From 9e6041b151436647af596aec7b48c88f15ac360a Mon Sep 17 00:00:00 2001
From: Renato Valenzuela <37676028+valerena@users.noreply.github.com>
Date: Mon, 3 Jun 2024 16:23:06 -0700
Subject: [PATCH 1/2] feat: Add automatic vulnerabilities check (#123)
* Add automatic vulnerabilities check
---
.github/workflows/check-binaries.yml | 78 ++++++++++++++++++++++++++++
Makefile | 5 +-
2 files changed, 82 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/check-binaries.yml
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
new file mode 100644
index 0000000..bd41ece
--- /dev/null
+++ b/.github/workflows/check-binaries.yml
@@ -0,0 +1,78 @@
+name: Check binaries
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 16 * * 1-5" # min h d Mo DoW / 9am PST M-F
+
+jobs:
+ check-for-vulnerabilities:
+ runs-on: ubuntu-latest
+ outputs:
+ report_contents: ${{ steps.save-output.outputs.report_contents }}
+ steps:
+ - name: Setup python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: main
+ - name: Download latest release
+ uses: robinraju/release-downloader@v1.10
+ with:
+ latest: true
+ fileName: 'aws-lambda-rie*'
+ out-file-path: "bin"
+ - name: Run check for vulnerabilities
+ id: check-binaries
+ run: |
+ make check-binaries
+ - if: always() && failure() # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities
+ name: Save content of the vulnerabilities report as GitHub output
+ id: save-output
+ run: |
+ report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated
+ echo "Vulnerabilities stored in $report_csv"
+ final_report="${report_csv}.txt"
+ awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer
+ echo "report_contents<> "$GITHUB_OUTPUT"
+ cat "$final_report" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Build new binaries and check vulnerabilities again
+ id: check-new-version
+ run: |
+ mkdir ./bin2
+ mv ./bin/* ./bin2
+ make compile-with-docker-all
+ latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
+ echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
+ make check-binaries
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Save outputs for the check with the latest build
+ id: save-new-version
+ run: |
+ if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
+ fixed="No"
+ else
+ fixed="Yes"
+ fi
+ echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Create GitHub Issue indicating vulnerabilities
+ id: create-issue
+ uses: dacbd/create-issue-action@main
+ with:
+ token: ${{ github.token }}
+ title: |
+ CVEs found in latest RIE release
+ body: |
+ ### CVEs found in latest RIE release
+ ```
+ ${{ steps.save-output.outputs.report_contents }}
+ ```
+
+ #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?:
+ > **${{ steps.save-new-version.outputs.fixed }}**
diff --git a/Makefile b/Makefile
index f7a714e..6b66e79 100644
--- a/Makefile
+++ b/Makefile
@@ -70,4 +70,7 @@ integ-tests-with-docker-old:
 make ARCH=old compile-with-docker
 make prep-python
 make TEST_ARCH="" TEST_PORT=9052 exec-python-e2e-test
-
\ No newline at end of file
+
+check-binaries: prep-python
+ .venv/bin/pip install cve-bin-tool
+ .venv/bin/python -m cve_bin_tool.cli bin/ -r go -d REDHAT,OSV,GAD,CURL --no-0-cve-report -f csv
From 71388dd788b7a5519262391ce73fe6548dbaf86e Mon Sep 17 00:00:00 2001
From: Renato Valenzuela <37676028+valerena@users.noreply.github.com>
Date: Wed, 5 Jun 2024 11:51:08 -0700
Subject: [PATCH 2/2] fix: Vulnerability checks: create issue only when checked was done (#125)
---
.github/workflows/check-binaries.yml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
index bd41ece..75fa28f 100644
--- a/.github/workflows/check-binaries.yml
+++ b/.github/workflows/check-binaries.yml
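Review bot: The issue-creation step at the end of the hunk runs `dacbd/create-issue-action@main`, a third-party action pinned to a mutable branch, and the workflow declares no `permissions:` block, so whatever default GITHUB_TOKEN scope the repository grants is handed to code the project does not control. Pin the action to a reviewed commit (`uses: dacbd/create-issue-action@<commit-sha>  # <tag it corresponds to>`) and add a top-level block granting only what the job needs: `permissions:` / `  contents: read` / `  issues: write`; the same commit pinning applies to `robinraju/release-downloader@v1.10`, which is pinned to a tag rather than a commit. Separately, `latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)` can produce several lines when more than one binary matches, and a multi-line value written with `echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"` is unlikely to be parsed as one output; `sort -u | head -n1`, or the heredoc form already used for `report_contents`, would be safer.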
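Review bot: `.venv/bin/pip install cve-bin-tool` in the new `check-binaries` target installs whichever version is current at run time, so the scanner whose verdict gates issue creation is itself an unpinned dependency fetched on every scheduled run. Pin it (`.venv/bin/pip install 'cve-bin-tool==<pinned-version>'`), or better keep it in a hash-pinned requirements file, so a regressed or tampered release of the tool cannot silently change the outcome. The workflow's comments indicate the target is expected to exit non-zero when CVEs are reported; a recipe comment such as `# exits non-zero when any CVE is found; the workflow keys off that status` would make that contract visible in the Makefile itself. `prep-python` is defined outside the hunk.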
@@ -34,13 +34,17 @@ jobs:
 id: save-output
 run: |
 report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated
- echo "Vulnerabilities stored in $report_csv"
+ if [ -z "$report_csv" ]; then
+ echo "No file with vulnerabilities. Probably a failure in previous step."
+ else
+ echo "Vulnerabilities stored in $report_csv"
+ fi
 final_report="${report_csv}.txt"
 awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer
 echo "report_contents<> "$GITHUB_OUTPUT"
 cat "$final_report" >> "$GITHUB_OUTPUT"
 echo "EOF" >> "$GITHUB_OUTPUT"
- - if: always() && steps.check-binaries.outcome == 'failure'
+ - if: always() && steps.save-output.outputs.report_contents
 name: Build new binaries and check vulnerabilities again
 id: check-new-version
 run: |
@@ -50,7 +54,7 @@ jobs:
 latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
 echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
 make check-binaries
- - if: always() && steps.check-binaries.outcome == 'failure'
+ - if: always() && steps.save-output.outputs.report_contents
 name: Save outputs for the check with the latest build
 id: save-new-version
 run: |
@@ -60,7 +64,7 @@ jobs:
 fixed="Yes"
 fi
 echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
- - if: always() && steps.check-binaries.outcome == 'failure'
+ - if: always() && steps.save-output.outputs.report_contents
 name: Create GitHub Issue indicating vulnerabilities
 id: create-issue
 uses: dacbd/create-issue-action@main
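Review bot: In the first hunk the new `if [ -z "$report_csv" ]` branch only logs and then falls through, so `final_report` becomes `.txt`, `awk` is handed an empty path (how it reacts depends on the awk implementation) and an empty `.txt` file is written and emitted as `report_contents`; the later steps are skipped only because that output happens to be empty. Ending the branch with `echo "No file with vulnerabilities. Probably a failure in previous step."; exit 0` states the intent directly and avoids the stray file. The three replaced conditions (this hunk and the two that follow at `@@ -50,7 +54,7 @@` and `@@ -60,7 +64,7 @@`) depend on a non-empty string output being treated as true; `if: always() && steps.save-output.outputs.report_contents != ''` makes the check explicit. Since `always()` is kept, these steps still run after a checkout or download failure, which is presumably what the empty-report guard is meant to cover.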