mongodb · jchemburkar · Sep 11, 2025 · Sep 11, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/evergreen/configs/ssdlc_util.yml b/evergreen/configs/ssdlc_util.yml
@@ -10,6 +10,7 @@
 #  - SBOM_DIR - the directory to output sbom files to
 #  - SBOM_LICENSES - the name of the intermediate license file to scan
 #  - STATIC_CODE_ANALYSIS_NAME - the name of the file to output semgrep static analysis
+#  - SBOM_FILENAME - the name of the sbom file to add to the compliance report
 
 variables:
   - &rust_subprocess_default_params
@@ -26,9 +27,13 @@ functions:
           - author
           - author_email
           - release_version
-          - template_filepath
+          - repo_name
+          - repo_title
+          - signing_title
-          - repo_title
-          - signing_title
+          - product_name
+          - signing_section_bookmark
-          - repo_title
-          - signing_title
+          - product_name
+          - signing_section_bookmark
           - working_dir
           - COMPLIANCE_REPORT_NAME
+          - STATIC_CODE_ANALYSIS_NAME
+          - SBOM_FILENAME
         args:
           - ${script_dir}/generate_compliance_report.sh
     - command: s3.put
@@ -37,11 +42,31 @@ functions:
         aws_key: ${aws_key}
         aws_secret: ${aws_secret}
         local_file: ${working_dir}/${COMPLIANCE_REPORT_NAME}
-        remote_file: ${working_dir}/artifacts/${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
+        remote_file: ${working_dir}/artifacts/${working_dir}_${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
         content_type: text/markdown
         bucket: mciuploads
         permissions: public-read
-
+
+  "publish compliance report":
+    - command: s3.get
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: ${working_dir}/${COMPLIANCE_REPORT_NAME}
+        remote_file: ${working_dir}/artifacts/${working_dir}_${version_id}/ssdlc/${COMPLIANCE_REPORT_NAME}
+        content_type: text/markdown
+        bucket: mciuploads
+    - command: s3.put
+      params:
+        aws_key: ${release_aws_key}
+        aws_secret: ${release_aws_secret}
+        local_file: ${working_dir}/${COMPLIANCE_REPORT_NAME}
+        remote_file: ${working_dir}/${COMPLIANCE_REPORT_NAME}
+        content_type: text/markdown
+        bucket: translators-connectors-releases
+        permissions: public-read
+        display_name: ${COMPLIANCE_REPORT_NAME}
+
   "scan SBOM":
     - command: subprocess.exec
       type: test
@@ -55,6 +80,27 @@ functions:
         args:
           - ${script_dir}/scan_sbom.sh
 
+  "publish augmented SBOM":
+    - command: s3.get
+      params:
+        aws_key: ${aws_key}
+        aws_secret: ${aws_secret}
+        local_file: ${working_dir}/${AUGMENTED_SBOM_FILENAME}
+        remote_file: ${working_dir}/artifacts/${version_id}/ssdlc/${AUGMENTED_SBOM_FILENAME}
+        content_type: application/json
+        bucket: mciuploads
+        permissions: public-read
+    - command: s3.put
+      params:
+        aws_key: ${release_aws_key}
+        aws_secret: ${release_aws_secret}
+        local_file: ${working_dir}/${AUGMENTED_SBOM_FILENAME}
+        remote_file: ${working_dir}/${SBOM_FILENAME}
+        bucket: translators-connectors-releases
+        content_type: application/json
+        permissions: public-read
+        display_name: ${SBOM_FILENAME}
+
   "generate static code analysis":
     - command: subprocess.exec
       type: test
@@ -92,8 +138,8 @@ functions:
         aws_key: ${release_aws_key}
         aws_secret: ${release_aws_secret}
         local_file: ${working_dir}/papertrail/${STATIC_CODE_ANALYSIS_NAME}
-        remote_file: ${working_dir}/artifacts/${version_id}/ssdlc/${STATIC_CODE_ANALYSIS_NAME}
+        remote_file: ${working_dir}/${STATIC_CODE_ANALYSIS_NAME}
         content_type: application/json
         bucket: translators-connectors-releases
         permissions: public-read
-        display_name: ${working_dir}-${release_version}.sast.sarif
+        display_name: ${STATIC_CODE_ANALYSIS_NAME}
diff --git a/evergreen/resources/compliance_report_template.md b/evergreen/resources/compliance_report_template.md
@@ -0,0 +1,25 @@
+# %REPO_TITLE% SSDLC Compliance Report - %VERSION%
+
+**Release Creator**  
+%AUTHOR% - %AUTHOR_EMAIL%
+
+**Compliance Report Created Date**  
+%CREATED_DATE%
+
+**Process Document**  
+https://www.mongodb.com/resources/products/capabilities/supply-chain-security-in-mongodb-s-software-development-lifecycle
+
+**Tool used to track third party vulnerabilities**  
+Silk Security
+
+**Third-Party Dependency Information**  
+See SBOM at URL: %SBOM_URL%
+
+**Static Analysis Findings**  
+See report at URL: %SARIF_URL%
+
+**Signature Information**  
+Product is signed with signatures available which can be verified by following the instructions from our [README](https://github.com/mongodb/%REPO_NAME%/blob/main/README.md#%SIGNING_TITLE%).
+
+**Known Vulnerabilities**  
+Any vulnerabilities that may be shown in the links referenced above have been reviewed and accepted by the appropriate reviewers.
diff --git a/evergreen/scripts/generate_compliance_report.sh b/evergreen/scripts/generate_compliance_report.sh
@@ -6,17 +6,17 @@ echo "Author = ${author}"
 echo "Author email = ${author_email}"
 echo "Version = ${release_version}"
 
-SBOM_URL="https://translators-connectors-releases.s3.amazonaws.com/eap/${working_dir}/${working_dir}-${release_version}.sbom.json"
-SARIF_URL="https://translators-connectors-releases.s3.amazonaws.com/eap/${working_dir}/${working_dir}-${release_version}.sast.sarif"
+SBOM_URL="https://translators-connectors-releases.s3.amazonaws.com/${working_dir}/${SBOM_FILENAME}"
+SARIF_URL="https://translators-connectors-releases.s3.amazonaws.com/${working_dir}/${STATIC_CODE_ANALYSIS_NAME}"
 
 echo "Sbom url = $SBOM_URL"
 echo "Sarif Url = $SARIF_URL"
 
 echo "----- Generating ${COMPLIANCE_REPORT_NAME} -----"
 
 # Copy template
-echo "Copying template file from ${template_filepath} to ${COMPLIANCE_REPORT_NAME}"
-cp ${template_filepath} ${COMPLIANCE_REPORT_NAME}
+echo "Copying template file from sql-engines-common-test-infra/evergreen/resources/compliance_report_template.md to ${COMPLIANCE_REPORT_NAME}"
+cp sql-engines-common-test-infra/evergreen/resources/compliance_report_template.md ${COMPLIANCE_REPORT_NAME}
 
 # Update the version
 echo "Update the version"
@@ -42,3 +42,27 @@ echo "update the author email"
 echo "sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}"
 sed -i.bu "s,%AUTHOR_EMAIL%,${author_email},g" ${COMPLIANCE_REPORT_NAME}
 echo "---------------------------"
+
+# Update the created date
+CREATED_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+echo "Created date = $CREATED_DATE"
+echo "update the created date"
+echo "sed -i.bu "s,%CREATED_DATE%,${CREATED_DATE},g" ${COMPLIANCE_REPORT_NAME}"
+sed -i.bu "s,%CREATED_DATE%,${CREATED_DATE},g" ${COMPLIANCE_REPORT_NAME}
+echo "---------------------------"
+
+# update repository specific metadata
+echo "update the repo title"
+echo "sed -i.bu "s,%REPO_TITLE%,${repo_title},g" ${COMPLIANCE_REPORT_NAME}"
+sed -i.bu "s,%REPO_TITLE%,${repo_title},g" ${COMPLIANCE_REPORT_NAME}
+echo "---------------------------"
+
+echo "update the repo name"
+echo "sed -i.bu "s,%REPO_NAME%,${repo_name},g" ${COMPLIANCE_REPORT_NAME}"
+sed -i.bu "s,%REPO_NAME%,${repo_name},g" ${COMPLIANCE_REPORT_NAME}
+echo "---------------------------"
+
+echo "update the link to signing verification instructions"
+echo "sed -i.bu "s,%SIGNING_TITLE%,${signing_title},g" ${COMPLIANCE_REPORT_NAME}"
+sed -i.bu "s,%SIGNING_TITLE%,${signing_title},g" ${COMPLIANCE_REPORT_NAME}
+echo "---------------------------"