VS-161: Update SBOM usage for Kondukto (#88)

adelinowona · web-flow · commit 56916d977b39 · 2025-02-21T12:17:32.000-05:00
diff --git a/evergreen/download-augmented-sbom.sh b/evergreen/download-augmented-sbom.sh
@@ -1,16 +1,24 @@
 #!/usr/bin/env bash
 
 # Environment variables used as input:
-# SILK_CLIENT_ID
-# SILK_CLIENT_SECRET
+# AWS_ACCESS_KEY_ID
+# AWS_SECRET_ACCESS_KEY
+# AWS_SESSION_TOKEN
 
 declare -r SSDLC_PATH="./artifacts/ssdlc"
 mkdir -p "${SSDLC_PATH}"
 
-echo "Downloading augmented sbom from silk"
+echo "Downloading augmented sbom from Kondukto"
+
+# use AWS CLI to get the Kondukto API token from AWS Secrets Manager
+kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+if [ $? -ne 0 ]; then
+    exit 1
+fi
+# set the KONDUKTO_TOKEN environment variable
+echo "KONDUKTO_TOKEN=$kondukto_token" > ${PWD}/kondukto_credentials.env
 
 docker run --platform="linux/amd64" --rm -v ${PWD}:/pwd \
-  -e SILK_CLIENT_ID \
-  -e SILK_CLIENT_SECRET \
-  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 \
-  download --silk-asset-group mongo-csharp-analyzer --sbom-out /pwd/${SSDLC_PATH}/augmented-sbom.json
+  --env-file ${PWD}/kondukto_credentials.env \
+  artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 \
+  augment --repo mongodb/mongo-csharp-analyzer --branch main --sbom-in /pwd/sbom.json --sbom-out /pwd/${SSDLC_PATH}/augmented-sbom.json
diff --git a/evergreen/evergreen.yml b/evergreen/evergreen.yml
@@ -183,15 +183,22 @@ functions:
           - "mongo-csharp-analyzer/artifacts/nuget/MongoDB.Analyzer.${PACKAGE_VERSION}.nupkg"
 
   download-and-promote-augmented-sbom-to-s3-bucket:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${kondukto_role_arn}
     - command: shell.exec
       params:
         working_dir: "mongo-csharp-analyzer"
         include_expansions_in_env:
-          - "SILK_CLIENT_ID"
-          - "SILK_CLIENT_SECRET"
+          - "AWS_ACCESS_KEY_ID"
+          - "AWS_SECRET_ACCESS_KEY"
+          - "AWS_SESSION_TOKEN"
         script: |
           ${PREPARE_SHELL}
           ./evergreen/download-augmented-sbom.sh
+    - command: ec2.assume_role
+      params:
+        role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN}
     - command: s3.put
       params:
         aws_key: ${AWS_ACCESS_KEY_ID}
