xuemingqiang/mongo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3e45333645ecb8e841065b8e47e803c5a7a59a6
mongo/etc/evergreen_yml_components/tasks/release_tasks.yml
Jason Hills c3e4533364 SERVER-116213, SERVER-117626, SERVER-117790: Enhance SBOM automation with private folder support, team automation and branch filtering (#48555) 
Co-authored-by: Mathias Stearn <mathias@mongodb.com>
GitOrigin-RevId: 0ed281764f145dc335b24cc49112f018a921f94b
2026-03-05 16:13:59 +00:00

136 lines
6.4 KiB
YAML
Raw Blame History

tasks:
- name: publish-sast-report
tags: ["auxiliary", "assigned_to_jira_team_devprod_release_infrastructure"]
depends_on:
- name: version_expansions_gen
variant: generate-tasks-for-version
commands:
- command: git.get_project
params:
directory: src
clone_depth: 1
recurse_submodules: true
- func: "get version expansions"
- func: "apply version expansions"
- func: "f_expansions_write"
- command: subprocess.exec
display_name: Write credentials for SAST report generation to file
type: setup
params:
silent: true
binary: "${workdir}/src/evergreen/write_sast_report_env_file.sh"
env:
WORK_DIR: ${workdir}
JIRA_OAUTH_ACCESS_TOKEN: ${jira_auth_access_token}
JIRA_OAUTH_ACCESS_TOKEN_SECRET: ${jira_auth_access_token_secret}
JIRA_OAUTH_CONSUMER_KEY: ${jira_auth_consumer_key}
JIRA_OAUTH_KEY_CERT: ${jira_auth_key_cert}
SAST_REPORT_COVERITY_USERNAME: ${SAST_REPORT_COVERITY_USERNAME}
SAST_REPORT_COVERITY_PASSWORD: ${SAST_REPORT_COVERITY_PASSWORD}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}
- command: subprocess.exec
display_name: "Generate SAST report and upload to Google Drive"
params:
binary: "${workdir}/src/evergreen/generate_sast_report.sh"
env:
WORK_DIR: ${workdir}
MODULE_PATH: ${workdir}/devprodCoveritySrc/devprod_coverity
GITHUB_COMMIT: ${github_commit}
TRIGGERED_BY_GIT_TAG: ${triggered_by_git_tag}
MONGODB_VERSION: ${version}
MONGODB_RELEASE_BRANCH: ${branch_name}
SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}
SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}
- command: s3.put
params:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
bucket: mciuploads
content_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
local_files_include_filter_prefix: devprodCoveritySrc/devprod_coverity
local_files_include_filter:
- "sast_report_*.xlsx"
remote_file: ${project}/${build_variant}/${revision}/artifacts/${build_id}/${task_name}/
permissions: private
visibility: signed
- name: publish-augmented-sbom
tags: ["auxiliary", "assigned_to_jira_team_platsec_ssdlc"]
depends_on:
- name: version_expansions_gen
variant: generate-tasks-for-version
exec_timeout_secs: 600 # 10 minute timeout
commands:
- command: manifest.load
- func: "git get project and add git tag"
- func: "get version expansions"
- func: "apply version expansions"
- func: "f_expansions_write"
- func: "kill processes"
- func: "cleanup environment"
- func: "set up venv"
- func: "upload pip requirements"
- command: ec2.assume_role
display_name: Assume Silkbomb IAM role
params:
role_arn: arn:aws:iam::119629040606:role/silkbomb
- func: "f_expansions_write"
- command: subprocess.exec
display_name: Write temporary AWS credentials to Silkbomb environment file
params:
binary: bash
args:
- "src/evergreen/functions/security_reporting_scripts/write_aws_creds_to_silkbomb_env_file.sh"
include_expansions_in_env:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
- command: ec2.assume_role
display_name: Assume DevProd Platforms ECR readonly IAM role
params:
role_arn: arn:aws:iam::901841024863:role/ecr-role-evergreen-ro
- func: "f_expansions_write"
- command: subprocess.exec
display_name: Run Silkbomb to augment SBOM with VEX data
params:
binary: bash
args:
- "src/evergreen/functions/security_reporting_scripts/augment_sbom.sh"
include_expansions_in_env:
[AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
env:
REQUESTER: ${requester}
BRANCH_NAME: ${branch_name}
GITHUB_ORG: ${github_org}
GITHUB_REPO: ${github_repo}
CONTAINER_COMMAND: docker # podman or docker
CONTAINER_OPTIONS: --pull=always --platform=linux/amd64 -i --rm
CONTAINER_ENV_FILES: ${workdir}/silkbomb.env
CONTAINER_VOLUMES: -v ${workdir}:/workdir
CONTAINER_IMAGE: 901841024863.dkr.ecr.us-east-1.amazonaws.com/release-infrastructure/silkbomb:2.0
SBOM_REPO_PATH: sbom.private.json
SBOM_OUT_PATH: ${workdir}/sbom-with-vex-${branch_name}.json
SILKBOMB_COMMAND: augment
SILKBOMB_ARGS: --sbom-in /workdir/src/sbom.private.json --sbom-out /workdir/src/sbom-with-vex-${branch_name}.json --repo ${github_org}/${github_repo} --branch ${branch_name}
- command: subprocess.exec
display_name: Upload SBOM to Google Drive"
params:
binary: bash
args:
- "${workdir}/src/evergreen/run_python_script.sh"
- "${workdir}/src/evergreen/functions/security_reporting_scripts/upload_to_google_drive.py"
- "${workdir}/src/sbom-with-vex-${branch_name}.json"
env:
WORK_DIR: ${workdir}
GITHUB_COMMIT: ${github_commit}
TRIGGERED_BY_GIT_TAG: ${triggered_by_git_tag}
MONGODB_VERSION: ${version}
MONGODB_RELEASE_BRANCH: ${branch_name}
SBOM_OUT_PATH: ${workdir}/sbom-with-vex-${branch_name}.json
UPLOAD_FILE_NAME: "[${version}] MongoDB Server Enterprise SBOM"
SBOM_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID: ${SBOM_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}
SBOM_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID: ${SBOM_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}
Reference in New Issue View Git Blame Copy Permalink