From 382d572d489404f69c3b82e7f5c64f6fa90b7c8c Mon Sep 17 00:00:00 2001
From: Anna Henningsen
Date: Thu, 20 Jun 2024 17:57:06 +0200
Subject: [PATCH] fix(ci): adopt augmented SBOM integration with Silk COMPASS-7910 (#5911)

---
 .evergreen/buildvariants-and-tasks.in.yml | 12 +++++++++---
 .evergreen/buildvariants-and-tasks.yml    | 10 ++++++++++
 .evergreen/create-sbom.sh                 | 16 ++++++++++++----
 .evergreen/functions.yml                  | 11 +++++++++++
 4 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/.evergreen/buildvariants-and-tasks.in.yml b/.evergreen/buildvariants-and-tasks.in.yml
index 2a35bc8943b..5d0f5a1cb54 100644
--- a/.evergreen/buildvariants-and-tasks.in.yml
+++ b/.evergreen/buildvariants-and-tasks.in.yml
@@ -32,26 +32,31 @@ const PACKAGE_BUILD_VARIANTS = [
     // # when compiling/re-building addons. This ensures compatibility with other
     // # debian platforms that have glibc 2.23 or newer.
     run_on: 'ubuntu1604-large',
+    silk_asset_group: 'compass-ubuntu',
   },
   {
     name: 'package-windows',
     display_name: 'Package Windows',
     run_on: 'windows-vsCurrent-large',
+    silk_asset_group: 'compass-windows',
   },
   {
     name: 'package-rhel',
     display_name: 'Package RHEL',
     run_on: 'rhel80-large',
+    silk_asset_group: 'compass-rhel',
   },
   {
     name: 'package-macos-x64',
     display_name: 'Package MacOS Intel',
-    run_on: 'macos-1100'
+    run_on: 'macos-1100',
+    silk_asset_group: 'compass-macos',
   },
   {
     name: 'package-macos-arm',
     display_name: 'Package MacOS Arm64',
-    run_on: 'macos-1100-arm64'
+    run_on: 'macos-1100-arm64',
+    silk_asset_group: 'compass-macos-arm',
   }
 ];
 
@@ -152,7 +157,8 @@ buildvariants:
   # package
   <% for (const buildVariant of PACKAGE_BUILD_VARIANTS) { %>
   - name: <%= buildVariant.name %>
-
+    expansions:
+      silk_asset_group: <%= buildVariant.silk_asset_group %>
     display_name: <%= buildVariant.display_name %>
     run_on: <%= buildVariant.run_on %>
     tasks:
diff --git a/.evergreen/buildvariants-and-tasks.yml b/.evergreen/buildvariants-and-tasks.yml
index b43c846f8ab..77a69d2bb30 100644
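Review bot: In the second hunk (buildvariants template) the `expansions:` block is emitted for every entry of PACKAGE_BUILD_VARIANTS unconditionally, so a variant added later without a `silk_asset_group` field renders `silk_asset_group:` with an empty value and the Silk upload downstream runs with an empty asset group instead of failing at template time. Wrapping the two new lines in `<% if (buildVariant.silk_asset_group) { %>` … `<% } %>`, or throwing in the template when the field is missing, would make the omission visible where it originates. The `for` loop body continues past the end of the hunk.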
--- a/.evergreen/buildvariants-and-tasks.yml
+++ b/.evergreen/buildvariants-and-tasks.yml
@@ -32,6 +32,8 @@ buildvariants:
   - name: test-electron
     run_on: macos-14-arm64-gui
   - name: package-ubuntu
+    expansions:
+      silk_asset_group: compass-ubuntu
     display_name: Package Ubuntu
     run_on: ubuntu1604-large
     tasks:
@@ -39,6 +41,8 @@ buildvariants:
       - name: package-compass-isolated
       - name: package-compass-readonly
   - name: package-windows
+    expansions:
+      silk_asset_group: compass-windows
     display_name: Package Windows
     run_on: windows-vsCurrent-large
     tasks:
@@ -46,6 +50,8 @@ buildvariants:
       - name: package-compass-isolated
       - name: package-compass-readonly
   - name: package-rhel
+    expansions:
+      silk_asset_group: compass-rhel
     display_name: Package RHEL
     run_on: rhel80-large
     tasks:
@@ -53,6 +59,8 @@ buildvariants:
       - name: package-compass-isolated
       - name: package-compass-readonly
   - name: package-macos-x64
+    expansions:
+      silk_asset_group: compass-macos
     display_name: Package MacOS Intel
     run_on: macos-1100
     tasks:
@@ -60,6 +68,8 @@ buildvariants:
       - name: package-compass-isolated
       - name: package-compass-readonly
   - name: package-macos-arm
+    expansions:
+      silk_asset_group: compass-macos-arm
     display_name: Package MacOS Arm64
     run_on: macos-1100-arm64
     tasks:
diff --git a/.evergreen/create-sbom.sh b/.evergreen/create-sbom.sh
index 11c428b40b1..724491ead6a 100755
--- a/.evergreen/create-sbom.sh
+++ b/.evergreen/create-sbom.sh
@@ -7,19 +7,27 @@ CRYPT_SHARED_VERSION=$(cat packages/compass/src/deps/csfle/version)
 
 set +x
 echo "${ARTIFACTORY_PASSWORD}" > /tmp/artifactory_password
+cat << EOF > /tmp/silkbomb.env
+SILK_CLIENT_ID=${SILK_CLIENT_ID}
+SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
+EOF
 set -x
 
 trap_handler() {
-  rm -f /tmp/artifactory_password
+  rm -vf /tmp/artifactory_password /tmp/silkbomb.env
 }
 trap trap_handler ERR EXIT
 
-scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/silkbomb.env /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
 ssh -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -p "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME" \
   "(cat /tmp/dependencies.json | jq -r '.[] | "'"pkg:npm/" + .name + "@" + .version'"' > /tmp/purls.txt) && \
   echo "pkg:generic/mongo_crypt_shared@${CRYPT_SHARED_VERSION}" >> /tmp/purls.txt && \
   (cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactor_password ) && \
   docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 && \
   docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
-    --purls /tmp/purls.txt --sbom_out /tmp/sbom.json"
-scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom.json,purls.txt} .sbom/
+    --purls /tmp/purls.txt --sbom-out /tmp/sbom-lite.json && \
+  docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
+    --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /tmp/sbom-lite.json && \
+  docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
+    --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json"
+scp -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/
diff --git a/.evergreen/functions.yml b/.evergreen/functions.yml
index 10591bd1db3..bacd8b3eb38 100644
--- a/.evergreen/functions.yml
+++ b/.evergreen/functions.yml
@@ -435,6 +435,10 @@ functions:
           SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
           SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
           SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
+          # for Silk SBOM integration
+          SILK_ASSET_GROUP: ${silk_asset_group}
+          SILK_CLIENT_ID: ${silk_client_id}
+          SILK_CLIENT_SECRET: ${silk_client_secret}
         script: |
           set -e
 
@@ -821,6 +825,13 @@ functions:
           remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/purls.txt
           content_type: text/plain
           optional: true
+      - command: s3.put
+        params:
+          <<: *save-artifact-params-public
+          local_file: src/.sbom/sbom-lite.json
+          remote_file: ${project}/${revision}_${revision_order_id}/${task_id}/sbom-lite.json
+          content_type: application/json
+          optional: true
       - command: s3.put
         params:
           <<: *save-artifact-params-public
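Review bot: /tmp/silkbomb.env, which carries SILK_CLIENT_SECRET, is copied to the signing server by the new scp line, but nothing in the ssh command removes it on that host; the updated trap_handler only deletes the local copy, so the Silk credentials remain in the remote /tmp after the job ends (and after any failure, since the remote chain is joined with `&&`). A cleanup that runs regardless of outcome while preserving the chain's exit status would close this, e.g. ending the ssh string with `--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json; rc=\$?; rm -f /tmp/silkbomb.env /tmp/artifactory_password; exit \$rc"`. The existing `rm -f /tmp/artifactor_password` in the docker-login step (a context line) misspells the file name, so the Artifactory password is also never removed remotely; the same cleanup step would cover it. Bind-mounting all of /tmp into the silkbomb container also exposes the env file and password there, which a narrower mount of just the SBOM inputs and outputs would avoid.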
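Review bot: `SILK_ASSET_GROUP: ${silk_asset_group}` in the first functions.yml hunk is only populated on the package build variants that define that expansion, so any other variant that invokes this function hands create-sbom.sh an empty string and the upload and download steps run with `--silk-asset-group ""`. A guard near the top of create-sbom.sh such as `: "${SILK_ASSET_GROUP:?silk_asset_group expansion not set}"` would fail early with a clear message instead. Whether silk_client_id and silk_client_secret are registered as private project expansions, so their values are redacted from the expanded task config and logs, is not visible in this diff and is worth confirming before the secret is passed through the env map.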