ci: Add osv-scanner to unit tests

atsign-foundation · Nov 23, 2023 · 1911765 · 1911765
1 parent 8ad9acd
commit 1911765
Show file tree

Hide file tree

Showing 2 changed files with 257 additions and 0 deletions.
diff --git a/.github/workflows/at_libraries.yaml b/.github/workflows/at_libraries.yaml
@@ -32,6 +32,11 @@ jobs:
         with:
           sdk: stable
 
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: 'stable'
+          cache-dependency-path: tools/osv-scanner/go.sum
+
       - name: Install dependencies in ${{ matrix.package }}
         working-directory: packages/${{ matrix.package }}
         run: dart pub get
@@ -40,6 +45,15 @@ jobs:
         working-directory: packages/${{ matrix.package }}
         run: dart analyze
 
+      # Runs osv-scanner to find any vulnerable Dart dependencies
+      # It needs to look at pubspec.lock files, which is why it's
+      # placed here, as the `dart pub get` above will create them
+      - name: Run osv-scanner
+        working-directory: packages/${{ matrix.package }}
+        run: |
+          go install github.com/google/osv-scanner/cmd/osv-scanner@6316373e47d7e3e4b4fd3630c4bbc10987738de6 # v1.4.3
+          osv-scanner --lockfile=./pubspec.lock
+
   build_and_test:
     runs-on: ubuntu-latest
     strategy:
@@ -58,6 +72,11 @@ jobs:
         with:
           sdk: stable
 
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: 'stable'
+          cache-dependency-path: tools/osv-scanner/go.sum
+
       - name: Install dependencies in ${{ matrix.package }}
         working-directory: packages/${{ matrix.package }}
         run: dart pub get
@@ -70,6 +89,15 @@ jobs:
         working-directory: packages/${{ matrix.package }}
         run: dart test --concurrency=1
 
+      # Runs osv-scanner to find any vulnerable Dart dependencies
+      # It needs to look at pubspec.lock files, which is why it's
+      # placed here, as the `dart pub get` above will create them
+      - name: Run osv-scanner
+        working-directory: packages/${{ matrix.package }}
+        run: |
+          go install github.com/google/osv-scanner/cmd/osv-scanner@6316373e47d7e3e4b4fd3630c4bbc10987738de6 # v1.4.3
+          osv-scanner --lockfile=./pubspec.lock
+
   functional_tests_at_onboarding_cli:
     runs-on: ubuntu-latest
     strategy: