CLOUDP-327046/sbom-fixes (#96)

andrpac · web-flow · commit d413bc2b96f5 · 2025-06-30T16:06:17.000+01:00
* fix: sbom.json should be part of .gitignore

* feat: allow for augmented sboms
diff --git a/.gitignore b/.gitignore
@@ -29,6 +29,8 @@ manifest.windows.yml
 gon_x86_64.json
 gon_arm64.json
 *.xml
+sbom.json
+augmented-sbom.json
 
 # We don't want to commit env variables
 *.env
diff --git a/build/ci/release.yml b/build/ci/release.yml
@@ -42,6 +42,7 @@ variables:
       SILKBOMB_PURLS_FILE: "/pwd/purls.txt"
       SILKBOMB_SBOM_FILE: "/pwd/sbom.json"
   - &kondukto_config
+      AUGMENTED_SILKBOMB_SBOM_FILE: "/pwd/augmented-sbom.json"
       KONDUKTO_CREDENTIALS_FILE: kondukto_credentials.env
       KONDUKTO_REPO: mongodb_atlas-cli-plugin-kubernetes
       KONDUKTO_BRANCH: test
diff --git a/build/package/.goreleaser.yml b/build/package/.goreleaser.yml
@@ -92,3 +92,4 @@ release:
   extra_files:
     - glob: ./*.asc
     - glob: ./sbom.json
+    - glob: ./augmented-sbom.json
diff --git a/build/package/generate-sbom.sh b/build/package/generate-sbom.sh
@@ -17,6 +17,8 @@
 set -Eeou pipefail
 
 : "${SILKBOMB_IMAGE:?Missing SILKBOMB_IMAGE}"
+: "${SILKBOMB_PURLS_FILE:?Missing SILKBOMB_PURLS_FILE}"
+: "${SILKBOMB_SBOM_FILE:?Missing SILKBOMB_SBOM_FILE}"
 
 # Check if SILKBOMB_IMAGE is set and available locally
 if podman image exists "${SILKBOMB_IMAGE}"; then
@@ -25,6 +27,7 @@ else # Else image will need to be pulled from AWS registry
   : "${AWS_ACCESS_KEY_ID:?Missing AWS_ACCESS_KEY_ID}"
   : "${AWS_SECRET_ACCESS_KEY:?Missing AWS_SECRET_ACCESS_KEY}"
   : "${AWS_SESSION_TOKEN:?Missing AWS_SESSION_TOKEN}"
+  : "${SILKBOMB_REGISTRY:?Missing SILKBOMB_REGISTRY}"
 
   echo "Logging in to ECR..."
   aws ecr get-login-password --region us-east-1 | \
diff --git a/build/package/package.sh b/build/package/package.sh
@@ -28,16 +28,14 @@ export VERSION
 
 make generate-all-manifests
 
- "${test_mode:=false}"
-
  # If test mode is set, do not create a release on GitHub, just package locally 
- if [[ "${test_mode}" == "true" ]]; then
- 	# avoid race conditions on the notarization step by using `-p 1`
+if [[ "${test_mode:-false}" == "true" ]]; then
+	# avoid race conditions on the notarization step by using `-p 1`
  	./bin/goreleaser release --snapshot --config "build/package/.goreleaser.yml" --clean -p 1
- else 
+else 
  	# avoid race conditions on the notarization step by using `-p 1`
  	./bin/goreleaser release --config "build/package/.goreleaser.yml" --clean -p 1
- fi
+fi
 
 # check that the notarization service signed the mac binaries
 SIGNED_FILE_NAME=atlas-cli-plugin-kubernetes_macos_signed.zip
diff --git a/build/package/upload-sbom.sh b/build/package/upload-sbom.sh
@@ -17,6 +17,7 @@
 set -Eeou pipefail
 
 : "${SILKBOMB_IMAGE:?Missing SILKBOMB_IMAGE}"
+: "${SILKBOMB_SBOM_FILE:?Missing SILKBOMB_SBOM_FILE}"
 : "${KONDUKTO_CREDENTIALS_FILE:?Missing KONDUKTO_CREDENTIALS_FILE}"
 : "${KONDUKTO_REPO:?Missing KONDUKTO_REPO}"
 : "${KONDUKTO_BRANCH:?Missing KONDUKTO_BRANCH}"
@@ -33,22 +34,37 @@ else # Else image will need to be pulled from AWS registry
   : "${AWS_ACCESS_KEY_ID:?Missing AWS_ACCESS_KEY_ID}"
   : "${AWS_SECRET_ACCESS_KEY:?Missing AWS_SECRET_ACCESS_KEY}"
   : "${AWS_SESSION_TOKEN:?Missing AWS_SESSION_TOKEN}"
+  : "${SILKBOMB_REGISTRY:?Missing SILKBOMB_REGISTRY}"
 
   echo "Logging in to ECR..."
   aws ecr get-login-password --region us-east-1 | \
     podman login --username AWS --password-stdin "${SILKBOMB_REGISTRY}"
 fi
 
-echo "Uploading SBOM to Kondukto..."
-podman run --rm \
-  --pull=missing \
-  -v "$(pwd):/pwd" \
-  --env-file "${KONDUKTO_CREDENTIALS_FILE}" \
-  "${SILKBOMB_IMAGE}" \
-  upload \
-  --sbom-in "${SILKBOMB_SBOM_FILE}" \
-  --repo "${KONDUKTO_REPO}" \
-  --branch "${KONDUKTO_BRANCH}"
-
-echo "Uploading complete."
+# Note, augment by default uploads to Kondukto
+if [[ -n "${AUGMENTED_SILKBOMB_SBOM_FILE}" ]]; then
+  echo "Uploading SBOM to Kondukto and outputting augmented version..."
+  podman run --rm \
+    --pull=missing \
+    -v "$(pwd):/pwd" \
+    --env-file "${KONDUKTO_CREDENTIALS_FILE}" \
+    "${SILKBOMB_IMAGE}" \
+    augment \
+    --sbom-in "${SILKBOMB_SBOM_FILE}" \
+    --sbom-out "${AUGMENTED_SILKBOMB_SBOM_FILE}" \
+    --repo "${KONDUKTO_REPO}" \
+    --branch "${KONDUKTO_BRANCH}"
+else
+  echo "Uploading SBOM to Kondukto..."
+  podman run --rm \
+    --pull=missing \
+    -v "$(pwd):/pwd" \
+    --env-file "${KONDUKTO_CREDENTIALS_FILE}" \
+    "${SILKBOMB_IMAGE}" \
+    upload \
+    --sbom-in "${SILKBOMB_SBOM_FILE}" \
+    --repo "${KONDUKTO_REPO}" \
+    --branch "${KONDUKTO_BRANCH}"
+fi
+
 rm -f "${KONDUKTO_CREDENTIALS_FILE}"
