-
Notifications
You must be signed in to change notification settings - Fork 0
278 lines (241 loc) · 9.53 KB
/
dependency-analysis.yml
File metadata and controls
278 lines (241 loc) · 9.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
name: dependency-checks
on:
pull_request:
workflow_call:
inputs:
module_directory:
description: 'Component path'
required: false
default: ""
type: string
permissions:
contents: read
env:
minimum_package_age_hours: 1 # 168 # 7 days
jobs:
dependency-scan:
name: Run safe-chain analysis
runs-on: ${{ github.repository_visibility != 'public' && 'centreon-security' || 'ubuntu-24.04' }}
steps:
- name: Checkout Repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Setup Pnpm
uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
with:
version: 10
- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version: 22
package-manager-cache: true
- name: Install safe-chain
run: |
max_retries=5
retry_delay=5
for ((i=1; i<=max_retries; i++)); do
if curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci; then
echo "Success on attempt $i"
exit 0
else
echo "Attempt $i failed. Retrying in $retry_delay seconds..."
sleep $retry_delay
fi
done
echo "All $max_retries attempts failed."
exit 1
shell: bash
- name: Check dependencies and managers
run: |
set +x
# Check override
if [ "${{ vars.OVERRIDE_ALL_DEPENDENCY_SCAN }}" == "true" ]; then
echo "[DEBUG] - Global scan override enabled"
return 0
elif [[ "${{ vars.OVERRIDE_PNPM_COMPLIANCE }}" == "true" ]]; then
echo "[DEBUG] - PNPM scan override enabled"
return 0
fi
# Check date
current_timestamp=$(date +%s)
DUE_DATE="${{ vars.OVERRIDE_DEPENDENCY_ENFORCEMENT_DATE }}"
input_timestamp=$(date -d "$DUE_DATE" +%s)
# Setup vars
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=${{ env.minimum_package_age_hours }}
export SAFE_CHAIN_LOGGING="silent"
ERROR_LOG="error_log.txt"
FORCE_FAIL="false"
ENFORCEMENT="false"
SKIP="false"
if [ "$current_timestamp" -ge "$input_timestamp" ]; then
echo "[DEBUG]: Deadline passed."
ENFORCEMENT="true"
fi
function message_type() {
if [ $ENFORCEMENT == "true" ]; then
echo "[ERROR] : $1"
echo "[ERROR] : $1" > "$ERROR_LOG"
FORCE_FAIL="true"
else
echo "[WARNING] : $1"
echo "[WARNING] : $1" > "$ERROR_LOG"
fi
}
# Compare pnpm version used in lockfile
function compare_version() {
SKIP="false"
MIN_LOCKFILE_VERSION="9.0"
LOCKFILE_VERSION=$(grep -E '^lockfileVersion:' "$LOC_TYPE" \
| awk '{print $2}' \
| tr -d "'\"")
# Compare versions
version_ge() {
[ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}
echo "[DEBUG] - 0 - before condition LOCKFILE_VERSION = $LOCKFILE_VERSION"
echo "[DEBUG] - 0 - before condition MIN_LOCKFILE_VERSION = $MIN_LOCKFILE_VERSION"
if version_ge "$MIN_LOCKFILE_VERSION" "$LOCKFILE_VERSION"; then
echo "[DEBUG] - 1 - LOCKFILE_VERSION is lower than $MIN_LOCKFILE_VERSION"
message_type "lockfileVersion $LOCKFILE_VERSION < $MIN_LOCKFILE_VERSION in $LOC_FILE"
SKIP="true"
else
echo "[DEBUG] - 1 - LOCKFILE_VERSION is greater or equal to $MIN_LOCKFILE_VERSION"
fi
}
# Move to module folder and find manifests
MODULE_FOLDER="${{ inputs.module_directory }}" || ""
if [[ -n "$MODULE_FOLDER" ]]; then
cd $MODULE_FOLDER
fi
touch "$ERROR_LOG"
echo "[INFO] - Find manifest files"
DEP_FILES=($(find ./ -type f -name "package.json"))
# Scan node manifests
for DEP_FILE in ${DEP_FILES[@]}; do
DEP_DIR=$(dirname $DEP_FILE)
echo "[INFO] - Scanning $DEP_FILE"
echo "[DEBUG] - DEP_FILE = $DEP_FILE"
LOC_FILES=($(find $DEP_DIR -type f -name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock"))
COUNT=0
for LOC_FILE in ${LOC_FILES[@]}; do
LOC_TYPE=$(basename $LOC_FILE)
LOC_DIR=$(dirname $LOC_FILE)
cd $LOC_DIR
case $LOC_TYPE in
"yarn.lock")
COUNT=$((COUNT+1))
message_type "Yarn is no longer allowed. Kindly replace the lockfile using PNPM : $LOC_FILE"
;;
"package-lock.json")
COUNT=$((COUNT+1))
message_type "NPM is no longer allowed. Kindly replace the lockfile using PNPM : $LOC_FILE"
;;
"pnpm-lock.yaml")
echo "[DEBUG] - compare version start"
SKIP=$(compare_version)
echo "[DEBUG] - SKIP = $SKIP"
if [ "$SKIP" == "true" ] ; then continue; fi
echo "[DEBUG] - check manifests"
ls -la package.json
ls -la pnpm-lock.yaml
#echo "[DEBUG] - safe chain start"
#echo "[DEBUG] - LOC_FILE = $LOC_FILE"
#pnpm install --frozen-lockfile --loglevel warn --safe-chain-logging=verbose
#pnpm install --frozen-lockfile --safe-chain-logging=verbose
COUNT=$((COUNT+1))
;;
"*")
message_type "no lockfile found in $LOC_DIR"
;;
esac
cd -
done
if [[ $COUNT -gt 1 ]]; then
message_type "$COUNT lockfiles were found. Kindly keep only the lockfile generated with PNPM : $LOC_DIR"
fi
echo "[DEBUG] - COUNT = $COUNT"
done
echo "[DEBUG] - FORCE_FAIL = $FORCE_FAIL"
if [ -s "$ERROR_LOG" ]; then
cat "$ERROR_LOG"
if [ "FORCE_FAIL" == "true" ]; then
echo "[FATAL]: Breaking the run."
exit 1
fi
else
echo "[INFO] - OK nothing found"
fi
echo "[DEBUG] - ERROR_LOG :"
cat $ERROR_LOG
shell: bash
dependency-blacklist:
name: Run blacklist analysis
runs-on: ${{ github.repository_visibility != 'public' && 'centreon-security' || 'ubuntu-24.04' }}
steps:
- name: Checkout Repository
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
- name: Check for blacklisted dependencies
run: |
# Check override
if [ "${{ vars.OVERRIDE_DEPENDENCY_SCAN }}" == "true" ]; then
echo "[DEBUG] - Global scan override enabled"
return 0
elif [[ "${{ vars.OVERRIDE_BLACKLIST_COMPLIANCE }}" == "true" ]]; then
echo "[DEBUG] - Blacklist scan override enabled"
return 0
fi
function checkPnpmLockfile() {
# Find dependency formated as
# "name@version:"
if grep -qF "$NAME@$VERSION" "$LOCKFILE"; then
echo "$NAME:$VERSION was found in $LOCKFILE"
echo "[ERROR] - $NAME:$VERSION was found in $LOCKFILE" >> "$ERROR_LOG"
else
echo -n "."
fi
}
function checkManifest() {
COUNT=0
echo "[INFO] - Testing manifest $LOCKFILE"
manifest_type=$(basename "$LOCKFILE")
while IFS=':' read -r NAME VERSION; do
# ignore empty and commented lines
[[ -z "${NAME// }" ]] && continue
[[ "$NAME" =~ ^# ]] && continue
case "$manifest_type" in
"pnpm-lock.yaml")
checkPnpmLockfile
;;
"yarn.lock")
echo "[ERROR] - dependency manager not allowed. Found in $LOCKFILE" >> "$ERROR_LOG"
;;
"package-lock.json")
echo "[ERROR] - dependency manager not allowed. Found in $LOCKFILE" >> "$ERROR_LOG"
;;
"*")
echo "[ERROR] - dependency manager not managed. Found in $LOCKFILE" >> "$ERROR_LOG"
esac
COUNT=$((COUNT+1))
done < "$DEP_LIST"
echo "[INFO] - Scanned $COUNT IOC"
}
DEP_LIST="compromised-packages.txt"
if [ -f "$DEP_LIST" ]; then rm -f "$DEP_LIST"; fi
wget https://raw.githubusercontent.com/centreon/security-tools/main/blacklist/"$DEP_LIST"
ERROR_LOG="error_log.txt"
touch "$ERROR_LOG"
LOCKFILES=($(find ./ -type f -name "pnpm-lock.yaml"))
for LOCKFILE in "${LOCKFILES[@]}"; do
checkManifest "$LOCKFILE"
done
if [ -s "$ERROR_LOG" ]; then
echo -e "[ERROR]: Breaking the run as following ERRORS were found:"
cat "$ERROR_LOG"
exit 1
else
echo "[INFO] - OK nothing found"
fi
shell: bash