Skip to content

Generate CVE

Generate CVE #10858

Workflow file for this run

name: Generate CVE
on:
push:
branches:
- main
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
inputs:
clean:
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.'
required: true
default: 'false'
permissions:
contents: write
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
ref: main
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Checkout Fleet
uses: actions/checkout@v4
with:
repository: fleetdm/fleet
fetch-depth: 1
ref: main
path: fleet
- name: Checkout goval-dictionary
uses: actions/checkout@v4
with:
repository: vulsio/goval-dictionary
fetch-depth: 1
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd
path: goval-dictionary
- name: Setup Go
uses: actions/setup-go@v4.1.0
with:
cache: false
go-version: '^1.23.3'
- name: Generate NVD Feeds
run: |
cd fleet
go mod download
go run cmd/cve/generate.go --db_dir ./cvefeed --debug
- name: Build goval-dictionary and ensure destination dir exists
run: |
cd goval-dictionary
make build
mkdir -p ../fleet/cvefeed
- name: Pull Amazon Linux 1 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 1 --dbpath ./fleet/cvefeed/amzn_01.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2 --dbpath ./fleet/cvefeed/amzn_02.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2022 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2022 --dbpath ./fleet/cvefeed/amzn_2022.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2023 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2023 --dbpath ./fleet/cvefeed/amzn_2023.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Compress Amazon Linux vulnerability sqlite files
run: xz ./fleet/cvefeed/*.sqlite3
- name: Current date
id: date
run: |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Tag
run: |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}"
git push origin cve-${{ steps.date.outputs.date }}
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
fleet/cvefeed/*
tag_name: cve-${{ steps.date.outputs.date }}
target_commitish: main
token: ${{ secrets.GITHUB_TOKEN }}
- name: Delete Old Releases
uses: dev-drprasad/delete-older-releases@v0.3.2
with:
delete_tag_pattern: ^cve-.*
keep_latest: 144
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Slack Notification
if: failure()
uses: slackapi/slack-github-action@v1.18.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Security artifacts generation result: ${{ job.status }}\nhttps://github.com/fleetdm/vulnerabilities/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK