dir}" +fi + +export AUTHOR +export VERSION +export SBOM_TEXT + +echo "Generating SSDLC report for Atlas CLI plugin for Terraform's MongoDB Atlas Provider version ${VERSION}, author ${AUTHOR} and release date ${DATE}..." + +envsubst < templates/ssdlc-compliance.template.md \ + > "${target_dir}/${file_name}" + +echo "SSDLC compliance report ready. Files in ${target_dir}/:" +ls -l "${target_dir}/" + +echo "Printing the generated report:" +cat "${target_dir}/${file_name}" \ No newline at end of file diff --git a/scripts/compliance/upload-sbom.sh b/scripts/compliance/upload-sbom.sh new file mode 100755 index 0000000..b2552ae 
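Review bot: In the `AUGMENTED_REPORT` branch the report is written to `target_dir="."`, but `generate-augmented-sbom.yml` uploads `compliance/ssdlc-compliance-<version>-<date>.md`; because the JSON in the same `path:` list does exist, `if-no-files-found: error` will not trigger and the report is silently missing from the artifact. Set `target_dir="compliance"` (with `mkdir -p "${target_dir}"`) in that branch so script and workflow agree. The embedded `SBOM_TEXT` also tells readers the companion file is `'linux_amd64_augmented_sbom_v${VERSION}.json'`, whereas `augment-sbom.sh` writes `augmented-sbom-v${VERSION}-${DATE}.json`; reference the real name, e.g. `'augmented-sbom-v${VERSION}-${DATE}.json'`. Finally, the `VERSION` fallback `git tag --list 'v*' --sort=-taggerdate` orders by tagger date, which lightweight tags do not carry, so it may pick the wrong release when run locally; `--sort=-version:refname` is the safer order.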
--- /dev/null +++ b/scripts/compliance/upload-sbom.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +set -euo pipefail + +echo "Uploading SBOMs..." +docker run --rm \ + -v "$PWD:/pwd" \ + -e KONDUKTO_TOKEN \ + "$SILKBOMB_IMG" \ + upload \ + --sbom-in /pwd/compliance/sbom.json \ + --repo "$KONDUKTO_REPO" \ + --branch "$KONDUKTO_BRANCH_PREFIX" + \ No newline at end of file diff --git a/templates/ssdlc-compliance.template.md b/templates/ssdlc-compliance.template.md new file mode 100644 index 0000000..88aa679 --- /dev/null +++ b/templates/ssdlc-compliance.template.md @@ -0,0 +1,29 @@ +SSDLC Compliance Report: MongoDB Atlas CLI Plugin Terraform ${VERSION} +================================================================= + +- Release Creator: ${AUTHOR} +- Created On: ${DATE} + +Overview: + +- **Product and Release Name** +- MongoDB Atlas CLI Plugin Terraform ${VERSION}, ${DATE}. + +- **Process Document** +- https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities + +- **Tool used to track third party vulnerabilities** +- [Kondukto](https://arcticglow.kondukto.io/) + +- **Dependency Information** +${SBOM_TEXT} + +- **Security Testing Report** +- Available as needed from Cloud Security. + +- **Security Assessment Report** +- Available as needed from Cloud Security. + +Assumptions and attestations: + +- Internal processes are used to ensure CVEs are identified and mitigated within SLAs. \ No newline at end of file From eef268b1e2aff0ac1d47bf36bc41fa3e03a077b3 Mon Sep 17 00:00:00 2001 From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 14:12:59 +0200 Subject: [PATCH 2/7] clean up input --- .github/workflows/generate-augmented-sbom.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml index 554b78c..aeb0337 100644 --- a/.github/workflows/generate-augmented-sbom.yml +++ b/.github/workflows/generate-augmented-sbom.yml 
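Review bot: `--branch "$KONDUKTO_BRANCH_PREFIX"` uploads the SBOM under the bare prefix, but `augment-sbom.sh` in this same patch reads it back with `--branch "$KONDUKTO_BRANCH_PREFIX-linux-arm64"`; unless Kondukto maps both names to one project branch (nothing in this patch shows that), the augment step queries a branch that never received the upload. Use one branch expression in both scripts — `--branch "$KONDUKTO_BRANCH_PREFIX"` here and in `augment-sbom.sh` is the simplest — or document in a comment why the upload and augment branches intentionally differ. The trailing blank line that the `\ No newline` marker flags is removed by patch 3 of this series.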
@@ -7,10 +7,6 @@ on: description: "Release version (e.g. 3.12.1)" required: true type: string - resource: - description: "Resource name (e.g. organization, project, etc.)" - required: true - type: string permissions: id-token: write From 3ad820e675d10e544d5fdd4586948704d27e43b7 Mon Sep 17 00:00:00 2001 From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 14:14:57 +0200 Subject: [PATCH 3/7] eof --- .github/workflows/generate-augmented-sbom.yml | 2 +- scripts/compliance/extract-purls.sh | 2 +- scripts/compliance/gen-sbom.sh | 2 +- scripts/compliance/gen-ssdlc-report.sh | 2 +- scripts/compliance/upload-sbom.sh | 1 - 5 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml index aeb0337..ed2aaf0 100644 --- a/.github/workflows/generate-augmented-sbom.yml +++ b/.github/workflows/generate-augmented-sbom.yml @@ -45,4 +45,4 @@ jobs: path: | compliance/augmented-sbom-v${{ inputs.release_version }}-${{ steps.date.outputs.date }}.json compliance/ssdlc-compliance-${{ inputs.release_version }}-${{ steps.date.outputs.date }}.md - if-no-files-found: error \ No newline at end of file + if-no-files-found: error diff --git a/scripts/compliance/extract-purls.sh b/scripts/compliance/extract-purls.sh index 3da99d5..2e2b752 100755 --- a/scripts/compliance/extract-purls.sh +++ b/scripts/compliance/extract-purls.sh @@ -11,4 +11,4 @@ OUTPUT_FILE="$2" go version -m "$BINARY_PATH" | \ awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \ - LC_ALL=C sort > "$OUTPUT_FILE" \ No newline at end of file + LC_ALL=C sort > "$OUTPUT_FILE" diff --git a/scripts/compliance/gen-sbom.sh b/scripts/compliance/gen-sbom.sh index eb78528..d655773 100755 --- a/scripts/compliance/gen-sbom.sh +++ b/scripts/compliance/gen-sbom.sh 
@@ -7,4 +7,4 @@ docker run --rm \ "$SILKBOMB_IMG" \ update \ --purls /pwd/compliance/purls.txt \ - --sbom-out /pwd/compliance/sbom.json \ No newline at end of file + --sbom-out /pwd/compliance/sbom.json diff --git a/scripts/compliance/gen-ssdlc-report.sh b/scripts/compliance/gen-ssdlc-report.sh index 94b8752..80aefbd 100755 --- a/scripts/compliance/gen-ssdlc-report.sh +++ b/scripts/compliance/gen-ssdlc-report.sh @@ -42,4 +42,4 @@ echo "SSDLC compliance report ready. Files in ${target_dir}/:" ls -l "${target_dir}/" echo "Printing the generated report:" -cat "${target_dir}/${file_name}" \ No newline at end of file +cat "${target_dir}/${file_name}" diff --git a/scripts/compliance/upload-sbom.sh b/scripts/compliance/upload-sbom.sh index b2552ae..339b901 100755 --- a/scripts/compliance/upload-sbom.sh +++ b/scripts/compliance/upload-sbom.sh @@ -10,4 +10,3 @@ docker run --rm \ --sbom-in /pwd/compliance/sbom.json \ --repo "$KONDUKTO_REPO" \ --branch "$KONDUKTO_BRANCH_PREFIX" - \ No newline at end of file From 2042dfafe1ff23c8adcd7bb3e889dd03954a6762 Mon Sep 17 00:00:00 2001 From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 17:17:32 +0200 Subject: [PATCH 4/7] correct secrets --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 04c7666..43b5479 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -110,5 +110,5 @@ jobs: commit_message: "chore: Update SSDLC report for ${{ inputs.version_number }}" apix_bot_pat: ${{ secrets.APIX_BOT_PAT }} remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} - gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} From 0e84b59f291e0df112683b1bc559730e9e83f124 Mon Sep 17 00:00:00 2001 
From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 17:33:31 +0200 Subject: [PATCH 5/7] pr comments --- .github/workflows/generate-augmented-sbom.yml | 2 +- templates/ssdlc-compliance.template.md | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml index ed2aaf0..865e9a9 100644 --- a/.github/workflows/generate-augmented-sbom.yml +++ b/.github/workflows/generate-augmented-sbom.yml @@ -21,7 +21,7 @@ jobs: KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Get current date id: date diff --git a/templates/ssdlc-compliance.template.md b/templates/ssdlc-compliance.template.md index 88aa679..a8cb65e 100644 --- a/templates/ssdlc-compliance.template.md +++ b/templates/ssdlc-compliance.template.md @@ -7,22 +7,22 @@ SSDLC Compliance Report: MongoDB Atlas CLI Plugin Terraform ${VERSION} Overview: - **Product and Release Name** -- MongoDB Atlas CLI Plugin Terraform ${VERSION}, ${DATE}. + - MongoDB Atlas CLI Plugin Terraform ${VERSION}, ${DATE}. - **Process Document** -- https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities + - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities - **Tool used to track third party vulnerabilities** -- [Kondukto](https://arcticglow.kondukto.io/) + - [Kondukto](https://arcticglow.kondukto.io/) - **Dependency Information** -${SBOM_TEXT} + ${SBOM_TEXT} - **Security Testing Report** -- Available as needed from Cloud Security. + - Available as needed from Cloud Security. - **Security Assessment Report** -- Available as needed from Cloud Security. + - Available as needed from Cloud Security. Assumptions and attestations: From c287461e40dd5934b4dcfa93bc8f43262d73e894 Mon Sep 17 00:00:00 2001 
From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 17:47:38 +0200 Subject: [PATCH 6/7] contributing --- CONTRIBUTING.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 109a7bd..1bfd194 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing to the Atlas CLI plugin for Terraform's MongoDB Atlas Provider -WIP +Thank you for your interest in contributing! This project welcomes contributions from the community. Please follow the guidelines below to get started, build, and contribute effectively. For compliance and release processes, see the sections below. ## Building 
@@ -9,3 +9,23 @@ You can build the binary plugin by running `make build`. You'll need to have Go ## Using the plugin from the CLI You can also use the plugin with your changes from the CLI by running: `make local` and following the instructions displayed. + +## Third Party Dependencies and Vulnerability Scanning + +We scan our dependencies for vulnerabilities and incompatible licenses using [Snyk](https://snyk.io/). +To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI). + +We also use Kundukto to scan for third-party dependency vulnerabilities. Kundukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found. + +### SBOM and Compliance +We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/ directory. + +Augmented SBOMs can be generated on customer request for any released version. This can only be done by MongoDB employees as it requires access to our GitHub workflow. + +### Papertrail Integration +All releases are recorded using a MongoDB-internal application called Papertrail. This records various pieces of information about releases, including the date and time of the release, who triggered the release (by pushing to Evergreen), and a checksum of each release file. + +This is done automatically as part of the release. + +### Release Artifact Signing +All releases are signed automatically as part of the release process. \ No newline at end of file From fc3002fe884b17a4935a1a368b8b8eb1ca433028 Mon Sep 17 00:00:00 2001 From: Oriol Arbusi Abadal Date: Wed, 18 Jun 2025 18:00:47 +0200 Subject: [PATCH 7/7] typo --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1bfd194..0f69021 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -15,7 +15,7 @@ You can also use the plugin with your changes from the CLI by running: `make loc We scan our dependencies for vulnerabilities and incompatible licenses using [Snyk](https://snyk.io/). To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI). -We also use Kundukto to scan for third-party dependency vulnerabilities. Kundukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found. +We also use Kondukto to scan for third-party dependency vulnerabilities. Kondukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found. ### SBOM and Compliance We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/ directory.