From 2454b756c1a77085e85176687ec351bdf3f8947f Mon Sep 17 00:00:00 2001 From: Valentin Kovalenko Date: Wed, 29 May 2024 15:40:40 -0600 Subject: [PATCH 1/5] Create and upload `ssdlc_compliance_report.md` JAVA-5435 --- .evergreen/.evg.yml | 66 ++++++++++++++++++----- .evergreen/ssdlc-report.sh | 53 +++++++++++++++++-- template_ssdlc_compliance_report.md | 82 +++++++++++++++++++++++++++++ 3 files changed, 183 insertions(+), 18 deletions(-) create mode 100644 template_ssdlc_compliance_report.md diff --git a/.evergreen/.evg.yml b/.evergreen/.evg.yml index 37b67c6e1e5..759a5d1740a 100644 --- a/.evergreen/.evg.yml +++ b/.evergreen/.evg.yml 
@@ -142,6 +142,45 @@ functions: content_type: ${content_type|text/plain} display_name: "orchestration.log" + "create and upload SSDLC release assets": + - command: shell.exec + shell: "bash" + params: + working_dir: "src" + env: + PRODUCT_NAME: ${product_name} + PRODUCT_VERSION: ${product_version} + script: .evergreen/ssdlc-report.sh + - command: ec2.assume_role + params: + role_arn: ${UPLOAD_SSDLC_RELEASE_ASSETS_ROLE_ARN} + - command: s3.put + params: + aws_key: ${AWS_ACCESS_KEY_ID} + aws_secret: ${AWS_SECRET_ACCESS_KEY} + aws_session_token: ${AWS_SESSION_TOKEN} + local_file: ./src/build/ssdlc/ssdlc_compliance_report.md + remote_file: ${product_name}/${product_version}/ssdlc_compliance_report.md + bucket: java-driver-release-assets + region: us-west-1 + permissions: private + content_type: text/markdown + display_name: ssdlc_compliance_report.md + - command: s3.put + params: + aws_key: ${AWS_ACCESS_KEY_ID} + aws_secret: ${AWS_SECRET_ACCESS_KEY} + aws_session_token: ${AWS_SESSION_TOKEN} + local_files_include_filter: + - build/ssdlc/static-analysis-reports/*.sarif + local_files_include_filter_prefix: ./src/ + remote_file: ${product_name}/${product_version}/static-analysis-reports/ + bucket: java-driver-release-assets + region: us-west-1 + permissions: private + content_type: application/sarif+json + display_name: + "upload test results": - command: attach.xunit_results params: @@ -825,24 +864,21 @@ functions: params: working_dir: "src" script: | - tag=$(git describe --tags --always --dirty) - - # remove the leading 'r' - version=$(echo -n "$tag" | cut -c 2-) - - cat < trace-expansions.yml - release_version: "$version" - EOT - cat trace-expansions.yml + PRODUCT_VERSION="$(echo -n "$(git describe --tags --always --dirty)" | cut -c 2-)" + cat > ssdlc-expansions.yml <. + + + + + + + + + + + + + + +
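Review bot: The second `s3.put` in the new `create and upload SSDLC release assets` function ends with a bare `display_name:`, which YAML parses as null rather than an empty string, while the sibling `s3.put` just above it sets `display_name: ssdlc_compliance_report.md`; either drop the key if no display name is wanted or give it a value, e.g. `display_name: static-analysis-reports`. Both uploads read `${AWS_ACCESS_KEY_ID}`, `${AWS_SECRET_ACCESS_KEY}` and `${AWS_SESSION_TOKEN}`, which presumably come from the preceding `ec2.assume_role` step; a comment such as `# credentials below are populated by the ec2.assume_role step above` would make that ordering dependency explicit for whoever edits the function next. The enclosing `functions:` mapping starts outside the hunk.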
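Review bot: `PRODUCT_VERSION` is built from `git describe --tags --always --dirty` and then unconditionally stripped of its first character, so on a commit with no reachable tag the value becomes an abbreviated commit hash minus its first hex digit (possibly with a `-dirty` suffix), and that is the string the new upload function uses as the `${product_version}` path segment in the release-assets bucket. A guard before the `cut`, e.g. `tag="$(git describe --tags --always --dirty)"; [[ "$tag" == r* ]] || { echo "not a release tag: $tag" >&2; exit 1; }`, would stop a non-release build from publishing compliance artifacts under a misleading version. The rewrite also drops the removed `# remove the leading 'r'` comment, so the reason for `cut -c 2-` is no longer stated; please keep it. The heredoc body that follows `cat > ssdlc-expansions.yml` is not legible here, so I cannot tell what else the script block writes.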
Product name${product_name}
Product version${product_version}
Report date, UTC${report_date_utc}
+ +## Release creator + +This information is available in multiple ways: + + + + + + + + + + + + + + +
Evergreen + Go to + + https://evergreen.mongodb.com/waterfall/mongo-java-driver?bv_filter=Publish%20Release, + find the build triggered from Git tag r${product_version}, see who authored it. +
Papertrail, human-readable + Go to + + https://papertrail.devprod-infra.prod.corp.mongodb.com/product-version?product=${product_name}&version=${product_version}, + look at the value in the "Submitter" column. +
Papertrail, JSON + Go to + + https://papertrail.devprod-infra.prod.corp.mongodb.com/product-version?product=${product_name}&version=${product_version}&format=json + and loot at the value associated with the submitter key. +
+ +## Process document + +Blocked on . + +The MongoDB SSDLC policy is available at +. + +## Third-darty dependency information + +There are no dependencies to report vulnerabilities of. +Our [SBOM](https://docs.devprod.prod.corp.mongodb.com/mms/python/src/sbom/silkbomb/docs/CYCLONEDX/) lite +is . + +## Static analysis findings + +The static analysis findings are all available at +. +All the findings in the aforementioned reports +are either of the MongoDB status "False Positive" or "No Fix Needed", +because code that has any other findings cannot technically get into the product. + + may also be of interest. + +## Signature information + +The product artifacts are signed. +The signatures can be verified by following instructions at +. From a39b0c8a96e35ce3184a35fabf4fbac84634ded2 Mon Sep 17 00:00:00 2001 From: Valentin Kovalenko Date: Fri, 31 May 2024 09:39:36 -0600 Subject: [PATCH 2/5] Replace `ls` with `printf` JAVA-5435 --- .evergreen/ssdlc-report.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.evergreen/ssdlc-report.sh b/.evergreen/ssdlc-report.sh index d24799bc57b..1ba56e56f20 100755 --- a/.evergreen/ssdlc-report.sh +++ b/.evergreen/ssdlc-report.sh @@ -57,4 +57,6 @@ sed "${SED_EDIT_IN_PLACE_OPTION[@]}" \ -e "s/\${product_version}/${PRODUCT_VERSION}/g" \ -e "s/\${report_date_utc}/$(date -u +%Y-%m-%d)/g" \ "${SSDLC_REPORT_PATH}" -ls "${SSDLC_REPORT_PATH}" +printf "%s\n" "${SSDLC_REPORT_PATH}" + +printf "\n" From d883fc03057dc0b9165b84ef4d8ad892dbbe3bfe Mon Sep 17 00:00:00 2001 From: Valentin Kovalenko Date: Fri, 31 May 2024 10:01:49 -0600 Subject: [PATCH 3/5] Do minor changes JAVA-5435 --- .evergreen/ssdlc-report.sh | 10 +++++++--- template_ssdlc_compliance_report.md | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.evergreen/ssdlc-report.sh b/.evergreen/ssdlc-report.sh index 1ba56e56f20..78f02965e6b 100755 --- a/.evergreen/ssdlc-report.sh +++ b/.evergreen/ssdlc-report.sh 
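Review bot: The `sed` expressions shown as context in this hunk interpolate `${PRODUCT_NAME}`, `${PRODUCT_VERSION}` and the date into the replacement side of `s/.../.../g` unescaped, so a `/` or `&` in either environment-supplied value would break the substitution or be expanded by sed instead of being inserted literally into the report. Since this file is a compliance artifact, validating the two values before the `sed` makes the failure explicit, e.g. `case "${PRODUCT_NAME}${PRODUCT_VERSION}" in *[/&]*) printf "unsupported character in PRODUCT_NAME or PRODUCT_VERSION\n" >&2; exit 1;; esac`. The script continues before and after this hunk, so the source of the two variables is not visible here.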
@@ -1,6 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash -set -o errexit +set -eu # Supported/used environment variables: # PRODUCT_NAME @@ -30,7 +30,11 @@ mkdir "${SSDLC_STATIC_ANALYSIS_REPORTS_PATH}" printf "\nCreating SpotBugs SARIF reports\n" ./gradlew -version -./gradlew -PssdlcReport.enabled=true --continue -x test -x integrationTest -x spotlessApply check scalaCheck kotlinCheck || true +set +e + # This `gradlew` command is expected to exit with a non-zero exit status, + # because it reports all the findings that we normally explicitly exclude as "No Fix Needed"/"False Positive". + ./gradlew -PssdlcReport.enabled=true --continue -x test -x integrationTest -x spotlessApply check scalaCheck kotlinCheck +set -e printf "\nSpotBugs created the following SARIF reports\n" IFS=$'\n' declare -a SARIF_PATHS=($(find "${RELATIVE_DIR_PATH}/.." -path "*/spotbugs/*.sarif")) diff --git a/template_ssdlc_compliance_report.md b/template_ssdlc_compliance_report.md index a7497422868..434ab819c21 100644 --- a/template_ssdlc_compliance_report.md +++ b/template_ssdlc_compliance_report.md @@ -47,7 +47,7 @@ This information is available in multiple ways: Go to https://papertrail.devprod-infra.prod.corp.mongodb.com/product-version?product=${product_name}&version=${product_version}&format=json - and loot at the value associated with the submitter key. + and look at the value associated with the submitter key. From 06ec2e91292d01329f76efca655ac1fb73c10251 Mon Sep 17 00:00:00 2001 From: Valentin Kovalenko Date: Fri, 31 May 2024 14:15:02 -0600 Subject: [PATCH 4/5] Move `template_ssdlc_compliance_report.md` to `.evergreen/` JAVA-5435 --- .evergreen/ssdlc-report.sh | 2 +- .../template_ssdlc_compliance_report.md | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename template_ssdlc_compliance_report.md => .evergreen/template_ssdlc_compliance_report.md (100%) diff --git a/.evergreen/ssdlc-report.sh b/.evergreen/ssdlc-report.sh index 78f02965e6b..b05e510c66b 100755 --- a/.evergreen/ssdlc-report.sh 
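Review bot: With `set -eu` now in effect, the later `"${SARIF_PATHS[@]}"` expansion (visible in the `for` loop context of the next commit's hunk) is reported as an unbound variable by bash releases before 4.4 when `find` matched nothing, so an empty SARIF set would abort with an unrelated-looking error rather than a clear message. A check right after the array is filled, `[ "${#SARIF_PATHS[@]}" -gt 0 ] || { printf "No SARIF reports were produced\n" >&2; exit 1; }`, documents the expectation and fails the same way on every bash version. The rest of the script lies outside this hunk.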
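Review bot: The `set +e` … `set -e` window discards the `gradlew` exit status entirely, so a failure unrelated to findings (a compilation error, a missing plugin, an aborted daemon) is indistinguishable from the expected non-zero status described in the new comment, and the script goes on to collect and publish whatever SARIF files happen to exist. Keeping the status visible, e.g. `./gradlew -PssdlcReport.enabled=true --continue -x test -x integrationTest -x spotlessApply check scalaCheck kotlinCheck || printf "gradlew exited with status %s (expected when findings are reported)\n" "$?"`, records the outcome in the log without the `set +e`/`set -e` pair. The two comment lines and the `./gradlew` invocation are indented as if they formed a block, which shell does not have here; aligning them with `set +e` avoids that impression.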
+++ b/.evergreen/ssdlc-report.sh @@ -47,7 +47,7 @@ for SARIF_PATH in "${SARIF_PATHS[@]}"; do done printf "\nCreating SSDLC compliance report\n" -declare -r TEMPLATE_SSDLC_REPORT_PATH="${RELATIVE_DIR_PATH}/../template_ssdlc_compliance_report.md" +declare -r TEMPLATE_SSDLC_REPORT_PATH="${RELATIVE_DIR_PATH}/template_ssdlc_compliance_report.md" declare -r SSDLC_REPORT_PATH="${SSDLC_PATH}/ssdlc_compliance_report.md" cp "${TEMPLATE_SSDLC_REPORT_PATH}" "${SSDLC_REPORT_PATH}" declare -a SED_EDIT_IN_PLACE_OPTION diff --git a/template_ssdlc_compliance_report.md b/.evergreen/template_ssdlc_compliance_report.md similarity index 100% rename from template_ssdlc_compliance_report.md rename to .evergreen/template_ssdlc_compliance_report.md From 98c51138c7bf48d56678ee53ad3d387573960c46 Mon Sep 17 00:00:00 2001 From: Valentin Kovalenko Date: Mon, 3 Jun 2024 08:31:37 -0600 Subject: [PATCH 5/5] Remove Papertrail links JAVA-5435 --- .evergreen/template_ssdlc_compliance_report.md | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/.evergreen/template_ssdlc_compliance_report.md b/.evergreen/template_ssdlc_compliance_report.md index 434ab819c21..998092b65c9 100644 --- a/.evergreen/template_ssdlc_compliance_report.md +++ b/.evergreen/template_ssdlc_compliance_report.md @@ -33,21 +33,9 @@ This information is available in multiple ways: - Papertrail, human-readable + Papertrail - Go to - - https://papertrail.devprod-infra.prod.corp.mongodb.com/product-version?product=${product_name}&version=${product_version}, - look at the value in the "Submitter" column. - - - - Papertrail, JSON - - Go to - - https://papertrail.devprod-infra.prod.corp.mongodb.com/product-version?product=${product_name}&version=${product_version}&format=json - and look at the value associated with the submitter key. + Refer to data in Papertrail. There is currently no official way to serve that data.