|
| 1 | +name: Check for CVE in a snap |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_call: |
| 5 | + inputs: |
| 6 | + snap-name: |
| 7 | + description: The name of the snap to scan. |
| 8 | + required: true |
| 9 | + type: string |
| 10 | + channel: |
| 11 | + description: The channel of the snap to scan. |
| 12 | + required: false |
| 13 | + type: string |
| 14 | + default: "latest/stable" |
| 15 | + runs-on: |
| 16 | + default: 'ubuntu-latest' |
| 17 | + description: The runner(s) to use. |
| 18 | + required: false |
| 19 | + type: string |
| 20 | + outputs: |
| 21 | + cves-found: |
| 22 | + description: "Whether CVEs were found or not. Returns `true` or `false`." |
| 23 | + value: ${{ jobs.CVE-scan.outputs.cves-found }} |
| 24 | + cves-dict: |
| 25 | + description: "The dictionary of found CVEs." |
| 26 | + value: ${{ jobs.CVE-scan.outputs.cves-dict }} |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +jobs: |
| 31 | + prepare-scan-runners: |
| 32 | + runs-on: ubuntu-latest |
| 33 | + outputs: |
| 34 | + runs-on: ${{ steps.string-to-json.outputs.json }} |
| 35 | + steps: |
| 36 | + - name: String to JSON list |
| 37 | + id: string-to-json |
| 38 | + uses: canonical/robotics-actions-workflows/string-to-json@main |
| 39 | + with: |
| 40 | + string: ${{ inputs.runs-on }} |
| 41 | + |
| 42 | + CVE-scan: |
| 43 | + name: CVEs scan |
| 44 | + needs: [prepare-scan-runners] |
| 45 | + runs-on: ${{ matrix.runs-on }} |
| 46 | + strategy: |
| 47 | + fail-fast: false |
| 48 | + matrix: |
| 49 | + runs-on: ${{ fromJSON(needs.prepare-scan-runners.outputs.runs-on) }} |
| 50 | + outputs: |
| 51 | + cves-found: ${{ steps.check_notice.outputs.cves_found }} |
| 52 | + cves-dict: ${{ steps.check_notice.outputs.cves_dict }} |
| 53 | + steps: |
| 54 | + - name: Install review-tools |
| 55 | + run: sudo snap install review-tools |
| 56 | + - name: Dowload the sap file |
| 57 | + run: snap download ${{ inputs.snap-name }} --channel=${{ inputs.channel }} |
| 58 | + - name: Check notices |
| 59 | + id: check_notice |
| 60 | + run: | |
| 61 | + CVES_DICT=$(review-tools.check-notices ${{ inputs.snap-name}}_*.snap | jq -c '."${{ inputs.snap-name }}" | . []') |
| 62 | + RESULT=$(echo $CVES_DICT | jq -r 'length >0') |
| 63 | + if [[ "$RESULT" == "true" ]]; then |
| 64 | + echo "Your package contains known CVEs!" |
| 65 | + echo "The following CVEs are detected in your package: ${CVES_DICT}" |
| 66 | + else |
| 67 | + echo "No known CVEs found!" |
| 68 | + fi |
| 69 | + echo "cves_found=${RESULT}" >> $GITHUB_OUTPUT |
| 70 | + echo "cves_dict=${CVES_DICT}" >> $GITHUB_OUTPUT |
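Review bot: The `run:` steps at lines 57 and 61 splice `${{ inputs.snap-name }}` and `${{ inputs.channel }}` straight into the shell script, so a calling workflow that forwards an attacker-influenced value (for example one derived from a pull-request title) can inject commands on the runner; pass the inputs through `env:` and reference them as quoted shell variables instead, as sketched below. The same hunk pulls `canonical/robotics-actions-workflows/string-to-json@main` (line 38) by a mutable branch ref, which should be pinned to a full-length commit SHA so the action cannot change underneath callers. The step name on line 56 reads `Dowload the sap file` and should be `Download the snap file`. Also, `jq '... | .[]'` on line 61 emits one value per entry, so if check-notices ever reports more than one entry the `cves_dict=` write on line 70 would receive a multi-line value that `$GITHUB_OUTPUT` does not accept in that form — worth confirming against a real report and switching to the delimiter syntax if so.
```yaml
      - name: Download the snap file
        env:
          SNAP_NAME: ${{ inputs.snap-name }}
          CHANNEL: ${{ inputs.channel }}
        run: snap download "$SNAP_NAME" --channel="$CHANNEL"
      - name: Check notices
        id: check_notice
        env:
          SNAP_NAME: ${{ inputs.snap-name }}
        run: |
          CVES_DICT=$(review-tools.check-notices "${SNAP_NAME}"_*.snap | jq -c --arg n "$SNAP_NAME" '.[$n] | .[]')
          # … unchanged: RESULT computation, console messages and GITHUB_OUTPUT writes …
```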