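---
# Spring4Shell (CVE-2022-22965) audit across FOLIO platform-complete releases.
#
# For every module listed in install.json of each release branch, the scan job
# clones the module at its tagged version, extracts the resolved
# org.springframework:spring-beans version from the Maven dependency tree (and
# from the Grails runtime report when the module has a service/ wrapper), and
# appends one line per module to result.txt: "vuln|ok  <spring-beans versions>
# <module:version>". A module is "vuln" when any resolved spring-beans version
# is below the fix threshold of its release line (5.3.18 / 5.2.20.RELEASE),
# which is the rule stated in the report header.
name: spring-cve-2022-22965

on:
  workflow_dispatch:

# The job only reads public repositories and prints a report; it never writes
# through GITHUB_TOKEN, so restrict the token to the minimum.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        release: ["master", "R3-2022", "R2-2022"]
    steps:
      - name: Analyze
        # Runs under the default `bash -e` step shell: an unhandled failure
        # (e.g. a missing release tag on git clone) aborts the step.
        run: |
          echo "Spring4Shell CVE-2022-22965 - list spring-beans existence, mark <5.3.18 or <5.2.20.RELEASE as vuln" > result.txt
          echo >> result.txt
          # Wrapper used to run `grailsw dependency-report` inside each module's
          # service/ directory. It is executed code fetched at job time.
          # TODO(review): pin this artifact by recording its sha256 and checking
          #   echo "<EXPECTED_SHA256>  grails-wrapper.jar" | sha256sum -c
          wget https://grails.org/files/wrapper-issue7/grails4/grails-wrapper.jar
          git config --global advice.detachedHead false

          # True when $1 sorts strictly before $2 under GNU `sort -V` ordering.
          version_lt() {
            [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
          }

          # True when a spring-beans version is below the fix for its line:
          # 5.2.x is fixed from 5.2.20.RELEASE, everything else is compared
          # against 5.3.18 (older lines fall below it, newer lines above it).
          is_vuln() {
            case "$1" in
              5.2.*) version_lt "$1" 5.2.20.RELEASE ;;
              *) version_lt "$1" 5.3.18 ;;
            esac
          }

          # Module ids in install.json look like "mod-foo-1.2.3"; turn the last
          # "-<digit>" into ":" to get "mod-foo:1.2.3", and drop the UI bundles.
          # -f makes curl emit nothing on an HTTP error instead of an error page.
          INSTALL=$( curl -sSf https://raw.githubusercontent.com/folio-org/platform-complete/${{ matrix.release }}/install.json \
            | jq -r '.[].id' \
            | sed -E 's/-([0-9])/:\1/' \
            | grep -v '^folio_' \
            | sort -u )
          # An empty module list would silently produce an all-clear report.
          if [ -z "$INSTALL" ]
          then
            echo "no modules found in install.json for release ${{ matrix.release }}" >&2
            exit 1
          fi

          for M in $INSTALL
          do
            echo "M=$M"
            MOD=${M%%:*}
            VER=${M#*:}
            # The z3950 module's repository name differs from its install.json id.
            if [ "$MOD" = "mod-z3950" ]
            then
              MOD="Net-Z3950-FOLIO"
            fi
            git clone --branch "v$VER" --single-branch "https://github.com/folio-org/$MOD"
            # Best effort: modules without a service/ directory have no Grails part.
            cp grails-wrapper.jar "$MOD/service/" || true
            # Maven tree first (test-scoped artifacts excluded), then the Grails
            # runtime report; both yield bare version strings, de-duplicated.
            SPRING=$( ( cd "$MOD"; mvn dependency:tree \
              | grep -v ':test$' \
              | sed -n -E 's/^.* org.springframework:spring-beans:jar:([^:]+):.*/\1/p'; \
              cd service; \
              ./grailsw dependency-report runtime \
              | sed -n -E 's/^.* org.springframework:spring-beans:([^ ]+)$/\1/p' \
              ) | sort -u )
            # No spring-beans at all is "ok"; one vulnerable version marks the module.
            R="ok"
            for V in $SPRING
            do
              if is_vuln "$V"
              then
                R="vuln"
              fi
            done
            printf "%4s %-14s %s\n" "$R" "$SPRING" "$M" >> result.txt
          done
      - run: cat result.txt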