From 41a24487addbfd801101ac7396e9308f9388d566 Mon Sep 17 00:00:00 2001
From: Austin Abro <37223396+AustinAbro321@users.noreply.github.com>
Date: Wed, 24 Apr 2024 18:12:31 -0400
Subject: [PATCH] ci: compare cves to main (#2448)
## Description
This would add a compare CVEs to main workflow to replace the "analyze cves" which currently runs on PRs. This new workflow would only fail on PRs is new CVE's were added rather than always failing if CVE's exist in the PR. Assuming we want to move forward with this we would need to add some extra signal for ourselves to notify us when we do have CVEs on PRs. Maybe a status icon on the repo? Maybe emails? Maybe auto opened issues ? Github security also opens up alerts though those don't take into account the .grype.yaml so there is more noise
---------
Co-authored-by: razzle
---
.github/workflows/compare-cves.yml | 33 ++++++++++++++++++++++++++++++
.github/workflows/scan-cves.yml | 6 ------
hack/check-vulnerabilities.sh | 30 +++++++++++++++++++++++++++
hack/compare.tmpl | 7 +++++++
4 files changed, 70 insertions(+), 6 deletions(-)
create mode 100644 .github/workflows/compare-cves.yml
create mode 100755 hack/check-vulnerabilities.sh
create mode 100644 hack/compare.tmpl
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
new file mode 100644
index 0000000000..f4c8500d88
--- /dev/null
+++ b/.github/workflows/compare-cves.yml
@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+ contents: read
+
+on:
+ pull_request:
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - "cargo.toml"
+ - "cargo.lock"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{ github.head_ref || github.ref_name }}
+
+ - name: fetch main
+ run: git fetch origin main --depth 1
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Install tools
+ uses: ./.github/actions/install-tools
+
+ - name: Check for CVEs in Dependencies
+ run: "hack/check-vulnerabilities.sh"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
index 26c05a08c9..2851849bf7 100644
--- a/.github/workflows/scan-cves.yml
+++ b/.github/workflows/scan-cves.yml
@@ -6,12 +6,6 @@ permissions: on: schedule: - cron: "0 10 * * *" - pull_request: - paths: - - "go.mod" - - "go.sum" - - "cargo.toml" - - "cargo.lock" jobs: validate:
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
new file mode 100755
index 0000000000..903e59a01a
--- /dev/null
+++ b/hack/check-vulnerabilities.sh
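Review bot: The checkout step's `ref: ${{ github.head_ref || github.ref_name }}` names a branch in the PR's head repository, so for a pull request opened from a fork that branch will not exist in this repository and actions/checkout is likely to fail before the scan ever runs. Omitting `ref` (checking out the default merge ref) works for forks, but it leaves HEAD detached, so hack/check-vulnerabilities.sh would then have to record the target as a commit SHA via `git rev-parse HEAD` rather than a branch name before switching to main. The `pull_request` trigger combined with `permissions: contents: read` is the right choice here, since the script builds and runs code from the PR. Until the fork case is handled, a comment on the step such as `# head_ref is the PR branch name; only resolvable for same-repo PRs` would make the limitation explicit.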
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+MAIN_BRANCH="main"
+TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "target branch is $TARGET_BRANCH"
+
+mkdir -p build
+
+git checkout $MAIN_BRANCH
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
+
+git checkout $TARGET_BRANCH
+cat build/main-syft.json | grype -o template -t hack/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/compare.tmpl > build/target.json
+
+
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
+
+echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
+echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
+
+if [[ "$result" == "[]" ]]; then
+ echo "no new vulnerabilities on $TARGET_BRANCH"
+ exit 0
+else
+ echo "new CVEs have been added with IDs $result"
+ exit 1
+fi
diff --git a/hack/compare.tmpl b/hack/compare.tmpl
new file mode 100644
index 0000000000..469720459f
--- /dev/null
+++ b/hack/compare.tmpl
@@ -0,0 +1,7 @@
+[
+ {{- $length := len .Matches -}}
+ {{- range $index, $match := .Matches -}}
+ { "id": "{{$match.Vulnerability.ID}}", "severity": "{{$match.Vulnerability.Severity}}" }
+ {{ if lt (add $index 1) $length }},{{ end }}
+ {{- end -}}
+]
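Review bot: `TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)` yields the literal string `HEAD` whenever the runner checked out a detached commit, in which case the later `git checkout $TARGET_BRANCH` is a no-op and both scans run against main, so the check passes without the PR ever being scanned. Capturing the commit instead and quoting the expansions closes that gap: `TARGET_BRANCH=$(git rev-parse HEAD)`, `git checkout "$MAIN_BRANCH"`, `git checkout "$TARGET_BRANCH"`; it would also be worth failing early if `git rev-parse "$MAIN_BRANCH"` resolves to the same commit as the target, since the comparison is then meaningless. The `jq` difference compares whole `{id, severity}` objects, so a CVE already present on main whose severity changes on the target is reported as new; a header comment stating that (and that Low/Medium findings are dropped after the difference is taken) would spare the next reader from rediscovering it. Note that `git checkout main` after a `--depth 1` fetch of `origin main` presumably relies on checkout's remote-branch DWIM to create the local branch; `git checkout origin/main` would be the unambiguous form.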
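Review bot: The template assembles JSON by hand, interpolating `$match.Vulnerability.ID` and `$match.Vulnerability.Severity` into quoted string literals with no escaping, so a value containing a double quote or backslash would produce output that the `jq` calls in hack/check-vulnerabilities.sh reject. If sprig's `toJson` is available here (the hunk already relies on sprig's `add`), emitting the values through it — `{ "id": {{ toJson $match.Vulnerability.ID }}, "severity": {{ toJson $match.Vulnerability.Severity }} }` — keeps the output valid for any input. A one-line `{{/* ... */}}` comment at the top stating that this renders a JSON array of `{id, severity}` objects consumed by check-vulnerabilities.sh would help, since the file has no other documentation.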