From 0e126645987bbf135e6a645acb771d61bd691224 Mon Sep 17 00:00:00 2001
From: Renato Valenzuela
Date: Mon, 13 May 2024 21:55:10 +0000
Subject: [PATCH 1/2] feat: Add automatic vulnerabilities check
---
 .github/workflows/check-binaries.yml | 76 ++++++++++++++++++++++++++++
 Makefile | 5 +-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/check-binaries.yml
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
new file mode 100644
index 0000000..1d113da
--- /dev/null
+++ b/.github/workflows/check-binaries.yml
@@ -0,0 +1,76 @@
+name: Check binaries
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 16 * * 1-5" # min h d Mo DoW / 9am PST M-F
+
+jobs:
+ check-for-vulnerabilities:
+ runs-on: ubuntu-latest
+ outputs:
+ report_contents: ${{ steps.save-output.outputs.report_contents }}
+ steps:
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.11'
+ - uses: actions/checkout@v4
+ with:
+ ref: main
+ - uses: robinraju/release-downloader@v1.10
+ with:
+ latest: true
+ fileName: 'aws-lambda-rie*'
+ out-file-path: "bin"
+ - name: Run check for vulnerabilities
+ id: check-binaries
+ run: |
+ make check-binaries
+ - if: always() && failure() # Failure means there are vulnerabilities
+ id: save-output
+ name: Save output contents
+ run: |
+ report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated
+ echo "Vulnerabilities stored in $report_csv"
+ final_report="${report_csv}.txt"
+ awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer
+ echo "report_contents<> "$GITHUB_OUTPUT"
+ cat "$final_report" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Build new version and check
+ id: check-new-version
+ run: |
+ mkdir ./bin2
+ mv ./bin/* ./bin2
+ make compile-with-docker-all
+ latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)
+ echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
+ make check-binaries
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Save output for new version
+ id: save-new-version
+ run: |
+ exit_code=$?
+ if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
+ fixed="No"
+ else
+ fixed="Yes"
+ fi
+ echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
+ - if: always() && steps.check-binaries.outcome == 'failure'
+ name: Create Issue
+ id: create-issue
+ uses: dacbd/create-issue-action@main
+ with:
+ token: ${{ github.token }}
+ title: |
+ CVEs found in latest RIE release
+ body: |
+ ### CVEs found in latest RIE release
+ ```
+ ${{ steps.save-output.outputs.report_contents }}
+ ```
+
+ #### Are these resolved by building with the latest patch version of Go (${{ steps.check-new-version.outputs.latest_version }})?:
+ > **${{ steps.save-new-version.outputs.fixed }}**
diff --git a/Makefile b/Makefile
index f7a714e..6b66e79 100644
--- a/Makefile
+++ b/Makefile
@@ -70,4 +70,7 @@ integ-tests-with-docker-old:
 make ARCH=old compile-with-docker
 make prep-python
 make TEST_ARCH="" TEST_PORT=9052 exec-python-e2e-test
-
\ No newline at end of file
+
+check-binaries: prep-python
+ .venv/bin/pip install cve-bin-tool
+ .venv/bin/python -m cve_bin_tool.cli bin/ -r go -d REDHAT,OSV,GAD,CURL --no-0-cve-report -f csv
From be0625b06c6f7ef035b5772a6f985450d7dca946 Mon Sep 17 00:00:00 2001
From: Renato Valenzuela
Date: Thu, 23 May 2024 19:15:22 +0000
Subject: [PATCH 2/2] Improve step names
---
 .github/workflows/check-binaries.yml | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/check-binaries.yml b/.github/workflows/check-binaries.yml
index 1d113da..bd41ece 100644
--- a/.github/workflows/check-binaries.yml
+++ b/.github/workflows/check-binaries.yml
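Review bot: The `Create Issue` step at the end of the hunk runs `uses: dacbd/create-issue-action@main` with `token: ${{ github.token }}`, so a mutable branch of a third-party repository is fetched on every scheduled run and handed the workflow token; pin it to a full commit SHA, `uses: dacbd/create-issue-action@<full-commit-sha> # <release-tag>` (placeholders), and treat `robinraju/release-downloader@v1.10` the same way, since a tag can be moved too. The workflow declares no top-level `permissions:` block, so the token's scope depends on the repository default; adding `permissions:` / `  contents: read` / `  issues: write` at the top gives the job only what the checkout and the issue creation need. In `check-new-version`, `latest_version=$(strings bin/aws-lambda-rie* | grep '^go1\.' | sort | uniq)` is written to `$GITHUB_OUTPUT` in the single-line `key=value` form; if more than one distinct match ever comes out of the built binaries the value spans several lines and the output file becomes malformed, so either reduce it to one line (`| head -n1`) or use the heredoc form the `save-output` step already uses for `report_contents`.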
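Review bot: `.venv/bin/pip install cve-bin-tool` in the new `check-binaries` target installs whatever version is current on PyPI at each run, so the scanner whose exit status decides whether an issue is opened is an unpinned dependency that can change silently between scheduled runs. Pin it, `.venv/bin/pip install 'cve-bin-tool==<version>'` (placeholder), or, if `prep-python` installs from a requirements file, add it there with a hash and bump it deliberately. The short flags on the `cve_bin_tool.cli` line (`-r go -d REDHAT,OSV,GAD,CURL`) are opaque to a reader; a one-line comment above the target stating which checkers and data sources they select, or spelling them out in long form if the tool supports it, would make the target self-documenting. `prep-python` itself is defined outside the hunk.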
@@ -11,13 +11,16 @@ jobs:
 outputs:
 report_contents: ${{ steps.save-output.outputs.report_contents }}
 steps:
- - uses: actions/setup-python@v5
+ - name: Setup python
+ uses: actions/setup-python@v5
 with:
 python-version: '3.11'
- - uses: actions/checkout@v4
+ - name: Checkout code
+ uses: actions/checkout@v4
 with:
 ref: main
- - uses: robinraju/release-downloader@v1.10
+ - name: Download latest release
+ uses: robinraju/release-downloader@v1.10
 with:
 latest: true
 fileName: 'aws-lambda-rie*'
@@ -26,19 +29,19 @@ jobs:
 id: check-binaries
 run: |
 make check-binaries
- - if: always() && failure() # Failure means there are vulnerabilities
+ - if: always() && failure() # `always()` to run even if the previous step failed. Failure means that there are vulnerabilities
+ name: Save content of the vulnerabilities report as GitHub output
 id: save-output
- name: Save output contents
 run: |
 report_csv="$(ls -tr output.cve-bin-*.csv 2>/dev/null | tail -n1)" # last file generated
 echo "Vulnerabilities stored in $report_csv"
 final_report="${report_csv}.txt"
 awk -F',' '{n=split($10, path, "/"); print $2,$3,$4,$5,path[n]}' "$report_csv" | column -t > "$final_report" # make the CSV nicer
 echo "report_contents<> "$GITHUB_OUTPUT"
- cat "$final_report" >> "$GITHUB_OUTPUT"
- echo "EOF" >> "$GITHUB_OUTPUT"
+ cat "$final_report" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
 - if: always() && steps.check-binaries.outcome == 'failure'
- name: Build new version and check
+ name: Build new binaries and check vulnerabilities again
 id: check-new-version
 run: |
 mkdir ./bin2
@@ -48,10 +51,9 @@ jobs:
 echo "latest_version=$latest_version" >> "$GITHUB_OUTPUT"
 make check-binaries
 - if: always() && steps.check-binaries.outcome == 'failure'
- name: Save output for new version
+ name: Save outputs for the check with the latest build
 id: save-new-version
 run: |
- exit_code=$?
 if [ "${{ steps.check-new-version.outcome }}" == "failure" ]; then
 fixed="No"
 else
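Review bot: The rewritten comment on the `save-output` step in the second hunk says the failure `means that there are vulnerabilities`, but the condition it annotates is still `always() && failure()`, and `failure()` is true when any earlier step failed, including `Checkout code` or `Download latest release`; in that case no `output.cve-bin-*.csv` exists and the step runs with an empty `report_csv`. The sibling steps below already use the precise form, so change the line to `- if: always() && steps.check-binaries.outcome == 'failure' # the check target exits non-zero when CVEs are reported` to make the comment true and the steps consistent. `always()` has to stay in that form, because without a status-check function GitHub implicitly prepends `success()` and the step would never run after the failing check. The unchanged `$GITHUB_OUTPUT` heredoc lines in the same step only had their indentation corrected, which is fine.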
@@ -59,7 +61,7 @@ jobs:
 fi
 echo "fixed=$fixed" >> "$GITHUB_OUTPUT"
 - if: always() && steps.check-binaries.outcome == 'failure'
- name: Create Issue
+ name: Create GitHub Issue indicating vulnerabilities
 id: create-issue
 uses: dacbd/create-issue-action@main
 with: