Add compliance report (#25)

Author: blink1073

authorized-pub/action.yml

@@ -22,7 +22,7 @@ runs:
  run: |
  export GH_TOKEN=${{ inputs.token }}
  NAME=$(gh api users/${{ github.actor }} --jq '.name')
- export REPORT=$S3_ASSETS/authorized_publication.txt
+ export REPORT=$S3_ASSETS/authorized-publication.txt
  echo "Product: ${{ inputs.product_name }}" > $REPORT
  echo "Version: ${{ inputs.release_version }}" >> $REPORT
  echo "Releaser: $NAME" >> $REPORT

compliance-report/action.yml

@@ -0,0 +1,28 @@
+name: Generate a compliance report
+description: Generates the compliance report in the S3_ASSETS folder
+inputs:
+ token:
+ description: The GitHub token for the action
+ required: true
+ sbom_name:
+ description: The name of the SBOM file in the S3 bucket
+ default: cyclonedx.sbom.json
+ sarif_name:
+ description: The name of the SARIF file in the S3 bucket
+ default: code-scanning-alerts.json
+ authorized_pub_name:
+ description: The name of the Authorized Publication file in the S3 bucket
+ default: authorized-publication.txt
+runs:
+ using: composite
+ steps:
+ - name: Generate Compliance Report
+ shell: bash
+ run: |
+ set -eux
+ export GH_TOKEN=${{ inputs.token }}
+ export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name')
+ export SBOM_NAME=${{ inputs.sbom_name }}
+ export SARIF_NAME=${{ inputs.sarif_name }}
+ export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }}
+ bash ${{ github.action_path }}/generate.sh

compliance-report/generate.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -eux
+
+cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md
+Release Creator
+${RELEASE_CREATOR}
+
+Tool used to track third party vulnerabilities
+Silk
+
+Third-Party Dependency Information
+See ${SBOM_NAME}
+
+Static Analysis Findings
+See ${SARIF_NAME}
+
+Signature Information
+See ${AUTHORIZED_PUB_NAME}
+
+Known Vulnerabilities
+Any vulnerabilities that may be shown in the files referenced above have been reviewed and accepted by the appropriate approvers.
+EOF

gpg-sign/action.yml

@@ -11,6 +11,16 @@ inputs:
 runs:
  using: composite
  steps:
+ - name: Get the list of filenames as a space-separated string
+ shell: bash
+ id: filenames
+ run: |
+ set -eux
+ export FILENAMES=${{inputs.filenames}}
+ if [[ $FILENAMES =~ '*' ]]; then
+ FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')
+ fi
+ echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT
  - name: "Create detached signature for file"
  shell: bash
  run: |
@@ -25,4 +35,6 @@ runs:
  - name: "Move the signature files to the release directory"
  shell: bash
  run: |
- for filename in ${{ inputs.filenames }}; do mv ${filename}.sig $RELEASE_ASSETS; done
+ set -eux
+ export FILENAMES=${{steps.filenames.outputs.names}}
+ for filename in $FILENAMES; do mv ${filename}.sig $RELEASE_ASSETS; done

python/publish/action.yml

@@ -51,8 +51,11 @@ runs:
  - name: Generate Sarif Report
  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
  with:
- output-file: sarif-report.json
  ref: ${{ inputs.version }}
+ - name: Generate Compliance Report
+ uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+ with:
+ token: ${{ inputs.token }}
  - name: Run publish script
  shell: bash
  run: ${{github.action_path}}/publish.sh

python/publish/publish.sh

@@ -2,7 +2,8 @@
 
 set -eux
 
-mv sarif-report.json $S3_ASSETS
+cp $RELEASE_ASSETS/*.sig $S3_ASSETS
+mv code-scanning-alerts.json $S3_ASSETS
 
 if [ "$DRY_RUN" == "false" ]; then
  echo "Uploading Release Reports"

sbom/action.yml

@@ -11,10 +11,12 @@ inputs:
 runs:
  using: composite
  steps:
- - name: Download the Augmented SBOM file to the release assets folder
+ - name: Download the Augmented SBOM file to the release assets and s3 assets folders
  shell: bash
  run: |
+ set -eux
  podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \
  --env-file=${SILKBOMB_ENVFILE} \
  ${{ inputs.artifactory_image }} \
- download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json
+ download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json
+ cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}

setup/setup.sh

@@ -39,11 +39,11 @@ mkdir $S3_ASSETS
 
 echo "Set up global variables"
 cat <<EOF >> $GITHUB_ENV
-AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}"
+AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}
 GPG_KEY_ID=$GPG_KEY_ID
-GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}"
+GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
-SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}"
+SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
 ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS