authorMark Benvenuto <mark.benvenuto@mongodb.com>2023-01-23 15:41:31 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-02-09 21:30:20 +0000
commit03a47c8f3c9014ad80243fe8661e209c6f8e215f (patch)
tree51bef1e117f5a3c3909f986b8598b97ff3218278
parent65b491d3e1363bf68a337b4a5e3177419ce817b0 (diff)
downloadmongo-03a47c8f3c9014ad80243fe8661e209c6f8e215f.tar.gz
SERVER-73216 Upgrade BlackDuck to Detect v8
(cherry picked from commit 5935850dae716e5f482ff11b0dc9bd9e317c6e17)
-rw-r--r--buildscripts/blackduck_hub.py5
-rw-r--r--etc/evergreen_yml_components/definitions.yml19
-rwxr-xr-xevergreen/blackduck_hub.sh10
-rwxr-xr-xevergreen/blackduck_setup.sh1
4 files changed, 32 insertions, 3 deletions
diff --git a/buildscripts/blackduck_hub.py b/buildscripts/blackduck_hub.py
index 15746f3773d..01e3e9feb1e 100644
--- a/buildscripts/blackduck_hub.py
+++ b/buildscripts/blackduck_hub.py
@@ -559,8 +559,7 @@ class BlackDuckConfig:
rc = json.loads(rfh.read())
self.url = rc["baseurl"]
- self.username = rc["username"]
- self.password = rc["password"]
+ self.token = rc["token"]
def _run_scan():
@@ -569,7 +568,7 @@ def _run_scan():
with tempfile.NamedTemporaryFile() as fp:
fp.write(f"""#/!bin/sh
-curl --retry 5 -s -L https://detect.synopsys.com/detect.sh | bash -s -- --blackduck.url={bdc.url} --blackduck.username={bdc.username} --blackduck.password={bdc.password} --detect.report.timeout={BLACKDUCK_TIMEOUT_SECS} --snippet-matching --upload-source --detect.wait.for.results=true
+curl --retry 5 -s -L https://detect.synopsys.com/detect8.sh | bash -s -- --blackduck.url={bdc.url} --blackduck.api.token={bdc.token} --detect.report.timeout={BLACKDUCK_TIMEOUT_SECS} --snippet-matching --upload-source --detect.wait.for.results=true --logging.level.detect=TRACE --detect.diagnostic=true --detect.cleanup=false
""".encode())
fp.flush()
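Review bot: The API token is formatted straight into the command line on the added `curl ... | bash -s --` line, so it ends up in the argument list of the bash and Detect processes, where other users on the host or anything that captures the command line can read it. The same line turns on `--logging.level.detect=TRACE`, `--detect.diagnostic=true` and `--detect.cleanup=false`, which keep much more run output on disk. Detect can read the token from the environment, so I would drop `--blackduck.api.token={bdc.token}` from the f-string and set `BLACKDUCK_API_TOKEN` in the environment of the process that executes this script; that call is outside the hunk. Separately, the installer is still fetched and piped to `bash` with no pinned version or checksum, and the context line `#/!bin/sh` is not a valid shebang (it should read `#!/bin/sh`).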
diff --git a/etc/evergreen_yml_components/definitions.yml b/etc/evergreen_yml_components/definitions.yml
index 9f18d13b03a..bb6a63d5cfc 100644
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
@@ -1825,6 +1825,24 @@ functions:
- *tar_jepsen_results
- *archive_jepsen_results
+ "save blackduck artifacts":
+ - command: archive.targz_pack
+ params:
+ target: blackduck.tgz
+ source_dir: /home/ec2-user/blackduck/runs/
+ include:
+ - "**"
+ - command: s3.put
+ params:
+ aws_key: ${aws_key}
+ aws_secret: ${aws_secret}
+ local_file: blackduck.tgz
+ remote_file: ${project}/${build_variant}/${version_id}/blackduck-${task_id}-${execution}.tgz
+ bucket: mciuploads
+ permissions: public-read
+ content_type: ${content_type|application/gzip}
+ display_name: BlackDuck logs
+
### Process & archive mongo coredumps ###
"gather mongo coredumps": &gather_mongo_coredumps
command: subprocess.exec
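Review bot: `permissions: public-read` on the new `s3.put` makes the whole archive of `/home/ec2-user/blackduck/runs/` world-readable. This commit also enables TRACE logging, diagnostic mode and `--detect.cleanup=false` in buildscripts/blackduck_hub.py, so that directory will probably hold far more than a summary log. Unless its contents have been checked for the API token, the server URL and uploaded source snippets, I would upload it with `permissions: private` and `visibility: signed`. The function is also added to the global `post:` list in the next hunk, so it presumably runs for tasks that never create that directory; confirm `archive.targz_pack` tolerates a missing `source_dir`.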
@@ -2171,6 +2189,7 @@ post:
- func: "save local client logs"
- func: "save code coverage data"
- func: "save jepsen artifacts"
+- func: "save blackduck artifacts"
- func: "save mongo coredumps"
- func: "save failed unittests"
- func: "save hang analyzer debugger files"
diff --git a/evergreen/blackduck_hub.sh b/evergreen/blackduck_hub.sh
index f7edf2d486e..ce3d81fc79c 100755
--- a/evergreen/blackduck_hub.sh
+++ b/evergreen/blackduck_hub.sh
@@ -14,4 +14,14 @@ if [ "$branch_name" != "master" ]; then
additional_args="--vulnerabilities_only"
fi
+# BlackDuck crashes on this gzip file because it is not well-formed
+# invalid compressed data--format violated
+rm ./src/third_party/zstandard/zstd/tests/gzip/hufts-segv.gz
+
+# Remove package.json since it only exists for vscode
+# MongoDB server does not use Node.JS code so we strip this file to not confuse BlackDuck Detect
+# Otherwise we need to run npm install to install everything in package.json or disable the NPM
+# scanner.
+rm package.json
+
python buildscripts/blackduck_hub.py -v scan_and_report --build_logger=mci.buildlogger --build_logger_task_id=${task_id} --report_file=report.json $additional_args
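Review bot: Both added `rm` calls return non-zero once the target is gone, for example after a zstandard upgrade drops the test file or when the task is re-run in the same checkout. `rm -f ./src/third_party/zstandard/zstd/tests/gzip/hufts-segv.gz` and `rm -f package.json` would keep the scan step independent of that. Whether a failure aborts the script depends on shell options set above this hunk, which are not visible here. The first comment would also read better as one sentence, e.g. `# BlackDuck crashes on this malformed gzip test file ("invalid compressed data--format violated")`.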
diff --git a/evergreen/blackduck_setup.sh b/evergreen/blackduck_setup.sh
index 8ed396833a3..d2fc4cfaa87 100755
--- a/evergreen/blackduck_setup.sh
+++ b/evergreen/blackduck_setup.sh
@@ -9,6 +9,7 @@ cat > .restconfig.json << END_OF_CREDS
"baseurl": "${blackduck_url}",
"username": "${blackduck_username}",
"password": "${blackduck_password}",
+"token": "${blackduck_token}",
"debug": false,
"insecure" : false
}
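Review bot: The heredoc still writes `"username"` and `"password"` into `.restconfig.json`, although the first hunk of this commit stops reading them in `BlackDuckConfig`. If nothing else consumes those keys (not visible from here), I would delete both lines so the file carries only the one credential that is used. The heredoc starts above the hunk, so the file's mode cannot be confirmed from here; a `umask 077` before the `cat` would keep the token from being readable by other users on the host.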