Validate and Move Vulnerability Submission #82
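---
# Publishes an approved vulnerability submission: the reviewed input/new.json is
# copied to vulnerabilities/AIKIDO-<year>-<nnnnn>.json, the template is reset and
# the result is committed back to the PR branch.
name: Validate and Move Vulnerability Submission

# Least privilege: the only write the job performs is a push to the PR branch.
permissions:
  contents: write

on:  # yamllint disable-line rule:truthy
  pull_request_review:
    types:
      - submitted

jobs:
  validate-and-move:
    # Run only once a review with state "approved" has been submitted.
    # The push at the end targets a branch of this repository, so the job is
    # skipped for pull requests opened from forks (their head ref does not exist
    # on origin and the fetch/push would fail anyway).
    # NOTE(review): on a public repository any user can submit an "approved"
    # review; consider additionally requiring
    # github.event.review.author_association to be OWNER/MEMBER/COLLABORATOR
    # before publishing a submission.
    if: >-
      github.event.review.state == 'approved' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      # Check out the PR merge commit; with depth 2, HEAD^1 is the base branch,
      # so `git diff HEAD^1 HEAD` below lists every file the PR touches.
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 2

      # Ensure only input/new.json is modified by the PR.
      - name: Validate modified files
        run: |
          modified_files=$(git diff --name-only HEAD^1 HEAD)
          if [[ "$modified_files" != "input/new.json" ]]; then
            echo "modified_files: $modified_files"
            echo "Error: Only /input/new.json should be modified."
            exit 1
          fi

      # Validate JSON format and required fields. The file content comes from
      # the PR author and is only ever parsed by jq, never executed.
      - name: Validate JSON structure
        run: |
          if ! jq -e '.package_name != null and .patch_versions != null' input/new.json; then
            echo "Error: JSON format or required fields are invalid."
            exit 1
          fi

      # Derive the next AIKIDO-<year>-<nnnnn> name from what already exists on
      # main and export it as $file_name for the later steps.
      - name: Generate new filename
        id: generate-name
        run: |
          current_year=$(date +%Y)
          # main is the source of truth for already-published files.
          git fetch origin main --depth=1
          # Highest-numbered file for the current year, if any. Names are
          # zero-padded to 5 digits, so a plain lexical sort orders them
          # numerically. The grep is wrapped with `|| true` because the default
          # `run` shell is `bash -e -o pipefail`: with no file yet for the
          # current year, grep's exit status 1 would otherwise abort the step
          # instead of reaching the "start at 10001" branch.
          latest_file=$(git ls-tree -r origin/main --name-only \
            | { grep -E "^vulnerabilities/AIKIDO-${current_year}-[0-9]+\.json$" || true; } \
            | sort | tail -n 1)
          if [ -z "$latest_file" ]; then
            # First submission of the year.
            next_number=10001
          else
            # AIKIDO-<year>-<number> -> third dash-separated field, plus one.
            next_number=$(basename "$latest_file" .json | awk -F- '{print $3 + 1}')
          fi
          printf -v next_file_name "vulnerabilities/AIKIDO-%s-%05d.json" "$current_year" "$next_number"
          echo "file_name=$next_file_name" >> "$GITHUB_ENV"

      # Switch from the detached merge commit to the PR branch so the commit
      # below can be pushed. The branch name is attacker-controlled input
      # (anyone opening a PR chooses it), so it is passed through an environment
      # variable rather than expanded with ${{ }} directly inside the script,
      # which would allow shell injection into a job holding contents: write.
      - name: Fetch PR branch
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git fetch origin "$PR_HEAD_REF"
          git checkout "$PR_HEAD_REF"

      # Stamp last_modified and published with today's date (UTC of the runner).
      - name: Update JSON metadata
        run: |
          current_date=$(date +%Y-%m-%d)
          jq --arg date "$current_date" \
            '.last_modified = $date | .published = $date' \
            input/new.json > temp.json && mv temp.json input/new.json
          git add input/new.json

      # Copy the stamped submission to its final, numbered location.
      - name: Move new.json to vulnerabilities folder
        run: |
          cp input/new.json "$file_name"

      # Reset input/new.json to the empty template for the next submission.
      - name: Reset input/new.json to template
        run: |
          cat > input/new.json <<'EOF'
          {
            "package_name": "",
            "patch_versions": [],
            "vulnerable_ranges": [],
            "cwe": [],
            "tldr": "",
            "doest_this_affect_me": "",
            "how_to_fix": "",
            "vulnerable_to": "",
            "related_cve_id": "",
            "language": "",
            "severity_class": "",
            "aikido_score": 0,
            "changelog": ""
          }
          EOF
          git add input/new.json

      # Commit the published file plus the reset template and push to the PR
      # branch. Same injection concern as above: the ref goes through env.
      - name: Commit changes
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$file_name"
          git add input/new.json
          git commit -m "Move new vulnerability to $file_name and reset new.json template"
          git push origin "$PR_HEAD_REF"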