ci: compare cves to main (#2448)

## Description This would add a compare CVEs to main workflow to replace the "analyze cves" which currently runs on PRs. This new workflow would only fail on PRs is new CVE's were added rather than always failing if CVE's exist in the PR. Assuming we want to move forward with this we would need to add some extra signal for ourselves to notify us when we do have CVEs on PRs. Maybe a status icon on the repo? Maybe emails? Maybe auto opened issues ? Github security also opens up alerts though those don't take into account the .grype.yaml so there is more noise --------- Co-authored-by: razzle <[email protected]>
zarf-dev · Apr 24, 2024 · 41a2448 · 41a2448
1 parent a8aa167
commit 41a2448
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 6 deletions.
diff --git a/.github/workflows/compare-cves.yml b/.github/workflows/compare-cves.yml
@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "cargo.toml"
+      - "cargo.lock"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+
+      - name: fetch main
+        run: git fetch origin main --depth 1
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Check for CVEs in Dependencies
+        run: "hack/check-vulnerabilities.sh"
diff --git a/.github/workflows/scan-cves.yml b/.github/workflows/scan-cves.yml
@@ -6,12 +6,6 @@ permissions:
 on:
   schedule:
     - cron: "0 10 * * *"
-  pull_request:
-    paths:
-      - "go.mod"
-      - "go.sum"
-      - "cargo.toml"
-      - "cargo.lock"
 
 jobs:
   validate:

diff --git a/hack/check-vulnerabilities.sh b/hack/check-vulnerabilities.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+MAIN_BRANCH="main"
+TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "target branch is $TARGET_BRANCH"
+
+mkdir -p build
+
+git checkout $MAIN_BRANCH
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
+
+git checkout $TARGET_BRANCH
+cat build/main-syft.json | grype -o template -t hack/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/compare.tmpl > build/target.json
+
+
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
+
+echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
+echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
+
+if [[ "$result" == "[]" ]]; then
+  echo "no new vulnerabilities on $TARGET_BRANCH"
+  exit 0
+else
+  echo "new CVEs have been added with IDs $result"
+  exit 1
+fi
diff --git a/hack/compare.tmpl b/hack/compare.tmpl
@@ -0,0 +1,7 @@
+[
+  {{- $length := len .Matches -}}
+  {{- range $index, $match := .Matches -}}
+  { "id": "{{$match.Vulnerability.ID}}", "severity": "{{$match.Vulnerability.Severity}}" }
+  {{ if lt (add $index 1) $length }},{{ end }}
+  {{- end -}}
+]