From e3715b672e18fbcae60d8571ec6ee51c28453db1 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Tue, 4 Jun 2024 11:49:03 -0500
Subject: [PATCH] PYTHON-4389 Add SBOM and CodeQL for Python (#823)
* PYTHON-4389 Add SBOM and CodeQL for Python
* fix shell script
* lint
* include sbom
* update manifest
* update manifest
---
 .github/dependabot.yml | 8 ++-
 .github/workflows/codeql.yml | 52 ++++++++++++++++
 bindings/python/.evergreen/test.sh | 10 +++
 bindings/python/MANIFEST.in | 4 +-
 bindings/python/libmongocrypt-version.txt | 1 +
 bindings/python/release.sh | 3 +-
 bindings/python/sbom.json | 76 +++++++++++++++++++++++
 bindings/python/update-sbom.sh | 14 +++++
 8 files changed, 165 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 bindings/python/libmongocrypt-version.txt
 create mode 100644 bindings/python/sbom.json
 create mode 100755 bindings/python/update-sbom.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 67eba6916..13a314222 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,6 +9,12 @@ updates:
 actions:
 patterns:
 - "*"
- # Add assignees
+ assignees:
+ - "@mongodb/dbx-python"
+ # Python
+ - package-ecosystem: "pip"
+ directory: "/bindings/python"
+ schedule:
+ interval: "weekly"
 assignees:
 - "@mongodb/dbx-python"
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..a3b838392
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master"]
+ tags: ['*']
+ pull_request:
+ paths:
+ - bindings/python/**/*.py
+ schedule:
+ - cron: '17 10 * * 2'
+
+jobs:
+ analyze-python:
+ name: Analyze Python
+ runs-on: "ubuntu-latest"
+ timeout-minutes: 360
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - uses: actions/setup-python@v3
+ with:
+ python-version: 3.x
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+ build-mode: manual
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ queries: security-extended
+ config: |
+ paths:
+ - bindings/python/pymongocrypt
+
+ - name: Install package
+ run: |
+ cd bindings/python
+ bash release.sh
+ pip install dist/*.whl
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:python"
diff --git a/bindings/python/.evergreen/test.sh b/bindings/python/.evergreen/test.sh
index 209459737..c0dd28a1c 100755
--- a/bindings/python/.evergreen/test.sh
+++ b/bindings/python/.evergreen/test.sh
@@ -99,3 +99,13 @@ for PYTHON_BINARY in "${PYTHONS[@]}"; do
 deactivate
 rm -rf .venv
 done
+
+# Verify the sbom file
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+EXPECTED="pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION"
+if grep -q $EXPECTED sbom.json; then
+ echo "SBOM is up to date!"
+else
+ echo "SBOM is out of date! Run the \"update-sbom.sh\" script."
+ exit 1
+fi
diff --git a/bindings/python/MANIFEST.in b/bindings/python/MANIFEST.in
index 2f0f72766..994cd2114 100644
--- a/bindings/python/MANIFEST.in
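Review bot: The `permissions` block of the `analyze-python` job lists only `security-events: write` and `packages: read`; an explicit block sets every unlisted scope to none, so the checkout step and the analyze upload run without `contents: read` and `actions: read`, both of which the CodeQL starter workflow includes, and adding `contents: read` and `actions: read` under `permissions:` makes that intent explicit. Checkout presumably still succeeds here only because the repository is public; on a private fork it would fail. The `actions/setup-python@v3` step is a major version behind the `actions/checkout@v4` next to it, so `uses: actions/setup-python@v5` keeps both on current majors. `build-mode: manual` is the setting for compiled languages; for `languages: python` the documented value is `build-mode: none`, and the `Install package` step is only useful for dependency resolution, not for extraction, which a comment on that step should say.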
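Review bot: `grep -q $EXPECTED sbom.json` expands the purl unquoted and treats it as a basic regex, so the dots in the version match any character and a value containing whitespace would be split into several arguments; use `if grep -qF -- "$EXPECTED" sbom.json; then`. The check also only proves that the expected purl string occurs somewhere in the file, not that it is the `purl` of the libmongocrypt component, which is acceptable for a drift check but worth stating, e.g. `# Fail if sbom.json does not mention the libmongocrypt purl pinned in libmongocrypt-version.txt`. Both paths are relative, so this assumes the script already runs from bindings/python, as the preceding loop appears to; that loop starts outside the hunk.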
+++ b/bindings/python/MANIFEST.in @@ -2,11 +2,13 @@ include README.rst include LICENSE include pyproject.toml include *requirements.txt +include sbom.json include CHANGELOG.rst recursive-include pymongocrypt *.py recursive-include requirements *.txt exclude build-manylinux-wheel.sh -exclude release.sh +exclude *.sh +exclude libmongocrypt-version.txt exclude RELEASE.rst exclude strip_header.py exclude synchro.py diff --git a/bindings/python/libmongocrypt-version.txt b/bindings/python/libmongocrypt-version.txt new file mode 100644 index 000000000..f8e233b27 --- /dev/null +++ b/bindings/python/libmongocrypt-version.txt @@ -0,0 +1 @@ +1.9.0 diff --git a/bindings/python/release.sh b/bindings/python/release.sh index 805be357f..546c6a9e9 100755 --- a/bindings/python/release.sh +++ b/bindings/python/release.sh @@ -16,7 +16,8 @@ set -o xtrace # Write all commands first to stderr set -o errexit # Exit the script with error if any of the commands fail # The libmongocrypt git revision release to embed in our wheels. -REVISION=$(git rev-list -n 1 1.9.0) +LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt) +REVISION=$(git rev-list -n 1 $LIBMONGOCRYPT_VERSION) # The libmongocrypt release branch. BRANCH="r1.9" # The python executable to use. diff --git a/bindings/python/sbom.json b/bindings/python/sbom.json new file mode 100644 index 000000000..43597e0ae --- /dev/null +++ b/bindings/python/sbom.json 
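Review bot: With the new `exclude *.sh` line, the `exclude build-manylinux-wheel.sh` line kept two lines above it is redundant, since the glob now covers every shell script including the new update-sbom.sh; dropping `exclude build-manylinux-wheel.sh` leaves one rule to maintain. A short comment such as `# helper scripts and the pinned-version file are build inputs, not package contents` above the exclude block would explain why sbom.json is shipped while libmongocrypt-version.txt is not.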
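Review bot: `BRANCH="r1.9"` stays hard-coded two lines below the new `LIBMONGOCRYPT_VERSION` read, so the tag and the release branch can now drift apart when only libmongocrypt-version.txt is bumped; derive it instead, `BRANCH="r${LIBMONGOCRYPT_VERSION%.*}"`, which yields r1.9 for 1.9.0. The expansion in `REVISION=$(git rev-list -n 1 "$LIBMONGOCRYPT_VERSION")` should be quoted like the rest of the script. Note that rev-list resolves a tag name, which is mutable; recording the resolved commit next to the version, or checking that the tag is signed, would give the wheel and the SBOM a stable provenance, which is a follow-up rather than a defect in this hunk. The rest of release.sh lies outside the hunk.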
@@ -0,0 +1,76 @@ +{ + "components": [ + { + "bom-ref": "pkg:github/mongodb/libmongocrypt@1.9.0", + "externalReferences": [ + { + "type": "distribution", + "url": "https://github.com/mongodb/libmongocrypt/archive/refs/tags/1.9.0.tar.gz" + }, + { + "type": "website", + "url": "https://github.com/mongodb/libmongocrypt/tree/1.9.0" + } + ], + "group": "mongodb", + "name": "libmongocrypt", + "purl": "pkg:github/mongodb/libmongocrypt@1.9.0", + "type": "library", + "version": "1.9.0" + } + ], + "dependencies": [ + { + "ref": "pkg:github/mongodb/libmongocrypt@1.9.0" + } + ], + "metadata": { + "timestamp": "2024-06-03T13:55:11.135812+00:00", + "tools": [ + { + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx-python-library.readthedocs.io/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" + } + ], + "name": "cyclonedx-python-lib", + "vendor": "CycloneDX", + "version": "6.4.4" + } + ] + }, + "serialNumber": "urn:uuid:e7358393-f4d3-4856-98bb-22547b234979", + "version": 1, + "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.5" +} diff --git a/bindings/python/update-sbom.sh b/bindings/python/update-sbom.sh new file mode 100755 index 000000000..e0c903149 --- /dev/null +++ b/bindings/python/update-sbom.sh 
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eux
+
+LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+if [ $(command -v podman) ]; then
+ DOCKER=podman
+else
+ DOCKER=docker
+fi
+
+echo "pkg:github/mongodb/libmongocrypt@$LIBMONGOCRYPT_VERSION" > purls.txt
+$DOCKER run --platform="linux/amd64" -it --rm -v $(pwd):$(pwd) artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update --purls=$(pwd)/purls.txt -o $(pwd)/sbom.json
+rm purls.txt
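Review bot: `-it` on the `$DOCKER run` line requests a TTY, which makes docker fail with an "input device is not a TTY" error when the script runs unattended, e.g. from CI, and nothing here needs interactive input; drop `-it`. The `$(pwd)` expansions in `-v $(pwd):$(pwd)`, `--purls=` and `-o` are unquoted, as is the podman probe, so a checkout path containing whitespace breaks word splitting; use `if command -v podman >/dev/null 2>&1; then` and `-v "$(pwd):$(pwd)" ... --purls="$(pwd)/purls.txt" -o "$(pwd)/sbom.json"`. Because of `set -e`, `rm purls.txt` is skipped when the container exits non-zero and the temporary file is left behind; a `trap 'rm -f purls.txt' EXIT` right after the echo covers both paths. The silkbomb image is referenced by the mutable tag `1.0`; pinning it by digest (`silkbomb:1.0@sha256:<digest>`) makes the SBOM generator itself reproducible.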