MONGOCRYPT-680 add Snyk steps to release process (#820)
* use `-e` in jq

This is to exit the command with a non-zero status on error

* print HTTP body on error creating silk asset group

The error message may include the reason. Example:
```
curl: (22) The requested URL returned error: 409
Failed to create silk asset group. Got reply: {"detail":"('The specified asset with identifier `libmongocrypt-master` already exists',)"}
```

* add Snyk steps to release process

* copy instructions from google doc

* suggest removal of old reference targets

* add build step before `snyk monitor`

To ensure libbson dependency is found
kevinAlbs committed Jun 17, 2024
1 parent f9adce5 commit bcaa919
Showing 4 changed files with 43 additions and 4 deletions.
Binary file added doc/img/cli-icon.png
Binary file added doc/img/reference-targets.png
36 changes: 36 additions & 0 deletions doc/releasing.md
Expand Up @@ -6,6 +6,19 @@ These steps describe releasing the libmongocrypt C library (not the language bin
Version numbers of libmongocrypt must follow the format 1.[0-9].[0-9] for releases and 1.[0-9].[0-9]-(alpha|beta|rc)[0-9] for pre-releases. This ensures that Linux distribution packages built from each commit are published to the correct location.

## Steps to release ##

### Check Snyk

Snyk is used to satisfy vulnerability scanning requirements of [DRIVERS-714](https://jira.mongodb.org/browse/DRIVERS-714). Prior to releasing, ensure necessary Snyk reported vulnerabilities meet requirements described in: [MongoDB Software Security Development Lifecycle Policy](https://docs.google.com/document/d/1u0m4Kj2Ny30zU74KoEFCN4L6D_FbEYCaJ3CQdCYXTMc/edit?tab=t.0#bookmark=id.l09k96qt24jm).

Go to [Snyk](https://app.snyk.io/) and select the `dev-prod` organization. If access is needed, see [Snyk Onboarding](https://docs.google.com/document/d/1A38HvDvVFOwLtJQfQwIGcy5amAIpDwHUkNInwezLwXY/edit#heading=h.9ayipd2nt7xg). Check the CLI target named `mongodb/libmongocrypt`. The CLI targets may be identified by this icon: ![CLI icon](img/cli-icon.png). There are reference targets for each tracked branch:

![Reference Targets](img/reference-targets.png)

For a patch release (e.g. x.y.z) check the rx.y reference target. For a minor release (e.g. x.y.0) check the master reference target.

### Release

Do the following when releasing:
- Ensure `etc/purls.txt` is up-to-date.
- If this is a feature release (e.g. `x.y.0` or `x.0.0`), follow these steps: [Creating SSDLC static analysis reports](https://docs.google.com/document/d/1rkFL8ymbkc0k8Apky9w5pTPbvKRm68wj17mPJt2_0yo/edit).
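Review bot: the new "Check Snyk" section says which reference target to check but not what outcome blocks the release; add a sentence stating that the release does not proceed until each reported vulnerability is fixed, triaged, or given an approved exception under the linked SSDLC policy, so the step has a clear pass/fail result. It would also help to say that the `rx.y` reference target for a patch release must be the one created for that release branch (see the `snyk monitor --target-reference=rx.y` step later in this file), otherwise a releaser may check `master` for a patch release by mistake.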
Expand Down Expand Up @@ -48,6 +61,29 @@ Do the following when releasing:
+silk-create-asset-group \
--branch <branch>
```
- Create a new Snyk reference target. The following instructions use the example branch `rx.y`:

Run `cmake` to ensure generated source files are present:
```bash
cmake -S. -Bcmake-build -D BUILD_TESTING=OFF
cmake --build cmake-build --target mongocrypt
```

Print dependencies found by Snyk and verify libbson is found:
```bash
snyk test --unmanaged --print-dep-paths
```

Copy the organization ID from [Snyk settings](https://app.snyk.io/org/dev-prod/manage/settings). Create the new Snyk reference target to track the newly created release branch:
```bash
snyk auth
snyk monitor \
--org=$ORGANIZATION_ID \
--target-reference=rx.y \
--unmanaged \
--remote-repo-url=https://github.com/mongodb/libmongocrypt.git
```
Snyk reference targets for older release branches may be removed if no further releases are expected on the branch.
- Make a PR to apply the "Update CHANGELOG.md for x.y.z" commit to the `master` branch.
- Update the release on the [Jira releases page](https://jira.mongodb.org/projects/MONGOCRYPT/versions).
- Record the release on [C/C++ Release Info](https://docs.google.com/spreadsheets/d/1yHfGmDnbA5-Qt8FX4tKWC5xk9AhzYZx1SKF4AD36ecY/edit?usp=sharing). This is done to meet SSDLC reporting requirements.
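Review bot: the `snyk monitor` command in this hunk uses `$ORGANIZATION_ID`, but the preceding sentence only says to copy the organization ID from Snyk settings and never shows it being set, so a releaser who pastes the block as-is runs `--org=` with an empty value. Add an explicit line such as `export ORGANIZATION_ID=<id copied from Snyk settings>` before `snyk auth`. Similarly, the `snyk test --unmanaged --print-dep-paths` step says to verify libbson is found but not what to do if it is missing; a short note that the `cmake` build step above must have completed first (which is why it was added) would close that gap.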
11 changes: 7 additions & 4 deletions etc/silk-create-asset-group.sh
Expand Up @@ -32,7 +32,7 @@ silk_jwt_token=$(curl --no-progress-meter --fail --location -X POST "https://sil
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d "$json_payload" \
| jq -r '.token')
| jq -e -r '.token')

asset_id="libmongocrypt-${branch}"

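Review bot: adding `-e` to `jq` in the token pipeline makes jq exit non-zero when `.token` is `null` or `false`, but an empty-string token still satisfies `-e`, and the status of the `$(...)` assignment is that of `jq` alone unless `set -o pipefail` is in effect, which is not visible in these lines. Suggest an explicit check right after the assignment, e.g. `[ -n "$silk_jwt_token" ] || { echo "Failed to obtain silk JWT token"; exit 1; }`, so a failed or empty login aborts before the token is sent in the `Authorization` header below.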
Expand All @@ -51,14 +51,17 @@ json_payload=$(cat <<EOF
}
EOF
)
reply=$(curl --no-progress-meter --fail --location -X 'POST' \
if ! reply=$(curl --no-progress-meter --fail-with-body --location -X 'POST' \
'https://silkapi.us1.app.silk.security/api/v1/raw/asset_group' \
-H "Accept: application/json" \
-H "Authorization: ${silk_jwt_token}" \
-H 'Content-Type: application/json' \
-d "$json_payload")
-d "$json_payload"); then
echo "Failed to create silk asset group. Got reply: $reply"
exit 1
fi

if silkid=$(echo "$reply" | jq ".silk_id"); then
if silkid=$(echo "$reply" | jq -e ".silk_id"); then
echo "Created silk asset group with asset_id=$asset_id and silk_id=$silkid"
else
echo "Reply does not contain expected 'silk_id': $reply"
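Review bot: `--fail-with-body` at the top of this hunk was introduced in curl 7.76.0; on an older curl the option is rejected before any request is sent, and the script falls into the new failure branch printing "Failed to create silk asset group. Got reply:" with an empty body, which hides the real cause. Consider documenting the minimum curl version in the script header or checking `curl --version` up front. Minor: `jq -e ".silk_id"` without `-r` keeps the JSON quotes in `$silkid` if `silk_id` is a string, so the success message prints `silk_id="..."`; add `-r` if a bare value is intended.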