diff --git a/.github/workflows/cves-check.yaml b/.github/workflows/cves-check.yaml
new file mode 100644
index 0000000..bf87077
--- /dev/null
+++ b/.github/workflows/cves-check.yaml
@@ -0,0 +1,69 @@
+name: Check for CVE in a snap
+
+on:
+ workflow_call:
+ inputs:
+ channel:
+ default: "latest/stable"
+ description: The channel of the snap to scan.
+ required: false
+ type: string
+ runs-on:
+ default: 'ubuntu-latest'
+ description: The runner(s) to use.
+ required: false
+ type: string
+ snap:
+ description: The name of the snap to scan.
+ required: true
+ type: string
+ outputs:
+ cves-dict:
+ description: "The dictionary of found CVEs."
+ value: ${{ jobs.CVE-scan.outputs.cves-dict }}
+ has-cves:
+ description: "Whether CVEs were found or not. Returns `true` or `false`."
+ value: ${{ jobs.CVE-scan.outputs.has-cves }}
+
+
+jobs:
+ prepare-scan-runners:
+ runs-on: ubuntu-latest
+ outputs:
+ runs-on: ${{ steps.string-to-json.outputs.json }}
+ steps:
+ - name: String to JSON list
+ id: string-to-json
+ uses: canonical/robotics-actions-workflows/string-to-json@main
+ with:
+ string: ${{ inputs.runs-on }}
+
+ CVE-scan:
+ name: CVEs scan
+ needs: [prepare-scan-runners]
+ runs-on: ${{ matrix.runs-on }}
+ strategy:
+ fail-fast: false
+ matrix:
+ runs-on: ${{ fromJSON(needs.prepare-scan-runners.outputs.runs-on) }}
+ outputs:
+ has-cves: ${{ steps.check_notice.outputs.has_cves }}
+ cves-dict: ${{ steps.check_notice.outputs.cves_dict }}
+ steps:
+ - name: Install review-tools
+ run: sudo snap install review-tools
+ - name: Dowload the snap file
+ run: snap download ${{ inputs.snap }} --channel=${{ inputs.channel }}
+ - name: Check notices
+ id: check_notice
+ run: |
+ CVES_DICT=$(review-tools.check-notices ${{ inputs.snap }}_*.snap | jq -c '."${{ inputs.snap }}" | . []')
+ RESULT=$(echo $CVES_DICT | jq -r 'length >0')
+ if [[ "$RESULT" == "true" ]]; then
+ echo "The snap ${{ inputs.snap }} contains known CVEs!"
+ echo "The following CVEs are detected in your package: ${CVES_DICT}"
+ else
+ echo "No known CVEs found."
+ fi
+ echo "has_cves=${RESULT}" >> $GITHUB_OUTPUT
+ echo "cves_dict=${CVES_DICT}" >> $GITHUB_OUTPUT
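Review bot: In the `Check notices` step the `review-tools.check-notices … | jq -c` pipeline runs under the default `run` shell, which has no `pipefail`, so a scan that fails (tool error, no matching `<snap>_*.snap` file) leaves `CVES_DICT` empty, `RESULT` empty rather than `false`, and the step still succeeds while writing `has_cves=` to `$GITHUB_OUTPUT` — a caller that gates on `has-cves != 'true'` will treat a broken scan as a clean one. Declare `shell: bash` (or `set -euo pipefail`) and fail the step explicitly when `RESULT` is neither `true` nor `false`, as sketched below. The `snap` and `channel` inputs are interpolated directly into the `run:` scripts of the download and scan steps (and into the jq filter string); passing them through `env:` and expanding `"$SNAP"` / `"$CHANNEL"` in the shell, with `jq --arg` for the filter, keeps an input containing shell or jq metacharacters from being interpreted as code rather than used as a name. The README added in this commit documents the input as `snap-name` and the output as `cves-found`, while the workflow declares `snap` and `has-cves`; callers following the README will fail on the missing required input, so one side should be corrected (the step name `Dowload` is also misspelled). If the per-snap object returned by `check-notices` can hold more than one entry, `. []` emits several JSON values and `RESULT` then spans several lines and never equals `true` — worth confirming against the tool's real output before relying on that comparison.
```yaml
      - name: Download the snap file
        env:
          SNAP: ${{ inputs.snap }}
          CHANNEL: ${{ inputs.channel }}
        run: snap download "$SNAP" --channel="$CHANNEL"
      - name: Check notices
        id: check_notice
        shell: bash
        env:
          SNAP: ${{ inputs.snap }}
        run: |
          set -euo pipefail
          CVES_DICT=$(review-tools.check-notices "${SNAP}"_*.snap | jq -c --arg snap "$SNAP" '.[$snap] | . []')
          RESULT=$(echo "$CVES_DICT" | jq -r 'length >0')
          if [[ "$RESULT" != "true" && "$RESULT" != "false" ]]; then
            echo "::error::CVE scan produced no usable result for ${SNAP}"
            exit 1
          fi
          # … unchanged: CVE reporting and GITHUB_OUTPUT writes …
```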
diff --git a/README.md b/README.md
index 70a7337..6f77ba6 100644
--- a/README.md
+++ b/README.md
@@ -43,6 +43,8 @@ The reusable workflows are:
 - [publish.yaml](.github/workflows/publish.yaml) - the workflow to publish the snap.
 - [keepalive.yaml](.github/workflows/keepalive.yaml) - keeps scheduled workflows alive.
 - [promote.yaml](.github/workflows/promote.yaml) - the workflow to promote the snap on the store.
+- [cves-check.yaml](.github/workflows/cves-check.yaml) - Check for CVEs in the snap.
+
 ### The snap workflow
@@ -188,3 +190,24 @@ The [promote](.github/workflows/promote.yaml) workflow promotes a given snap fro
 | Secret | Description | Required |
 |---|---|---|
 | `snapstore-login` | Store credential (see 'snapcraft export-login'). | true |
+
+### The CVEs check workflow
+
+The [cves-check](.github/workflows/cves-check.yaml) workflow check for known CVEs in a snap uploaded on the store.
+This workflow can be ran on any snap built with the [canonical/action-build](https://github.com/canonical/action-build) action, the [build](.github/workflows/build.yaml) reusable workflow or for any snap built with the `--manifest` option (more information on [forum.snapcraft.io](https://forum.snapcraft.io/t/checking-ubuntu-security-notices-for-a-snap/23410)).
+
+#### Inputs
+
+| Inputs | Default Value | Description | Required |
+|---|---|---|---|
+| `channel` | `latest/stable` | The channel of the snap to scan. | false |
+| `runs-on` | `ubuntu-latest` | The runner(s) to use. | false |
+| `snap-name` | | The name of the snap to scan. | true |
+
+
+#### Outputs
+
+| Ouputs | Description |
+|---|---|
+| `cves-dict` | The dictionary of found CVEs. |
+| `cves-found` | Whether CVEs were found or not. Returns `true` or `false`. |