SQL-2108: Add compliance report generation and publication (#272)

* Add compliance report generation and publication

* Address review feedback

* Revert variant name change

.evg.yml

@@ -28,7 +28,7 @@ buildvariants:
       - spotless
 
   - name: code-quality-and-correctness
-    display_name: "Code Quality and Correctness"
+    display_name: "Code Quality and Security"
     expansions:
       _platform: ubuntu2204-64-jdk-8
     run_on: [ ubuntu2204-small ]
@@ -119,18 +119,29 @@ tasks:
         variant: "release"
       - name: sbom
         variant: code-quality-and-correctness
+      - name: semgrep
+        variant: code-quality-and-correctness
     exec_timeout_secs: 300 # 5m
     commands:
       - func: "publish augmented SBOM"
+      - func: "publish static code analysis"
+      - func: "generate compliance report"
+      - func: "publish compliance report"
 
   - name: ssdlc-artifacts-snapshot
     run_on: ubuntu2204-small
+    allow_for_git_tag: false
     depends_on:
       - name: sbom
         variant: code-quality-and-correctness
+      - name: semgrep
+        variant: code-quality-and-correctness
     exec_timeout_secs: 300 # 5m
     commands:
       - func: "publish augmented SBOM"
+      - func: "publish static code analysis"
+      - func: "generate compliance report"
+      - func: "publish compliance report"
 
 functions:
   "push SBOM Lite to Silk":
@@ -383,6 +394,9 @@ functions:
           # set the state needed irrespective of _platform
           ARTIFACTS_DIR=artifacts
           S3_ARTIFACTS_DIR='mongo-jdbc-driver/artifacts/${version_id}/${build_variant}'
+          AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
+          COMPLIANCE_REPORT_NAME="mongodb-jdbc-compliance-report.md"
+          STATIC_CODE_ANALYSIS_NAME="mongo-jdbc-driver.sast.sarif"
 
           # Get the version from trigger.
           # Tag triggered runs are releases and the version is set in the tag.
@@ -411,7 +425,10 @@ functions:
           export PROJECT_DIRECTORY="$(pwd)"
 
           export SBOM_LITE_NAME="mongo-jdbc-driver.cdx.json"
-          export AUGMENTED_SBOM_NAME="mongo-jdbc-driver.augmented.sbom.json"
+          export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
+          export COMPLIANCE_REPORT_NAME=$COMPLIANCE_REPORT_NAME
+          export STATIC_CODE_ANALYSIS_NAME=$STATIC_CODE_ANALYSIS_NAME
+
           export SSDLC_DIR="$ARTIFACTS_DIR/ssdlc"
           mkdir -p $SSDLC_DIR
 
@@ -423,6 +440,8 @@ functions:
           JAVA_HOME: "$JAVA_HOME"
           SBOM_LITE_NAME: "$SBOM_LITE_NAME"
           AUGMENTED_SBOM_NAME: "$AUGMENTED_SBOM_NAME"
+          STATIC_CODE_ANALYSIS_NAME: "$STATIC_CODE_ANALYSIS_NAME"
+          COMPLIANCE_REPORT_NAME: "$COMPLIANCE_REPORT_NAME"
           SSDLC_DIR: "$SSDLC_DIR"
           PREPARE_SHELL: |
             export ADF_TEST_LOCAL_USER=${adf_test_local_user}
@@ -444,7 +463,8 @@ functions:
             export AUGMENTED_SBOM_NAME="$AUGMENTED_SBOM_NAME"
             export SSDLC_DIR="$SSDLC_DIR"
             export SBOM_LITE="$ARTIFACTS_DIR/ssdlc/$SBOM_LITE_NAME"
-          
+            export COMPLIANCE_REPORT_NAME="$COMPLIANCE_REPORT_NAME"
+            export STATIC_CODE_ANALYSIS_NAME="$STATIC_CODE_ANALYSIS_NAME"          
           EOT
 
     - command: expansions.update
@@ -653,7 +673,6 @@ functions:
         shell: bash
         working_dir: mongo-jdbc-driver
         script: |
-          ${prepare_shell}
           echo "Version = ${MDBJDBC_VER}"
           sed -i "s@{RELEASE_VERSION}@${MDBJDBC_VER}@" mongo-jdbc-downloads_template.json
           echo "-------------------------"
@@ -680,9 +699,8 @@ functions:
         shell: bash
         working_dir: mongo-jdbc-driver
         script: |
-          ${prepare_shell}
           echo "Running static code analysis with Semgrep..."
-
+          
           venv='venv'
           # Setup or use the existing virtualenv for semgrep
           if [[ -f "$venv/bin/activate" ]]; then
@@ -700,10 +718,10 @@ functions:
           # confirm
           semgrep --version
           set +e
-          semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=mongo-jdbc-driver.sast.sarif > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
+          semgrep --config p/java --verbose --exclude "vendor" --error --severity=ERROR --sarif-output=${STATIC_CODE_ANALYSIS_NAME} > mongo-jdbc-driver.sast.cmd.verbose.out 2>&1
           SCAN_RESULT=$?
           set -e
-          
+
           # Exit with a failure if the scan found an issue
           exit $SCAN_RESULT
     - command: s3.put
@@ -717,3 +735,112 @@ functions:
         content_type: application/json
         bucket: evg-bucket-mongo-jdbc-driver
         permissions: public-read
+
+  "publish static code analysis":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${assume_role_arn}
+        duration_seconds: 3600
+    - command: s3.get
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
+        remote_file: artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
+        content_type: application/json
+        bucket: evg-bucket-mongo-jdbc-driver
+    - command: s3.put
+      params:
+        aws_key: ${release_aws_key}
+        aws_secret: ${release_aws_secret}
+        local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
+        remote_file: mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
+        content_type: application/json
+        bucket: translators-connectors-releases
+        permissions: public-read
+        display_name: mongodb-jdbc-${MDBJDBC_VER}.sast.sarif
+
+
+  "generate compliance report":
+    - command: shell.exec
+      type: test
+      params:
+        shell: bash
+        working_dir: mongo-jdbc-driver
+        script: |
+          echo "Author = ${author}"
+          echo "Author email = ${author_email}"
+          echo "Version = ${MDBJDBC_VER}"
+          SBOM_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sbom.json"
+          SARIF_URL="https://translators-connectors-releases.s3.amazonaws.com/mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}.sast.sarif"
+          echo "Sbom url = $SBOM_URL"
+          echo "Sarif Url = $SARIF_URL"
+          
+          echo "----- Generating ${COMPLIANCE_REPORT_NAME} -----"
+          
+          # Copy template
+          cp resources/release/mongo_jdbc_compliance_report_template.md ${COMPLIANCE_REPORT_NAME}
+          
+          # Update the version
+          echo "Update the version"
+          echo "sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}"
+          sed -i.bu "s,%VERSION%,${MDBJDBC_VER},g" ${COMPLIANCE_REPORT_NAME}
+          
+          # Update the SBOM link
+          echo "Update the SBOM link"
+          echo "sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g"${COMPLIANCE_REPORT_NAME}"
+          sed -i.bu "s,%SBOM_URL%,$SBOM_URL,g" ${COMPLIANCE_REPORT_NAME}
+          
+          # Update the SARIF link
+          echo "Update the SARIF link"
+          echo "sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}"
+          sed -i.bu "s,%SARIF_URL%,$SARIF_URL,g" ${COMPLIANCE_REPORT_NAME}
+          
+          # Update the author information
+          echo "Update the author name"
+          echo "sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}"
+          sed -i.bu "s,%AUTHOR%,${author},g" ${COMPLIANCE_REPORT_NAME}
+          
+          echo "update the author email"
+          echo "sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}"
+          sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}
+          echo "---------------------------"
+    - command: ec2.assume_role
+      params:
+        role_arn: ${assume_role_arn}
+        duration_seconds: 3600
+    - command: s3.put
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: mongo-jdbc-driver/${COMPLIANCE_REPORT_NAME}
+        remote_file: artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
+        content_type: text/markdown
+        bucket: evg-bucket-mongo-jdbc-driver
+        permissions: public-read
+
+  "publish compliance report":
+    - command: ec2.assume_role
+      params:
+        role_arn: ${assume_role_arn}
+        duration_seconds: 3600
+    - command: s3.get
+      params:
+        aws_key: ${AWS_ACCESS_KEY_ID}
+        aws_secret: ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token: ${AWS_SESSION_TOKEN}
+        local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
+        remote_file: artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
+        content_type: text/markdown
+        bucket: evg-bucket-mongo-jdbc-driver
+    - command: s3.put
+      params:
+        aws_key: ${release_aws_key}
+        aws_secret: ${release_aws_secret}
+        local_file: artifacts/ssdlc/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
+        remote_file: mongo-jdbc-driver/mongodb-jdbc-${MDBJDBC_VER}-compliance-report.md
+        content_type: text/markdown
+        bucket: translators-connectors-releases
+        permissions: public-read

resources/release/mongo_jdbc_compliance_report_template.md

@@ -0,0 +1,23 @@
+
+# Mongo JDBC Driver SSDLC Compliance Report - %VERSION%
+
+**Release Creator**  
+%AUTHOR% - %AUTHOR_EMAIL%
+
+**Process Document**  
+https://www.mongodb.com/resources/products/capabilities/supply-chain-security-in-mongodb-s-software-development-lifecycle
+
+**Tool used to track third party vulnerabilities**  
+Silk Security
+
+**Third-Party Dependency Information**  
+See SBOM at URL: %SBOM_URL%
+
+**Static Analysis Findings**  
+See report at URL: %SARIF_URL%
+
+**Signature Information**  
+Product is signed with signatures available which can be verified by following the instructions from our [README](https://github.com/mongodb/mongo-jdbc-driver#).
+
+**Known Vulnerabilities**  
+Any vulnerabilities that may be shown in the links referenced above have been reviewed and accepted by the appropriate reviewers.