feat(cve-check): check for cves #10
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| name: Check for CVE in a snap | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| snap-name: | ||
| description: The name of the snap to scan. | ||
| required: true | ||
| type: string | ||
| channel: | ||
| description: The channel of the snap to scan. | ||
| required: false | ||
| type: string | ||
| default: "latest/stable" | ||
| runs-on: | ||
|
Why do we need to specify a runner? Can't we run an amd64
Author (Collaborator): I didn't find a way to specify the arch from the
||
| default: 'ubuntu-latest' | ||
| description: The runner(s) to use. | ||
| required: false | ||
| type: string | ||
| outputs: | ||
| cves-found: | ||
| description: "Whether CVEs were found or not. Returns `true` or `false`." | ||
| value: ${{ jobs.CVE-scan.outputs.cves-found }} | ||
| cves-dict: | ||
| description: "The dictionary of found CVEs." | ||
| value: ${{ jobs.CVE-scan.outputs.cves-dict }} | ||
|
|
||
|
|
||
|
|
||
| jobs: | ||
| prepare-scan-runners: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| runs-on: ${{ steps.string-to-json.outputs.json }} | ||
| steps: | ||
| - name: String to JSON list | ||
| id: string-to-json | ||
| uses: canonical/robotics-actions-workflows/string-to-json@main | ||
| with: | ||
| string: ${{ inputs.runs-on }} | ||
|
|
||
| CVE-scan: | ||
| name: CVEs scan | ||
| needs: [prepare-scan-runners] | ||
| runs-on: ${{ matrix.runs-on }} | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| runs-on: ${{ fromJSON(needs.prepare-scan-runners.outputs.runs-on) }} | ||
| outputs: | ||
| cves-found: ${{ steps.check_notice.outputs.cves_found }} | ||
| cves-dict: ${{ steps.check_notice.outputs.cves_dict }} | ||
| steps: | ||
| - name: Install review-tools | ||
| run: sudo snap install review-tools | ||
| - name: Dowload the sap file | ||
| run: snap download ${{ inputs.snap-name }} --channel=${{ inputs.channel }} | ||
| - name: Check notices | ||
| id: check_notice | ||
| run: | | ||
| CVES_DICT=$(review-tools.check-notices ${{ inputs.snap-name}}_*.snap | jq -c '."${{ inputs.snap-name }}" | . []') | ||
| RESULT=$(echo $CVES_DICT | jq -r 'length >0') | ||
| if [[ "$RESULT" == "true" ]]; then | ||
| echo "Your package contains known CVEs!" | ||
| echo "The following CVEs are detected in your package: ${CVES_DICT}" | ||
| else | ||
| echo "No known CVEs found!" | ||
| fi | ||
| echo "cves_found=${RESULT}" >> $GITHUB_OUTPUT | ||
| echo "cves_dict=${CVES_DICT}" >> $GITHUB_OUTPUT | ||
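Review bot: the `Check notices` step can silently report no CVEs when a command fails, because the script never opts into `pipefail`: the `run:` block has no `shell:` key, so it executes under the default `bash -e {0}`, and the exit status of `CVES_DICT=$(review-tools.check-notices ... | jq -c ...)` is jq's, which succeeds on empty input. A failing `snap download` or `review-tools.check-notices` therefore leaves `CVES_DICT` empty, `RESULT=$(echo $CVES_DICT | jq -r 'length >0')` prints nothing, the `else` branch echoes "No known CVEs found!", and the caller receives `cves_found=` (empty, not `true`) from a green job. Add `shell: bash` (which runs with `-eo pipefail`) or start the script with `set -euo pipefail`, and fail the step when `RESULT` is neither `true` nor `false`. Related: the trailing `| . []` in the jq filter iterates over the values of the snap's entry, so with more than one key `CVES_DICT` becomes multi-line, which corrupts the single-line `echo "cves_dict=${CVES_DICT}" >> $GITHUB_OUTPUT` write (multi-line outputs need the `name<<EOF` delimiter form) and makes `length >0` emit several lines; quote `"$CVES_DICT"` in the `echo` as well. Two further points: `CVE-scan` is a matrix job, so when `inputs.runs-on` lists several runners only the last matrix leg to finish defines `cves-found` and `cves-dict`, and results from the other runners are dropped without any indication; and `${{ inputs.snap-name }}` / `${{ inputs.channel }}` are expanded straight into shell text, so pass them via `env:` and reference `"$SNAP_NAME"` / `"$CHANNEL"` instead. Minor: the step name `Dowload the sap file` should read `Download the snap file`.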