fix(ci): adopt augmented SBOM integration with Silk MONGOSH-1773 (#2021)

Author: addaleax

.evergreen.yml

@@ -7550,6 +7550,10 @@ functions:
           PACKAGE_VARIANT: ${package_variant}
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
+          # for Silk SBOM integration
+          SILK_ASSET_GROUP: mongosh-${executable_os_id}
+          SILK_CLIENT_ID: ${silk_client_id}
+          SILK_CLIENT_SECRET: ${silk_client_secret}
   create_static_analysis_report:
     - command: s3.get
       params:
@@ -16801,7 +16805,7 @@ tasks:
       - func: install
         vars:
           node_js_version: "20.12.2"
-      - func: create_static_analysis_report 
+      - func: create_static_analysis_report
         vars:
           node_js_version: "20.12.2"
 

.evergreen/download-crypt-shared-and-generate-sbom.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
 set -x
+
 npm run evergreen-release download-crypt-shared-library
 
 ls -lhA dist
@@ -9,9 +10,22 @@ echo "pkg:generic/mongo_crypt_shared@$(cat dist/.mongosh_crypt_*.version)" >> di
 cat dist/.purls.txt
 
 set +x
-docker login artifactory.corp.mongodb.com --username ${ARTIFACTORY_USERNAME} --password ${ARTIFACTORY_PASSWORD}
+echo "${ARTIFACTORY_PASSWORD}" | docker login artifactory.corp.mongodb.com --username "${ARTIFACTORY_USERNAME}" --password-stdin
+cat << EOF > silkbomb.env
+SILK_CLIENT_ID=${SILK_CLIENT_ID}
+SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
+EOF
 set -x
 
+trap_handler() {
+  rm -f silkbomb.env
+}
+trap trap_handler ERR EXIT
+
 docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0
 docker run --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
-  --purls /pwd/dist/.purls.txt --sbom_out /pwd/dist/.sbom.json
+  --purls /pwd/dist/.purls.txt --sbom-out /pwd/dist/.sbom-lite.json
+docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
+  --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /pwd/dist/.sbom-lite.json
+docker run --env-file silkbomb.env --rm -v ${PWD}:/pwd artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
+  --silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /pwd/dist/.sbom.json

.evergreen/evergreen.yml.in

@@ -522,9 +522,13 @@ functions:
           PACKAGE_VARIANT: ${package_variant}
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
+          # for Silk SBOM integration
+          SILK_ASSET_GROUP: mongosh-${executable_os_id}
+          SILK_CLIENT_ID: ${silk_client_id}
+          SILK_CLIENT_SECRET: ${silk_client_secret}
   create_static_analysis_report:
   <%
-  let firstPartyDepsFilenames = []; 
+  let firstPartyDepsFilenames = [];
   for (const { executableOsId, packages } of RELEASE_PACKAGE_MATRIX) {
         const filename = `mongosh-${executableOsId}-first-party-deps.json`;
         firstPartyDepsFilenames.push(filename); %>
@@ -1391,7 +1395,7 @@ tasks:
       - func: install
         vars:
           node_js_version: "<% out(NODE_JS_VERSION_20) %>"
-      - func: create_static_analysis_report 
+      - func: create_static_analysis_report
         vars:
           node_js_version: "<% out(NODE_JS_VERSION_20) %>"