Include links to the Evergreen build and to the driver security testing summary in the SSDLC report #1426

Merged
merged 7 commits into from
Jun 28, 2024
37 changes: 33 additions & 4 deletions .evergreen/ssdlc-report.sh
Expand Up @@ -7,11 +7,11 @@ set -eu
# PRODUCT_VERSION

if [ -z "${PRODUCT_NAME}" ]; then
echo "PRODUCT_NAME must be set to a non-empty string"
printf "\nPRODUCT_NAME must be set to a non-empty string\n"
exit 1
fi
if [ -z "${PRODUCT_VERSION}" ]; then
echo "PRODUCT_VERSION must be set to a non-empty string"
printf "\nPRODUCT_VERSION must be set to a non-empty string\n"
exit 1
fi

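Review bot: with `set -eu` in effect (see the hunk header context), `[ -z "${PRODUCT_NAME}" ]` never reaches the new printf message when the variable is unset rather than merely empty, because bash aborts with its own "unbound variable" error first; the same applies to `${PRODUCT_VERSION}`. Use `"${PRODUCT_NAME:-}"` and `"${PRODUCT_VERSION:-}"` in the two tests so both cases yield the intended message, and send these error printfs to stderr (`>&2`), since the script's last line prints the report path on stdout for a caller to consume.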
Expand All @@ -22,12 +22,39 @@ RELATIVE_DIR_PATH="$(dirname "${BASH_SOURCE[0]:-$0}")"
source "${RELATIVE_DIR_PATH}/javaConfig.bash"

printf "\nCreating SSDLC reports\n"
printf "\nProduct name: %s\n" "${PRODUCT_NAME}"
printf "\nProduct version: %s\n" "${PRODUCT_VERSION}"

declare -r SSDLC_PATH="${RELATIVE_DIR_PATH}/../build/ssdlc"
declare -r SSDLC_STATIC_ANALYSIS_REPORTS_PATH="${SSDLC_PATH}/static-analysis-reports"
mkdir "${SSDLC_PATH}"
mkdir "${SSDLC_STATIC_ANALYSIS_REPORTS_PATH}"

declare -r EVERGREEN_PROJECT_NAME_PREFIX="${PRODUCT_NAME//-/_}"
declare -r EVERGREEN_BUILD_URL_PREFIX="https://spruce.mongodb.com/version"
declare -r GIT_TAG="r${PRODUCT_VERSION}"
GIT_COMMIT_HASH="$(git rev-list -n 1 "${GIT_TAG}")"
set +e
GIT_BRANCH_MASTER="$(git branch -a --contains "${GIT_TAG}" | grep 'master$')"
GIT_BRANCH_PATCH="$(git branch -a --contains "${GIT_TAG}" | grep '\.x$')"
set -e
if [ -n "${GIT_BRANCH_MASTER}" ]; then
declare -r EVERGREEN_BUILD_URL="${EVERGREEN_BUILD_URL_PREFIX}/${EVERGREEN_PROJECT_NAME_PREFIX}_${GIT_COMMIT_HASH}"
elif [ -n "${GIT_BRANCH_PATCH}" ]; then
# strip out the patch version
declare -r EVERGREEN_PROJECT_NAME_SUFFIX="${PRODUCT_VERSION%.*}"
declare -r EVERGREEN_BUILD_URL="${EVERGREEN_BUILD_URL_PREFIX}/${EVERGREEN_PROJECT_NAME_PREFIX}_${EVERGREEN_PROJECT_NAME_SUFFIX}_${GIT_COMMIT_HASH}"
elif [[ "${PRODUCT_NAME}" == *'-snapshot' ]]; then
declare -r EVERGREEN_BUILD_URL="https://no-url-for-snapshot-builds"
Member:
We currently use a placeholder URL (https://no-url-for-snapshot-builds) in the report. Since we don't own this domain, there's some risk it could be registered and misused, potentially exposing viewers to unexpected content if they click on or visit the link expecting legitimate information. I suggest replacing it with a non-clickable message, such as 'No URL available for snapshot builds.'

Suggested change
declare -r EVERGREEN_BUILD_URL="https://no-url-for-snapshot-builds"
declare -r EVERGREEN_BUILD_URL="There is no URL available for snapshot builds"

Member Author:
Done in 81e4f4d.

else
printf "\nFailed to compute EVERGREEN_BUILD_URL\n"
exit 1
fi
printf "\nEvergreen build URL: %s\n" "${EVERGREEN_BUILD_URL}"

PRODUCT_RELEASE_CREATOR="$(git log "${GIT_TAG}"^.."${GIT_TAG}" --simplify-by-decoration --pretty='format:%aN')"
printf "\nProduct release creator: %s\n" "${PRODUCT_RELEASE_CREATOR}"

printf "\nCreating SpotBugs SARIF reports\n"
./gradlew -version
set +e
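Review bot: the `set +e` / `set -e` window around the two `git branch -a --contains "${GIT_TAG}" | grep ...` assignments also masks a failing `git branch` invocation, not only a grep with no match; narrowing it to `... | grep 'master$' || true` (and likewise for `'\.x$'`) keeps `set -e` protection on the git call while still tolerating an empty result. In the same block, `GIT_COMMIT_HASH="$(git rev-list -n 1 "${GIT_TAG}")"` runs under `set -e` before the `*'-snapshot'` branch is reached, so a snapshot product whose version has no `r${PRODUCT_VERSION}` tag aborts at the hash lookup and never gets the snapshot fallback URL; if snapshot versions are not tagged, check the snapshot case before the tag lookup or guard the lookup with `|| true`.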
Expand All @@ -52,14 +79,16 @@ declare -r SSDLC_REPORT_PATH="${SSDLC_PATH}/ssdlc_compliance_report.md"
cp "${TEMPLATE_SSDLC_REPORT_PATH}" "${SSDLC_REPORT_PATH}"
declare -a SED_EDIT_IN_PLACE_OPTION
if [[ "$OSTYPE" == "darwin"* ]]; then
SED_EDIT_IN_PLACE_OPTION=(-i '')
SED_EDIT_IN_PLACE_OPTION=(-i '')
else
SED_EDIT_IN_PLACE_OPTION=(-i)
SED_EDIT_IN_PLACE_OPTION=(-i)
fi
sed "${SED_EDIT_IN_PLACE_OPTION[@]}" \
-e "s/\${product_name}/${PRODUCT_NAME}/g" \
-e "s/\${product_version}/${PRODUCT_VERSION}/g" \
-e "s/\${report_date_utc}/$(date -u +%Y-%m-%d)/g" \
-e "s/\${product_release_creator}/${PRODUCT_RELEASE_CREATOR}/g" \
-e "s>\${evergreen_build_url}>${EVERGREEN_BUILD_URL}>g" \
"${SSDLC_REPORT_PATH}"
printf "%s\n" "${SSDLC_REPORT_PATH}"

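Review bot: `-e "s/\${product_release_creator}/${PRODUCT_RELEASE_CREATOR}/g"` interpolates a git author name (from `git log ... --pretty='format:%aN'`) straight into a sed expression, so a name containing `/` breaks the command and `&` or `\` change the replacement (`&` re-inserts the matched placeholder text); the new URL expression already switches to `>` as the delimiter for the same kind of problem. Escape the value before use, for example `PRODUCT_RELEASE_CREATOR_ESCAPED="$(printf '%s' "${PRODUCT_RELEASE_CREATOR}" | sed -e 's/[&/\]/\\&/g')"`, and substitute the escaped form. The indentation-only changes to the two `SED_EDIT_IN_PLACE_OPTION=` lines are unrelated to the PR and could be split out to keep the diff focused.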
39 changes: 18 additions & 21 deletions .evergreen/template_ssdlc_compliance_report.md
Expand Up @@ -13,30 +13,18 @@ This report is available at
<td>${product_version}</td>
</tr>
<tr>
<th>Report date, UTC</th>
<td>${report_date_utc}</td>
</tr>
</table>

## Release creator

This information is available in multiple ways:

<table>
<tr>
<th>Evergreen</th>
<th>Release creator</th>
<td>
Go to
<a href="https://evergreen.mongodb.com/waterfall/mongo-java-driver?bv_filter=Publish%20Release">
https://evergreen.mongodb.com/waterfall/mongo-java-driver?bv_filter=Publish%20Release</a>,
find the build triggered from Git tag <code>r${product_version}</code>, see who authored it.
${product_release_creator}
<p>
Refer to data in Papertrail for more details.
There is currently no official way to serve that data.
</p>
</td>
</tr>
<tr>
<th>Papertrail</th>
<td>
Refer to data in Papertrail. There is currently no official way to serve that data.
</td>
<th>Report date, UTC</th>
<td>${report_date_utc}</td>
</tr>
</table>

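Review bot: `${product_release_creator}` is substituted into a raw `<td>` with no HTML escaping, so characters such as `<` or `&` in an author name are interpreted as markup when the report renders; escape the value in the script (or wrap it in a `<code>` span with entities) before substitution. The removed instructions (find the Publish Release build triggered from tag `r${product_version}` in Evergreen and see who authored it) were the reader's way to verify the creator independently; now that the name is stated directly, keep a pointer to the Evergreen build as the source of record next to the Papertrail note so the value remains checkable.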
Expand All @@ -55,14 +43,23 @@ is <https://github.com/mongodb/mongo-java-driver/blob/r${product_version}/sbom.j

## Static analysis findings

The static analysis findings are all available at
The static analysis findings are available at
<https://d-9067613a84.awsapps.com/start/#/console?account_id=857654397073&role_name=Drivers.User&destination=https%3a%2f%2fus-west-1.console.aws.amazon.com%2fs3%2fbuckets%2fjava-driver-release-assets%3fregion%3dus-west-1%26bucketType%3dgeneral%26prefix%3d${product_name}%2f${product_version}%2fstatic-analysis-reports%2f>.
All the findings in the aforementioned reports
are either of the MongoDB status "False Positive" or "No Fix Needed",
because code that has any other findings cannot technically get into the product.

<https://github.com/mongodb/mongo-java-driver/blob/r${product_version}/config/spotbugs/exclude.xml> may also be of interest.

## Security testing results

The testing results are available at
<${evergreen_build_url}>.

See the driver security testing summary
<https://docs.google.com/document/d/1y2K_RY4GZVXpQvv4JH_35mSzFRTawNJ3mibpvSBU8H0>
for the description of what is tested.

## Signature information

The product artifacts are signed.
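Review bot: `<${evergreen_build_url}>` relies on Markdown autolink syntax, so with the accepted suggestion for snapshot builds the substituted line becomes `<There is no URL available for snapshot builds>`, which renderers treat as an unknown HTML tag and either drop or show literally instead of as a sentence. Either move the angle brackets into the script so the URL case yields `<https://...>` and the snapshot case yields plain text, or change the template line to `${evergreen_build_url}` without brackets and rely on the bare URL being linkified.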