-
Notifications
You must be signed in to change notification settings - Fork 2
140 lines (121 loc) · 4.67 KB
/
generate-cve.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
name: Generate CVE
on:
push:
branches:
- main
schedule:
- cron: '*/30 * * * *'
workflow_dispatch:
inputs:
clean:
description: 'Download fresh feeds from NVD. Any value other than "false" will trigger a clean download.'
required: true
default: 'false'
permissions:
contents: write
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VULNCHECK_API_KEY: ${{ secrets.VULNCHECK_API_KEY }}
VULNERABILITIES_CLEAN: ${{ github.event.inputs.clean || 'false' }}
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Repo
uses: actions/checkout@v4
with:
ref: main
- name: Import GPG Key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Checkout Fleet
uses: actions/checkout@v4
with:
repository: fleetdm/fleet
fetch-depth: 1
ref: main
path: fleet
- name: Checkout goval-dictionary
uses: actions/checkout@v4
with:
repository: vulsio/goval-dictionary
fetch-depth: 1
ref: adcb4dc66908aa84a0aabcd376af0e6e677ea2fd
path: goval-dictionary
- name: Setup Go
uses: actions/setup-go@v4.1.0
with:
cache: false
go-version: '^1.23.3'
- name: Generate NVD Feeds
run: |
cd fleet
go mod download
go run cmd/cve/generate.go --db_dir ./cvefeed --debug
- name: Build goval-dictionary and ensure destination dir exists
run: |
cd goval-dictionary
make build
mkdir -p ../fleet/cvefeed
- name: Pull Amazon Linux 1 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 1 --dbpath ./fleet/cvefeed/amzn_01.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2 --dbpath ./fleet/cvefeed/amzn_02.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2022 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2022 --dbpath ./fleet/cvefeed/amzn_2022.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Pull Amazon Linux 2023 vulnerabilities
run: for i in {1..3}; do goval-dictionary/goval-dictionary fetch amazon 2023 --dbpath ./fleet/cvefeed/amzn_2023.sqlite3 && s=0 && break || s=$? && sleep 2; done; (exit $s)
- name: Compress Amazon Linux vulnerability sqlite files
run: xz ./fleet/cvefeed/*.sqlite3
- name: Current date
id: date
run: |
echo "date=$(date +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
- name: Tag
run: |
git tag -a cve-${{ steps.date.outputs.date }} -m "release ${{ steps.date.outputs.date }}"
git push origin cve-${{ steps.date.outputs.date }}
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
fleet/cvefeed/*
tag_name: cve-${{ steps.date.outputs.date }}
target_commitish: main
token: ${{ secrets.GITHUB_TOKEN }}
- name: Delete Old Releases
uses: dev-drprasad/delete-older-releases@v0.3.2
with:
delete_tag_pattern: ^cve-.*
keep_latest: 144
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Slack Notification
if: failure()
uses: slackapi/slack-github-action@v1.18.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "Security artifacts generation result: ${{ job.status }}\nhttps://github.com/fleetdm/vulnerabilities/actions/runs/${{ github.run_id }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_P2_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK