Snyk vulnerability scan report #1423
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Snyk vulnerability scan report | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 0/8 * * *" | |
env: | |
APP_ENGINE_REPO: entando/app-engine | |
APP_ENGINE_BRANCH: develop | |
CATALYST_INFRA_TEMPLATES_REPO: entando/catalyst-infra-templates | |
SNYK_SCAN_MATRIX_CONFIG_URL: global-config/snyk-scan-matrix.json | |
SNYK_SCAN_BUILD_POM_SCRIPT_URL: scripts/snyk-scan-build-pom.sh | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
build_pom_script: ${{ steps.set-build-pom-script.outputs.build_pom_script }} | |
pom_template: ${{ steps.set-pom-template.outputs.pom_template }} | |
steps: | |
- name: Checkout catalyst-infra-templates | |
uses: actions/checkout@v3 | |
with: | |
repository: ${{ env.CATALYST_INFRA_TEMPLATES_REPO }} | |
token: ${{ secrets.ENTANDO_BOT_TOKEN }} | |
- name: Load snyk-scan-matrix.json | |
id: set-matrix | |
run: | | |
echo "matrix=$(jq -c . < $SNYK_SCAN_MATRIX_CONFIG_URL)" >> $GITHUB_OUTPUT | |
- name: Upload snyk-scan-build-pom.sh | |
uses: actions/upload-artifact@v3 | |
with: | |
name: snyk-scan-build-pom.sh | |
path: ${{ env.SNYK_SCAN_BUILD_POM_SCRIPT_URL }} | |
scan-matrix: | |
needs: setup | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: ${{fromJson(needs.setup.outputs.matrix)}} | |
fail-fast: true | |
max-parallel: 10 | |
steps: | |
- name: Checkout project | |
uses: actions/checkout@v3 | |
with: | |
repository: ${{ matrix.repo }} | |
ref: ${{ matrix.branch }} | |
- name: Download snyk-scan-build-pom.sh | |
uses: actions/download-artifact@v3 | |
with: | |
name: snyk-scan-build-pom.sh | |
- name: Get Service Account Access Token | |
run: | | |
CURL_RESPONSE=$(curl -X 'POST' \ | |
'https://vulnerability-reports.k8s-entando.org/auth/realms/VulnerabilityReports/protocol/openid-connect/token' \ | |
-H 'Content-Type: application/x-www-form-urlencoded' \ | |
-d 'client_id=vulnerability-reports-sa&grant_type=client_credentials&client_secret=${{ secrets.KEYCLOAK_CLIENT_SECRET }}') | |
echo $CURL_RESPONSE | |
TOKEN=$(echo $CURL_RESPONSE | jq .access_token) | |
TOKEN=${TOKEN:1:-1} | |
echo "ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV | |
- name: Scan vulnerabilities with snyk | |
run: | | |
rm -rfv ./scan-prj | |
mkdir scan-prj | |
cd scan-prj | |
mv ../snyk-scan-build-pom.sh . | |
bash snyk-scan-build-pom.sh | |
npm install snyk -g | |
snyk auth ${{ secrets.SNYK_TOKEN }} | |
snyk test >> snyk-results.txt || true | |
BRANCH=$(echo ${{ matrix.branch }} | sed -r 's;/+;_;g') | |
REPO_NAME=$(echo "${{ matrix.repo }}" | awk -F '/' '{print $2}') | |
REPORT_FILE_NAME=$BRANCH-$REPO_NAME.csv | |
echo "Vulnerable Library, Vulnerability Type, Severity, Current Version, Fix Version, Fix Type (Update/Explicity/No Fix), Details" > $REPORT_FILE_NAME | |
POST_PAYLOAD="{\"repository\": \"${REPO_NAME}\", \"branch\": \"${{ matrix.branch }}\", \"vulnerabilities\": [" | |
while read LINE | |
do | |
if [[ $LINE == Upgrade* ]] | |
then | |
VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" | awk -F '@' '{print $3}' | awk -F ' ' '{print $1}') | |
VULNERABLE_LIB_VERSION_FIX=$(echo $VULNERABLE_LIB_VERSION_FIX | sed -r 's|,|;|g') | |
FIX_TYPE="Update" | |
FIX_TYPE_ENUM="UPDATE" | |
ISSUES_WITH_NO_DIRECT_UPGRADE=false | |
elif [[ $LINE == ✗* ]] | |
then | |
VULNERABILITY_TYPE=$(echo "${LINE}" | awk -F '✗ ' '{print $2}' | awk -F ' \\[' '{print $1}' | sed 's/ (new)//') | |
VULNERABILITY_SEVERITY=$(echo "${LINE}" | awk -F '[' '{print $2}' | awk -F ' ' '{print $1}') | |
VULNERABILITY_SEVERITY_ENUM=$(echo $VULNERABILITY_SEVERITY | tr '[:lower:]' '[:upper:]') | |
VULNERABILITY_SNYK_LINK=$(echo "${LINE}" | awk -F '[' '{print $3}' | awk -F ']' '{print $1}') | |
elif [[ $LINE == "Issues with no direct upgrade"* ]] | |
then | |
ISSUES_WITH_NO_DIRECT_UPGRADE=true | |
FIX_TYPE="No fix" | |
FIX_TYPE_ENUM="NO_FIX" | |
VULNERABLE_LIB_VERSION_FIX= | |
elif [[ $LINE == "introduced by"* ]] | |
then | |
VULNERABLE_LIB=$(echo "${LINE}" | awk -F 'introduced by ' '{print $2}' | awk -F '@' '{print $1}') | |
VULNERABLE_LIB_VERSION=$(echo "${LINE}" | awk -F '@' '{print $2}' | awk '{print $1}') | |
if [[ $ISSUES_WITH_NO_DIRECT_UPGRADE = false ]] | |
then | |
echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME | |
POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"}," | |
fi | |
elif [[ $LINE == "This issue was fixed in versions"* ]] | |
then | |
VULNERABLE_LIB_VERSION_FIX=$(echo "${LINE}" | awk -F 'This issue was fixed in versions: ' '{print $2}') | |
VULNERABLE_LIB_VERSION_FIX=$(echo $VULNERABLE_LIB_VERSION_FIX | sed -r 's|,|;|g') | |
FIX_TYPE="Explicit" | |
FIX_TYPE_ENUM="EXPLICIT" | |
echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME | |
POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"}," | |
elif [[ $LINE == "No upgrade or patch available"* ]] | |
then | |
FIX_TYPE="No fix" | |
FIX_TYPE_ENUM="NO_FIX" | |
VULNERABLE_LIB_VERSION_FIX= | |
echo "${VULNERABLE_LIB},${VULNERABILITY_TYPE},${VULNERABILITY_SEVERITY},${VULNERABLE_LIB_VERSION},${VULNERABLE_LIB_VERSION_FIX},${FIX_TYPE},${VULNERABILITY_SNYK_LINK}" >> $REPORT_FILE_NAME | |
POST_PAYLOAD="${POST_PAYLOAD} {\"detailsURL\": \"${VULNERABILITY_SNYK_LINK}\", \"vulnerableLib\": \"${VULNERABLE_LIB}\", \"type\": \"${VULNERABILITY_TYPE}\", \"severity\": \"${VULNERABILITY_SEVERITY_ENUM}\", \"currentVersion\": \"${VULNERABLE_LIB_VERSION}\", \"fixVersion\": \"${VULNERABLE_LIB_VERSION_FIX}\", \"fixType\": \"${FIX_TYPE_ENUM}\"}," | |
fi | |
done < snyk-results.txt | |
POST_PAYLOAD=${POST_PAYLOAD:0:-1}]} | |
CURL_RESPONSE=$(curl -is -X 'PUT' \ | |
'https://vulnerability-reports.k8s-entando.org/v1/vulnerability-reports/' \ | |
-H "Authorization: Bearer $ACCESS_TOKEN" \ | |
-H 'accept: application/json' \ | |
-H 'Content-Type: application/json' \ | |
-d "${POST_PAYLOAD}]}") | |
echo $CURL_RESPONSE | |
- name: Upload Snyk reports | |
uses: actions/upload-artifact@v3 | |
with: | |
name: snyk-report | |
path: scan-prj/*.csv | |
send-slack-message: | |
needs: scan-matrix | |
runs-on: ubuntu-latest | |
steps: | |
- name: Send message in Slack | |
run: | | |
PAYLOAD="{\"text\":\"*Vulnerability reports updated:* \n • <https://vulnerability-reports.k8s-entando.org/|Vulnerability Reports Page> \n • <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Artifact>\"}" | |
curl -X POST -H 'Content-type: application/json' -d "${PAYLOAD}" ${{ secrets.SLACK_SV_WEBHOOK }} |