-
-
Notifications
You must be signed in to change notification settings - Fork 205
35 lines (29 loc) · 1.15 KB
/
vulnerabilities.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: List vulnerable packages
on:
workflow_dispatch:
# Currently broken on .net 8, see https://github.com/NuGet/Home/issues/12954
# schedule:
# - cron: "0 0 * * *" # once a day
# pull_request:
jobs:
list-vulnerable-packages:
name: List vulnerable packages
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Setup Environment
uses: ./.github/actions/environment
# We only need to restore to check for vulnerable packages
- name: Restore .NET Dependencies
run: dotnet restore Sentry.sln --nologo
# The dotnet list package command doesn't change its exit code on detection, so tee to a file and scan it
# See https://github.com/NuGet/Home/issues/11315#issuecomment-1243055173
- name: List vulnerable packages
shell: bash
run: |
dotnet list ${{ github.workspace }}/Sentry.sln package --vulnerable --include-transitive | tee vulnerable.txt
# https://github.com/getsentry/sentry-dotnet/issues/2814
# ! grep 'has the following vulnerable packages' vulnerable.txt