Skip to content

Vulnerability Scanner - Database Generation #36

Vulnerability Scanner - Database Generation

Vulnerability Scanner - Database Generation #36

name: Vulnerability Scanner - Database Generation
on:
schedule:
- cron: '20 0 * * *'
pull_request:
paths:
- ".github/workflows/vulnerability-scanner-generate-database.yml"
- ".github/actions/compile_and_test/action.yml"
- ".github/actions/vulnerability_scanner_deps/action.yml"
- ".github/actions/vulnerability_scanner/content_generation/action.yml"
- ".github/actions/vulnerability_scanner/compile/action.yml"
workflow_dispatch:
inputs:
wazuh_version:
description: 'Identifier of the generated content. The generated file will be named vd_1.0.0_vd_<wazuh_version>.tar.xz'
required: true
type: string
jobs:
vulnerability_scanner_database_scheduled_update:
if: github.event_name == 'schedule'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# Identifiers of the generated content. The generated files will be named vd_1.0.0_vd_<wazuh_version>.tar.xz
wazuh_version: ["4.8.0"]
steps:
# Checkout repository to the default branch
- name: Checkout repository
uses: actions/checkout@v3
with:
submodules: recursive
fetch-depth: 0
# Checkout to the tag. If it doesn't exist, continue with the branch
- name: Checkout to ${{ matrix.wazuh_version }}
run: |
if git show-ref --tags --verify --quiet "refs/tags/v${{ matrix.wazuh_version }}"; then
git checkout --quiet "tags/v${{ matrix.wazuh_version }}"
else
echo "Warning: Unable to find tag v${{ matrix.wazuh_version }}. Continuing with branch ${{ matrix.wazuh_version }}"
git show-branch --no-name "${{ matrix.wazuh_version }}" 2> /dev/null
if [ $? -eq 0 ]; then
git checkout --quiet "${{ matrix.wazuh_version }}"
else
echo "Warning: Unable to find branch ${{ matrix.wazuh_version }}. Exiting"
exit 1
fi
fi
echo "Git branch: $(git branch | grep "*")"
########################
# Compilation #
########################
- name: Compile
uses: ./.github/actions/vulnerability_scanner/compile
########################
# Content generation #
########################
- name: Generate vulnerability database
uses: ./.github/actions/vulnerability_scanner/content_generation
with:
wazuh_version: ${{ matrix.wazuh_version }}
########################
# Content upload #
########################
- name: Upload database to S3
if: ${{ github.event_name == 'schedule' }}
run: |
root_folder=$(pwd)
bucket="${{ secrets.FEED_AWS_BUCKET }}"
file="vd_1.0.0_vd_${{ matrix.wazuh_version }}.tar.xz"
dest_dir="deps/vulnerability_model_database"
aws s3 cp ${file} s3://${bucket}/${dest_dir}/${file} --acl public-read
env:
AWS_ACCESS_KEY_ID: ${{ secrets.FEED_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.FEED_AWS_SECRET_ACCESS_KEY}}
AWS_DEFAULT_REGION: 'us-west-1'
shell: bash
vulnerability_scanner_database_workflow_changes:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
# Identifiers of the generated content. The generated files will be named vd_1.0.0_vd_<wazuh_version>.tar.xz
wazuh_version: ["4.8.0"]
steps:
# Checkout repository to the default branch
- name: Checkout repository
uses: actions/checkout@v3
with:
submodules: recursive
fetch-depth: 0
# Checkout to the tag. If it doesn't exist, continue with the branch
- name: Checkout to ${{ matrix.wazuh_version }}
run: |
if git show-ref --tags --verify --quiet "refs/tags/v${{ matrix.wazuh_version }}"; then
git checkout --quiet "tags/v${{ matrix.wazuh_version }}"
else
echo "Warning: Unable to find tag v${{ matrix.wazuh_version }}. Continuing with branch ${{ matrix.wazuh_version }}"
git show-branch --no-name "${{ matrix.wazuh_version }}" 2> /dev/null
if [ $? -eq 0 ]; then
git checkout --quiet "${{ matrix.wazuh_version }}"
else
echo "Warning: Unable to find branch ${{ matrix.wazuh_version }}. Exiting"
exit 1
fi
fi
echo "Git branch: $(git branch | grep "*")"
########################
# Compilation #
########################
- name: Compile
uses: ./.github/actions/vulnerability_scanner/compile
########################
# Content generation #
########################
- name: Generate vulnerability database
uses: ./.github/actions/vulnerability_scanner/content_generation
with:
wazuh_version: "pull_request"
vulnerability_scanner_database_manual_update:
if: ${{ github.event_name == 'workflow_dispatch' }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
submodules: recursive
fetch-depth: 0
########################
# Compilation #
########################
- name: Compile
uses: ./.github/actions/vulnerability_scanner/compile
########################
# Content generation #
########################
- name: Generate vulnerability database
uses: ./.github/actions/vulnerability_scanner/content_generation
with:
wazuh_version: ${{ inputs.wazuh_version }}
########################
# Content upload #
########################
- name: Upload database to S3
run: |
root_folder=$(pwd)
bucket="${{ secrets.FEED_AWS_BUCKET }}"
file="vd_1.0.0_vd_${{ inputs.wazuh_version }}.tar.xz"
dest_dir="deps/vulnerability_model_database"
aws s3 cp ${file} s3://${bucket}/${dest_dir}/${file} --acl public-read
env:
AWS_ACCESS_KEY_ID: ${{ secrets.FEED_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.FEED_AWS_SECRET_ACCESS_KEY}}
AWS_DEFAULT_REGION: 'us-west-1'
shell: bash