feat(ci): add SBOM file to release artifacts (#1975)

.evergreen/compile-artifact.sh

@@ -6,6 +6,9 @@ cd $(pwd)
 
 source .evergreen/setup-env.sh
 
+# make sure our .sbom files are freshly created
+rm -vrf .sbom && mkdir -vp .sbom
+
 if uname -a | grep -q 'Linux.*x86_64'; then
   rm -rf "tmp/.sccache"
   mkdir -p "tmp/.sccache"
@@ -92,6 +95,8 @@ if uname -a | grep -q 'Linux.*x86_64'; then
   test $(objdump -d dist/mongosh | grep '\bvmovd\b' | wc -l) -lt 1250
 fi
 
-tar cvzf dist.tgz dist
+npm run write-node-js-dep
+npm run create-purls-file
+cp .sbom/purls.txt dist/.purls.txt
 
-source .evergreen/compilation-context-expansions.sh
+cat dist/.purls.txt

.evergreen/download-crypt-shared-and-generate-sbom.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+set -x
+npm run evergreen-release download-crypt-shared-library
+
+ls -lhA dist
+echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> dist/.purls.txt
+
+cat dist/.purls.txt
+
+set +x
+docker login artifactory.corp.mongodb.com --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
+set -x
+
+docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
+docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
+  --purls /pwd/dist/.purls.txt --sbom_out /pwd/dist/.sbom.json

.evergreen/evergreen.yml.in

@@ -396,6 +396,37 @@ functions:
           DISTRO_ID: ${distro_id}
           NODE_JS_VERSION: ${node_js_version}
           MONGOSH_SHARED_OPENSSL: ${mongosh_shared_openssl}
+  upload_sbom:
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.sbom.json
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-sbom.json
+        bucket: mciuploads
+        permissions: public-read
+        content_type: application/json
+    - command: s3.put
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: src/dist/.purls.txt
+        remote_file: mongosh/binaries/${revision}/${revision_order_id}/mongosh-${executable_os_id}${extra_upload_tag}-purls.txt
+        bucket: mciuploads
+        permissions: public-read
+        content_type: text/plain
+  upload_compiled_artifact:
+    - command: shell.exec
+      params:
+        working_dir: src
+        shell: bash
+        env:
+          DISTRO_ID: ${distro_id}
+        script: |
+          set -e
+          set -x
+          tar cvzf dist.tgz dist
+          bash .evergreen/compilation-context-expansions.sh
     - command: expansions.update
       params:
         ignore_missing_file: false
@@ -467,6 +498,17 @@ functions:
   # - package_variant
   # - signature_tag (either 'signed' or 'unsigned')
   ###
+  add_crypt_shared_and_sbom:
+    - command: subprocess.exec
+      params:
+        working_dir: src
+        binary: bash .evergreen/download-crypt-shared-and-generate-sbom.sh
+        env:
+          NODE_JS_VERSION: ${node_js_version}
+          DISTRO_ID_OVERRIDE: ${distro_id}
+          PACKAGE_VARIANT: ${package_variant}
+          ARTIFACTORY_USERNAME: ${artifactory_username}
+          ARTIFACTORY_PASSWORD: ${artifactory_password}
   package_artifact:
     - command: expansions.write
       type: setup
@@ -688,11 +730,6 @@ functions:
           }
 
   generate_license_and_vulnerability_report:
-    - command: expansions.write
-      type: system
-      params:
-        file: tmp/expansions.yaml
-        redacted: true
     - command: shell.exec
       params:
         working_dir: src
@@ -705,7 +742,6 @@ functions:
           JIRA_API_TOKEN: ${jira_api_token}
         script: |
           set -e
-          export NODE_JS_VERSION=${node_js_version}
           source .evergreen/setup-env.sh
 
           # validate licenses, we first remove THIRD_PARTY_NOTICES.md, so we are sure
@@ -1055,6 +1091,9 @@ tasks:
       - func: compile_artifact
         vars:
           node_js_version: "<% out(NODE_JS_VERSION_20) %>"
+      - func: upload_compiled_artifact
+        vars:
+          node_js_version: "<% out(NODE_JS_VERSION_20) %>"
 
   - name: generate_license_and_vulnerability_report
     tags: ["extra-integration-test"]
@@ -1147,7 +1186,7 @@ tasks:
   ###
   <% for (const { executableOsId, compileBuildVariant, packages } of RELEASE_PACKAGE_MATRIX) {
        for (const { name: packageVariant } of packages) { %>
-  - name: package_artifact_<% out(packageVariant.replace(/-/g, '_')) %>
+  - name: add_crypt_shared_and_sbom_<% out(packageVariant.replace(/-/g, '_')) %>
     depends_on:
       - name: compile_artifact
         variant: <% out(compileBuildVariant) %>
@@ -1159,6 +1198,31 @@ tasks:
       - func: download_compiled_artifact
         vars:
           executable_os_id: <% out(executableOsId) %>
+      - func: add_crypt_shared_and_sbom
+        vars:
+          package_variant: <% out(packageVariant) %>
+          executable_os_id: <% out(executableOsId) %>
+      - func: upload_sbom
+        vars:
+          executable_os_id: <% out(executableOsId) %>
+          extra_upload_tag: -<% out(packageVariant) %>-sbom
+      - func: upload_compiled_artifact
+        vars:
+          executable_os_id: <% out(executableOsId) %>
+          extra_upload_tag: -<% out(packageVariant) %>-complete
+  - name: package_artifact_<% out(packageVariant.replace(/-/g, '_')) %>
+    depends_on:
+      - name: add_crypt_shared_and_sbom_<% out(packageVariant.replace(/-/g, '_')) %>
+        variant: linux_package
+    commands:
+      - func: checkout
+      - func: install
+        vars:
+          node_js_version: "<% out(NODE_JS_VERSION_20) %>"
+      - func: download_compiled_artifact
+        vars:
+          executable_os_id: <% out(executableOsId) %>
+          extra_upload_tag: -<% out(packageVariant) %>-complete
       - func: package_artifact
         vars:
           node_js_version: "<% out(NODE_JS_VERSION_20) %>"
@@ -1384,7 +1448,9 @@ buildvariants:
     tags: ["nightly-driver"]
     tasks:
       <% for (const { executableOsId, packages } of RELEASE_PACKAGE_MATRIX) {
-          for (const { name: packageVariant } of packages) {
+          for (const { name: packageVariant } of packages) { %>
+      - name: add_crypt_shared_and_sbom_<% out(packageVariant.replace(/-/g, '_')) %>
+      <%
             if (executableOsId.startsWith('linux')) { %>
       - name: package_artifact_<% out(packageVariant.replace(/-/g, '_')) %>
       - name: sign_artifact_<% out(packageVariant.replace(/-/g, '_')) %>

config/build.conf.js

@@ -4,8 +4,8 @@ const path = require('path');
 const os = require('os');
 
 const SHARED_LIBRARY_SUFFIX =
-  process.platform === 'win32' ? 'dll' :
-  process.platform === 'darwin' ? 'dylib' : 'so';
+  (process.env.PACKAGE_VARIANT ?? process.platform).startsWith('win32') ? 'dll' :
+  (process.env.PACKAGE_VARIANT ?? process.platform).startsWith('darwin') ? 'dylib' : 'so';
 
 /**
  * The project root.
@@ -48,7 +48,7 @@ const EXECUTABLE_PATH = path.join(OUTPUT_DIR, process.platform === 'win32' ? 'mo
  * We use the name mongosh_crypt_v1 to avoid conflicts with users
  * potentially installing the 'proper' crypt shared library.
  */
-const CRYPT_LIBRARY_PATH = path.resolve(TMP_DIR, 'mongosh_crypt_v1.' + SHARED_LIBRARY_SUFFIX);
+const CRYPT_LIBRARY_PATH = path.resolve(OUTPUT_DIR, 'mongosh_crypt_v1.' + SHARED_LIBRARY_SUFFIX);
 
 /**
  * Build info JSON data file.
@@ -148,7 +148,11 @@ module.exports = {
         {
           sourceFilePath: path.resolve(__dirname, '..', 'THIRD_PARTY_NOTICES.md'),
           packagedFilePath: 'THIRD_PARTY_NOTICES'
-        }
+        },
+        {
+          sourceFilePath: path.resolve(path.dirname(EXECUTABLE_PATH), '.sbom.json'),
+          packagedFilePath: '.sbom.json'
+        },
       ],
       manpage: {
         sourceFilePath: path.resolve(TMP_DIR, 'manpage', MANPAGE_NAME),