1+ #! /bin/bash
2+ # filepath: .github/scripts/check_bdba_vulns.sh
3+
4+ set -e
5+
6+ # BDBA Vulnerability Check Script
7+ # This script processes BDBA scan results and generates GitHub Actions summary
8+
9+ ARTIFACTS_DIR=" ./bdba_artifacts"
10+ VULN_FILE=" "
11+ VULN_COUNT=0
12+
13+ # Function to find vulnerability CSV file
14+ find_vulnerability_file () {
15+ echo " Looking for BDBA Reports artifacts..."
16+ find " $ARTIFACTS_DIR " -name " *BDBA Reports*" -type d
17+
18+ VULN_FILE=$( find " $ARTIFACTS_DIR " -name " *-vulns.csv" -type f | head -1)
19+
20+ if [ -z " $VULN_FILE " ]; then
21+ echo " ::warning::No vulnerability CSV file found in BDBA artifacts"
22+ echo " Available files in BDBA artifacts:"
23+ find " $ARTIFACTS_DIR " -type f | head -20
24+
25+ write_no_file_summary
26+ exit 0
27+ fi
28+
29+ echo " Found vulnerability file: $VULN_FILE "
30+ }
31+
32+ # Function to write summary when no vulnerability file is found
33+ write_no_file_summary () {
34+ cat >> " $GITHUB_STEP_SUMMARY " << 'EOF '
35+ ## 🔍 BDBA Vulnerability Scan Results
36+
37+ ⚠️ **No vulnerability CSV file found in BDBA artifacts**
38+
39+ Please check the BDBA scan configuration.
40+ EOF
41+ }
42+
43+ # Function to count vulnerabilities (excluding triage vulnerabilities)
44+ count_vulnerabilities () {
45+ if [ ! -f " $VULN_FILE " ]; then
46+ echo " ::error::Vulnerability file not found: $VULN_FILE "
47+ exit 1
48+ fi
49+
50+ # Count total lines and filtered vulnerabilities
51+ TOTAL_LINES=$( wc -l < " $VULN_FILE " )
52+
53+ # Use Python/awk to properly parse CSV with multiline fields
54+ VULN_COUNT=$( python3 -c "
55+ import csv
56+ import sys
57+
58+ count = 0
59+ try:
60+ with open('$VULN_FILE ', 'r', newline='', encoding='utf-8') as csvfile:
61+ reader = csv.reader(csvfile)
62+ next(reader) # Skip header
63+
64+ for row in reader:
65+ if len(row) >= 20:
66+ # Column 20 is index 19 (0-based)
67+ col20 = row[19].strip()
68+ # Count rows where column 20 is empty
69+ if not col20:
70+ count += 1
71+ else:
72+ # If row has fewer than 20 columns, treat as no triage (count it)
73+ count += 1
74+
75+ except Exception as e:
76+ print(f'Error parsing CSV: {e}', file=sys.stderr)
77+ sys.exit(1)
78+
79+ print(count)
80+ " )
81+
82+ # Calculate totals using Python for consistency
83+ TOTAL_DATA_LINES=$( python3 -c "
84+ import csv
85+ count = 0
86+ try:
87+ with open('$VULN_FILE ', 'r', newline='', encoding='utf-8') as csvfile:
88+ reader = csv.reader(csvfile)
89+ next(reader) # Skip header
90+ for row in reader:
91+ count += 1
92+ except:
93+ pass
94+ print(count)
95+ " )
96+
97+ EXCLUDED_COUNT=$(( TOTAL_DATA_LINES - VULN_COUNT))
98+
99+ echo " BDBA Vulnerability Analysis:"
100+ echo " =========================="
101+ echo " Total lines in file: $TOTAL_LINES "
102+ echo " Total data entries (excluding header): $TOTAL_DATA_LINES "
103+ echo " Excluded entries (column 20 not empty): $EXCLUDED_COUNT "
104+ echo " Vulnerability entries: $VULN_COUNT "
105+ }
106+
107+ # Function to write basic summary header
108+ write_summary_header () {
109+ cat >> " $GITHUB_STEP_SUMMARY " << EOF
110+ ## 🔍 BDBA Vulnerability Scan Results
111+
112+ **Scan Date:** $( date)
113+ **Total Vulnerabilities Found:** $VULN_COUNT
114+
115+ EOF
116+ }
117+
118+ # Function to process vulnerabilities and write to summary
119+ process_vulnerabilities () {
120+ echo " "
121+ echo " BDBA scan found $VULN_COUNT vulnerabilities!"
122+ echo " "
123+
124+ # Add vulnerability table header to GitHub Summary
125+ cat >> " $GITHUB_STEP_SUMMARY " << 'EOF '
126+ ### ❌ Vulnerabilities Found
127+
128+ | # | CVE | CVSS3 | Component | Version | Latest_Version | Object_Full_Path | Vulnerability_URL |
129+ |---|-----|-------|-----------|---------|----------------|------------------|-------------------|
130+ EOF
131+
132+ # Use Python to properly parse CSV and generate table
133+ python3 -c "
134+ import csv
135+ import sys
136+
137+ row_num = 0
138+ try:
139+ with open('$VULN_FILE ', 'r', newline='', encoding='utf-8') as csvfile:
140+ reader = csv.reader(csvfile)
141+ next(reader) # Skip header
142+
143+ for row in reader:
144+ if len(row) >= 20:
145+ # Column 20 is index 19 (0-based)
146+ col20 = row[19].strip()
147+
148+ # Skip this row if column 20 is not empty
149+ if col20:
150+ continue
151+
152+ # Extract specific columns (0-based indexing)
153+ component = row[0] if len(row) > 0 else ''
154+ version = row[1] if len(row) > 1 else ''
155+ latest_version = row[2] if len(row) > 2 else ''
156+ cve = row[3] if len(row) > 3 else ''
157+ cvss3 = row[11] if len(row) > 11 else ''
158+ object_full_path = row[9] if len(row) > 9 else ''
159+ vulnerability_url = row[23] if len(row) > 23 else ''
160+
161+ row_num += 1
162+ print(f'| {row_num} | {cve} | {cvss3} | {component} | {version} | {latest_version} | {object_full_path} | {vulnerability_url} |')
163+
164+ except Exception as e:
165+ print(f'Error processing CSV: {e}', file=sys.stderr)
166+ sys.exit(1)
167+ " >> " $GITHUB_STEP_SUMMARY "
168+
169+ # Add failure status to summary
170+ cat >> " $GITHUB_STEP_SUMMARY " << 'EOF '
171+
172+ **Action Required:** Review and fix the vulnerabilities listed above.
173+ EOF
174+
175+ exit 1
176+ }
177+
178+ # Function to handle no vulnerabilities case
179+ handle_no_vulnerabilities () {
180+ echo " ✅ No vulnerabilities found by BDBA scan"
181+ echo " "
182+
183+ # Add success message to summary
184+ cat >> " $GITHUB_STEP_SUMMARY " << 'EOF '
185+ ### ✅ No Vulnerabilities Found
186+
187+ **Status:** ✅ **PASSED**
188+ **Result:** No security vulnerabilities detected by BDBA scan
189+
190+ EOF
191+ }
192+
193+ # Main execution function
194+ main () {
195+ echo " Starting BDBA vulnerability check..."
196+
197+ find_vulnerability_file
198+ count_vulnerabilities
199+ write_summary_header
200+
201+ if [ " $VULN_COUNT " -gt 0 ]; then
202+ process_vulnerabilities
203+ else
204+ handle_no_vulnerabilities
205+ fi
206+
207+ echo " BDBA vulnerability check completed."
208+ }
209+
210+ # Run the main function
211+ main " $@ "
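Review bot: The three `python3 -c` snippets (lines 54, 83 and 133) splice `$VULN_FILE` directly into Python source inside a double-quoted bash string (`open('$VULN_FILE', ...)`), so a CSV path taken from the downloaded artifact that contains a quote, backslash or `$(`/backtick sequence is evaluated as shell and then as Python rather than treated as a filename; pass the path as an argument instead, closing each snippet with `" "$VULN_FILE")` and opening the file with `with open(sys.argv[1], 'r', newline='', encoding='utf-8') as csvfile:`. The `exit 0` at line 26 makes the gate pass when no `*-vulns.csv` is present, so a misconfigured or failed scan yields a warning and a green check instead of a failure; if that is intended, a comment saying so belongs on that line, otherwise it should be `exit 1`. The table rows written at line 162 insert raw CSV cells, so a `|` or newline in a component name or URL breaks the markdown table and lets report content reshape the step summary; escaping each cell before formatting, e.g. `cve.replace('|', '\\|')`, would harden it. The second snippet (line 83) swallows every error with a bare `except: pass` and prints 0, while the first exits 1 on the same file, so `EXCLUDED_COUNT` can be silently wrong; the two should fail the same way.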