SERVER-107272: generate SAST report for MongoDB 7.0 releases (#38366)

GitOrigin-RevId: d9690b8977b6d8fb70c3a9c1b0eafe77f3a7f083

.github/CODEOWNERS

@@ -10,4 +10,4 @@ README.md
 jstests/
 /src/mongo/dbtests/
 /src/mongo/**/*_test.cpp
-/src/mongo/**/*_bm.cpp
+/src/mongo/**/*_bm.cpp

etc/evergreen.yml

@@ -56,9 +56,11 @@ include:
 - filename: etc/evergreen_yml_components/project_and_distro_settings.yml
 - filename: etc/evergreen_yml_components/configuration.yml
 - filename: etc/evergreen_yml_components/definitions.yml
+- filename: etc/evergreen_yml_components/tasks/release_tasks.yml
 - filename: etc/evergreen_yml_components/variants/task_generation.yml
 - filename: etc/evergreen_yml_components/variants/sanitizer.yml
 - filename: etc/evergreen_yml_components/variants/in_memory.yml
+- filename: etc/evergreen_yml_components/variants/misc/misc.yml
 - filename: etc/evergreen_yml_components/variants/ninja.yml
 - filename: etc/evergreen_yml_components/variants/compile_static_analysis.yml
 # TODO: (SERVER-86211) Re-enable config shard evergreen variant.

etc/evergreen_nightly.yml

@@ -25,6 +25,10 @@ include:
 
 - filename: etc/evergreen_yml_components/tasks/coverity_tasks.yml
 - filename: etc/evergreen_yml_components/variants/coverity.yml
+- filename: etc/evergreen_yml_components/tasks/release_tasks.yml
+- filename: etc/evergreen_yml_components/variants/misc/misc.yml
+### Uncomment when using this file for a LTS or Rapid release branch. ###
+- filename: etc/evergreen_yml_components/variants/release/release.yml
 
 parameters:
 - key: evergreen_config_file_path

etc/evergreen_yml_components/configuration.yml

@@ -51,6 +51,12 @@ modules:
   repo: git@github.com:wiredtiger/wiredtiger.git
   prefix: src/third_party
   branch: develop
+- name: devprod_coverity
+  owner: mongodb-devprod-infrastructure
+  repo: coverity
+  prefix: "${workdir}/devprodCoveritySrc"
+  branch: main
+  auto_update: true
 
 # Pre task steps
 pre:

etc/evergreen_yml_components/tasks/release_tasks.yml

@@ -0,0 +1,54 @@
+tasks:
+  - name: publish-sast-report
+    # uses "Admin Only" variables, so patch runs will only work for admins
+    allowed_requesters: ["commit", "github_tag", "patch"]
+    tags: ["auxiliary", "assigned_to_jira_team_devprod_release_infrastructure"]
+    depends_on:
+      - name: version_expansions_gen
+        variant: generate-tasks-for-version
+    commands:
+      - command: git.get_project
+        params:
+          directory: src
+          clone_depth: 1
+          recurse_submodules: true
+      - func: "get version expansions"
+      - func: "apply version expansions"
+      - func: "f_expansions_write"
+      - command: subprocess.exec
+        display_name: Write credentials for SAST report generation to file
+        type: setup
+        params:
+          silent: true
+          binary: "${workdir}/src/evergreen/write_sast_report_env_file.sh"
+          env:
+            WORK_DIR: ${workdir}
+            SAST_REPORT_COVERITY_USERNAME: ${SAST_REPORT_COVERITY_USERNAME}
+            SAST_REPORT_COVERITY_PASSWORD: ${SAST_REPORT_COVERITY_PASSWORD}
+            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
+            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
+            SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET: ${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}
+      - command: subprocess.exec
+        display_name: "Generate SAST report and upload to Google Drive"
+        params:
+          binary: "${workdir}/src/evergreen/generate_sast_report.sh"
+          env:
+            WORK_DIR: ${workdir}
+            MODULE_PATH: ${workdir}/devprodCoveritySrc/devprod_coverity
+            TRIGGERED_BY_GIT_TAG: ${triggered_by_git_tag}
+            MONGODB_VERSION: ${version}
+            MONGODB_RELEASE_BRANCH: ${branch_name}
+            SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}
+            SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID: ${SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}
+      - command: s3.put
+        params:
+          aws_key: ${aws_key}
+          aws_secret: ${aws_secret}
+          bucket: mciuploads
+          content_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+          local_files_include_filter_prefix: devprodCoveritySrc/devprod_coverity
+          local_files_include_filter:
+            - "sast_report_*.xlsx"
+          remote_file: ${project}/${build_variant}/${revision}/artifacts/${build_id}/${task_name}/
+          permissions: private
+          visibility: signed

etc/evergreen_yml_components/variants/coverity.yml

@@ -71,16 +71,3 @@ tasks:
         vars:
           module_prefix: ${workdir}/devprodCoveritySrc
           module_name: devprod_coverity
-
-#######################################
-#               Modules               #
-#######################################
-# for some reason this has can't be included from the included configuration file above
-# it may be because one of the includes needs this module, could be an evergreen bug
-modules:
-  - name: devprod_coverity
-    owner: mongodb-devprod-infrastructure
-    repo: coverity
-    prefix: "${workdir}/devprodCoveritySrc"
-    branch: main
-    auto_update: true

etc/evergreen_yml_components/variants/misc/misc.yml

@@ -0,0 +1,17 @@
+# Miscellaneous build variants
+#
+# After the branching variants in this file
+# should continue to run on a new rapid release (v7.1, v7.2 etc.)
+# and LTS release (v7.0, v6.0 etc.) branch projects
+
+buildvariants:
+  - name: test-release
+    display_name: "Test Release"
+    allowed_requesters: ["commit", "patch"]
+    tags: ["assigned_to_jira_team_devprod_release_infrastructure"]
+    activate: true
+    run_on: ubuntu2404-small
+    modules:
+      - devprod_coverity
+    tasks:
+      - name: publish-sast-report

etc/evergreen_yml_components/variants/release/release.yml

@@ -0,0 +1,10 @@
+buildvariants:
+  - name: release
+    display_name: Release
+    allowed_requesters: ["github_tag"]
+    tags: ["release", "assigned_to_jira_team_devprod_release_infrastructure"]
+    run_on: ubuntu2404-small
+    modules:
+      - devprod_coverity
+    tasks:
+      - name: publish-sast-report

evergreen/generate_sast_report.sh

@@ -0,0 +1,27 @@
+#!/bin/env bash
+set -eux
+
+cd ${MODULE_PATH}/scripts
+echo "Running SAST report generation script..."
+commit_datetime=$(git log -1 --format=%cd --date=iso-strict)
+echo "Date and time of commit: $commit_datetime"
+virtualenv -p python3.12 .venv
+source .venv/bin/activate
+pip install -r sast_reporting/requirements.txt
+if [ -z "${TRIGGERED_BY_GIT_TAG}" ]; then
+  echo "Evergreen version was NOT triggered by a git tag"
+  echo "Setting Google Drive folder ID for non-release"
+  google_drive_folder_id="${SAST_REPORT_TEST_GOOGLE_DRIVE_FOLDER_ID}"
+else
+  echo "Evergreen version was triggered by git tag '${TRIGGERED_BY_GIT_TAG}'"
+  echo "Setting Google Drive folder ID for release"
+  google_drive_folder_id="${SAST_REPORT_RELEASES_GOOGLE_DRIVE_FOLDER_ID}"
+fi
+python3 -m sast_reporting.src.mongodb_server \
+  --version ${MONGODB_VERSION} \
+  --branch ${MONGODB_RELEASE_BRANCH} \
+  --commit-date $commit_datetime \
+  --output-path ${MODULE_PATH}/sast_report_${MONGODB_VERSION}.xlsx \
+  --upload-file-name "[${MONGODB_VERSION}] MongoDB Server Enterprise SAST Report" \
+  --google-drive-folder-id $google_drive_folder_id \
+  --env-file ${WORK_DIR}/sast_report_generation_credentials.env

evergreen/write_sast_report_env_file.sh

@@ -0,0 +1,9 @@
+#!/bin/env bash
+
+cat << EOF > ${WORK_DIR}/sast_report_generation_credentials.env
+COVERITY_USERNAME=${SAST_REPORT_COVERITY_USERNAME}
+COVERITY_PASSWORD=${SAST_REPORT_COVERITY_PASSWORD}
+GOOGLE_CLIENT_ID=${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_ID}
+GOOGLE_CLIENT_REFRESH_TOKEN=${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_REFRESH_TOKEN}
+GOOGLE_CLIENT_SECRET=${SAST_REPORT_UPLOAD_GOOGLE_CLIENT_SECRET}
+EOF