Skip to content

Check binaries

Check binaries #142

name: Check binaries
on:
workflow_dispatch:
schedule:
- cron: "0 16 * * 1-5" # min h d Mo DoW / 9am PST M-F
jobs:
check-for-vulnerabilities:
runs-on: ubuntu-latest
outputs:
report_contents: ${{ steps.save-output.outputs.report_contents }}
steps:
- name: Setup python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Checkout code
uses: actions/checkout@v4
with:
ref: main
- name: Download latest release
uses: robinraju/[email protected]
with:
latest: true
fileName: 'aws-lambda-rie*'
out-file-path: "bin"
- name: Run check for vulnerabilities
id: check-binaries
run: |
make check-binaries
- if: always() && failure() # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities
name: Save content of the vulnerabilities report as GitHub output
id: save-output
run: |
report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated
if [ -z "$report_csv" ]; then
echo "No file with vulnerabilities. Probably a failure in previous step."
else
echo "Vulnerabilities stored in $report_csv"
fi
final_report="${report_csv}.txt"
awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer
echo "report_contents<<EOF" >> "$GITHUB_OUTPUT"
cat "$final_report" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
- if: always() && steps.save-output.outputs.report_contents
name: Build new binaries and check vulnerabilities again
id: check-new-version
run: |
mkdir ./bin2
mv ./bin/* ./bin2
make compile-with-docker-all
latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
make check-binaries
- if: always() && steps.save-output.outputs.report_contents
name: Save outputs for the check with the latest build
id: save-new-version
run: |
if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
fixed="No"
else
fixed="Yes"
fi
echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
- if: always() && steps.save-output.outputs.report_contents
name: Create GitHub Issue indicating vulnerabilities
id: create-issue
uses: dacbd/create-issue-action@main
with:
token: ${{ github.token }}
title: |
CVEs found in latest RIE release
body: |
### CVEs found in latest RIE release
```
${{ steps.save-output.outputs.report_contents }}
```
#### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?:
> **${{ steps.save-new-version.outputs.fixed }}**