forked from aws/aws-lambda-runtime-interface-emulator
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge the check for vulnerabilities
- Loading branch information
Showing
2 changed files
with
86 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
name: Check binaries | ||
|
||
on: | ||
workflow_dispatch: | ||
schedule: | ||
- cron: "0 16 * * 1-5" # min h d Mo DoW / 9am PST M-F | ||
|
||
jobs: | ||
check-for-vulnerabilities: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
report_contents: ${{ steps.save-output.outputs.report_contents }} | ||
steps: | ||
- name: Setup python | ||
uses: actions/setup-python@v5 | ||
with: | ||
python-version: '3.11' | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
with: | ||
ref: main | ||
- name: Download latest release | ||
uses: robinraju/[email protected] | ||
with: | ||
latest: true | ||
fileName: 'aws-lambda-rie*' | ||
out-file-path: "bin" | ||
- name: Run check for vulnerabilities | ||
id: check-binaries | ||
run: | | ||
make check-binaries | ||
- if: always() && failure() # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities | ||
name: Save content of the vulnerabilities report as GitHub output | ||
id: save-output | ||
run: | | ||
report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated | ||
if [ -z "$report_csv" ]; then | ||
echo "No file with vulnerabilities. Probably a failure in previous step." | ||
else | ||
echo "Vulnerabilities stored in $report_csv" | ||
fi | ||
final_report="${report_csv}.txt" | ||
awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer | ||
echo "report_contents<<EOF" >> "$GITHUB_OUTPUT" | ||
cat "$final_report" >> "$GITHUB_OUTPUT" | ||
echo "EOF" >> "$GITHUB_OUTPUT" | ||
- if: always() && steps.save-output.outputs.report_contents | ||
name: Build new binaries and check vulnerabilities again | ||
id: check-new-version | ||
run: | | ||
mkdir ./bin2 | ||
mv ./bin/* ./bin2 | ||
make compile-with-docker-all | ||
latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq) | ||
echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT" | ||
make check-binaries | ||
- if: always() && steps.save-output.outputs.report_contents | ||
name: Save outputs for the check with the latest build | ||
id: save-new-version | ||
run: | | ||
if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then | ||
fixed="No" | ||
else | ||
fixed="Yes" | ||
fi | ||
echo "fixed=$fixed" >> "$GITHUB_OUTPUT" | ||
- if: always() && steps.save-output.outputs.report_contents | ||
name: Create GitHub Issue indicating vulnerabilities | ||
id: create-issue | ||
uses: dacbd/create-issue-action@main | ||
with: | ||
token: ${{ github.token }} | ||
title: | | ||
CVEs found in latest RIE release | ||
body: | | ||
### CVEs found in latest RIE release | ||
``` | ||
${{ steps.save-output.outputs.report_contents }} | ||
``` | ||
#### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?: | ||
> **${{ steps.save-new-version.outputs.fixed }}** |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters