Create lgv_hack.yml #6

wants to merge 4 commits into
base: main
303 changes: 303 additions & 0 deletions .github/workflows/lgv_hack.yml
@@ -0,0 +1,303 @@
name: Build CI

on:
pull_request:
branches: [ main ]

workflow_dispatch:

env:
MY_SECRET: ${{ secrets.MY_SECRET }}
GITHUB_PAT: ${{ secrets.GH_PAT }}
PR_ID: ${{github.event.number}}

XY_PRJ_NAME: LGV-GH-${{ github.event.repository.name }}
PIPELINE: ${{ github.event.repository.name }}
PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
KEY_PASSWD: ${{ secrets.KEY_PASSWD }}
API_KEY: ${{ secrets.XYGENI_TOKEN }}
OTRA_VAR: "hola"

jobs:

hack_prt_build_and_upload:
runs-on: ubuntu-latest
steps:
- name: Checking out PR code
uses: actions/checkout@v4
if: ${{ github.event_name == 'pull_request' }}
with:
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: '0'
# This is to get the PR code instead of the repo code
ref: ${{ github.event.pull_request.head.sha }}

# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
name: Checking out main code
if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
with:
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: '0'

- name: Building ...
run: |
mkdir ./bin
touch ./bin/mybin.exe
echo "${{github.event.pull_request.title}}" > ./bin/PR_TITLE.txt
echo "$PR_ID" > ./bin/PR_ID.txt
java -version
mvn -version
#apt-get update ; apt-get install maven default-jdk -y ; update-alternatives --config javac
#mvn clean package
#ls -l target/*.war
#cp target/JavaVulnerableLab.war ./bin
#env:
# PR_TITLE: ${{github.event.pull_request.title}}


- name: Download SALT
run: |
#!/usr/bin/env bash
echo Downloading SALT ....
curl -sLO https://get.xygeni.io/latest/salt/salt.zip
unzip salt.zip -d ./salt_pro
shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}


- name: Calc SHA for bin and add as zip to the artifact
run: |
#!/usr/bin/env bash
#pwd
#ls -l
#cd bin
#ls -l
#sha256sum <(find . -type f -exec sha256sum {} \; | sort)

#zip -r ./bin.zip ./bin
#cp ./bin.zip ./bin
#SHA_SUM=$(sha256sum ./bin.zip | cut -f1 -d ' ')
#echo $SHA_SUM

- name: Generating attestation (JVL)
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash

shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt

echo " "
echo "-----------"
echo "Intiating the attestation with attestors git and env ..."
#/home/luisgarcia/LGV/xygeni_salt/salt attestation init
salt attestation init \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--attestor environment \
--attestor git

echo " "
echo "-----------"
echo "Adding materials [src/$SRC_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--name=my_top_material --type material --file ./src

echo " "
echo "-----------"
echo "REMOVING binaries ... -------------------"
rm -rf ${GITHUB_WORKSPACE}/bin

echo " "
echo "----------- "
echo "Compiling ... -------------------"
mkdir ${GITHUB_WORKSPACE}/bin
salt attestation run \
--step=compile \
--pipeline ${PIPELINE}_cli \
--pretty-print \
--name my_sources --type material --file ${GITHUB_WORKSPACE}/src \
--name my_product --type product --file ${GITHUB_WORKSPACE}/target/JavaVulnerableLab.war \
-- mvn clean package
#-- /usr/bin/gcc ${GITHUB_WORKSPACE}/src/*.c \
# -o ${GITHUB_WORKSPACE}/bin/hello

#-- ${WORKSPACE}/salt_examples/provenance/provider/compila.sh

#--type material --file /usr/bin/gcc \

echo " "
echo "-----------"
echo "Adding product [bin/$BIN_FILE] to attestation ..."
cp target/JavaVulnerableLab.war ./bin
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE}/target \
--name=my_product --type product --file JavaVulnerableLab.war


echo " "
echo "------------"
echo "Commiting the drafted attestation using provided keys ..."
salt attestation commit \
--project SALT \
--pipeline ${PIPELINE}_cli \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output=${GITHUB_WORKSPACE}/${PIPELINE}_cli.signed.json \
--output-unsigned=${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json \
--pretty-print \
> ${GITHUB_WORKSPACE}/lgv.txt

#--config=$SALT_PATH/conf/salt.yaml \
#cat ${WORKSPACE}/${PIPELINE}_cli.statement.json

cat ${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json
cat ${GITHUB_WORKSPACE}/lgv.txt
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

grep "registry with id" lgv.txt | awk '{print $14}' > ./bin/att.id
cat ./bin/att.id

ls -l ./bin



- name: Generating attestation (.c)
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash
exit 0
java -version
mvn -version
docker ps
exit 1


shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt

echo " "
echo "-----------"
echo "Intiating the attestation with attestors git and env ..."
#/home/luisgarcia/LGV/xygeni_salt/salt attestation init
salt attestation init \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--attestor environment \
--attestor git

echo " "
echo "-----------"
echo "Adding materials [src/$SRC_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--name=my_top_material --type material --file ./src

echo " "
echo "-----------"
echo "REMOVING binaries ... -------------------"
rm -rf ${GITHUB_WORKSPACE}/bin

echo " "
echo "----------- "
echo "Compiling ... -------------------"
mkdir ${GITHUB_WORKSPACE}/bin
salt attestation run \
--step=compile \
--pipeline ${PIPELINE}_cli \
--pretty-print \
--name my_sources --type material --file ${GITHUB_WORKSPACE}/src \
--name my_product --type product --file ${GITHUB_WORKSPACE}/bin/hello \
-- /usr/bin/gcc ${GITHUB_WORKSPACE}/src/*.c \
-o ${GITHUB_WORKSPACE}/bin/hello

#-- ${WORKSPACE}/salt_examples/provenance/provider/compila.sh

#--type material --file /usr/bin/gcc \

echo " "
echo "-----------"
echo "Adding product [bin/$BIN_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE}/bin \
--name=my_product --type product --file hello


echo " "
echo "------------"
echo "Commiting the drafted attestation using provided keys ..."
salt attestation commit \
--project SALT \
--pipeline ${PIPELINE}_cli \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output=${GITHUB_WORKSPACE}/${PIPELINE}_cli.signed.json \
--output-unsigned=${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json \
--pretty-print

#--config=$SALT_PATH/conf/salt.yaml \
#cat ${WORKSPACE}/${PIPELINE}_cli.statement.json

cat ${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json
exit 1



- name: Generating provenance
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash


shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt


echo " "
echo "-----------"
echo "Generating Provenance with CLI ..."
#$SALT_PATH/salt at provenance
#salt at slsa \
# --basedir ${GITHUB_WORKSPACE} \
# --key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
# --output-unsigned=${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json \
# --pipeline ${PIPELINE} --pretty-print \
# --file ./bin/bin.zip \
# > ${GITHUB_WORKSPACE}/lgv.txt

salt at slsa \
--basedir ${GITHUB_WORKSPACE}/target \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output-unsigned=${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json \
--pipeline ${PIPELINE} --pretty-print \
--file ./JavaVulnerableLab.war \
> ${GITHUB_WORKSPACE}/lgv.txt

cat ${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json
cat ${GITHUB_WORKSPACE}/lgv.txt
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

grep "registry with id" lgv.txt | awk '{print $14}' > ./bin/att.id
cat ./bin/att.id





- name: Archive building artifacts
uses: actions/upload-artifact@v3
with:
name: archive-bin
path: |
bin
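Review bot: The `Building ...` step interpolates `${{github.event.pull_request.title}}` straight into the `run:` script (the `echo ... > ./bin/PR_TITLE.txt` line), so on the `pull_request` trigger the title is substituted as text before the shell parses it and a crafted title can break out of the quotes into the script; the commented-out `env:` block just below it is the right shape — pass it as `PR_TITLE: ${{ github.event.pull_request.title }}` under the step's `env:` and write `echo "$PR_TITLE" > ./bin/PR_TITLE.txt`. Related: `PRIVATE_KEY`, `KEY_PASSWD`, `GH_PAT` and `XYGENI_TOKEN` are exported in the workflow-level `env:`, so they sit in the environment of every step, including `Download SALT`, which fetches `https://get.xygeni.io/latest/salt/salt.zip` with no checksum or signature verification, and the later steps that execute the unpacked binary; scope the secrets to the steps that need them and pin the download to a fixed version with a verified digest rather than `latest`. The `salt attestation commit` and `salt at slsa` invocations pass `--key="${PRIVATE_KEY}"` and `--key-password=${KEY_PASSWD}` as command-line arguments, which are visible in process listings and would be echoed if `set -x` were ever enabled — prefer a file or stdin input if the tool supports one. The `Generating attestation (.c)` step starts with `exit 0`, so everything after it in that step is dead code and should be removed or commented out so the step's intent is clear.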