RUST-1205 Cherry-pick SSDLC updates to 3.0.x (#1143)

Author: abr-egn

.evergreen/check-semgrep.sh

@@ -2,23 +2,29 @@
 
 set -o errexit
 
-source ./.evergreen/env.sh
-
-. ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
-PYTHON=$(find_python3)
+if [ -t 0 ] ; then
+    # Interactive shell
+    PYTHON3=${PYTHON3:-"python3"}
+else
+    # Evergreen run (probably)
+    source ./.evergreen/env.sh
+    source ${DRIVERS_TOOLS}/.evergreen/find-python3.sh
+    PYTHON3=$(find_python3)
+fi
 
 if [[ -f "semgrep/bin/activate" ]]; then
-    echo 'using existing virtualenv'
+    echo 'Using existing virtualenv...'
     . semgrep/bin/activate
 else
-    echo 'Creating new virtualenv'  
-    ${PYTHON} -m venv semgrep
-    echo 'Activating new virtualenv'
+    echo 'Creating new virtualenv...'
+    ${PYTHON3} -m venv semgrep
+    echo 'Activating new virtualenv...'
     . semgrep/bin/activate
+    echo 'Installing semgrep...'
     python3 -m pip install semgrep
 fi
 
+# Show human-readable output
+semgrep --config p/rust --error
 # Generate a SARIF report
-semgrep --config p/rust --sarif > mongo-rust-driver.json.sarif
-# And human-readable output
-semgrep --config p/rust --error
+semgrep --config p/rust --quiet --sarif -o sarif.json

.evergreen/create-ssdlc-compliance-report.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -o errexit
+set -o xtrace
+
+REPORT_FILE=".evergreen/${CRATE_VERSION}-ssdlc-compliance-report.md"
+SED_REPLACE="s/RELEASE_VERSION/${CRATE_VERSION}/g"
+
+sed ${SED_REPLACE} .evergreen/ssdlc-compliance-report-template.md > ${REPORT_FILE}

.evergreen/release-build-vars.sh

@@ -13,8 +13,10 @@ CRATE_VERSION=$(cargo metadata --format-version=1 --no-deps | jq --raw-output '.
 rm secrets-export.sh
 
 PAPERTRAIL_PRODUCT="rust-driver"
+TEST_PREFIX=""
 if [[ "${DRY_RUN:-}" == "yes" ]]; then
   PAPERTRAIL_PRODUCT="rust-driver-testing"
+  TEST_PREFIX="testing-"
 fi
 
 cat <<EOT >release-expansion.yml
@@ -27,4 +29,7 @@ ARTIFACTORY_USERNAME: "${ARTIFACTORY_USERNAME}"
 ARTIFACTORY_PASSWORD: "${ARTIFACTORY_PASSWORD}"
 GARASIGN_USERNAME: "${GARASIGN_USERNAME}"
 GARASIGN_PASSWORD: "${GARASIGN_PASSWORD}"
+S3_UPLOAD_AWS_KEY: "${S3_UPLOAD_AWS_KEY}"
+S3_UPLOAD_AWS_SECRET: "${S3_UPLOAD_AWS_SECRET}"
+TEST_PREFIX: "${TEST_PREFIX}"
 EOT

.evergreen/releases.yml

@@ -29,7 +29,6 @@
 #
 # Make sure to remove the changes from 1 and 2 before merging!
 
-
 exec_timeout_secs: 3600 
 
 functions:
@@ -158,8 +157,42 @@ functions:
         args:
           - .evergreen/release-sign.sh
 
+  # Note for debugging: the links generated by Evergreen for these files will
+  # return a "permission denied" error; this is expected and a consequence of
+  # s3 configuration.  The files can be viewed/downloaded by replacing the host
+  # portion of the URL with `downloads.mongodb.org`.
   "save signature":
-    command: s3.push
+    - command: s3.put
+      params:
+        aws_key: ${S3_UPLOAD_AWS_KEY}
+        aws_secret: ${S3_UPLOAD_AWS_SECRET}
+        local_files_include_filter:
+          - src/mongodb-${CRATE_VERSION}.sig
+          - src/mongodb-internal-macros-${CRATE_VERSION}.sig
+        remote_file: rust-driver/${TEST_PREFIX}
+        bucket: cdn-origin-rust-driver
+        permissions: private
+        content_type: text/plain
+        display_name: signature-
+
+  "create and upload SSDLC compliance report":
+    - command: subprocess.exec
+      params:
+        working_dir: "src"
+        include_expansions_in_env:
+          - CRATE_VERSION
+        binary: bash
+        args:
+          - .evergreen/create-ssdlc-compliance-report.sh
+    - command: s3.put
+      params:
+        aws_key: ${S3_UPLOAD_AWS_KEY}
+        aws_secret: ${S3_UPLOAD_AWS_SECRET}
+        local_file: src/.evergreen/${CRATE_VERSION}-ssdlc-compliance-report.md
+        remote_file: rust-driver/${TEST_PREFIX}${CRATE_VERSION}-ssdlc-compliance-report.md
+        bucket: cdn-origin-rust-driver
+        permissions: private
+        content_type: text/markdown
 
 tasks:
   - name: "publish-release"
@@ -172,6 +205,7 @@ tasks:
       - func: "publish papertrail"
       - func: "sign release"
       - func: "save signature"
+      - func: "create and upload SSDLC compliance report"
 
 axes:
   - id: "os"

.evergreen/ssdlc-compliance-report-template.md

@@ -0,0 +1,34 @@
+# MongoDB Rust Driver SSDLC Compliance Report
+
+### Release Version: RELEASE_VERSION
+
+**Release Creator**
+The creator of this release can be determined by visiting
+https://github.com/mongodb/mongo-rust-driver/releases/tag/vRELEASE_VERSION.
+
+**Process Document**
+Not available.  <!-- TODO RUST-1918 Link to "How We Develop Software" document -->
+
+**Tool used to track third party vulnerabilities**
+N/A; the Rust driver does not bundle third-party dependencies
+
+**Third-Party Dependency Information**
+N/A; the Rust driver does not bundle third-party dependencies
+
+**Static Analysis Findings**
+To request a copy of the static analysis report, please contact
+the MongoDB Rust driver team.
+
+**Signature Information**
+The release signature for this version can be found by visiting
+https://downloads.mongodb.org/rust-driver/mongodb-RELEASE_VERSION.sig.
+
+**Security Testing Report**
+See [Driver Security Testing Summary](https://docs.google.com/document/d/1y2K_RY4GZVXpQvv4JH_35mSzFRTawNJ3mibpvSBU8H0/edit?usp=sharing)
+(internal). Available as needed from the MongoDB Rust driver team.
+
+**Security Assessment Report**
+N/A; non-goal for client libraries
+
+**Known Vulnerabilities**
+None

.gitignore

@@ -12,4 +12,6 @@ Cargo.lock
 # we install cargo and rustup in the project directory on Evergreen.
 .cargo
 .rustup
-mongocryptd.pid
+mongocryptd.pid
+semgrep/
+sarif.json

.semgrepignore

@@ -1,2 +1,3 @@
 benchmarks/
-src/test/
+src/test/
+etc/

src/client/auth/scram.rs

@@ -317,7 +317,7 @@ impl ScramVersion {
         let normalized_password = match self {
             ScramVersion::Sha1 => {
                 // nosemgrep: insecure-hashes
-                let mut md5 = Md5::new();
+                let mut md5 = Md5::new(); // mongodb rating: No Fix Needed
                 md5.update(format!("{}:mongo:{}", username, password));
                 Cow::Owned(hex::encode(md5.finalize()))
             }

src/runtime/tls_rustls.rs

@@ -143,7 +143,7 @@ fn make_rustls_config(cfg: TlsOptions) -> Result<rustls::ClientConfig> {
 
     if let Some(true) = cfg.allow_invalid_certificates {
         // nosemgrep: rustls-dangerous
-        config
+        config // mongodb rating: No Fix Needed
             .dangerous()
             .set_certificate_verifier(Arc::new(NoCertVerifier {}));
     }