Fix: Relocate GitHub Summary Vulnerability Report (#321)

* Revert "Revert "move github vulnerability report"" This reverts commit 7c474a1. * fix: bash variable sub * ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12433705292 * add if not cancelled to Create markdown content step * ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12433997812 * fix: bash variable sub * ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/12434320726 --------- Co-authored-by: clay-lake <clay-lake@localhost> Co-authored-by: zhijie-yang <zhijie.yang@canonical.com>
canonical · Dec 20, 2024 · e96fe5a · e96fe5a
1 parent bb0b979
commit e96fe5a
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/.github/workflows/Test-Rock.yaml b/.github/workflows/Test-Rock.yaml
@@ -271,6 +271,36 @@ jobs:
           name: ${{ steps.configure-trivy.outputs.report-name }}
           path: ${{ steps.configure-trivy.outputs.report-name}}
 
+
+      # We have to walk through the vulnerabilities since trivy does not support outputting the results as Markdown
+      - name: Create markdown content
+        id: create-markdown
+        if: ${{ !cancelled() }}
+        run: |
+          set -x
+
+          vulnerabilities="$(jq -r -c '[
+            try(.scanner.result.Results[])
+            | .Target as $target
+            | .Vulnerabilities
+            | select(. != null)
+            | .[]
+            | {Target: $target, LastModifiedDate: .LastModifiedDate, VulnerabilityID: .VulnerabilityID,
+              PkgName: .PkgName, Severity: .Severity}
+                  ]' < ${{ steps.configure-trivy.outputs.report-name }})"
+
+          num_vulns=$(echo "$vulnerabilities" | jq -r 'length')
+          
+          if [[ $num_vulns -gt 0 ]]; then
+            echo "# Vulnerabilities found for ${{ inputs.oci-archive-name }}" >> $GITHUB_STEP_SUMMARY
+            title="Vulnerabilities found for ${{ inputs.oci-archive-name }}"
+            echo "## $title" >> $GITHUB_STEP_SUMMARY
+            echo "| ID | Target | Severity | Package |" >> $GITHUB_STEP_SUMMARY
+            echo "| -- | ----- | -------- | ------- |" >> $GITHUB_STEP_SUMMARY
+            echo "$vulnerabilities" | jq -r '.[] | "| \(.VulnerabilityID) | /\(.Target) | \(.Severity) | \(.PkgName) |"' >> $GITHUB_STEP_SUMMARY
+          fi
+          
+
   test-malware:
     runs-on: ubuntu-22.04
     name: "test-malware ${{ inputs.oci-archive-name != '' && format('| {0}', inputs.oci-archive-name) || ' '}}"

diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml
@@ -213,12 +213,6 @@ jobs:
             echo "issue-body-file=issue.md" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Write to summary
-        if: ${{ !inputs.create-issue && steps.create-markdown.outputs.vulnerability-exists == 'true' }}
-        run: |
-          echo "# Vulnerabilities found for ${{ inputs.oci-image-name }}" >> $GITHUB_STEP_SUMMARY
-          cat ${{ steps.create-markdown.outputs.issue-body-file }} | tail -n +2 >> $GITHUB_STEP_SUMMARY
-
       - id: issue-exists
         if: ${{ inputs.create-issue}}
         run: |