@@ -29,10 +29,11 @@ jobs:
2929 run : pip install --no-cache-dir --upgrade cve-bin-tool
3030 - name : Run dependency scan
3131 run : |
32- # Generate CSV for detailed vulnerability data
33- cve-bin-tool . --exclude examples -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f csv --output-file dependency-report.csv || true
34- # Generate console output to capture CPE summary with latest stable versions (use wide columns to avoid truncation)
35- COLUMNS=300 cve-bin-tool . --exclude examples -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f console > dependency-console.txt 2>&1 || true
32+ # Scan only specific Go files and modules, exclude directories that may cause false positives
33+ # Focus on go.mod dependencies and main source files
34+ cve-bin-tool go.mod go.sum main.go --exclude examples --exclude local_testing --exclude test --exclude extensions --exclude .git --exclude .github --exclude credentials --exclude release-testing --exclude preview-extensions-ggqizro707 --exclude venv --exclude .venv -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f csv --output-file dependency-report.csv || true
35+ # Generate console output for version information
36+ COLUMNS=300 cve-bin-tool go.mod go.sum main.go --exclude examples --exclude local_testing --exclude test --exclude extensions --exclude .git --exclude .github --exclude credentials --exclude release-testing --exclude preview-extensions-ggqizro707 --exclude venv --exclude .venv -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f console > dependency-console.txt 2>&1 || true
3637 - name : Upload dependency scan artifacts
3738 uses : actions/upload-artifact@v4
3839 with :
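Review bot: The twelve-entry `--exclude` list on the new csv command and the new console command is pasted twice verbatim, so the two runs will silently diverge the next time only one of them is edited; hoist the targets and excludes into shell variables at the top of the `run:` block and reuse them. With explicit file targets (`go.mod go.sum main.go`) the excludes may no longer influence anything — worth confirming against cve-bin-tool's handling of file arguments and, if so, dropping them. Both commands keep `|| true`, so a scan that fails before writing output (for example a data-source download error) still leaves the job green and `dependency-report.csv` absent for the upload step; logging the exit status as a workflow annotation makes that case visible without failing the job.
```yaml
run: |
  # Targets and excludes shared by the csv and console runs; edit in one place
  TARGETS=(go.mod go.sum main.go)
  EXCLUDES=(--exclude examples --exclude local_testing --exclude test --exclude extensions --exclude .git --exclude .github --exclude credentials --exclude release-testing --exclude preview-extensions-ggqizro707 --exclude venv --exclude .venv)
  cve-bin-tool "${TARGETS[@]}" "${EXCLUDES[@]}" -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f csv --output-file dependency-report.csv || echo "::warning::dependency csv scan exited with status $?"
  COLUMNS=300 cve-bin-tool "${TARGETS[@]}" "${EXCLUDES[@]}" -r go -d "REDHAT,OSV,GAD,CURL" --no-0-cve-report -f console > dependency-console.txt 2>&1 || echo "::warning::dependency console scan exited with status $?"
```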
@@ -72,10 +73,17 @@ jobs:
7273 esac
7374 - name : Run CVE scan on binary
7475 run : |
75- # Generate CSV for detailed vulnerability data
76- cve-bin-tool extensions/ -r go -d "$SCAN_DATASOURCES" --no-0-cve-report -f csv --output-file cve-report-${{ matrix.arch }}.csv || true
77- # Generate console output to capture CPE summary with latest stable versions (use wide columns to avoid truncation)
78- COLUMNS=300 cve-bin-tool extensions/ -r go -d "$SCAN_DATASOURCES" --no-0-cve-report -f console > cve-console-${{ matrix.arch }}.txt 2>&1 || true
76+ # Scan only the compiled binary, not directory contents
77+ if [ -f "extensions/newrelic-lambda-extension" ]; then
78+ # Generate CSV for detailed vulnerability data
79+ cve-bin-tool extensions/newrelic-lambda-extension -r go -d "$SCAN_DATASOURCES" --no-0-cve-report -f csv --output-file cve-report-${{ matrix.arch }}.csv || true
80+ # Generate console output to capture CPE summary with latest stable versions
81+ COLUMNS=300 cve-bin-tool extensions/newrelic-lambda-extension -r go -d "$SCAN_DATASOURCES" --no-0-cve-report -f console > cve-console-${{ matrix.arch }}.txt 2>&1 || true
82+ else
83+ echo "Binary not found, creating empty reports"
84+ echo "Vendor,Product,Version,Description,CVE,Severity" > cve-report-${{ matrix.arch }}.csv
85+ echo "No binary found for scanning" > cve-console-${{ matrix.arch }}.txt
86+ fi
7987 - name : Upload CVE scan artifacts
8088 uses : actions/upload-artifact@v4
8189 with :
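Review bot: The `else` branch writes a placeholder csv and console file and exits 0, so an upstream build that fails to produce `extensions/newrelic-lambda-extension` yields a run that looks like a clean scan rather than a missed one; emit a workflow annotation and fail the step, `echo "::error::extensions/newrelic-lambda-extension missing; nothing was scanned"; exit 1`, or at least a `::warning::` annotation if the later report steps must still run. The hand-written header `Vendor,Product,Version,Description,CVE,Severity` presumably has to match the columns the parse step expects from cve-bin-tool's csv output — confirm them, since a mismatch would only surface on this rarely exercised path. Both scan commands on the found-binary path still end in `|| true`, so a scanner failure there is equally invisible; the same annotation pattern applies.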
@@ -268,7 +276,7 @@ jobs:
268276 const backupFingerprint = '${{ steps.parse.outputs.backup_fingerprint }}';
269277 const todayDate = new Date().toISOString().split('T')[0];
270278 const vulnCount = '${{ steps.parse.outputs.vuln_count }}';
271- const issueTitle = `Security Scan Report - ${todayDate} (${vulnCount} vulnerabilities) `;
279+ const issueTitle = `Security Scan Report - ${todayDate}`;
272280 const issueLabel = 'vulnerability-report';
273281 const newBody = process.env.REPORT_BODY;
274282
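Review bot: `vulnCount` on the line above the new `issueTitle` is now unreferenced unless the script uses it further down, outside this hunk; if the count is intentionally dropped from the title, remove the declaration, otherwise keep it in the body text so the number is still reported somewhere. Since the step already passes the body through `process.env.REPORT_BODY`, the remaining `${{ steps.parse.outputs.* }}` interpolations in this hunk would be safer routed through the step's `env:` the same way, e.g. `const vulnCount = process.env.VULN_COUNT;`, so values derived from the scanner output are never spliced into JavaScript source text. If any later code matches issues by exact title, the date-only title changes that match; that code is outside this hunk.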