Scanner release vulnerability update #492
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scanner release vulnerability update | |
on: | |
schedule: | |
- cron: "0 */3 * * *" | |
workflow_dispatch: | |
inputs: | |
job: | |
type: choice | |
description: "Choose the NVD source" | |
options: | |
- nvd-api | |
- nvd-feeds | |
required: true | |
default: nvd-api | |
jobs: | |
download-nvd: | |
runs-on: ubuntu-latest | |
env: | |
JOB: ${{ github.event.inputs.job || 'nvd-api' }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Download NVD | |
run: | | |
set -eu | |
since_time=$(date -u -d '24 hours ago' '+%a, %d %b %Y %H:%M:%S GMT') | |
if [ "$JOB" = "nvd-api" ]; then | |
url="https://definitions.stackrox.io/v4/nvd/nvd-api.zip" | |
else | |
url="https://definitions.stackrox.io/v4/nvd/nvd-feeds.zip" | |
fi | |
code=$(curl \ | |
-o nvd.zip \ | |
-w "%{http_code}" \ | |
-H "If-Modified-Since: $since_time" \ | |
"$url") | |
echo "code: $code" | |
echo "$code" | grep -q 200 | |
- uses: ./.github/actions/upload-artifact-with-retry | |
with: | |
name: nvd | |
path: nvd.zip | |
if-no-files-found: error | |
read-release-versions: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.output-matrix.outputs.matrix }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Generate matrix JSON | |
id: output-matrix | |
run: | | |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
echo "matrix<<$EOF" >> "$GITHUB_OUTPUT" | |
./.github/workflows/scripts/scanner-output-release-versions.sh | tee -a "$GITHUB_OUTPUT" | |
echo "$EOF" >> "$GITHUB_OUTPUT" | |
upload-release-vulnerabilities: | |
needs: | |
- read-release-versions | |
- download-nvd | |
runs-on: ubuntu-latest | |
container: | |
image: quay.io/stackrox-io/apollo-ci:scanner-test-0.4.4 | |
volumes: | |
# The updater makes heavy use of /tmp files. | |
- /tmp:/tmp | |
- /usr:/mnt/usr | |
- /opt:/mnt/opt | |
strategy: | |
# If one of the versions fails, it should not stop others from succeeding. | |
fail-fast: false | |
# The updater is memory intensive, so only run one at a time. | |
max-parallel: 1 | |
matrix: | |
include: ${{ fromJson(needs.read-release-versions.outputs.matrix).versions }} | |
env: | |
ROX_PRODUCT_VERSION: ${{ matrix.version }} | |
ROX_PRODUCT_TAG: ${{ matrix.tag }} | |
steps: | |
# Checkout to run ./.github/actions/{download,upload}-artifact-with-retry | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha }} | |
- uses: ./.github/actions/job-preamble | |
with: | |
gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
- name: Free up disk space | |
shell: bash | |
run: | | |
set +e | |
set -x | |
df -h | |
for delete in /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL; do | |
rm -rf "/mnt${delete:?}" | |
done | |
df -h | |
- name: Authenticate with Google Cloud | |
if: github.ref_name == 'master' | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_STACKROX_HUB_VULN_DUMP_UPLOADER }} | |
- name: Authenticate with Google Cloud | |
if: github.ref_name != 'master' | |
uses: google-github-actions/auth@v2 | |
with: | |
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }} | |
- name: Set up Cloud SDK | |
uses: google-github-actions/setup-gcloud@v2 | |
- uses: ./.github/actions/download-artifact-with-retry | |
with: | |
name: nvd | |
path: . | |
- name: Update vulnerabilities | |
env: | |
STACKROX_NVD_API_KEY: ${{ secrets.NVD_API_KEY }} | |
STACKROX_NVD_API_CALL_INTERVAL: 6s | |
run: | | |
# Use fully qualified path to refer to the NVD bundle | |
STACKROX_NVD_ZIP_PATH="$(pwd)/nvd.zip" | |
export STACKROX_NVD_ZIP_PATH | |
DOWNLOAD_URL="https://github.com/stackrox/stackrox/archive/refs/tags/${{ env.ROX_PRODUCT_TAG }}.zip" | |
FILE_NAME=$(basename "$DOWNLOAD_URL") | |
if ! wget "$DOWNLOAD_URL" -O "$FILE_NAME"; then | |
echo "Download failed. Terminating current matrix step." | |
exit 1 | |
fi | |
unzip "$FILE_NAME" -d "${FILE_NAME}-dir" | |
cd "${FILE_NAME}-dir/stackrox-"* | |
if [ ! -d "scanner" ]; then | |
echo "Scanner directory not found. Terminating current matrix step." | |
exit 1 | |
fi | |
# Do not use the make target, as there may be some incompatibilities. | |
# See https://github.com/stackrox/stackrox/pull/9227. | |
# Similarly, any updates to the Go version may require go.mod updates. | |
# Just run go mod tidy and hope for the best. | |
go mod tidy | |
cd scanner | |
go build -trimpath -buildvcs=false -o bin/updater ./cmd/updater | |
go clean -cache -modcache | |
mkdir ${{ env.ROX_PRODUCT_VERSION }} | |
# Run updater per release/product version. | |
case "${{ env.ROX_PRODUCT_VERSION }}" in | |
4.4.*) | |
./bin/updater -output-dir="${{ env.ROX_PRODUCT_VERSION }}" | |
;; | |
*) | |
./bin/updater export --split bundles | |
zip ${{ env.ROX_PRODUCT_VERSION }}/vulnerabilities.zip bundles/*.json.zst | |
;; | |
esac | |
bucket="gs://definitions.stackrox.io/v4/vulnerability-bundles" | |
if [[ "${{ github.ref_name }}" != "master" ]]; then | |
# If dispatched from a branch other then master, upload bundles | |
# to a test bucket for inspection. | |
bucket="gs://scanner-v4-test/vulnerability-bundles" | |
fi | |
echo "Copying ${{ env.ROX_PRODUCT_VERSION }} to $bucket" | |
gsutil cp -r "${{ env.ROX_PRODUCT_VERSION }}" "$bucket" | |
send-notification: | |
needs: | |
- read-release-versions | |
- upload-release-vulnerabilities | |
runs-on: ubuntu-latest | |
if: ${{ failure() && github.ref_name == 'master' }} | |
steps: | |
- name: Send Slack notification on workflow failure | |
run: | | |
curl -X POST -H 'Content-type: application/json' --data '{"text":"<${{github.server_url}}/${{github.repository}}/actions/runs/${{github.run_id}}|Workflow ${{ github.workflow }}> failed in repository ${{ github.repository }}: Failed to update vulnerabilities"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }} |