feat(cve-check): check for cves

.github/workflows/cves-check.yaml

@@ -0,0 +1,70 @@
+name: Check for CVE in a snap
+
+on:
+  workflow_call:
+    inputs:
+      snap-name:
+        description: The name of the snap to scan.
+        required: true
+        type: string
+      channel:
+        description: The channel of the snap to scan.
+        required: false
+        type: string
+        default: "latest/stable"
+      runs-on:
+        default: 'ubuntu-latest'
+        description: The runner(s) to use.
+        required: false
+        type: string
+    outputs:
+      cves-found:
+        description: "Whether CVEs were found or not. Returns `true` or `false`."
+        value: ${{ jobs.CVE-scan.outputs.cves-found }}
+      cves-dict:
+        description: "The dictionary of found CVEs."
+        value: ${{ jobs.CVE-scan.outputs.cves-dict }}
+
+
+
+jobs:
+  prepare-scan-runners:
+    runs-on: ubuntu-latest
+    outputs:
+      runs-on: ${{ steps.string-to-json.outputs.json }}
+    steps:
+      - name: String to JSON list
+        id: string-to-json
+        uses: canonical/robotics-actions-workflows/string-to-json@main
+        with:
+          string: ${{ inputs.runs-on }}
+
+  CVE-scan:
+    name: CVEs scan
+    needs: [prepare-scan-runners]
+    runs-on: ${{ matrix.runs-on }}
+    strategy:
+      fail-fast: false
+      matrix:
+        runs-on: ${{ fromJSON(needs.prepare-scan-runners.outputs.runs-on) }}
+    outputs:
+      cves-found: ${{ steps.check_notice.outputs.cves_found }}
+      cves-dict: ${{ steps.check_notice.outputs.cves_dict }}
+    steps:
+      - name: Install review-tools
+        run: sudo snap install review-tools
+      - name: Dowload the sap file
+        run: snap download ${{ inputs.snap-name }} --channel=${{ inputs.channel }}
+      - name: Check notices
+        id: check_notice
+        run: | 
+          CVES_DICT=$(review-tools.check-notices ${{ inputs.snap-name}}_*.snap | jq -c '."${{ inputs.snap-name }}" | . []')
+          RESULT=$(echo $CVES_DICT | jq -r 'length >0')
+          if [[ "$RESULT" == "true" ]]; then
+            echo "Your package contains known CVEs!"
+            echo "The following CVEs are detected in your package: ${CVES_DICT}"
+          else
+            echo "No known CVEs found!"
+          fi
+          echo "cves_found=${RESULT}" >> $GITHUB_OUTPUT
+          echo "cves_dict=${CVES_DICT}" >> $GITHUB_OUTPUT

README.md

@@ -42,6 +42,7 @@ The reusable workflows are:
 - [test.yaml](.github/workflows/test.yaml) - the workflow to test the snap.
 - [publish.yaml](.github/workflows/publish.yaml) - the workflow to publish the snap.
 - [keepalive.yaml](.github/workflows/keepalive.yaml) - keeps scheduled workflows alive.
+- [cves-check.yaml](.github/workflows/cves-check.yaml) - Check for CVEs in the snap.
 
 ### The snap workflow
 
@@ -163,3 +164,24 @@ It makes use of the [gautamkrishnar/keepalive-workflow](https://github.com/gauta
 | Option | Default Value | Description | Required |
 |---|---|---|---|
 | `workflow_files` |  | A comma separated list of workflow files to keep alive. | false |
+
+### The CVEs check workflow
+
+The [cves-check](.github/workflows/cves-check.yaml) workflow check for known CVEs in a snap uploaded on the store.
+This workflow can be ran on any snap built with the [canonical/action-build](https://github.com/canonical/action-build) action, the [build](.github/workflows/build.yaml) reusable workflow or for any snap built with the `--manifest` option (more information on [forum.snapcraft.io](https://forum.snapcraft.io/t/checking-ubuntu-security-notices-for-a-snap/23410)).
+
+#### Inputs
+
+| Inputs | Default Value | Description | Required |
+|---|---|---|---|
+| `snap-name` |  | The name of the snap to scan. | true |
+| `channel` | `latest/stable` | The channel of the snap to scan. | false |
+| `runs-on` | `ubuntu-latest` | The runner(s) to use. | false |
+
+
+#### Outputs
+
+| Ouputs | Description |
+|---|---|
+| `cves-found` | Whether CVEs were found or not. Returns `true` or `false`. |
+| `cves-dict` | The dictionary of found CVEs. |