From 744ebb6a049b80722c221b7a680fe42f0e45ab4a Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Mon, 22 Apr 2024 18:56:42 +0000
Subject: [PATCH 01/11] check cves
---
 .github/workflows/compare-cves.yml | 33 ++++++++++++++++++++++++++++++
 hack/.templates/compare.tmpl | 7 +++++++
 hack/check-vulnerabilities.sh | 28 +++++++++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 .github/workflows/compare-cves.yml
 create mode 100644 hack/.templates/compare.tmpl
 create mode 100644 hack/check-vulnerabilities.sh
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
new file mode 100644
index 0000000000..f4c8500d88
--- /dev/null
+++ b/.github/workflows/compare-cves.yml
@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+ contents: read
+
+on:
+ pull_request:
+ paths:
+ - "go.mod"
+ - "go.sum"
+ - "cargo.toml"
+ - "cargo.lock"
+
+jobs:
+ validate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: ${{ github.head_ref || github.ref_name }}
+
+ - name: fetch main
+ run: git fetch origin main --depth 1
+
+ - name: Setup golang
+ uses: ./.github/actions/golang
+
+ - name: Install tools
+ uses: ./.github/actions/install-tools
+
+ - name: Check for CVEs in Dependencies
+ run: "hack/check-vulnerabilities.sh"
diff --git a/hack/.templates/compare.tmpl b/hack/.templates/compare.tmpl
new file mode 100644
index 0000000000..763849a52e
--- /dev/null
+++ b/hack/.templates/compare.tmpl
@@ -0,0 +1,7 @@
+[
+ {{- $length := len .Matches -}}
+ {{- range $index, $match := .Matches -}}
+ "{{$match.Vulnerability.ID}}"
+ {{ if lt (add $index 1) $length }},{{ end }}
+ {{- end -}}
+]
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
new file mode 100644
index 0000000000..a13d1dc64d
--- /dev/null
+++ b/hack/check-vulnerabilities.sh
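Review bot: The `paths` filter lists `cargo.toml` and `cargo.lock`, while Cargo's manifest and lockfile are conventionally named `Cargo.toml`/`Cargo.lock`, and GitHub's path globs are, as far as I know, matched case-sensitively, so Rust dependency bumps would never trigger this job unless the repository really uses lowercase names; change them to `- "Cargo.toml"` and `- "Cargo.lock"` after checking the tree. The baseline is hard-coded as `main` here (`run: git fetch origin main --depth 1`) and again in hack/check-vulnerabilities.sh, so a PR opened against a release branch is compared with the wrong tree; on `pull_request` events `github.base_ref` names the real base and could be exported to the script. The job also executes `go run main.go` from the PR head, which is acceptable under `pull_request` with `contents: read` but would expose secrets if the trigger were ever changed to `pull_request_target`; a comment above `on:` such as `# runs code from the PR head: keep this on pull_request (read-only token), never pull_request_target` records that constraint for future editors.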
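Review bot: The template hand-assembles JSON and drops `$match.Vulnerability.ID` into a string literal without any escaping, so the output is only valid JSON as long as every ID is free of quotes and backslashes; CVE and GHSA identifiers satisfy that today, but the assumption should be stated at the top of the file, e.g. `{{- /* emits a JSON array of match IDs; IDs are interpolated verbatim (no JSON escaping) and the separator logic needs the Sprig "add" helper */ -}}`. `add` is not a built-in text/template function, so the file silently depends on grype exposing Sprig helpers, which the same comment can name. Note also that one vulnerability matched against several packages appears once per match, so the array can carry duplicate IDs; the later `jq` subtraction tolerates that, but the failure message will repeat them.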
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+
+MAIN_BRANCH="main"
+TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "target branch is $TARGET_BRANCH"
+
+mkdir -p build
+
+git checkout $MAIN_BRANCH
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
+
+git checkout $TARGET_BRANCH
+cat build/main-syft.json | grype -o template -t hack/.templates/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/.templates/compare.tmpl > build/target.json
+
+
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json)
+
+if [[ "$result" == "[]" ]]; then
+ echo "no new vulnerabilities on $TARGET_BRANCH"
+ exit 0
+else
+ echo "new CVEs have been added with IDs $result"
+ exit 1
+fi
From a648446169f630696f19eb0d999f3816c465d5d1 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Mon, 22 Apr 2024 18:59:44 +0000
Subject: [PATCH 02/11] chmod
---
 hack/check-vulnerabilities.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 hack/check-vulnerabilities.sh
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
old mode 100644
new mode 100755
From d97195a93e0fb7d3b406dcfc0d06d25bf2a8f3b0 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Mon, 22 Apr 2024 19:04:47 +0000
Subject: [PATCH 03/11] cve compare
---
 .github/workflows/compare-cves.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
index f4c8500d88..322ee10173 100644
--- a/.github/workflows/compare-cves.yml
+++ b/.github/workflows/compare-cves.yml
@@ -4,6 +4,7 @@ permissions:
 contents: read
 on:
+ workflow_dispatch:
 pull_request:
 paths:
 - "go.mod"
From b3d4f378a7acc78b1bc2c8741b086d1da2bdd12d Mon Sep 17 00:00:00 2001
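Review bot: `TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)` yields the literal string `HEAD` on a detached checkout, and after `git checkout $MAIN_BRANCH` the later `git checkout $TARGET_BRANCH` then simply stays on main, so both scans run against the same tree and the script reports no new CVEs; in CI actions/checkout appears to create a local branch so it happens to work, but this lives in hack/ and will be run locally, and `TARGET_BRANCH=$(git rev-parse HEAD)` (a commit SHA) works in both situations. With `set -e`, a failing scan on main also leaves the working tree checked out on main for whatever runs next; `trap 'git checkout --quiet "$TARGET_BRANCH"' EXIT` placed right after the assignment restores it. The variables in `git checkout $MAIN_BRANCH` and `git checkout $TARGET_BRANCH` should be double-quoted to match the `set -u` hygiene already in place, and `cat build/main-syft.json | grype …` can feed the file directly with `grype … < build/main-syft.json`. A one-line header comment stating what the script compares and why the template output is diffed, e.g. `# scans the SBOM of main and of the current commit with grype and fails if the current commit introduces vulnerability IDs not present on main`, would also help the next reader.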
From: Austin Abro
Date: Mon, 22 Apr 2024 19:22:02 +0000
Subject: [PATCH 04/11] update analyze cve runs
---
 .github/workflows/scan-cves.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
index 26c05a08c9..2851849bf7 100644
--- a/.github/workflows/scan-cves.yml
+++ b/.github/workflows/scan-cves.yml
@@ -6,12 +6,6 @@ permissions:
 on:
 schedule:
 - cron: "0 10 * * *"
- pull_request:
- paths:
- - "go.mod"
- - "go.sum"
- - "cargo.toml"
- - "cargo.lock"
 jobs:
 validate:
From 9243f8d528c24403d24505c731dc7dd783fa4aa0 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Mon, 22 Apr 2024 19:23:10 +0000
Subject: [PATCH 05/11] whitespace
---
 hack/check-vulnerabilities.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
index a13d1dc64d..9aabab8392 100755
--- a/hack/check-vulnerabilities.sh
+++ b/hack/check-vulnerabilities.sh
@@ -2,7 +2,6 @@
 set -euo pipefail
-
 MAIN_BRANCH="main"
 TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
 echo "target branch is $TARGET_BRANCH"
From 3a4f1182e09462c4f2affb9d21e7203e09a59d46 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Tue, 23 Apr 2024 18:44:43 +0000
Subject: [PATCH 06/11] adding
---
 hack/.templates/compare.tmpl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hack/.templates/compare.tmpl b/hack/.templates/compare.tmpl
index 763849a52e..eb1c305b56 100644
--- a/hack/.templates/compare.tmpl
+++ b/hack/.templates/compare.tmpl
@@ -1,7 +1,8 @@
 [
 {{- $length := len .Matches -}}
 {{- range $index, $match := .Matches -}}
+ {
 "{{$match.Vulnerability.ID}}"
- {{ if lt (add $index 1) $length }},{{ end }}
+ }{{ if lt (add $index 1) $length }},{{ end }}
 {{- end -}}
 ]
From a2b5e1fde60f8358f8412ad409431dccb1ead11d Mon Sep 17 00:00:00 2001
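Review bot: Wrapping the ID as `{ "{{$match.Vulnerability.ID}}" }` produces an object with a key and no value, which is not JSON, so the `jq --slurp` in hack/check-vulnerabilities.sh rejects both build/main.json and build/target.json at this commit. PATCH 07 and PATCH 08 in this series replace the wrapper, so the final state is fine; the point only matters if these commits land unsquashed, where this one breaks bisecting. If the series is kept as is, squashing PATCH 06 through PATCH 08 into one commit avoids the broken intermediate.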
From: Austin Abro
Date: Tue, 23 Apr 2024 19:04:16 +0000
Subject: [PATCH 07/11] script improvements
---
 hack/.templates/compare.tmpl | 7 ++++---
 hack/check-vulnerabilities.sh | 3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hack/.templates/compare.tmpl b/hack/.templates/compare.tmpl
index eb1c305b56..043cbb2258 100644
--- a/hack/.templates/compare.tmpl
+++ b/hack/.templates/compare.tmpl
@@ -1,8 +1,9 @@
 [
 {{- $length := len .Matches -}}
 {{- range $index, $match := .Matches -}}
- {
- "{{$match.Vulnerability.ID}}"
- }{{ if lt (add $index 1) $length }},{{ end }}
+ {{- if and (ne $match.Vulnerability.Severity "Low") (ne $match.Vulnerability.Severity "Medium") -}}
+ "{{$match.Vulnerability.ID}}"
+ {{ if lt (add $index 1) $length }},{{ end }}
+ {{- end -}}
 {{- end -}}
 ]
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
index 9aabab8392..10931d9a92 100755
--- a/hack/check-vulnerabilities.sh
+++ b/hack/check-vulnerabilities.sh
@@ -18,6 +18,9 @@ go run main.go tools sbom scan . -o json --exclude './site' --exclude './example
 result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json)
+echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
+echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
+
 if [[ "$result" == "[]" ]]; then
 echo "no new vulnerabilities on $TARGET_BRANCH"
 exit 0
From 7ae9af36424a9f6ea13c8980ec649e5d0e20e0aa Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Tue, 23 Apr 2024 19:28:58 +0000
Subject: [PATCH 08/11] cve
---
 hack/.templates/compare.tmpl | 6 ++----
 hack/check-vulnerabilities.sh | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/hack/.templates/compare.tmpl b/hack/.templates/compare.tmpl
index 043cbb2258..469720459f 100644
--- a/hack/.templates/compare.tmpl
+++ b/hack/.templates/compare.tmpl
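Review bot: The separator decision `{{ if lt (add $index 1) $length }},{{ end }}` still uses the position in the unfiltered `.Matches`, but it now sits inside the severity `if`, so when the last match is Low or Medium the preceding kept element emits a trailing comma and the array is no longer valid JSON; the opposite case, all matches filtered, happens to produce an empty `[]`. PATCH 08 in this series moves the filtering into `jq`, which removes the problem, so this is again a bisect hazard rather than a final-state bug. If template-side filtering is ever reinstated, emit the comma before each element instead (`{{ if $emitted }},{{ end }}` with a counter the template updates) rather than after it.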
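Review bot: The two diagnostic lines use `$(cat build/main.json | jq )` and `$(cat build/target.json | jq)`; `jq . build/main.json` and `jq . build/target.json` read the files directly, drop the extra process, and make the intent (pretty-print) explicit instead of relying on jq's implicit identity filter. The messages say "CVEs on …" but the files also carry GHSA and other non-CVE identifiers produced by grype, so "vulnerabilities on …" would be more accurate in the log. A short comment above them, `# log both sides so a failing run shows what was compared`, explains why the full lists are printed before the verdict.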
@@ -1,9 +1,7 @@
 [
 {{- $length := len .Matches -}}
 {{- range $index, $match := .Matches -}}
- {{- if and (ne $match.Vulnerability.Severity "Low") (ne $match.Vulnerability.Severity "Medium") -}}
- "{{$match.Vulnerability.ID}}"
- {{ if lt (add $index 1) $length }},{{ end }}
- {{- end -}}
+ { "id": "{{$match.Vulnerability.ID}}", "severity": "{{$match.Vulnerability.Severity}}" }
+ {{ if lt (add $index 1) $length }},{{ end }}
 {{- end -}}
 ]
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
index 10931d9a92..d0ecb3aa0d 100755
--- a/hack/check-vulnerabilities.sh
+++ b/hack/check-vulnerabilities.sh
@@ -16,7 +16,7 @@ cat build/main-syft.json | grype -o template -t hack/.templates/compare.tmpl > b
 go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/.templates/compare.tmpl > build/target.json
-result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json)
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
 echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
 echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
From 75e16163533446e267eea1c75c6eb250e3404dc0 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Tue, 23 Apr 2024 19:35:33 +0000
Subject: [PATCH 09/11] temp run this
---
 .github/workflows/compare-cves.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
index 322ee10173..833ce25f1a 100644
--- a/.github/workflows/compare-cves.yml
+++ b/.github/workflows/compare-cves.yml
@@ -4,7 +4,7 @@ permissions:
 contents: read
 on:
- workflow_dispatch:
+ push:
 pull_request:
 paths:
 - "go.mod"
From b0f08185c583d890d75162c3111418dd5e7bcbc8 Mon Sep 17 00:00:00 2001
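Review bot: The new filter `select(.severity != "Low" and .severity != "Medium")` is a deny-list, so grype's "Negligible" severity, which ranks below Low, still fails the build while Low does not, and "Unknown" fails it too; the latter may be the intended conservative default, but it is not visible from the code. Either extend the deny-list, `select(.severity != "Negligible" and .severity != "Low" and .severity != "Medium")`, or switch to an allow-list of the severities that should block (`"High"`, `"Critical"`, and `"Unknown"` if that is deliberate) with a comment stating the policy, e.g. `# only High/Critical (and Unknown, treated as High) block a PR; see template for the fields compared`. Because the subtraction now compares `{id, severity}` objects rather than bare IDs, an entry whose severity differs between the two sides would be reported as new; both scans run with the same grype DB inside one job, so that should not happen in CI, but it is worth a note for anyone running the script locally across a DB update.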
From: Austin Abro
Date: Tue, 23 Apr 2024 19:39:22 +0000
Subject: [PATCH 10/11] only on pr
---
 .github/workflows/compare-cves.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
index 833ce25f1a..f4c8500d88 100644
--- a/.github/workflows/compare-cves.yml
+++ b/.github/workflows/compare-cves.yml
@@ -4,7 +4,6 @@ permissions:
 contents: read
 on:
- push:
 pull_request:
 paths:
 - "go.mod"
From ea90b497f7844abdf122858c4b55d943a707dd25 Mon Sep 17 00:00:00 2001
From: Austin Abro
Date: Wed, 24 Apr 2024 20:05:04 +0000
Subject: [PATCH 11/11] move compare.tmpl
---
 hack/check-vulnerabilities.sh | 4 ++--
 hack/{.templates => }/compare.tmpl | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename hack/{.templates => }/compare.tmpl (100%)
diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
index d0ecb3aa0d..903e59a01a 100755
--- a/hack/check-vulnerabilities.sh
+++ b/hack/check-vulnerabilities.sh
@@ -12,8 +12,8 @@ git checkout $MAIN_BRANCH
 go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
 git checkout $TARGET_BRANCH
-cat build/main-syft.json | grype -o template -t hack/.templates/compare.tmpl > build/main.json
-go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/.templates/compare.tmpl > build/target.json
+cat build/main-syft.json | grype -o template -t hack/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/compare.tmpl > build/target.json
 result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
diff --git a/hack/.templates/compare.tmpl b/hack/compare.tmpl
similarity index 100%
rename from hack/.templates/compare.tmpl
rename to hack/compare.tmpl