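# Evergreen task definitions for the security-reporting pipeline:
#   publish-sast-report     - Coverity-derived SAST report -> Google Drive + S3 artifact
#   publish-augmented-sbom  - Silkbomb augments the SBOM with VEX data -> Google Drive
# Both depend on version_expansions_gen so ${version}/${branch_name} are available.
tasks:
  - name: publish-sast-report
    tags: ["auxiliary", "assigned_to_jira_team_devprod_release_infrastructure"]
    depends_on:
      - name: version_expansions_gen
        variant: generate-tasks-for-version
    # NOTE(review): no exec_timeout_secs here (publish-augmented-sbom sets 600);
    # presumably the project-level default applies - confirm it is bounded.
    commands:
      - command: git.get_project
        params:
          directory: src
          clone_depth: 1
          recurse_submodules: true
      - func: "get version expansions"
      - func: "apply version expansions"
      - func: "f_expansions_write"
      # Secrets are handed to a script that writes an env file; silent: true keeps
      # the invocation (and therefore the expansion values) out of the task log.
      - command: subprocess.exec
        display_name: Write credentials for SAST report generation to file
        type: setup
        params:
          silent: true
          binary: "${workdir}/src/evergreen/write_sast_report_env_file.sh"
          env:
            WORK_DIR: ${workdir}
            JIRA_OAUTH_ACCESS_TOKEN: ${jira_auth_access_token}
            JIRA_OAUTH_ACCESS_TOKEN_SECRET: ${jira_auth_access_token_secret}
            JIRA_OAUTH_CONSUMER_KEY: ${jira_auth_consumer_key}
            JIRA_OAUTH_KEY_CERT: ${jira_auth_key_cert}
            SAST_REPORT_COVERITY_USERNAME: ${SAST_REPORT_COVERITY_USERNAME}
            SAST_REPORT_COVERITY_PASSWORD: ${SAST_REPORT_COVERITY_PASSWORD}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}
      # The generation step itself receives only non-secret context; credentials
      # come from the env file written above.
      - command: subprocess.exec
        display_name: "Generate SAST report and upload to Google Drive"
        params:
          binary: "${workdir}/src/evergreen/generate_sast_report.sh"
          env:
            WORK_DIR: ${workdir}
            MODULE_PATH: ${workdir}/devprodCoveritySrc/devprod_coverity
            GITHUB_COMMIT: ${github_commit}
            TRIGGERED_BY_GIT_TAG: ${triggered_by_git_tag}
            MONGODB_VERSION: ${version}
            MONGODB_RELEASE_BRANCH: ${branch_name}
            SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}
            SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}
      # Report is also retained as a private, signed-URL-only Evergreen artifact.
      - command: s3.put
        params:
          aws_key: ${aws_key}
          aws_secret: ${aws_secret}
          bucket: mciuploads
          content_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
          local_files_include_filter_prefix: devprodCoveritySrc/devprod_coverity
          local_files_include_filter:
            - "sast_report_*.xlsx"
          remote_file: ${project}/${build_variant}/${revision}/artifacts/${build_id}/${task_name}/
          permissions: private
          visibility: signed

  - name: publish-augmented-sbom
    tags: ["auxiliary", "assigned_to_jira_team_platsec_ssdlc"]
    depends_on:
      - name: version_expansions_gen
        variant: generate-tasks-for-version
    exec_timeout_secs: 600 # 10 minute timeout
    commands:
      - command: manifest.load
      - func: "git get project and add git tag"
      - func: "get version expansions"
      - func: "apply version expansions"
      - func: "f_expansions_write"
      - func: "kill processes"
      - func: "cleanup environment"
      - func: "set up venv"
      - func: "upload pip requirements"
      # First role: short-lived STS credentials for Silkbomb, persisted to an env
      # file that is later mounted into the container via CONTAINER_ENV_FILES.
      - command: ec2.assume_role
        display_name: Assume Silkbomb IAM role
        params:
          role_arn: arn:aws:iam::119629040606:role/silkbomb
      - func: "f_expansions_write"
      - command: subprocess.exec
        display_name: Write temporary AWS credentials to Silkbomb environment file
        params:
          binary: bash
          args:
            - "src/evergreen/functions/security_reporting_scripts/write_aws_creds_to_silkbomb_env_file.sh"
          include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
      # Second role (read-only ECR) replaces the AWS_* expansions; presumably the
      # host-side image pull below uses these while Silkbomb itself reads the env
      # file written from the first role - confirm against the two scripts.
      - command: ec2.assume_role
        display_name: Assume DevProd Platforms ECR readonly IAM role
        params:
          role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro
      - func: "f_expansions_write"
      - command: subprocess.exec
        display_name: Run Silkbomb to augment SBOM with VEX data
        params:
          binary: bash
          args:
            - "src/evergreen/functions/security_reporting_scripts/augment_sbom.sh"
          include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
          env:
            REQUESTER: ${requester}
            BRANCH_NAME: ${branch_name}
            GITHUB_ORG: ${github_org}
            GITHUB_REPO: ${github_repo}
            CONTAINER_COMMAND: docker # podman or docker
            CONTAINER_OPTIONS: --pull=always --platform=linux/amd64 -i --rm
            CONTAINER_ENV_FILES: ${workdir}/silkbomb.env
            CONTAINER_VOLUMES: -v ${workdir}:/workdir
            # Image is referenced by a mutable tag and re-pulled every run
            # (--pull=always); pinning a digest would make the tool version
            # reproducible across runs.
            CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
            SBOM_REPO_PATH: sbom.private.json
            SBOM_OUT_PATH: ${workdir}/sbom-with-vex-${branch_name}.json
            SILKBOMB_COMMAND: augment
            SILKBOMB_ARGS: --sbom-in /workdir/src/sbom.private.json --sbom-out /workdir/src/sbom-with-vex-${branch_name}.json --repo ${github_org}/${github_repo} --branch ${branch_name}
      # NOTE(review): unlike the SAST task, the Google OAuth refresh token and
      # client secret are passed straight into this step's env rather than via a
      # silent env-file step; confirm the task log never echoes the command env.
      - command: subprocess.exec
        display_name: "Upload SBOM to Google Drive"
        params:
          binary: bash
          args:
            - "${workdir}/src/evergreen/run_python_script.sh"
            - "${workdir}/src/evergreen/functions/security_reporting_scripts/upload_to_google_drive.py"
            - "${workdir}/src/sbom-with-vex-${branch_name}.json"
          env:
            WORK_DIR: ${workdir}
            GITHUB_COMMIT: ${github_commit}
            TRIGGERED_BY_GIT_TAG: ${triggered_by_git_tag}
            MONGODB_VERSION: ${version}
            MONGODB_RELEASE_BRANCH: ${branch_name}
            SBOM_OUT_PATH: ${workdir}/sbom-with-vex-${branch_name}.json
            UPLOAD_FILE_NAME: "[${version}] MongoDB Server Enterprise SBOM"
            SBOM_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID: ${SBOM_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}
            SBOM_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID: ${SBOM_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}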