First attempt using intel/cve-bin-tool to scan for CVE during build.
1 parent
cc37a2a
commit cb5f17e
Showing
2 changed files
with
80 additions
and
1 deletion.
@@ -0,0 +1,73 @@ | ||
name: CVE scanner | ||
|
||
inputs: | ||
directory: | ||
required: false | ||
default: '.' | ||
description: "Directory to scan (default: '.')" | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
# Get date utility for caching database. | ||
- name: Get Date | ||
id: get-date | ||
shell: bash | ||
run: | | ||
echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | ||
# cve-bin-tool is a Python application, so set up Python. | ||
- name: Set up Python | ||
uses: actions/setup-python@v4 | ||
with: | ||
python-version: '3.x' | ||
|
||
# This second step is unnecessary but highly recommended because | ||
# It will cache database and saves time redownloading it if database isn't stale. | ||
- name: Get cached python packages | ||
uses: actions/cache@v4 | ||
with: | ||
path: ~/.cache/pip | ||
key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | ||
restore-keys: | | ||
${{ runner.os }}-pip- | ||
- name: Get cached database | ||
uses: actions/cache@v4 | ||
with: | ||
path: cache | ||
key: cve-bin-tool-${{ steps.get-date.outputs.date }} | ||
|
||
- name: Install CVE Binary Tool | ||
# We are using latest development version of CVE Binary Tool | ||
# because current PyPI version don't have features like config file support, | ||
# generating HTML report etc. | ||
shell: bash | ||
run: | | ||
[[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | ||
pip install git+https://github.com/intel/cve-bin-tool@main reportlab | ||
# In case you prefer current PyPI version, you need to hard code CLI options | ||
# for cve-bin-tool in the action itself and have to use CSV or JSON as output format. | ||
# pip install cve-bin-tool | ||
- name: Scan directory | ||
id: scan | ||
shell: bash | ||
run: cve-bin-tool ${{ inputs.directory }} -f pdf -o cve-bin-tool-report-${{ runner.os }}.pdf | ||
continue-on-error: true | ||
# You need to set continue_on_error: true because CVE Binary Tool sets number of cves | ||
# as exit code. And GitHub terminates action when process produces | ||
# nonzero exit code status. | ||
|
||
# Upload generated report as an GitHub artifact which you can download later. | ||
- name: Upload report as an artifact | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: cve_report | ||
path: cve-bin-tool-report-${{ runner.os }}.pdf | ||
|
||
# Report failure if there were any CVEs. | ||
- name: Fail if there were CVEs | ||
if: steps.scan.outcome == 'failure' | ||
shell: bash | ||
run: exit 1 |
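Review bot: `cve-bin-tool ${{ inputs.directory }}` on the Scan directory step expands the action input straight into the shell command line, so a calling workflow that derives `directory` from untrusted context hands that value to bash for interpretation; route it through the environment instead: `env:` / `  SCAN_DIR: ${{ inputs.directory }}` / `run: cve-bin-tool "$SCAN_DIR" -f pdf -o "cve-bin-tool-report-${{ runner.os }}.pdf"`. The install step pulls `git+https://github.com/intel/cve-bin-tool@main`, an unpinned moving branch, so the scanner code that runs alongside the checked-out repository can change from one build to the next without any change in this action; pin it to a reviewed commit, `git+https://github.com/intel/cve-bin-tool@<commit-sha>`, and bump it deliberately. On the same step `mkdir -p .cache` creates a directory in the workspace while the following `mv` targets `~/.cache/cve-bin-tool`, which fails under the runner's default `bash -e` whenever `~/.cache` does not exist yet; `mkdir -p ~/.cache` looks intended. Since the Get cached database step restores the workspace path `cache` and the install step then moves it away, the post-job cache save presumably finds nothing to store unless the database is copied back — worth confirming against a run log.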