fix(Vulnerability-Scan.yaml): indentation
clay-lake committed Nov 29, 2024
1 parent ed0854b commit b041c46
Showing 1 changed file with 156 additions and 156 deletions.
312 changes: 156 additions & 156 deletions .github/workflows/Vulnerability-Scan.yaml
Expand Up @@ -35,26 +35,26 @@ jobs:
oci-image: ${{ steps.configure.outputs.oci-filename }}
vulnerability-report: ${{ steps.configure.outputs.report-filename }}
steps:
- id: configure
run: |
oci_filename="$(echo "${{ inputs.oci-image-name }}" \
| sed 's/ghcr.io\/canonical\/oci-factory\///g' | tr ':' '_')"
- id: configure
run: |
oci_filename="$(echo "${{ inputs.oci-image-name }}" \
| sed 's/ghcr.io\/canonical\/oci-factory\///g' | tr ':' '_')"
echo "oci-filename=$oci_filename" >> "$GITHUB_OUTPUT"
echo "report-filename=${oci_filename}${{ env.VULNERABILITY_REPORT_SUFFIX }}" >> "$GITHUB_OUTPUT"
echo "oci-filename=$oci_filename" >> "$GITHUB_OUTPUT"
echo "report-filename=${oci_filename}${{ env.VULNERABILITY_REPORT_SUFFIX }}" >> "$GITHUB_OUTPUT"
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD:/workdir -w /workdir \
${{ env.SKOPEO_IMAGE }} \
copy docker://${{ inputs.oci-image-name }} \
oci-archive:$oci_filename
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
-v $PWD:/workdir -w /workdir \
${{ env.SKOPEO_IMAGE }} \
copy docker://${{ inputs.oci-image-name }} \
oci-archive:$oci_filename
- uses: actions/upload-artifact@v4
if: ${{ !cancelled() }}
with:
name: ${{ steps.configure.outputs.oci-filename }}
path: ${{ steps.configure.outputs.oci-filename }}
retention-days: 1
- uses: actions/upload-artifact@v4
if: ${{ !cancelled() }}
with:
name: ${{ steps.configure.outputs.oci-filename }}
path: ${{ steps.configure.outputs.oci-filename }}
retention-days: 1

test-vulnerabilities:
name: "test-vulnerabilities ${{ inputs.oci-image-name != '' && format('| {0}', inputs.oci-image-name) || ' '}}"
Expand All @@ -75,50 +75,50 @@ jobs:
notify: ${{ steps.check-report.outputs.notify }}
vulnerabilities: ${{ steps.check-report.outputs.vulnerabilities }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4

- name: Validate access to triggered image
uses: ./.github/actions/validate-actor
if: ${{ github.repository == 'canonical/oci-factory' && !github.event.pull_request.head.repo.fork }}
with:
admin-only: true
image-path: ${{ inputs.oci-image-path }}
github-token: ${{ secrets.ROCKSBOT_TOKEN }}
- name: Validate access to triggered image
uses: ./.github/actions/validate-actor
if: ${{ github.repository == 'canonical/oci-factory' && !github.event.pull_request.head.repo.fork }}
with:
admin-only: true
image-path: ${{ inputs.oci-image-path }}
github-token: ${{ secrets.ROCKSBOT_TOKEN }}

- name: Download Vulnerability Report
uses: actions/download-artifact@v4
with:
name: '${{ needs.configure-scan.outputs.vulnerability-report }}'
- name: Download Vulnerability Report
uses: actions/download-artifact@v4
with:
name: '${{ needs.configure-scan.outputs.vulnerability-report }}'

- name: Process report
if: ${{ !cancelled() }}
id: check-report
run: |
report="${{ needs.configure-scan.outputs.vulnerability-report }}"
echo "notify=false" >> "$GITHUB_OUTPUT"
set -x
vulnerabilities="$(jq -r -c '[
try(.scanner.result.Results[])
| .Target as $target
| .Vulnerabilities
| select(. != null)
| .[]
| {Target: $target, LastModifiedDate: .LastModifiedDate, VulnerabilityID: .VulnerabilityID,
PkgName: .PkgName, Severity: .Severity}
]' < $report)"
echo "vulnerabilities=$vulnerabilities" >> "$GITHUB_OUTPUT"
last_modified_dates="$(echo "$vulnerabilities" | jq -r '.[] | select(.LastModifiedDate != null) | .LastModifiedDate')"
cat "$GITHUB_OUTPUT"
# We want to notify only if the CVEs have been updated since the last
# time this scan ran
for cve_updated in $last_modified_dates
do
if [[ "$cve_updated" > "${{ inputs.date-last-scan }}" ]]
then
echo "notify=true" >> "$GITHUB_OUTPUT"
break
fi
done
- name: Process report
if: ${{ !cancelled() }}
id: check-report
run: |
report="${{ needs.configure-scan.outputs.vulnerability-report }}"
echo "notify=false" >> "$GITHUB_OUTPUT"
set -x
vulnerabilities="$(jq -r -c '[
try(.scanner.result.Results[])
| .Target as $target
| .Vulnerabilities
| select(. != null)
| .[]
| {Target: $target, LastModifiedDate: .LastModifiedDate, VulnerabilityID: .VulnerabilityID,
PkgName: .PkgName, Severity: .Severity}
]' < $report)"
echo "vulnerabilities=$vulnerabilities" >> "$GITHUB_OUTPUT"
last_modified_dates="$(echo "$vulnerabilities" | jq -r '.[] | select(.LastModifiedDate != null) | .LastModifiedDate')"
cat "$GITHUB_OUTPUT"
# We want to notify only if the CVEs have been updated since the last
# time this scan ran
for cve_updated in $last_modified_dates
do
if [[ "$cve_updated" > "${{ inputs.date-last-scan }}" ]]
then
echo "notify=true" >> "$GITHUB_OUTPUT"
break
fi
done
# Many workflows are now using a similar notification job. It would be better
# if this was a common workflows reachable via a workflow_call
Expand All @@ -128,33 +128,33 @@ jobs:
needs: [parse-results]
if: ${{ !cancelled() && needs.parse-results.outputs.notify == 'true' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4

- uses: actions/setup-python@v5
with:
python-version: '3.x'
- uses: actions/setup-python@v5
with:
python-version: '3.x'

- name: Get contacts for ${{ inputs.oci-image-name }}
id: get-contacts
working-directory: ${{ inputs.oci-image-path }}
run: |
mm_channels=$(yq -r '.notify | ."mattermost-channels" | join(",")' < contacts.y*ml)
echo "mattermost-channels=${mm_channels}" >> "$GITHUB_OUTPUT"
- name: Get contacts for ${{ inputs.oci-image-name }}
id: get-contacts
working-directory: ${{ inputs.oci-image-path }}
run: |
mm_channels=$(yq -r '.notify | ."mattermost-channels" | join(",")' < contacts.y*ml)
echo "mattermost-channels=${mm_channels}" >> "$GITHUB_OUTPUT"
- name: Notify via Mattermost
env:
MM_BOT_TOKEN: ${{ secrets.MM_BOT_TOKEN }}
FINAL_STATUS: failure
MM_SERVER: ${{ secrets.MM_SERVER }}
URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
SUMMARY: ''
FOOTER: ''
TITLE: 'Vulnerabilities found for ${{ inputs.oci-image-name }}'
run: |
for channel in $(echo ${{ steps.get-contacts.outputs.mattermost-channels }} | tr ',' ' ')
do
MM_CHANNEL_ID="${channel}" ./src/notifications/send_to_mattermost.sh
done
- name: Notify via Mattermost
env:
MM_BOT_TOKEN: ${{ secrets.MM_BOT_TOKEN }}
FINAL_STATUS: failure
MM_SERVER: ${{ secrets.MM_SERVER }}
URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
SUMMARY: ''
FOOTER: ''
TITLE: 'Vulnerabilities found for ${{ inputs.oci-image-name }}'
run: |
for channel in $(echo ${{ steps.get-contacts.outputs.mattermost-channels }} | tr ',' ' ')
do
MM_CHANNEL_ID="${channel}" ./src/notifications/send_to_mattermost.sh
done
issue:
name: "issue ${{ inputs.oci-image-name != '' && format('| {0}', inputs.oci-image-name) || ' '}}"
Expand All @@ -164,66 +164,66 @@ jobs:
GITHUB_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
if: ${{ !cancelled() && github.event_name != 'pull_request' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4

- uses: actions/setup-python@v5
with:
python-version: '3.x'
- uses: actions/setup-python@v5
with:
python-version: '3.x'

- run: pip install pydantic==2.8.2
- run: pip install pydantic==2.8.2

- id: simplify-image-name
run: |
img_name_with_tag=$(echo "${{ inputs.oci-image-name }}" | sed -r 's|.*/([a-zA-Z0-9-]+:[0-9.-]+_[0-9])+|\1|')
img_revision=$(echo "${img_name_with_tag}" | cut -d '_' -f 2)
echo "img_revision=$img_revision" >> "$GITHUB_OUTPUT"
echo "img_name_with_tag=$img_name_with_tag" >> "$GITHUB_OUTPUT"
- id: simplify-image-name
run: |
img_name_with_tag=$(echo "${{ inputs.oci-image-name }}" | sed -r 's|.*/([a-zA-Z0-9-]+:[0-9.-]+_[0-9])+|\1|')
img_revision=$(echo "${img_name_with_tag}" | cut -d '_' -f 2)
echo "img_revision=$img_revision" >> "$GITHUB_OUTPUT"
echo "img_name_with_tag=$img_name_with_tag" >> "$GITHUB_OUTPUT"
# We assume that the sources within image.yaml are the same
- name: Get image repo
id: get-image-repo
run: |
img_repo=$(yq -r '.upload.[].source' ${{ github.workspace }}/${{ inputs.oci-image-path }}/image.yaml | head -n 1)
echo "img-repo=$img_repo" >> "$GITHUB_OUTPUT"
- name: Get image repo
id: get-image-repo
run: |
img_repo=$(yq -r '.upload.[].source' ${{ github.workspace }}/${{ inputs.oci-image-path }}/image.yaml | head -n 1)
echo "img-repo=$img_repo" >> "$GITHUB_OUTPUT"
# We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
- name: Create markdown content
id: create-markdown
run: |
set -x
num_vulns=$(echo '${{ needs.parse-results.outputs.vulnerabilities }}' | jq -r 'length')
vulnerability_exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')
echo "vulnerability-exists=$vulnerability_exists" >> "$GITHUB_OUTPUT"
if [[ $vulnerability_exists == 'true' ]]; then
title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name_with_tag }}"
echo "## $title" > issue.md
echo "| ID | Target | Severity | Package |" >> issue.md
echo "| -- | ----- | -------- | ------- |" >> issue.md
echo '${{ needs.parse-results.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> issue.md
if [[ ${{ inputs.create-issue }} == 'true' ]]; then
revision_to_released_tags=$(python3 -m src.shared.release_info get_revision_to_released_tags --all-releases ${{ inputs.oci-image-path }}/_releases.json)
affected_tracks=$(echo "${revision_to_released_tags}" | jq -r '."${{ steps.simplify-image-name.outputs.img_revision }}" | map("- `\(.)`") | join("\n")')
echo -e "\n### Affected tracks:" >> issue.md
echo -e "${affected_tracks}" >> issue.md
echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
- name: Create markdown content
id: create-markdown
run: |
set -x
num_vulns=$(echo '${{ needs.parse-results.outputs.vulnerabilities }}' | jq -r 'length')
vulnerability_exists=$([[ $num_vulns -gt 0 ]] && echo 'true' || echo 'false')
echo "vulnerability-exists=$vulnerability_exists" >> "$GITHUB_OUTPUT"
if [[ $vulnerability_exists == 'true' ]]; then
title="Vulnerabilities found for ${{ steps.simplify-image-name.outputs.img_name_with_tag }}"
echo "## $title" > issue.md
echo "| ID | Target | Severity | Package |" >> issue.md
echo "| -- | ----- | -------- | ------- |" >> issue.md
echo '${{ needs.parse-results.outputs.vulnerabilities }}' | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> issue.md
if [[ ${{ inputs.create-issue }} == 'true' ]]; then
revision_to_released_tags=$(python3 -m src.shared.release_info get_revision_to_released_tags --all-releases ${{ inputs.oci-image-path }}/_releases.json)
affected_tracks=$(echo "${revision_to_released_tags}" | jq -r '."${{ steps.simplify-image-name.outputs.img_revision }}" | map("- `\(.)`") | join("\n")')
echo -e "\n### Affected tracks:" >> issue.md
echo -e "${affected_tracks}" >> issue.md
echo -e "\nDetails: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> issue.md
fi
echo "issue-title=$title" >> "$GITHUB_OUTPUT"
echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
fi
echo "issue-title=$title" >> "$GITHUB_OUTPUT"
echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
fi
- name: Write to summary
if: ${{ !inputs.create-issue && steps.create-markdown.outputs.vulnerability-exists == 'true' }}
run: |
echo "# Vulnerabilities found for ${{ inputs.oci-image-name }}" >> $GITHUB_STEP_SUMMARY
cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
- name: Write to summary
if: ${{ !inputs.create-issue && steps.create-markdown.outputs.vulnerability-exists == 'true' }}
run: |
echo "# Vulnerabilities found for ${{ inputs.oci-image-name }}" >> $GITHUB_STEP_SUMMARY
cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
- id: issue-exists
if: ${{ inputs.create-issue}}
run: |
issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
| jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
echo "issue-exists=$([[ -n "$issue_number" ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
echo "issue-number=$issue_number" >> "$GITHUB_OUTPUT"
- id: issue-exists
if: ${{ inputs.create-issue}}
run: |
issue_number=$(gh issue list --repo ${{ steps.get-image-repo.outputs.img-repo }} --json "number,title" \
| jq -r '.[] | select(.title == "${{ steps.create-markdown.outputs.issue-title }}") | .number')
echo "issue-exists=$([[ -n "$issue_number" ]] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
echo "issue-number=$issue_number" >> "$GITHUB_OUTPUT"
# Truth table for issue creation
# | issue-exists | notify | vulnerability-exists | op |
Expand All @@ -237,28 +237,28 @@ jobs:
# | F | F | T | create |
# | F | F | F | nop |

- name: Notify via GitHub issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' && inputs.create-issue }}
run: |
set -x
op=nop
if [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'false' ]]; then
op="create"
elif [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'true' \
&& ${{ needs.parse-results.outputs.notify }} == 'true' ]]; then
op="edit ${{ steps.issue-exists.outputs.issue-number }}"
fi
if [[ $op != 'nop' ]]; then
gh issue $op --repo ${{ steps.get-image-repo.outputs.img-repo }} \
--title "${{ steps.create-markdown.outputs.issue-title }}" \
--body-file "${{ steps.create-markdown.outputs.issue-body-file }}"
fi
- name: Notify via GitHub issue
if: ${{ steps.create-markdown.outputs.vulnerability-exists == 'true' && inputs.create-issue }}
run: |
set -x
op=nop
if [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'false' ]]; then
op="create"
elif [[ ${{ steps.issue-exists.outputs.issue-exists }} == 'true' \
&& ${{ needs.parse-results.outputs.notify }} == 'true' ]]; then
op="edit ${{ steps.issue-exists.outputs.issue-number }}"
fi
if [[ $op != 'nop' ]]; then
gh issue $op --repo ${{ steps.get-image-repo.outputs.img-repo }} \
--title "${{ steps.create-markdown.outputs.issue-title }}" \
--body-file "${{ steps.create-markdown.outputs.issue-body-file }}"
fi
- name: Close issue
if: |
needs.test-vulnerabilities.result == 'success' &&
steps.issue-exists.outputs.issue-exists == 'true' &&
steps.create-markdown.outputs.vulnerability-exists == 'false' &&
inputs.create-issue
run: |
gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}
- name: Close issue
if: |
needs.test-vulnerabilities.result == 'success' &&
steps.issue-exists.outputs.issue-exists == 'true' &&
steps.create-markdown.outputs.vulnerability-exists == 'false' &&
inputs.create-issue
run: |
gh issue close ${{ steps.issue-exists.outputs.issue-number }} --repo ${{ steps.get-image-repo.outputs.img-repo }}
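Review bot: Several `run:` scripts on the new side splice `${{ … }}` expressions straight into the shell text, most notably `echo '${{ needs.parse-results.outputs.vulnerabilities }}' | jq -r 'length'` in the create-markdown step, where the JSON carries `Target` and `PkgName` values read out of the downloaded scan report; a single quote in any of those fields closes the literal and the remainder of the value runs as shell. The same pattern appears with `inputs.oci-image-name` in the configure and simplify-image-name steps, the `img_revision` output spliced into a jq filter in create-markdown, and the `mattermost-channels` output in the Mattermost loop. The usual mitigation is to pass each value to the step through `env:` and read it as a shell variable — an `env:` entry `VULNS: ${{ needs.parse-results.outputs.vulnerabilities }}` on the step and `num_vulns=$(jq -r 'length' <<< "$VULNS")` in the script, with the later `echo '${{ … }}' | jq` replaced by `jq -r '…' <<< "$VULNS"`. This rendering shows both sides flush-left, so the reindentation the commit is about cannot be verified from here; separately, the `actions/*` steps are pinned by major tag rather than commit SHA, which is worth tightening in a workflow that is handed `ROCKSBOT_TOKEN` and `MM_BOT_TOKEN`.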
