CLOUDP-315270: Generate SSDLC report with augmented SBOM on-demand #3916
Conversation
cveticm
force-pushed
the
CLOUDP-315270_generate_augmented_sbom_and_report
branch
from
df320bb to
de75701
Compare
Fixes sbom file name
cveticm
force-pushed
the
CLOUDP-315270_generate_augmented_sbom_and_report
branch
from
ea89146 to
923ebaa
Compare
| VERSION: ${{ inputs.release_version }} | ||
| AUGMENTED_SBOM_TEXT: " - See Augmented SBOM manifests (CycloneDX in JSON format): | ||
| \n - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${{ inputs.release_version }}.json' | ||
| \n - Please note that this file was generated on ${{ env.date }} and may not reflect the latest security information of all third party dependencies.\n" |
There was a problem hiding this comment.
Looking for reviewers' opinions on this:
I have the date the augmented SBOM is generated in the report as well as including the date in the file names of the report and augmented sbom.
Do you think this is sufficient to flag to the reader that this file can become out-of-date?
There was a problem hiding this comment.
I think so, but I'm OK with keeping this note.
| @@ -18,7 +18,7 @@ Overview: | |||
| - **Dependency Information** | |||
| - See SBOM Lite manifests (CycloneDX in JSON format): | |||
| - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json | |||
There was a problem hiding this comment.
[Q] Should we keep the Release sbom for the on-demand report? If not, we can update the script + template to display the right depending if its triggered or not
From the current example we generate this:
- Dependency Information
- See SBOM Lite manifests (CycloneDX in JSON format):
- See Augmented SBOM manifests (CycloneDX in JSON format):
- This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v1.42.2.json'
- Please note that this file was generated on 2025-05-28 and may not reflect the latest security information of all third party dependencies.
There was a problem hiding this comment.
Good point, will rework the script to only print sbom lite for release and only aug sbom for on-demand
There was a problem hiding this comment.
Done, replaces variable AUGMENTED_SBOM_TEXT string with AUGMENTED_REPORT bool which is then used to determine of the report refers to sbom lite in release or augmented sbom.
Has the added bonus of making more clear how variable change is the report is augmented.
| VERSION: ${{ inputs.release_version }} | ||
| AUGMENTED_SBOM_TEXT: " - See Augmented SBOM manifests (CycloneDX in JSON format): | ||
| \n - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${{ inputs.release_version }}.json' | ||
| \n - Please note that this file was generated on ${{ env.date }} and may not reflect the latest security information of all third party dependencies.\n" |
There was a problem hiding this comment.
I think so, but I'm OK with keeping this note.
cveticm
force-pushed
the
CLOUDP-315270_generate_augmented_sbom_and_report
branch
from
a2a1a60 to
958392e
Compare
Proposed changes
Successful run of augment sbom action.
Verifying changes to report script and template do not effect update-ssdlc-report workflow.
Jira ticket: CLOUDP-315270
Checklist
make fmtand formatted my code