First attempt using intel/cve-bin-tool to scan for CVE during build.

ActiveState · Aug 26, 2024 · cb5f17e · cb5f17e
1 parent cc37a2a
commit cb5f17e
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 1 deletion.
diff --git a/.github/actions/scan/action.yml b/.github/actions/scan/action.yml
@@ -0,0 +1,73 @@
+name: CVE scanner
+
+inputs:
+  directory:
+    required: false
+    default: '.'
+    description: "Directory to scan (default: '.')"
+
+runs:
+  using: composite
+  steps:
+    # Get date utility for caching database.
+    - name: Get Date
+      id: get-date
+      shell: bash
+      run: |
+        echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT
+
+    # cve-bin-tool is a Python application, so set up Python.
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.x'
+
+    # This second step is unnecessary but highly recommended because
+    # It will cache database and saves time redownloading it if database isn't stale.
+    - name: Get cached python packages
+      uses: actions/cache@v4
+      with:
+        path: ~/.cache/pip
+        key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+        restore-keys: |
+          ${{ runner.os }}-pip-
+
+    - name: Get cached database
+      uses: actions/cache@v4
+      with:
+        path: cache
+        key: cve-bin-tool-${{ steps.get-date.outputs.date }}
+
+    - name: Install CVE Binary Tool
+      # We are using latest development version of CVE Binary Tool
+      # because current PyPI version don't have features like config file support,
+      # generating HTML report etc.
+      shell: bash
+      run: |
+        [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
+        pip install git+https://github.com/intel/cve-bin-tool@main reportlab
+        # In case you prefer current PyPI version, you need to hard code CLI options
+        # for cve-bin-tool in the action itself and have to use CSV or JSON as output format.
+        # pip install cve-bin-tool
+
+    - name: Scan directory
+      id: scan
+      shell: bash
+      run: cve-bin-tool ${{ inputs.directory }} -f pdf -o cve-bin-tool-report-${{ runner.os }}.pdf
+      continue-on-error: true
+      # You need to set continue_on_error: true because CVE Binary Tool sets number of cves
+      # as exit code. And GitHub terminates action when process produces
+      # nonzero exit code status.
+
+    # Upload generated report as an GitHub artifact which you can download later.
+    - name: Upload report as an artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: cve_report
+        path: cve-bin-tool-report-${{ runner.os }}.pdf
+
+    # Report failure if there were any CVEs.
+    - name: Fail if there were CVEs
+      if: steps.scan.outcome == 'failure'
+      shell: bash
+      run: exit 1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -214,6 +214,12 @@ jobs:
         shell: bash
         run: parallelize results Build-Executor
 
+      - # === "Scan for CVEs" ===
+        name: Scan for CVEs
+        uses: ./.github/actions/scan
+        with:
+          directory: build
+
       - # === Prepare Windows Cert ===
         name: Prepare Windows Cert
         shell: bash
@@ -424,7 +430,7 @@ jobs:
         name: Install Go
         uses: actions/setup-go@v3
         with:
-          go-version: ${{ matrix.go-version }}
+          go-version: 1.22.x
 
       - # === Install State Tool ===
         name: Install State Tool