CLOUDP-315269: Add SSDLC report (#3898)

blva · web-flow · commit 4e33829dd113 · 2025-05-21T16:50:47.000+01:00
diff --git a/build/ci/release.yml b/build/ci/release.yml
@@ -112,6 +112,15 @@ functions:
           --repo mongodb_mongodb-atlas-cli  \
           --branch ${branch_name}  
           rm ${workdir}/kondukto_credentials.env
+  "generate ssdlc report":
+    - command: subprocess.exec
+      params:
+        include_expansions_in_env:
+            - author
+        env:
+          AUTHOR: ${author}
+        <<: *go_options
+        binary: build/package/gen-ssdlc-report.sh
   "package":
     - command: github.generate_token
       params:
@@ -395,6 +404,7 @@ tasks:
     commands:  
       - func: "generate sbom"
       - func: "run silkbomb"
+      - func: "generate ssdlc report"
   - name: package_goreleaser
     tags: ["packaging"]
     depends_on:
diff --git a/build/package/gen-ssdlc-report.sh b/build/package/gen-ssdlc-report.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+set -eu
+
+release_date=${DATE:-$(date -u '+%Y-%m-%d')}
+
+export DATE="${release_date}"
+VERSION=""
+VERSION=$(git tag --list 'atlascli/v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
+export VERSION
+export AUTHOR="${AUTHOR:-$(git config user.name)}"
+
+echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
+
+# Ensure compliance directory exists
+mkdir -p "compliance/"
+
+# Generate the report in compliance/ with a versioned filename
+envsubst < docs/releases/ssdlc-compliance.template.md \
+  > "compliance/ssdlc-compliance-${VERSION}.md"
+
+echo "SDLC checklist ready. Files in compliance/:"
+ls -l "compliance/"
+
+echo "Printing the generated report:"
+cat "compliance/ssdlc-compliance-${VERSION}.md"
diff --git a/docs/releases/ssdlc-compliance.template.md b/docs/releases/ssdlc-compliance.template.md
@@ -0,0 +1,30 @@
+SSDLC Compliance Report: Atlas CLI ${VERSION}
+=================================================================
+
+- Release Creator: ${AUTHOR}
+- Created On:       ${DATE}
+
+Overview:
+
+- **Product and Release Name**
+    - Atlas CLI ${VERSION}, ${DATE}.
+
+- **Process Document**
+  - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+  - [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+  - See SBOM Lite manifests (CycloneDX in JSON format):
+    - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.
