feat: Add automatic vulnerabilities check (#123)

* Add automatic vulnerabilities check
aws · Jun 3, 2024 · 9e6041b · 9e6041b
1 parent d37e08c
commit 9e6041b
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 1 deletion.
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
@@ -0,0 +1,78 @@
+name: Check binaries
+
+on: 
+  workflow_dispatch:
+  schedule:
+   - cron: "0 16 * * 1-5"  # min h d Mo DoW / 9am PST M-F
+
+jobs:
+  check-for-vulnerabilities:
+    runs-on: ubuntu-latest
+    outputs:
+      report_contents: ${{ steps.save-output.outputs.report_contents }}
+    steps:
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: main
+      - name: Download latest release
+        uses: robinraju/[email protected]
+        with:
+          latest: true
+          fileName: 'aws-lambda-rie*'
+          out-file-path: "bin"
+      - name: Run check for vulnerabilities
+        id: check-binaries
+        run: |
+          make check-binaries
+      - if: always() && failure()   # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities
+        name: Save content of the vulnerabilities report as GitHub output
+        id: save-output
+        run: |
+          report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)"   # last file generated
+          echo "Vulnerabilities stored in $report_csv"
+          final_report="${report_csv}.txt"
+          awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report"   # make the CSV nicer
+          echo "report_contents<<EOF" >> "$GITHUB_OUTPUT"
+          cat "$final_report"         >> "$GITHUB_OUTPUT"
+          echo "EOF"                  >> "$GITHUB_OUTPUT"
+      - if: always() && steps.check-binaries.outcome == 'failure'
+        name: Build new binaries and check vulnerabilities again
+        id: check-new-version
+        run: |
+          mkdir ./bin2
+          mv ./bin/* ./bin2
+          make compile-with-docker-all
+          latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
+          echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
+          make check-binaries
+      - if: always() && steps.check-binaries.outcome == 'failure'
+        name: Save outputs for the check with the latest build
+        id: save-new-version
+        run: |
+          if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
+            fixed="No"
+          else
+            fixed="Yes"
+          fi
+          echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
+      - if: always() && steps.check-binaries.outcome == 'failure'
+        name: Create GitHub Issue indicating vulnerabilities
+        id: create-issue
+        uses: dacbd/create-issue-action@main
+        with:
+          token: ${{ github.token }}
+          title: |
+            CVEs found in latest RIE release
+          body: |
+            ###  CVEs found in latest RIE release
+            ```
+            ${{ steps.save-output.outputs.report_contents }}
+            ```
+            
+            #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?:
+            > **${{ steps.save-new-version.outputs.fixed }}**
diff --git a/Makefile b/Makefile
@@ -70,4 +70,7 @@ integ-tests-with-docker-old:
 	make ARCH=old compile-with-docker
 	make prep-python
 	make TEST_ARCH="" TEST_PORT=9052 exec-python-e2e-test
-
+
+check-binaries: prep-python
+	.venv/bin/pip install cve-bin-tool
+	.venv/bin/python -m cve_bin_tool.cli bin/ -r go -d REDHAT,OSV,GAD,CURL --no-0-cve-report -f csv